A North Korea-linked hacking group has been abusing online advertising infrastructure operated by Google and South Korea’s Naver to distribute malware, according to a new report from cybersecurity firm Genians.
The campaign, dubbed “Operation Poseidon,” is attributed to Konni, an advanced persistent threat (APT) group associated with Pyongyang-backed cyber operations. Researchers found that attackers weaponized advertising URLs in spear-phishing emails, making malicious links appear legitimate and allowing them to bypass email filters.
Genians said the attackers exploited ad click-tracking and redirection features to route victims to attacker-controlled servers. The operation initially abused Naver’s advertising ecosystem before expanding to Google’s global ad platform. Google’s infrastructure, built in part on its DoubleClick ad click tracking and redirection technology, was leveraged to mask malicious activity.
“Meanwhile, similar attack attempts exploiting the click tracking domain (mkt.naver[.]com) of the NAVER advertising marketing platform were observed to a limited extent around May and July 2025, but recent attack activity confirmed since then has consistently focused on the Google advertising infrastructure,” the report noted.
Rather than hosting malware on suspicious domains, the attackers used poorly secured WordPress sites as part of the delivery chain. In the initial stage, the threat actor used phishing emails impersonating North Korean human rights organizations or financial institutions, with files disguised as financial business documents.
In this campaign, the threat actor used the EndRAT malware delivered via an AutoIt script masquerading as a PDF file. Researchers say that the observed malware version indicates that EndRAT’s development is still ongoing.
The emails used hidden HTML content containing repeated meaningless English sentences to evade detection. Although invisible to users, the content is processed by email security systems and was designed to bypass signature-based and AI-driven spam and phishing detection.
“This configuration suggests the possibility of using automated templates designed to evade detection, and is seen as an example of threat actors evolving their attack tactics with a clear understanding of the detection logic of email security systems,” the researchers said.
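The hidden-padding technique described above can be checked for on the defensive side by measuring how much of an HTML body is invisible to the reader and how repetitive that hidden text is. The sketch below is an added example, not code from Genians or from the campaign; the style patterns, thresholds, function names and sample bodies are all assumptions made for illustration.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Inline styles that hide text from the reader (assumed list, not taken from the report).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:font-size|opacity)\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link", "wbr"}

class HiddenTextScanner(HTMLParser):
    """Splits text nodes into reader-visible and hidden; assumes well-nested tags."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # one flag per open element: hidden itself or via an ancestor
        self.hidden, self.visible = [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(attrs).get("style") or ""
            inherited = bool(self.stack) and self.stack[-1]
            self.stack.append(inherited or bool(HIDDEN_STYLE.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if data.strip():
            bucket = self.hidden if self.stack and self.stack[-1] else self.visible
            bucket.append(data.strip())

def score_email_html(html, min_hidden_chars=200):
    """Flag bodies where most text is hidden and the hidden text repeats itself."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    hidden, visible = " ".join(scanner.hidden), " ".join(scanner.visible)
    sentences = [s.strip().lower() for s in re.split(r"[.!?]+", hidden) if s.strip()]
    repeated = sum(n for n in Counter(sentences).values() if n > 1)
    total = len(hidden) + len(visible)
    hidden_ratio = len(hidden) / total if total else 0.0
    repeat_ratio = repeated / len(sentences) if sentences else 0.0
    # Thresholds are illustrative assumptions; tune them against real mail flow.
    suspicious = len(hidden) >= min_hidden_chars and hidden_ratio > 0.5 and repeat_ratio > 0.5
    return {"hidden_chars": len(hidden), "hidden_ratio": round(hidden_ratio, 2),
            "repeat_ratio": round(repeat_ratio, 2), "suspicious": suspicious}

# Constructed sample bodies (not taken from the campaign).
FILLER = "The river moves slowly past the old mill. Green hills rest under a quiet sky. "
VISIBLE = "<p>Please review the attached statement.</p>"
SAMPLE_PADDED = f'<html><body>{VISIBLE}<div style="display:none">{FILLER * 6}</div></body></html>'
SAMPLE_CLEAN = f'<html><body>{VISIBLE}<span style="display:none">Preview text</span></body></html>'
```

Short hidden preheader text, common in legitimate marketing mail, stays below the length threshold, which is why the score combines length, hidden share and repetition rather than flagging any hidden element.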