North Korea-linked hackers abuse Android security feature in new cyber campaign

The Genians Security Center (GSC) has uncovered a new wave of cyberattacks linked to the KONNI advanced persistent threat (APT) campaign, a hacking operation believed to be associated with North Korean groups commonly known as Kimsuky or APT37.

According to GSC’s investigation, attackers distributed malicious files disguised as “stress-relief programs” through South Korea’s popular KakaoTalk messaging platform. The files were designed to infect victims’ computers and enable long-term surveillance.

Researchers say the campaign also exploited a legitimate Android security feature known as Google’s “Find Hub,” typically used to locate or protect lost devices. In this case, hackers allegedly gained access to victims’ Google accounts and used the tool to track device locations and remotely reset smartphones and tablets. The resets erased personal data from several Android devices in South Korea, marking the first confirmed instance of a state-sponsored group using the service for destructive purposes.

GSC notes that KONNI shares targets and infrastructure with the Kimsuky and APT37 hacking groups, believed to operate on behalf of the North Korean government. The groups are thought to be connected to the regime’s 63 Research Center and to cyber operators already under international sanctions.

The attack chain began with phishing emails posing as notifications about appointments with North Korean human rights instructors. Victims were prompted to open attachments disguised as PDF documents, which installed malware on their computers.

Once inside the system, the attackers reportedly remained inactive for extended periods while collecting account credentials. They later used the desktop version of KakaoTalk to spread additional malware to the victim’s contacts.
