How North Korean operatives turned trusted apps against South Koreans
North Korean state backed cyber operators executed a coordinated campaign that turned everyday tools into attack rails, according to forensic investigators in South Korea. The group, linked to the Konni cluster of Pyongyang aligned actors, stole Google account credentials, took remote control of Android phones and tablets through Google's Find Hub service, then hijacked KakaoTalk accounts to push malware across real contact networks. Researchers describe it as the first confirmed case in which a North Korea linked operation compromised Google accounts to remotely control smart devices using built in management functions.
Security analysts at Genians Security Center say the attackers first impersonated tax officials to plant malware. After a period of quiet monitoring, the intruders logged into stolen Google accounts. Through Find Hub, a consumer safety tool that lets owners locate and protect lost devices, they tracked phone locations and issued remote factory resets. The wipes erased personal data and temporarily muted alerts, a condition that helped the next stage succeed.
With targets unable to receive calls and notifications, the operation shifted to the KakaoTalk desktop client that remained signed in. Using the victim's name and trusted chat history, the attackers sent malicious files disguised as stress relief programs to contact lists. The tactic let the malware propagate through social trust and delayed discovery because many victims were locked out or busy recovering their phones.
Google has stated that the activity abused valid account access and legitimate features, not a vulnerability in Android or Find Hub. The company urges users to enable two step verification or passkeys and, for high risk individuals, to enroll in Advanced Protection.
What happened in the attacks
The operation unfolded in stages that blended email lures, account theft, cloud based device control, and messenger abuse. It is an example of an attacker living off the land, where built in services and trusted apps become the attacker's tools. Two incidents detailed by investigators, on September 5 and September 15, show how quickly the approach can spread malware within personal and professional circles once a single account is compromised.
Step 1: Spear phishing and initial compromise
The intrusion began with targeted messages that spoofed South Korea’s National Tax Service. Victims were persuaded to open attachments or installers that looked legitimate, including files packaged as signed MSI installers. Behind the scenes, these files launched scripts that established persistence and downloaded remote access tools. Analysts observed families of malware that provide full control of Windows systems, including Lilith RAT, Remcos RAT, Quasar RAT, and RftRAT, as well as AutoIt based loaders. The malware conducted reconnaissance, harvested browser stored credentials, and monitored activity, staging the environment for account theft.
Targets included people who work with North Korean defectors and human rights advocates. Some lures were framed as helpful programs for stress relief. By tailoring the message to the recipient’s role and concerns, the attackers raised their odds that a file would be opened, which then gave them a foothold on a personal computer.
Step 2: Account takeover and Find Hub misuse
With malware in place, the operators stole account credentials for services such as Google and Naver. Using those stolen Google logins, they accessed Find Hub. The service allows device owners to query a phone's last known location and issue commands such as playing a sound or resetting the device to factory settings. The intruders used the location query to check that a target was not actively using the phone, then triggered the remote reset. Investigators also found signs that in some cases the attackers deleted security alert emails and emptied mailbox trash folders to cover their tracks. Multiple reset commands were issued to frustrate recovery and reduce evidence on the phone.
Once a device was reset, the owner could not view new notifications, including urgent messages from contacts asking about strange files. The wipe also removed indicators that could have exposed the intrusion, which gave the attackers time to execute the next step from a different device still logged in to the victim’s accounts.
Step 3: KakaoTalk as the malware megaphone
KakaoTalk is near universal in South Korea, and many users keep a desktop session signed in. After the mobile reset, the attackers pivoted to the victim's KakaoTalk PC client to distribute malicious files at speed. Messages went out under the real name and profile photo of the victim, often with a brief note and an attachment. Recipients who trusted the sender opened the file, which installed malware and expanded the number of compromised machines. One case involved messages sent to more than 30 contacts in minutes. Another involved broad simultaneous distribution from a different compromised account ten days later.
Who is behind the campaign
The activity is attributed to the Konni cluster, a North Korea linked cyber espionage network that overlaps with entities widely tracked as Kimsuky and APT37. Different security vendors use different names for the same or closely allied operators, including Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia. These teams share infrastructure and tool sets across campaigns that target South Korean government bodies, education, media, civil society, and cryptocurrency communities.
North Korean operators have a history of mobile targeting. For example, researchers have documented Android spyware that pretends to be utilities or security apps, with features to record audio, capture screens, and exfiltrate files. What sets the present campaign apart is the way it abuses account based device management to wipe phones, then pivots immediately to a desktop messenger session to spread further. The combination points to mature coordination across multiple platforms rather than a single malware strand acting alone.
Why the Find Hub abuse is a turning point
For years, North Korea linked groups have mixed custom malware with stolen credentials and legitimate tools. The Find Hub abuse raises the stakes because it turns a consumer safety feature into a remote eraser and a distraction engine. A reset neutralizes a phone, deletes traces of espionage data, and silences out of band warnings at the moment when they matter most. That creates an opening to use a logged in desktop session for rapid distribution.
The approach also complicates incident response. Some telemetry and evidence that would reside on the phone disappears with a reset. The relevant activity is split between the device, the cloud account, and the desktop client. Defenders must collect data from all three to fully reconstruct the sequence. Genians analysts described the method as a watershed for advanced North Korea linked operations.
In a report on the case, Genians Security Center wrote:
This combination of device neutralization and account based propagation is unprecedented among previously known state sponsored APT scenarios.
Fallout for victims and the human toll
The intruders did not pick random targets. Investigators say a psychological counselor who supports North Korean defector students had a phone reset on September 5. Within a short window, the counselor's KakaoTalk account was used to send a file labeled as a stress relief program to clients. When several recipients opened it, their machines were infected. The choice of both the messenger and the message played on trust and relevance to the recipients' lives.
Ten days later, a human rights activist focused on North Korea had a similar experience. Their Android device was remotely reset through Find Hub, then the activist’s KakaoTalk account sent malicious files to 36 acquaintances. In both cases, the victims’ phones could not receive calls or alerts during the crucial first hours, which delayed warnings from contacts who suspected something was wrong.
For some victims, the wiping removed photos, documents, contacts, and work product. Investigators also found malware modules with webcam and microphone control capabilities on infected PCs, raising concern that cameras may have been used to check whether victims were physically present before resets were issued. People who work with defectors and civil society groups in South Korea already face unique risks. The campaign shows how everyday digital life can be turned against them in ways that carry personal and professional costs.
Expert and official responses
South Korean police have opened investigations into the two September incidents. Analysts said the code and techniques match patterns previously linked to North Korea aligned groups. Investigators urged potential targets, including counselors and activists, to run thorough checks of both desktop and mobile environments for account compromise.
Security teams highlight that the attackers did not need a programming flaw in Android or in Find Hub. They needed valid credentials and access to trusted apps. Researchers recommend service providers add real time verification steps for sensitive actions like remote resets, and that messengers provide stronger warnings or delays when a desktop client attempts to send executable files to many contacts in a short period.
How to protect your Google and KakaoTalk accounts
The campaign relied on stolen logins, persistent desktop sessions, and features that users normally trust. The following steps reduce risk and make account abuse harder:
- Turn on two step verification for your Google account. Prefer passkeys or a security key. People at higher risk, such as activists and journalists, should enroll in Google’s Advanced Protection Program.
- Open Google Account settings and run Security Checkup. Remove unfamiliar devices and sessions. Revoke third party access you do not recognize. Review recovery phone and email.
- Check Find Hub or Find My Device settings for the list of devices tied to your account. Make sure you recognize each device. Ensure each device is locked with a strong PIN and that remote reset requires your authentication.
- Audit your email security. Look for suspicious filters, forwarding rules, or delegated access in Gmail. Attackers sometimes add rules that hide alerts.
- Avoid saving passwords in the browser on shared or unmanaged PCs. Use a reputable password manager that locks with a master password or security key.
- Keep Android, Windows, macOS, and KakaoTalk updated. Review KakaoTalk settings to see which PCs are signed in to your account and sign out of any you do not recognize.
- Be critical of unsolicited files or app installers, even from contacts you trust. Confirm by calling the sender on a separate channel before opening any file.
- Maintain offline backups for key photos and documents. A reset will not touch an external backup that is kept disconnected when not in use.
- Enable login alerts, then read them carefully. If you receive a suspicious alert, do not click links in the alert. Instead, navigate directly to account settings in a new browser session and review activity.
Immediate steps if you think you were targeted
- From a clean device you control, change your Google and KakaoTalk passwords. Then enable two step verification or passkeys.
- Open Google Account, review recent security events, and sign out of all other sessions. Revoke any unfamiliar app tokens.
- In Gmail, remove strange filters or forwarding rules. In KakaoTalk, force sign out of all PCs and reauthorize only the ones you use.
- If your phone was reset, treat it as a fresh device. Before restoring, change your account passwords and verify recovery information. Restore only from trusted backups.
- Warn your contacts that messages from you may have been malicious. Ask them to avoid opening files they received and to run security scans.
- Preserve evidence where possible. Do not wipe your PC. Capture screenshots of suspicious activity logs, then contact your local cybercrime unit or a trusted security team.
What organizations should do now
Organizations with staff in South Korea, or with ties to North Korea related work, should assume they are attractive targets. A focused program that blends identity security with endpoint monitoring will reduce risk and speed response.
- Require multi factor authentication on all Google Workspace and identity provider accounts. Adopt phishing resistant methods such as passkeys or hardware security keys.
- Harden browsers and disable password auto save in unmanaged environments. Provide an enterprise grade password manager for staff.
- Deploy endpoint detection and response with behavior based rules for AutoIt launchers, MSI script abuse, and known RAT families including Lilith RAT, Remcos RAT, Quasar RAT, and RftRAT.
- Block or quarantine executable attachments and MSI installers from external senders at the email and messenger gateway where possible.
- Monitor cloud audit logs for suspicious actions, including remote reset activity and repeated location checks through device management services tied to user accounts.
- Run regular phishing simulations tailored to local lures such as tax agency notices. Provide just in time training for staff who handle sensitive work with defectors and activists.
- Establish a rapid response playbook for account takeover that covers Google accounts, KakaoTalk desktop clients, and mobile device resets. Practice the playbook in tabletop exercises.
- Create a channel for contacts to report suspicious messages and files that appear to come from your staff. Treat those reports as high priority.
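The two detection opportunities the article names, a remote reset issued shortly after location queries on the same account and a desktop messenger session pushing file attachments to dozens of contacts in minutes, can be expressed as simple correlation rules over audit events. The block below is an added example, not code from Genians, Google, or Kakao; the event schema and the sample events are constructed to mirror the September 5 sequence and are not real log data.

```python
# Added example: two correlation rules over a constructed audit-event stream.
# Event schema (an assumption, not a real Google or KakaoTalk log format):
#   (iso_timestamp, account, action, target)
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    ("2025-09-05T08:00:00", "owner@example.com", "device.locate", "phone-9"),  # benign: locate only
    ("2025-09-05T09:58:00", "counselor@example.com", "device.locate", "phone-1"),
    ("2025-09-05T10:01:00", "counselor@example.com", "device.locate", "phone-1"),
    ("2025-09-05T10:03:00", "counselor@example.com", "device.factory_reset", "phone-1"),
    ("2025-09-05T10:12:00", "colleague@example.com", "msg.send_file", "friend-1"),  # benign: small fan-out
] + [
    # constructed: 36 file messages from the hijacked desktop session inside five minutes
    (f"2025-09-05T10:{20 + i // 8:02d}:{(i % 8) * 7:02d}", "counselor@example.com",
     "msg.send_file", f"contact-{i:02d}")
    for i in range(36)
]


def locate_then_reset(events, window=timedelta(minutes=30)):
    """Flag a factory reset preceded by location queries on the same account within `window`."""
    hits, locates = [], defaultdict(list)
    for ts, account, action, _ in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if action == "device.locate":
            locates[account].append(t)
        elif action == "device.factory_reset":
            recent = [q for q in locates[account] if t - q <= window]
            if recent:
                hits.append((account, ts, len(recent)))
    return hits


def file_fanout(events, threshold=20, window=timedelta(minutes=10)):
    """Flag a sender that pushes files to >= `threshold` distinct recipients within `window`."""
    hits, per_sender = [], defaultdict(list)
    for ts, account, action, target in sorted(events):
        if action == "msg.send_file":
            per_sender[account].append((datetime.fromisoformat(ts), target))
    for sender, sends in per_sender.items():
        for i, (t0, _) in enumerate(sends):  # slide the window from each send
            recipients = {r for t, r in sends[i:] if t - t0 <= window}
            if len(recipients) >= threshold:
                hits.append((sender, t0.isoformat(), len(recipients)))
                break  # one alert per sender is enough
    return hits


if __name__ == "__main__":
    print("locate-then-reset:", locate_then_reset(EVENTS))
    print("file fan-out:", file_fanout(EVENTS))
```

The thresholds and windows are starting points; the "more than 30 contacts in minutes" figures from the two incidents sit well above a fan-out threshold of 20, while an owner locating a lost phone without resetting it, or a single file sent to one friend, produces no alert.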
At a Glance
- Investigators link a new campaign against South Koreans to the North Korea aligned Konni cluster.
- Attackers stole Google credentials, used Find Hub to track and factory reset Android devices, then abused KakaoTalk desktop sessions to spread malware to contacts.
- Cases include a counselor for North Korean defector students and a human rights activist, with malware messages sent to more than 30 contacts in one incident and 36 in another.
- The operation used spear phishing that spoofed the National Tax Service, signed MSI installers, AutoIt scripts, and remote access tools including Lilith RAT, Remcos RAT, Quasar RAT, and RftRAT.
- Researchers call it the first confirmed case of a North Korea linked actor using compromised Google accounts to issue remote device commands through Find Hub.
- Google says the activity abused legitimate account features and stolen credentials, not an Android or Find Hub flaw, and urges the use of two step verification or passkeys.
- Police in South Korea are investigating and security teams advise stronger identity protections, device hardening, and careful verification of files received through messengers.
- High risk users should enroll in Advanced Protection, audit logged in devices for Google and KakaoTalk, and maintain offline backups to limit damage from resets.