Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk
Recorded: Nov. 11, 2025, 5:06 p.m.
Original:
Konni, a subset of the state-sponsored DPRK cyberespionage group, first exploits Google Find Hub, which ironically aims to protect lost Android devices, to remotely wipe devices.

Elizabeth Montalbano, Contributing Writer
November 11, 2025

One of North Korea's formidable advanced persistent threat (APT) groups is targeting Android users in South Korea with a remote reset attack that exploits a Google feature meant to help users find their devices.

Researchers at South Korean cybersecurity firm Genians discovered the attack, which uses social engineering to distribute remote access trojans (RATs) and other malware via KakaoTalk, a South Korean messaging app. They attributed the campaign to the Konni APT, also known as APT37, TA406, and Thallium, which is believed to operate under the umbrella of the state-sponsored group Kimsuky.

"The recently identified Konni campaign is particularly notable for cases in which Google Android–based smartphones and tablet PCs in South Korea were remotely reset, resulting in the unauthorized deletion of personal data stored on the devices," according to a blog post by Genians.

The attacks exploited Find Hub, a Google service that, ironically, is aimed at protecting lost or stolen Android devices. In this case, however, Konni uses the service to perform location tracking and to remotely wipe devices once it has gained control of them by compromising their Google accounts, according to the post.

It's the first time a North Korean APT has "compromised Find Hub accounts and abused legitimate management functions to remotely reset mobile devices," according to Genians.
The attack chain also used victims' KakaoTalk PC sessions to distribute malicious files to close contacts, exploiting familiarity to lend legitimacy to its malicious intent.

Pwning Android Users: A Complex, Multi-Stage Cyberattack

The attack has two key stages: a spear-phishing attack that began in July of last year and aimed to compromise specific devices, and a secondary attack that spreads malware via KakaoTalk from those compromised devices.

In the spear-phishing campaign, attackers targeted Android devices by spoofing organizations such as South Korea's National Tax Service. Once in, they conducted internal reconnaissance and information collection over a prolonged period.

Among the victims was a professional psychological counselor who supports young North Korean defectors during resettlement, providing services such as career guidance, educational counseling, and mentoring. Attackers later used this compromised account, among others, to propagate malicious files via KakaoTalk.

The threat actor also gained unauthorized access to the victim's PC and stole a large volume of personally identifiable information (PII), sensitive data, and private content captured through the webcam, according to Genians.

Inside the Psychological Counselor Hack

Specifically, attackers compromised the KakaoTalk account of the psychological counselor on Sept. 5. Once the account was compromised, attackers used Find Hub's location query, then executed a remote reset command on both an Android smartphone and a tablet.
"The remote reset halted normal device operation, blocking notification and message alerts from messenger applications and effectively cutting off the account owner’s awareness channel, thereby delaying detection and response," according to Genians.Attackers then sent a malicious file disguised as a “stress relief program” to one of the counselor's North Korean student defectors. "Execution of the file resulted in infections on several devices" that required remediation, according to Genians. The files distributed were malicious AutoIt scripts and modules that enable remote access and keylogging, as well as various RATs, including LilithRAT and RemcosRAT. Then, 10 days later on Sept. 15, a separate victim’s KakaoTalk account was used to distribute similar malicious files en masse, in a simultaneous wave."These findings show that the attackers deliberately targeted services built on social trust to amplify their impact, reflecting more advanced tactics and increasingly sophisticated methods of concealment," according to the post.Related:How Maclaren Racing Gets From the Browser to the TrackMitigating Cyberespionage AttacksKimsuky and its various umbrella groups are consistently upgrading their tactics to achieve more success in their cyberespionage and financial goals to support the North Korean regime. Multi-stage attacks that abuse trusted relationships like the one Konni carried out here are becoming increasingly more common, demanding attention from defenders, according to the researchers.Specifically, organizations can protect themselves by leveraging available forensic analysis and threat intelligence, which help determine the root cause of these attacks and help them prevent recurrences among their own employees or networks, according to Genians. 
To that end, the researchers have provided a list of indicators of compromise (IoCs) for the Konni attacks to help identify potential infiltration, including domains and IP addresses associated with the campaign. The researchers also strongly recommend strengthening real-time, behavior-based detection and IoC-linked monitoring through endpoint detection and response (EDR).
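As an added illustration of the behavior-based detection and IoC-linked monitoring recommended above (this is example code, not from the article or the Genians report): a small Python correlator that flags an AutoIt interpreter or .au3 script spawned by the KakaoTalk PC client, flags outbound connections to listed IoC domains, and escalates any host that shows both. The process names, the placeholder IoC domains, and the sample telemetry are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

IOC_DOMAINS = {"c2-placeholder.example", "stage2-placeholder.example"}  # hypothetical placeholders
# Assumed process names: the KakaoTalk PC client and the AutoIt interpreter.
MESSENGER_PARENTS = {"kakaotalk.exe"}
AUTOIT_BINARIES = {"autoit3.exe", "autoit3_x64.exe"}

@dataclass
class Event:
    kind: str         # "process" (creation) or "network" (outbound connection)
    host: str
    parent: str = ""  # parent image path (process events)
    image: str = ""   # child image path (process events)
    cmdline: str = ""
    dest: str = ""    # destination host name (network events)

def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def detect(events):
    """Return (host, rule, detail) alerts; a host with both hit types is escalated."""
    alerts, hits_by_host = [], defaultdict(set)
    for e in events:
        if e.kind == "process":
            child, parent = _basename(e.image), _basename(e.parent)
            # AutoIt interpreter or .au3 script launched by a messenger client
            # (a script compiled into its own .exe would not match this rule).
            if parent in MESSENGER_PARENTS and (
                child in AUTOIT_BINARIES or ".au3" in e.cmdline.lower()
            ):
                alerts.append((e.host, "autoit-from-messenger", e.cmdline))
                hits_by_host[e.host].add("behavior")
        elif e.kind == "network" and e.dest.lower() in IOC_DOMAINS:
            alerts.append((e.host, "ioc-domain", e.dest))
            hits_by_host[e.host].add("ioc")
    for host, hits in hits_by_host.items():
        if hits == {"behavior", "ioc"}:
            alerts.append((host, "correlated-behavior-and-ioc", ""))
    return alerts

# Constructed sample telemetry for the example, not data from the campaign.
SAMPLE_EVENTS = [
    Event("process", "pc-01", r"C:\Program Files\Kakao\KakaoTalk\KakaoTalk.exe",
          r"C:\Users\u\Downloads\AutoIt3.exe", "AutoIt3.exe stress_relief.au3"),
    Event("network", "pc-01", dest="c2-placeholder.example"),
    Event("process", "pc-02", r"C:\Windows\explorer.exe",
          r"C:\Program Files\AutoIt3\AutoIt3.exe", "AutoIt3.exe build.au3"),
    Event("network", "pc-03", dest="updates.example"),
]
```

Running detect(SAMPLE_EVENTS) yields two single alerts for pc-01 plus the escalated correlated alert, and nothing for pc-02, whose AutoIt launch came from explorer.exe rather than the messenger client.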
Summarized:

The Konni APT, a subset of the state-sponsored DPRK cyberespionage group Kimsuky, is actively running a sophisticated remote reset attack against Android users in South Korea. The operation, first uncovered by South Korean cybersecurity firm Genians, leverages Google's Find Hub service, which is designed to locate lost devices, to remotely wipe compromised smartphones and tablets. The attackers' objective is to gain unauthorized access to personal data and conduct reconnaissance, pursued across multiple stages.

Initially, the attackers ran a spear-phishing campaign against specific individuals, including a psychological counselor assisting North Korean defectors, spoofing organizations such as South Korea's National Tax Service. This initial phase collected information and established a foothold on the identified devices. The attackers then used Find Hub's location query and issued a remote reset command, halting device operation and suppressing notification alerts from messaging applications.

A key element of the attack chain was the abuse of KakaoTalk, a prevalent South Korean messaging app. The attackers distributed malicious files through compromised KakaoTalk PC sessions, capitalizing on social trust to mask their intentions. These files, disguised as a "stress relief program," contained AutoIt scripts and modules enabling remote access and keylogging, alongside various remote access trojans (RATs) such as LilithRAT and RemcosRAT. This multi-stage approach, combined with the abuse of legitimate system functions, shows a complex, highly coordinated effort.

In one specific case, the attackers compromised the KakaoTalk account of the counselor supporting North Korean defectors on September 5, then used Find Hub to execute the remote reset command. The reset cut off the victim's awareness channel while the attackers, who had also gained unauthorized access to the victim's PC, stole personal data including PII, sensitive data, and webcam footage. A second wave of malicious files followed on September 15, distributed through another compromised KakaoTalk account, amplifying the attack's impact.

The tactics used, ranging from spear-phishing and social engineering to the abuse of trusted services, show the growing resourcefulness of advanced persistent threats like Kimsuky. The attack underscores the danger of trusted systems such as Find Hub being turned against their owners, and the use of social trust in messaging apps to spread malware is a particularly concerning trend. Defending mobile devices, especially in regions facing active cyberespionage, calls for vigilance, multi-layered defenses, and continuous monitoring. The researchers at Genians have provided indicators of compromise (IoCs) to assist in detection and response, reinforcing the value of proactive defense.