Konni APT exploits Google’s Find My Device to track and factory‑reset Android phones via KakaoTalk phishing

CyberSecureFox 🦊

Konni, a threat cluster linked to North Korea, has expanded its tactics by abusing Google Find Hub (commonly known as Find My Device) to remotely locate, lock, and factory‑reset Android devices. According to research by Genians, the campaign targets users in South Korea and begins with social engineering on the popular messaging app KakaoTalk.

Attack vector: KakaoTalk phishing, signed installers, and modular RATs

Adversaries impersonate the National Tax Service, police, and other authorities, distributing signed MSI installers or ZIP archives as attachments. Upon execution, a VBS script displays a decoy “language pack error” to distract the user, while a BAT script deploys an AutoIt loader, persists it via Task Scheduler, and establishes command‑and‑control. The operators then stage modular payloads including RemcosRAT, QuasarRAT, and RftRAT to enable covert remote control, data exfiltration, and credential theft.
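The persistence step above (a BAT script registering an AutoIt loader as a scheduled task) leaves a task-registration event that defenders can triage. The following is an added example, not code from Genians or CyberSecureFox; the pipe-delimited log lines, their field layout and the regular expressions are constructed assumptions about what a SIEM would hold for a task-registration event, and the threshold of two indicators is a tunable choice rather than a published rule.

```python
"""Triage of Windows Scheduled Task registrations for script-staged loader
persistence. Added example; not code from Genians or CyberSecureFox.
The records and their field layout are constructed to mimic what a SIEM
holds for a task-registration event (e.g. Security 4698 or the
TaskScheduler operational log); the field names are assumptions."""
import re
from dataclasses import dataclass

# Interpreters that a dropper typically uses as the task's action.
INTERPRETER = re.compile(r"(autoit3(?:_x64)?|wscript|cscript|mshta|powershell)\.exe$", re.I)
# Script or compiled-AutoIt payloads referenced in the action or its arguments.
SCRIPT_PAYLOAD = re.compile(r"\.(a3x|au3|vbs|bat|cmd|js|ps1)(?:\s|$|\")", re.I)
# Locations a non-admin user can write to; legitimate tasks rarely run from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
# Processes that register the task; a script host or installer parent is unusual.
SCRIPT_HOST_PARENT = re.compile(r"(wscript|cscript|cmd|powershell|msiexec)\.exe$", re.I)

# Constructed sample: one Defender task, one suspicious loader, one vendor updater.
SAMPLE_LOG = r"""
2025-09-05T09:41:12Z|\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan|C:\Program Files\Windows Defender\MpCmdRun.exe|Scan -ScheduleJob|svchost.exe|SYSTEM
2025-09-05T10:12:03Z|\Updater\SysHealth|C:\Users\victim\AppData\Roaming\sys\AutoIt3.exe|"C:\Users\victim\AppData\Roaming\sys\update.a3x"|cmd.exe|DESKTOP\victim
2025-09-05T11:05:44Z|\Acme\Updater|C:\Program Files\Acme\updater.exe|/silent|MsiExec.exe|DESKTOP\victim
"""


@dataclass(frozen=True)
class TaskEvent:
    ts: str
    task_name: str
    command: str         # executable the task launches
    arguments: str
    parent_process: str  # process that called the Task Scheduler API
    user: str


def parse_log(text):
    """Parse constructed 'ts|task|command|args|parent|user' lines."""
    events = []
    for line in text.strip().splitlines():
        fields = line.split("|", 5)
        if len(fields) == 6:
            events.append(TaskEvent(*fields))
    return events


def score_task(ev):
    """Return the list of indicators that apply to one task registration."""
    reasons = []
    action = f"{ev.command} {ev.arguments}"
    if INTERPRETER.search(ev.command):
        reasons.append("script/AutoIt interpreter as task action")
    if SCRIPT_PAYLOAD.search(action):
        reasons.append("script or compiled AutoIt payload in the action")
    if USER_WRITABLE.search(action):
        reasons.append("action runs from a user-writable path")
    if SCRIPT_HOST_PARENT.search(ev.parent_process):
        reasons.append("registered by a script host or installer process")
    return reasons


def triage(events, min_indicators=2):
    """Flag tasks that match at least `min_indicators` indicators."""
    findings = []
    for ev in events:
        reasons = score_task(ev)
        if len(reasons) >= min_indicators:
            findings.append((ev.task_name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_log(SAMPLE_LOG)):
        print(name, "->", "; ".join(reasons))
```

Requiring two independent indicators keeps a vendor updater registered by an MSI installer (one indicator) below the alert line, while the AutoIt action in a user profile directory registered from cmd.exe trips all four.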

Account takeover and misuse of Google Find My Device

Post‑compromise, the malware harvests Google and Naver credentials, signs into victims’ accounts, modifies security settings, and attempts to remove forensic traces. With access to the Google account, the attackers invoke Find Hub/Find My Device to track device location, remotely lock the phone, or trigger a full data wipe. Genians notes the wipe is often timed when the victim is away from home to maximize disruption and hinder incident response.

Links to Kimsuky and APT37 and a shift toward destructive outcomes

The campaign's targeting and infrastructure overlap with those of the North Korean groups Kimsuky (Emerald Sleet) and APT37 (ScarCruft), which traditionally focus on government, education, and cryptocurrency entities. While previous Konni activity emphasized long‑term espionage via RATs, the current campaign indicates a pivot toward destructive outcomes—device locking and wiping—that complicate recovery and impede investigations.

Case study: tailored social engineering against a high‑risk community

Genians documents a 5 September 2025 incident involving a South Korean consultant assisting North Korean defectors. Attackers hijacked the consultant’s trusted KakaoTalk profile to deliver a “stress relief program” to a student defector. After the PC was infected and the victim’s smartphone was reset to factory settings, the adversaries continued to distribute malicious attachments to the victim’s contacts using the active desktop session of KakaoTalk.

Why phones are wiped: isolation, anti‑forensics, and alert suppression

Remote wiping serves multiple objectives: it isolates the victim from communications and security checks, eliminates on‑device artifacts, delays account recovery, and prevents push notifications about suspicious activity from reaching the owner. Google has stated that no vulnerabilities in Android or Find Hub were exploited; the critical prerequisite is prior compromise of the victim’s PC and Google account takeover.

TTP analysis: living off the land in the Google ecosystem

The campaign exemplifies a cloud‑era “living‑off‑the‑land” approach: instead of relying on exploits, adversaries weaponize legitimate platform features—here, Google’s device management functions. Such activity blends into normal user behavior, reduces signature‑based detections, and makes policy‑level blocking more challenging.

Defensive guidance: practical steps for users and organizations

For users

Enable multi‑factor authentication—preferably passkeys or FIDO hardware keys—on Google and Naver accounts. Review and revoke suspicious sessions and devices in account security dashboards. Disable or restrict script and MSI execution from untrusted sources, and don’t open government‑themed attachments received over messengers. Audit Find My Device settings and remove unused sessions or recovery methods.

For organizations

Deploy EDR with robust script control (VBS/Batch/AutoIt), enforce MSI blocking from untrusted sources, and monitor Google Workspace/Naver sign‑ins with geo‑velocity and behavioral analytics. Mandate MFA/passkeys and conditional access. Where supported, alert on Find My Device actions and automate session revocation when RAT activity is detected.
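Two of the controls above, geo-velocity analytics on sign-ins and alerting on Find My Device actions, can be combined into one correlation: flag a login that would have required implausible travel speed, then flag any device action on that account within a window after it. The following is an added example, not code from Genians, Google or CyberSecureFox. The CSV event schema, the event names such as `find_hub_wipe`, the GeoIP coordinates and the thresholds are all constructed assumptions; a real deployment would feed it from the Google Workspace login audit log and whatever device-action telemetry is available.

```python
"""Impossible-travel detection with Find Hub action correlation over
sign-in events. Added example; not code from Genians, Google or
CyberSecureFox. Event schema, event names, coordinates and thresholds are
constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0             # faster than an airliner => impossible travel
MIN_DISTANCE_KM = 100.0               # ignore GeoIP jitter inside one metro area
DEVICE_ACTION_WINDOW = timedelta(hours=6)  # how long after a bad login to watch
DEVICE_ACTIONS = {"find_hub_locate", "find_hub_lock", "find_hub_wipe"}

# Constructed sample: 'user,timestamp,kind,lat,lon,city'. The second victim
# login is placed in a distant city purely to exercise the speed check.
SAMPLE_LOG = """
victim,2025-09-05T08:00:00Z,login,37.5665,126.9780,Seoul
victim,2025-09-05T09:30:00Z,login,50.1109,8.6821,Frankfurt
victim,2025-09-05T10:05:00Z,find_hub_wipe,50.1109,8.6821,Frankfurt
colleague,2025-09-05T08:00:00Z,login,37.5665,126.9780,Seoul
colleague,2025-09-05T12:00:00Z,login,35.1796,129.0756,Busan
colleague,2025-09-05T12:30:00Z,find_hub_locate,35.1796,129.0756,Busan
"""


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    kind: str    # "login" or one of DEVICE_ACTIONS
    lat: float
    lon: float
    city: str    # GeoIP label, used only in alert text


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two GeoIP points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse(text):
    """Parse the constructed CSV lines into Events, ordered per user by time."""
    events = []
    for line in text.strip().splitlines():
        user, ts, kind, lat, lon, city = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(user, when, kind, float(lat), float(lon), city))
    return sorted(events, key=lambda e: (e.user, e.ts))


def detect(events):
    """Return (user, alert_kind, detail) tuples for impossible travel and for
    device actions that follow such a login within DEVICE_ACTION_WINDOW."""
    alerts = []
    last_login = {}        # user -> most recent login Event
    suspicious_since = {}  # user -> timestamp of the impossible-travel login
    for ev in events:
        if ev.kind == "login":
            prev = last_login.get(ev.user)
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                hours = (ev.ts - prev.ts).total_seconds() / 3600
                if km >= MIN_DISTANCE_KM and hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append((ev.user, "impossible_travel",
                                   f"{prev.city}->{ev.city}: {km:.0f} km in {hours:.1f} h"))
                    suspicious_since[ev.user] = ev.ts
            last_login[ev.user] = ev
        elif ev.kind in DEVICE_ACTIONS:
            since = suspicious_since.get(ev.user)
            if since is not None and ev.ts - since <= DEVICE_ACTION_WINDOW:
                alerts.append((ev.user, "device_action_after_suspicious_login",
                               f"{ev.kind} from {ev.city}"))
    return alerts


if __name__ == "__main__":
    for user, kind, detail in detect(parse(SAMPLE_LOG)):
        print(f"[{kind}] {user}: {detail}")
```

The colleague's Seoul-to-Busan trip (a few hundred kilometres over four hours) and the later locate request stay silent, while the victim's second login and the wipe that follows it each produce an alert; the second alert is the one worth an automated session revocation, because by then the wipe has likely already begun and the priority is cutting the attacker's access to the account.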

Konni’s latest activity shows how a single desktop compromise can cascade into destructive impacts on mobile devices without any zero‑day exploits. Strengthening MFA with passkeys, tightening script execution policies, maintaining vigilant session reviews, and continuously training users to recognize phishing remain the most effective countermeasures against the abuse of legitimate cloud features.
