
Konni APT Hijacks KakaoTalk Accounts to Spread Malware in Multi-Stage Spear-Phishing Campaign

Cybersecurity News · Archived Mar 16, 2026




A threat group known as Konni APT has been caught running a multi-stage attack campaign that starts with targeted spear-phishing emails and ends with hijacking victims’ KakaoTalk messaging accounts to push malware further. The campaign was uncovered following a forensic investigation of a compromised system and relies on North Korean human rights themes to trick targets into opening files that appear completely harmless.

The attack started with emails crafted to look like official notices appointing recipients as North Korean human rights lecturers. These messages were designed to feel relevant to the target’s professional interests, making them appear credible. Inside the email was an archive containing a malicious LNK shortcut file disguised with a standard document icon. When the recipient clicked on it, the file quietly launched a PowerShell script in the background, which connected to an external command-and-control server and downloaded additional malware onto the victim’s machine.

[Figure: Overall Attack Flow (Source – Genians)]

Genians analysts identified that after gaining an initial foothold, the threat actor did not pull back. Instead, the attacker remained hidden on the infected system for an extended period, quietly collecting internal documents, user account details, and system environment data. This prolonged dwell time gave the group ample opportunity to gather meaningful intelligence before escalating the attack.

What separates this campaign from a typical phishing operation is what came next. The attacker gained unauthorized access to the victim’s KakaoTalk PC application, which was already running on the infected machine. Using the victim’s own contact list, the attacker carefully selected specific friends and sent them a malicious file disguised as a planning document for North Korea-related video content. This turned the original victim into a trusted delivery point for malware, making the secondary wave of attacks significantly harder for recipients to detect.

[Figure: Distribution of Malicious Files via KakaoTalk (Source – Genians)]

The full campaign also involved the deployment of three separate remote access tools — EndRAT, RftRAT, and RemcosRAT — all delivered as AutoIt-based scripts disguised as document files. C2 servers connected to the operation were traced to locations in Finland, Japan, and the Netherlands, suggesting a deliberate effort to spread the infrastructure across multiple borders.

The Infection Mechanism: From LNK File to Full Compromise

The malicious LNK file at the heart of this attack is far more capable than a typical shortcut. When a user double-clicks the file, it silently launches a 32-bit PowerShell process through cmd.exe, specifically using the SysWOW64 directory path — a technique that can sidestep certain security controls.

[Figure: Extracted Commands from the Malicious LNK File (Source – Genians)]

Rather than using a hardcoded filename, the PowerShell script locates the LNK file by matching a specific file size, meaning it continues to function even if renamed. Once located, the script reads a large data block embedded within the LNK file from a fixed offset and decodes it using a single-byte XOR key. The decoded result is a decoy PDF that opens for the user, making the interaction appear completely normal.

While the victim reads the decoy, the actual attack continues in the background. The LNK file deletes itself from disk immediately after execution, removing forensic evidence and making it difficult to trace the incident. Two files are then downloaded from the C2 domain — a legitimate AutoIt interpreter and a compiled malicious AutoIt script. A scheduled task is created to run every minute for 365 days, giving the attacker reliable and long-lasting access to the infected machine.
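The following is an added triage helper, not code from the article or from Genians: it treats a shortcut file the way the described loader does (a large data block sitting past the shell link header, encoded with a single-byte XOR key) and, from the analyst's side, brute-forces the key by looking for a known file header, then carves the decoded payload. The LNK layout, the key, and the decoy contents below are constructed sample data, and the offset is discovered rather than taken from the real sample.

```python
# Added example: forensic triage of a .lnk that carries a XOR-encoded payload.
# Not the article's or Genians' code; all sample bytes are constructed here.

LNK_HEADER_SIZE = 76                       # size of the ShellLinkHeader structure
LNK_MAGIC = b"\x4c\x00\x00\x00"            # HeaderSize field that opens every .lnk
# Headers worth looking for; each is at least 4 bytes to avoid chance matches.
KNOWN_MAGICS = {b"%PDF-": "pdf", b"PK\x03\x04": "zip/office", b"\xd0\xcf\x11\xe0": "ole"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_payload(blob: bytes):
    """Return (key, offset, kind) for the first single-byte key that reveals a
    known file header after the shell link header, or None if nothing matches."""
    if not blob.startswith(LNK_MAGIC):
        return None                        # not a shell link file at all
    for key in range(256):                 # key 0 also covers an unencoded payload
        for magic, kind in KNOWN_MAGICS.items():
            idx = blob.find(xor_bytes(magic, key), LNK_HEADER_SIZE)
            if idx != -1:
                return key, idx, kind
    return None


def carve_payload(blob: bytes):
    """Decode the embedded block from the discovered offset to end of file."""
    hit = find_xor_payload(blob)
    if hit is None:
        return None
    key, offset, kind = hit
    return kind, xor_bytes(blob[offset:], key)


def build_sample_lnk(key: int = 0x5A) -> bytes:
    """Constructed sample: padded header, dummy shortcut body, XOR-encoded decoy PDF."""
    decoy_pdf = b"%PDF-1.4\n%constructed decoy document\n%%EOF\n"
    header = LNK_MAGIC + bytes(LNK_HEADER_SIZE - len(LNK_MAGIC))
    body = bytes(200)                      # stand-in for the shortcut's own structures
    return header + body + xor_bytes(decoy_pdf, key)


if __name__ == "__main__":
    kind, data = carve_payload(build_sample_lnk())
    print(kind, data[:8])
```

On a real sample the carved block should be hashed and opened only in an isolated analysis environment; the decoded document is evidence, not something to render on the investigator's workstation.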
To reduce exposure to this threat, organizations and individuals should consider the following:

- Inspect or quarantine archive attachments containing LNK shortcut files before they reach end users, especially those disguised with document icons.
- Deploy EDR solutions capable of detecting abnormal process chains following LNK execution, including PowerShell spawning and scheduled task registration.
- Monitor messaging applications on corporate endpoints for unusual or high-volume file-transfer activity that falls outside a user’s normal behavior.
- Train users to confirm file types before opening them and to report suspicious attachments, even from known and trusted contacts.
- Block outbound traffic to unauthorized domains and IP addresses, with particular attention paid to confirmed C2 infrastructure associated with known threat actors.
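As an added illustration of the second recommendation (not code from the article or from any EDR product), the detection below walks process-creation telemetry by parent links and flags the two steps the article attributes to the LNK: a 32-bit PowerShell started through cmd.exe from the SysWOW64 path, and a scheduled task registered anywhere beneath that PowerShell. The event records are constructed, and the assumption that the task is registered with schtasks.exe is mine; the article only says a task running every minute was created.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Yield the process itself, then each parent, by following ppid links."""
    by_pid = {e.pid: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid


def detect_lnk_chain(events):
    """Flag the two links described in the article: a SysWOW64 PowerShell launched
    through cmd.exe, and scheduled-task registration anywhere below that PowerShell."""
    alerts = []
    for e in events:
        chain = [_name(c.image) for c in ancestors(events, e.pid)]
        parent = chain[1] if len(chain) > 1 else None
        if chain[0] == "powershell.exe" and "\\syswow64\\" in e.image.lower() and parent == "cmd.exe":
            alerts.append(f"pid {e.pid}: 32-bit PowerShell spawned via cmd.exe")
        if chain[0] == "schtasks.exe" and "/create" in e.cmdline.lower() and "powershell.exe" in chain[1:]:
            alerts.append(f"pid {e.pid}: scheduled task registered from a PowerShell chain")
    return alerts


# Constructed sample telemetry (not real logs): one chain mimicking the article's
# description and one ordinary 64-bit PowerShell session that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ..."),
    ProcEvent(201, 200, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe ..."),
    ProcEvent(202, 201, r"C:\Windows\System32\schtasks.exe", "schtasks.exe /create /sc minute /mo 1 /tn <TASK> /tr <PATH>"),
    ProcEvent(300, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for alert in detect_lnk_chain(SAMPLE_EVENTS):
        print(alert)
```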