Kimsuky APT Takes Over South Korean Androids, Abuses KakaoTalk - Dark Reading
Konni, a subset of the state-sponsored DPRK cyberespionage group, first exploits Google Find Hub, which ironically aims to protect lost Android devices, to remotely wipe devices.

Elizabeth Montalbano, Contributing Writer
November 11, 2025

One of North Korea's formidable advanced persistent threat (APT) groups is targeting Android users in South Korea with a remote reset attack that exploits a Google feature intended to help users find their devices.

Researchers at South Korean cybersecurity firm Genians discovered the attack, which uses social engineering to distribute remote access Trojans (RATs) and other malware via KakaoTalk, a South Korean messaging app. They've attributed the campaign to the Konni APT, also known as APT37, TA406, and Thallium, which is believed to be working under the umbrella of the state-sponsored group Kimsuky.

"The recently identified Konni campaign is particularly notable for cases in which Google Android-based smartphones and tablet PCs in South Korea were remotely reset, resulting in the unauthorized deletion of personal data stored on the devices," according to a blog post by Genians.

The attacks exploited Find Hub, a Google service that, ironically, is aimed at protecting lost or stolen Android devices. In this case, however, Konni uses the service to perform location tracking and to remotely wipe devices once it has taken control of them by compromising the owners' Google accounts, according to the post.

It's the first time a North Korean APT has "compromised Find Hub accounts and abused legitimate management functions to remotely reset mobile devices," according to Genians.
The attack chain also used victims' KakaoTalk PC sessions to distribute malicious files to their close contacts, exploiting that familiarity to make the malicious messages appear legitimate.

Pwning Android Users: A Complex, Multistage Cyberattack

The attack has two key stages: a spear-phishing campaign that began in July of last year and aimed to compromise specific devices, and a secondary attack that spreads malware via KakaoTalk using those compromised devices.

In the spear-phishing campaign, attackers targeted Android devices by spoofing organizations such as South Korea's National Tax Service. Once in, they conducted internal reconnaissance and information collection over a prolonged period.

Among the victims was a professional psychological counselor who supports young North Korean defectors during resettlement, providing services such as career guidance, educational counseling, and mentoring. Attackers later used this compromised account, among others, to propagate malicious files via KakaoTalk.

The threat actor also gained unauthorized access to the victim's PC and stole a large volume of personally identifiable information (PII), sensitive data, and private content captured through the webcam, according to Genians.

Inside the Psychological Counselor Hack

Specifically, attackers compromised the KakaoTalk account of the psychological counselor on Sept. 5. Once the account was compromised, attackers used Find Hub's location query, then executed a remote reset command on both an Android smartphone and a tablet. "The remote reset halted normal device operation, blocking notification and message alerts from messenger applications and effectively cutting off the account owner's awareness channel, thereby delaying detection and response," according to Genians.

Attackers then sent a malicious file disguised as a "stress relief program" to one of the counselor's North Korean student defectors.
"Execution of the file resulted in infections on several devices" that required remediation, according to Genians. The files distributed were malicious AutoIt scripts and modules that enable remote access and keylogging, as well as various RATs, including LilithRAT and RemcosRAT. Then, 10 days later on Sept. 15, a separate victim's KakaoTalk account was used to distribute similar malicious files en masse, in a single simultaneous wave.

"These findings show that the attackers deliberately targeted services built on social trust to amplify their impact, reflecting more advanced tactics and increasingly sophisticated methods of concealment," according to the post.

Mitigating Cyberespionage Attacks

Kimsuky and the groups under its umbrella are consistently upgrading their tactics to further their cyberespionage and financial goals in support of the North Korean regime. Multistage attacks that abuse trusted relationships, like the one Konni carried out here, are becoming increasingly common and demand attention from defenders, according to the researchers.

Specifically, organizations can protect themselves by leveraging available forensic analysis and threat intelligence, which help determine the root cause of these attacks and prevent recurrences among their own employees or networks, according to Genians.
To that end, the researchers have provided a list of indicators of compromise (IoCs) for the Konni attacks to help identify potential infiltration, including domains and IP addresses associated with the campaign.

The researchers also strongly recommend strengthening real-time, behavior-based detection and IoC-linked monitoring through endpoint detection and response (EDR).