- Konni attacks use phishing disguised as official notices to steal credentials.
- Threat actors hijack victims’ KakaoTalk desktop apps to spread malware to contacts.
- The campaign uses multiple remote access trojans (RATs) for long-term persistence.
- The malicious LNK file drops decoy content while secretly executing malware.
South Korean threat intelligence firm Genians has revealed that North Korean hacking group Konni waged a persistent campaign in March 2026, using phishing to hijack victims’ KakaoTalk applications to spread malware. Their report noted attackers first compromised a victim desktop for an extended period. Consequently, the hackers stole internal documents and sensitive information while hiding on the endpoint.
The initial spear-phishing email was disguised as a notice appointing the recipient as a North Korean human rights lecturer. However, it contained a malicious ZIP attachment with a Windows shortcut (LNK) file. This file downloaded a next-stage payload, established persistence, and displayed a decoy PDF as a distraction.
The primary malware is a remote access trojan (RAT) named EndRAT, written in AutoIt. Meanwhile, analysis of the infected host uncovered additional scripts for RftRAT and RemcosRAT. This indicates the adversary deployed multiple RAT families for improved resilience, Genians said.
An crucial aspect involves abusing the victim’s KakaoTalk desktop app to distribute malicious ZIP files to specific contacts. Therefore, existing victims became intermediaries for further attacks. The campaign uses filenames disguised as materials introducing North Korea-related content.
This is not the first time Konni has abused KakaoTalk sessions. In November 2025, the group sent malicious payloads to contacts while initiating a remote wipe of Android devices. Consequently, the latest activity represents a multi-stage attack combining long-term persistence, information theft, and account-based redistribution.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
