BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Konni Phishing Campaign Hijacks KakaoTalk

Konni group hijacks KakaoTalk to spread multiple RATs via phishing lures.

  • Konni attacks use phishing disguised as official notices to steal credentials.
  • Threat actors hijack victims’ KakaoTalk desktop apps to spread malware to contacts.
  • The campaign uses multiple remote access trojans (RATs) for long-term persistence.
  • The malicious LNK file drops decoy content while secretly executing malware.

South Korean threat intelligence firm Genians has revealed that North Korean hacking group Konni waged a persistent campaign in March 2026, using phishing to hijack victims’ KakaoTalk applications to spread malware. Their report noted attackers first compromised a victim desktop for an extended period. Consequently, the hackers stole internal documents and sensitive information while hiding on the endpoint.

- Advertisement -

The initial spear-phishing email was disguised as a notice appointing the recipient as a North Korean human rights lecturer. However, it contained a malicious ZIP attachment with a Windows shortcut (LNK) file. This file downloaded a next-stage payload, established persistence, and displayed a decoy PDF as a distraction.

The primary malware is a remote access trojan (RAT) named EndRAT, written in AutoIt. Meanwhile, analysis of the infected host uncovered additional scripts for RftRAT and RemcosRAT. This indicates the adversary deployed multiple RAT families for improved resilience, Genians said.

An crucial aspect involves abusing the victim’s KakaoTalk desktop app to distribute malicious ZIP files to specific contacts. Therefore, existing victims became intermediaries for further attacks. The campaign uses filenames disguised as materials introducing North Korea-related content.

This is not the first time Konni has abused KakaoTalk sessions. In November 2025, the group sent malicious payloads to contacts while initiating a remote wipe of Android devices. Consequently, the latest activity represents a multi-stage attack combining long-term persistence, information theft, and account-based redistribution.

- Advertisement -

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Cambridge: Ethereum Energy Intensity Low, Overall Use High

Ethereum consumes roughly 7.87 GWh annually, the second-lowest energy intensity per market value among...

Saylor and Back oppose BIP-110 fork over Bitcoin security fears

Michael Saylor and Adam Back have publicly opposed BIP-110, a temporary Bitcoin fork proposal...

China, India groups target Pakistani police in cyber espionage

Suspected China- and India-aligned threat actors targeted Pakistani law enforcement in a sustained cyber...

AMD Stock Dips 10% Amid AI Volatility Ahead of Q3 Earnings

AMD stock fell nearly 10% from $580 on June 30 to roughly $516 by...

Bitcoin Creator Back Warns BIP-110 Data Limit Could Split Network

Adam Back said Bitcoin has "robustly rejected" BIP-110, arguing the proposal conflicts with the...

Must Read

Top 8 Books Every Beginner Should Read About Cryptocurrency

Cryptocurrency and blockchain technology are filled with technical terms that beginners find challenging to understand. One of the best ways to learn about cryptocurrency...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading