
KONNI AutoIt loader and RAT delivery activity

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


KONNI operators used a disguised MSI installer to drop an AutoIt loader that established persistence and fetched additional payloads, raising the impact of the intrusion chain. The loader connected to C2 servers and enabled delivery of RemcosRAT, QuasarRAT, and RftRAT, expanding remote control over compromised systems. The activity mattered because the malware chain paired social engineering with staged payload delivery to support follow-on compromise and destructive abuse. The operation also used trusted messaging channels, increasing the chance that victims would execute the installer.

Related Happenings

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 · Last: 27.04.2026 14:23 · Sources: 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Konni multi-stage KakaoTalk phishing campaign

Campaign
First: 17.03.2026 11:53 · Last: 17.03.2026 11:53 · Sources: 1

About this happening: The **Konni** operation is expanding through **spear-phishing** and abused **KakaoTalk** desktop accounts, increasing the chance that one compromise reaches multiple contacts. It...

KONNI KakaoTalk and Google Find Hub Android-wiping campaign

Campaign
First: 11.11.2025 02:46 · Last: 11.11.2025 02:46 · Sources: 1

How related: The operation, uncovered by the Genians Security Center (GSC), is linked to the long-running KONNI advanced persistent threat (APT) campaign, associated with North Korea’s Kimsuky and APT37 groups.

About this happening: The **KONNI** operation is actively combining **KakaoTalk spear-phishing** with **Google Find Hub** abuse to track targets and remotely wipe **Android devices**, raising data-loss...

InedibleOchotense spear phishing campaign impersonating ESET

Campaign
First: 07.11.2025 14:20 · Last: 07.11.2025 14:20 · Sources: 1

About this happening: The **InedibleOchotense** spear phishing campaign impersonating **ESET** delivered a **trojanized installer** and **Kalambur backdoor**, creating a direct infection risk for targe...

Nimbus Manticore Western Europe critical infrastructure targeting campaign

Campaign
First: 23.09.2025 00:00 · Last: 23.09.2025 00:00 · Sources: 1

About this happening: The **Nimbus Manticore** campaign now targets **critical infrastructure** in **Western Europe**, expanding the group's reach beyond the Middle East and increasing the risk of cred...

Timeline

  1. 11.11.2025 18:45 · 2 articles

    GSC reports KONNI abuse of Google Find Hub

    Initial Disclosure

    Genians Security Center described a KONNI APT campaign linked to Kimsuky and APT37 that used compromised KakaoTalk accounts to spread disguised MSI files, steal Google account credentials, and abuse Google’s Find Hub to remotely wipe Android phones and tablets, marking the first confirmed state-sponsored abuse of the feature for destructive operations.
