Find notable cyber news and cases, enriched with sources, timelines, and signals.

KONNI KakaoTalk and Google Find Hub Android-wiping campaign

Campaign
First reported
Last updated
Happening score
H score 35
2 unique sources, 2 articles

Summary

Hide ▲

The KONNI operation is actively combining KakaoTalk spear-phishing with Google Find Hub abuse to track targets and remotely wipe Android devices, raising data-loss and account-takeover risk. The activity is focused on South Koreans and uses spoofed notices from the National Tax Service and police to lure victims. After compromise, the attackers steal Google and Naver credentials, reset devices, and use hijacked KakaoTalk PC sessions to spread malicious files to contacts. The pattern was observed in incidents on September 5 and September 15, showing repeated operational use rather than a one-off event.

Related Happenings

Kimsuky March-April 2026 campaign against South Korean military and corporate entities

Campaign
H score38 First: 29.05.2026 08:57 Last: 29.05.2026 08:57 Sources 1

About this happening: The **Kimsuky** campaign ran through **March and April 2026**, using **spoofed security-installation pages** and a **fake Webex lure** against **South Korean military and corporat...

CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific

Campaign
H score34 First: 08.05.2026 18:08 Last: 08.05.2026 18:08 Sources 1

About this happening: The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...

Bitter Middle East spear-phishing campaign targeting civil society figures

Campaign
H score28 First: 09.04.2026 13:45 Last: 09.04.2026 13:45 Sources 1

About this happening: A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...

Perseus Android malware family actively distributed in the wild

Malware Activity
H score27 First: 19.03.2026 14:43 Last: 19.03.2026 14:43 Sources 1

About this happening: The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...

UNC6353 and UNC6691 Coruna iOS exploit campaign

Campaign
H score42 First: 04.03.2026 21:06 Last: 04.03.2026 21:06 Sources 1

About this happening: The **Coruna** iOS exploit campaign spread through **watering-hole** and **fake finance/crypto** lures, extending reach from **iPhone users** to **crypto users**. **UNC6353** used...

Timeline

  1. 11.11.2025 02:46 1 articles · 8mo ago

    KakaoTalk abuse of a South Korea-based counselor

    Exploitation Observed

    A threat actor compromised and abused the KakaoTalk account of a South Korea–based counselor who specializes in psychological support for North Korean defector youth, then sent a malicious file disguised as a "stress relief program" to an actual defector student. The same activity used Google Find Hub to retrieve registered Android devices, query GPS location, choose a time when the target was outside, and run remote reset commands that wiped Android devices three times, deleting critical data and disrupting KakaoTalk PC sessions.

    Show sources
  2. 11.11.2025 02:46 1 articles · 8mo ago

    Repeat attack using KakaoTalk and Google Find Hub

    Campaign Scope Update

    Genians identified another attack on a separate victim using the same KakaoTalk spear-phishing and Google Find Hub wipe workflow, showing that the Android data-wiping pattern was reused beyond the initial case. The repeated activity reinforces that the campaign was actively targeting South Koreans through messenger-based lures and remote-reset abuse.

    Show sources
  3. 11.11.2025 02:46 2 articles · 8mo ago

    KONNI Android-wiping technical analysis and IoCs

    Technical Analysis Update

    Technical analysis linked the activity to a KONNI cluster with overlapping targets and infrastructure with Kimsuky and APT37, and described spear-phishing that spoofed South Korea’s National Tax Service, the police, and other agencies. The malware chain used a digitally signed MSI/.ZIP attachment, install.bat, error.vbs, and an AutoIT script named IoKITr.au3 to set scheduled-task persistence, fetch additional payloads, and deploy RemcosRAT, QuasarRAT, and RftRAT for Google and Naver credential theft, while also documenting related indicators of compromise.

    Show sources