KONNI KakaoTalk and Google Find Hub Android-wiping campaign
Campaign
Summary
The KONNI operation is actively combining KakaoTalk spear-phishing with Google Find Hub abuse to track targets and remotely wipe Android devices, raising data-loss and account-takeover risk. The activity is focused on South Koreans and uses spoofed notices from the National Tax Service and police to lure victims. After compromise, the attackers steal Google and Naver credentials, reset devices, and use hijacked KakaoTalk PC sessions to spread malicious files to contacts. The pattern was observed in incidents on September 5 and September 15, showing repeated operational use rather than a one-off event.
Related Happenings
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
Bitter Middle East spear-phishing campaign targeting civil society figures
Campaign
First: 09.04.2026 13:45
Last: 09.04.2026 13:45
Sources 1
About this happening:
A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
Perseus Android malware family actively distributed in the wild
Malware Activity
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...
UNC6353 and UNC6691 Coruna iOS exploit campaign
Campaign
First: 04.03.2026 21:06
Last: 04.03.2026 21:06
Sources 1
About this happening:
The **Coruna** iOS exploit campaign spread through **watering-hole** and **fake finance/crypto** lures, extending reach from **iPhone users** to **crypto users**. **UNC6353** used...
Kimwolf Android botnet expands proxy-relay operations to over 2 million devices
Malware Activity
First: 05.01.2026 18:41
Last: 05.01.2026 18:41
Sources 1
About this happening:
The **Kimwolf** **Android botnet** continued to evolve as a **proxy-relay** and **DDoS** operation built on **more than 2 million infected devices**, with abuse of **exposed ADB**...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice announced a court-authorized law-enforcement operation that disrupted command-and-control (C2) infrastructure used by the IoT botnets AISURU, Kimwolf, JackSkid, and Mossad, with assistance from Canada, Germany, and private sector firms including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. The botnets were linked to distributed denial-of-service (DDoS) attacks targeting victims worldwide and to more than 2 million Android devices, while the four botnets were estimated to have infected no less than 3 million devices worldwide.
Timeline
- 11.11.2025 02:46 · 1 article · 6mo ago
KakaoTalk abuse of a South Korea-based counselor
Exploitation Observed: A threat actor compromised and abused the KakaoTalk account of a South Korea–based counselor who specializes in psychological support for North Korean defector youth, then sent a malicious file disguised as a "stress relief program" to an actual defector student. The same activity used Google Find Hub to retrieve registered Android devices, query GPS location, choose a time when the target was outside, and run remote reset commands that wiped Android devices three times, deleting critical data and disrupting KakaoTalk PC sessions.
Sources:
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- 11.11.2025 02:46 · 1 article · 6mo ago
Repeat attack using KakaoTalk and Google Find Hub
Campaign Scope Update: Genians identified another attack on a separate victim using the same KakaoTalk spear-phishing and Google Find Hub wipe workflow, showing that the Android data-wiping pattern was reused beyond the initial case. The repeated activity reinforces that the campaign was actively targeting South Koreans through messenger-based lures and remote-reset abuse.
Sources:
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- 11.11.2025 02:46 · 2 articles · 6mo ago
KONNI Android-wiping technical analysis and IoCs
Technical Analysis Update: Technical analysis linked the activity to a KONNI cluster whose targets and infrastructure overlap with those of Kimsuky and APT37, and described spear-phishing that spoofed South Korea's National Tax Service, the police, and other agencies. The malware chain used a digitally signed MSI/.ZIP attachment, install.bat, error.vbs, and an AutoIT script named IoKITr.au3 to set scheduled-task persistence, fetch additional payloads, and deploy RemcosRAT, QuasarRAT, and RftRAT for Google and Naver credential theft; the analysis also documented related indicators of compromise.
Sources:
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45
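The script chain in the technical-analysis entry above (install.bat, then error.vbs, then an AutoIT script that sets scheduled-task persistence) is the kind of process lineage an endpoint detection rule can key on. The following is an added example written for this page, not code from Genians, the cited articles, or the KONNI tooling. It assumes simplified Sysmon-style process-creation events; the interpreter image name AutoIt3.exe, the script hosts wscript.exe/cscript.exe, and schtasks.exe /create as the persistence command are assumptions not stated on the page, and every sample event, path and task name below is constructed.

```python
"""Process-lineage detection for the KONNI-style script chain described above
(install.bat -> error.vbs -> AutoIT .au3 script -> scheduled-task persistence).

Added example; not code from the cited reports. The event shape is a
simplified Sysmon Event ID 1 (process creation) record. ASSUMPTIONS not on
the page: the AutoIT interpreter image name AutoIt3.exe, the script hosts
wscript.exe/cscript.exe, and schtasks.exe /create as the persistence command.
All sample events below are constructed, not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the launched executable
    cmdline: str    # full command line


def _name(ev: ProcEvent) -> str:
    return ntpath.basename(ev.image).lower()


def is_vbs_script_host(ev: ProcEvent) -> bool:
    # wscript/cscript running a .vbs (the chain's error.vbs stage)
    return _name(ev) in {"wscript.exe", "cscript.exe"} and ".vbs" in ev.cmdline.lower()


def is_autoit_script(ev: ProcEvent) -> bool:
    # AutoIT interpreter (assumed image name) executing a .au3 script such as IoKITr.au3
    return _name(ev).startswith("autoit3") and ".au3" in ev.cmdline.lower()


def is_schtasks_create(ev: ProcEvent) -> bool:
    return _name(ev) == "schtasks.exe" and re.search(r"/create\b", ev.cmdline, re.I) is not None


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Walk parent links until the root, a missing PID, or a cycle."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list) -> list:
    """Return (rule_name, pid) tuples for events matching the script-chain rules."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        anc = ancestors(ev, by_pid)
        # Rule 1: AutoIT script launched beneath a VBS script host
        if is_autoit_script(ev) and any(is_vbs_script_host(a) for a in anc):
            alerts.append(("autoit_under_vbs_host", ev.pid))
        # Rule 2: scheduled task created from within the script chain
        if is_schtasks_create(ev) and any(is_autoit_script(a) or is_vbs_script_host(a) for a in anc):
            alerts.append(("schtasks_create_from_script_chain", ev.pid))
    return alerts


# Constructed sample lineage (not real telemetry); file names other than
# install.bat / error.vbs / IoKITr.au3 are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\msiexec.exe",
              'msiexec.exe /i "C:\\Users\\u\\Downloads\\notice.msi"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\install.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe",
              'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\error.vbs"'),
    ProcEvent(500, 400, r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
              'AutoIt3.exe "C:\\Users\\u\\AppData\\Local\\Temp\\IoKITr.au3"'),
    ProcEvent(600, 500, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\u\\AppData\\Local\\Temp\\AutoIt3.exe IoKITr.au3" /sc minute /mo 5'),
    # Benign control: a task created directly from the desktop shell, no script ancestry
    ProcEvent(700, 100, r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /tn "Backup" /tr "C:\\Tools\\backup.exe" /sc daily'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid={pid}")
```

The two rules fire only on lineage, not on file names, so renaming IoKITr.au3 or error.vbs does not evade them; the benign schtasks event (pid 700) is left alone because no script host or AutoIT interpreter sits above it. On real telemetry, parent PIDs are reused over time, so the `ancestors` walk should additionally match on process start time or the ProcessGuid that Sysmon provides.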