KONNI KakaoTalk and Google Find Hub Android-wiping campaign
Campaign
Summary
Hide ▲
Show ▼
The KONNI operation is actively combining KakaoTalk spear-phishing with Google Find Hub abuse to track targets and remotely wipe Android devices, raising data-loss and account-takeover risk. The activity is focused on South Koreans and uses spoofed notices from the National Tax Service and police to lure victims. After compromise, the attackers steal Google and Naver credentials, reset devices, and use hijacked KakaoTalk PC sessions to spread malicious files to contacts. The pattern was observed in incidents on September 5 and September 15, showing repeated operational use rather than a one-off event.
Related Happenings
Kimsuky March-April 2026 campaign against South Korean military and corporate entities
Campaign
H score38
First: 29.05.2026 08:57
Last: 29.05.2026 08:57
Sources 1
About this happening:
The **Kimsuky** campaign ran through **March and April 2026**, using **spoofed security-installation pages** and a **fake Webex lure** against **South Korean military and corporat...
Kimsuky March-April 2026 campaign against South Korean military and corporate entities
CampaignAbout this happening: The **Kimsuky** campaign ran through **March and April 2026**, using **spoofed security-installation pages** and a **fake Webex lure** against **South Korean military and corporat...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
Campaign
H score34
First: 08.05.2026 18:08
Last: 08.05.2026 18:08
Sources 1
About this happening:
The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
CallPhantom Google Play fraud campaign targeting Android users in India and Asia-Pacific
CampaignAbout this happening: The **CallPhantom** fraud campaign pushed **28 fake call-history Android apps** through the **Google Play Store**, causing **financial loss** for users who paid for fabricated dat...
Bitter Middle East spear-phishing campaign targeting civil society figures
Campaign
H score28
First: 09.04.2026 13:45
Last: 09.04.2026 13:45
Sources 1
About this happening:
A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
Bitter Middle East spear-phishing campaign targeting civil society figures
CampaignAbout this happening: A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
Perseus Android malware family actively distributed in the wild
Malware Activity
H score27
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...
Perseus Android malware family actively distributed in the wild
Malware ActivityAbout this happening: The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...
UNC6353 and UNC6691 Coruna iOS exploit campaign
Campaign
H score42
First: 04.03.2026 21:06
Last: 04.03.2026 21:06
Sources 1
About this happening:
The **Coruna** iOS exploit campaign spread through **watering-hole** and **fake finance/crypto** lures, extending reach from **iPhone users** to **crypto users**. **UNC6353** used...
UNC6353 and UNC6691 Coruna iOS exploit campaign
CampaignAbout this happening: The **Coruna** iOS exploit campaign spread through **watering-hole** and **fake finance/crypto** lures, extending reach from **iPhone users** to **crypto users**. **UNC6353** used...
Timeline
-
11.11.2025 02:46 1 articles · 8mo ago
KakaoTalk abuse of a South Korea-based counselor
Exploitation ObservedA threat actor compromised and abused the KakaoTalk account of a South Korea–based counselor who specializes in psychological support for North Korean defector youth, then sent a malicious file disguised as a "stress relief program" to an actual defector student. The same activity used Google Find Hub to retrieve registered Android devices, query GPS location, choose a time when the target was outside, and run remote reset commands that wiped Android devices three times, deleting critical data and disrupting KakaoTalk PC sessions.
Show sources
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
-
11.11.2025 02:46 1 articles · 8mo ago
Repeat attack using KakaoTalk and Google Find Hub
Campaign Scope UpdateGenians identified another attack on a separate victim using the same KakaoTalk spear-phishing and Google Find Hub wipe workflow, showing that the Android data-wiping pattern was reused beyond the initial case. The repeated activity reinforces that the campaign was actively targeting South Koreans through messenger-based lures and remote-reset abuse.
Show sources
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
-
11.11.2025 02:46 2 articles · 8mo ago
KONNI Android-wiping technical analysis and IoCs
Technical Analysis UpdateTechnical analysis linked the activity to a KONNI cluster with overlapping targets and infrastructure with Kimsuky and APT37, and described spear-phishing that spoofed South Korea’s National Tax Service, the police, and other agencies. The malware chain used a digitally signed MSI/.ZIP attachment, install.bat, error.vbs, and an AutoIT script named IoKITr.au3 to set scheduled-task persistence, fetch additional payloads, and deploy RemcosRAT, QuasarRAT, and RftRAT for Google and Naver credential theft, while also documenting related indicators of compromise.
Show sources
- APT37 hackers abuse Google Find Hub in Android data-wiping attacks — www.bleepingcomputer.com — 11.11.2025 02:46
- Android Devices Targeted By KONNI APT in Find Hub Exploitation — www.infosecurity-magazine.com — 11.11.2025 18:45