Konni APT leverages EndRAT and KakaoTalk for multi-stage phishing and lateral propagation
Summary
A North Korean advanced persistent threat (APT) group, tracked as Konni, conducted a multi-stage spear-phishing campaign to compromise targets and abuse compromised KakaoTalk desktop application sessions for malware propagation. Initial access was achieved via a spear-phishing email masquerading as an appointment notice for a North Korean human rights lecturer, leading to execution of a malicious LNK file. The payload deployed a remote access trojan (RAT) named EndRAT (written in AutoIt), establishing persistence via scheduled tasks and exfiltrating sensitive data. The adversary maintained long-term access on compromised hosts, stole internal documents, and used the victim’s KakaoTalk contacts to selectively propagate malware via ZIP archives disguised as North Korea-related content. The campaign reflects a high-trust abuse strategy, leveraging compromised user accounts to deceive additional targets.
Timeline
- 17.03.2026 11:53 (1 article)
Konni APT abuses EndRAT and KakaoTalk for multi-stage phishing and lateral malware propagation
Konni APT compromised targets via spear-phishing emails delivering a malicious LNK file that deployed EndRAT, a remote access trojan written in AutoIt. The adversary established persistence through scheduled tasks and stole sensitive data from compromised hosts. Leveraging compromised KakaoTalk sessions, the actor selectively propagated malware to contacts via ZIP files disguised as North Korea-related content, turning victims into intermediaries for further attacks.
- Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware — thehackernews.com — 17.03.2026 11:53
Information Snippets
- Initial access vector was a spear-phishing email with a ZIP attachment containing a malicious Windows shortcut (LNK) file.
  First reported: 17.03.2026 11:53 (1 source, 1 article)
- Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware — thehackernews.com — 17.03.2026 11:53
- Execution of the LNK triggered the download of a next-stage payload that installed EndRAT, a remote access trojan written in AutoIt.
  First reported: 17.03.2026 11:53 (1 source, 1 article)
- Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware — thehackernews.com — 17.03.2026 11:53
- EndRAT provides remote control capabilities including file management, remote shell access, data transfer, and persistence via scheduled tasks.
  First reported: 17.03.2026 11:53 (1 source, 1 article)
- Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware — thehackernews.com — 17.03.2026 11:53
- The threat actor maintained long-term access on compromised hosts, exfiltrating sensitive information and using KakaoTalk to propagate malicious ZIP files to selected contacts.
  First reported: 17.03.2026 11:53 (1 source, 1 article)
- Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware — thehackernews.com — 17.03.2026 11:53
- Additional RATs—RftRAT and RemcosRAT—were deployed on the infected host, indicating the victim was assessed as high-value.
  First reported: 17.03.2026 11:53 (1 source, 1 article)
- Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware — thehackernews.com — 17.03.2026 11:53
- Konni previously abused KakaoTalk in November 2025 by sending ZIP archives to contacts and remotely wiping Android devices using stolen Google credentials.
  First reported: 17.03.2026 11:53 (1 source, 1 article)
- Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware — thehackernews.com — 17.03.2026 11:53
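
A defender-side triage check for the delivery format in the initial-access snippet above (a ZIP attachment containing an LNK file), as an added example that is not taken from the cited report: it flags shortcut entries by name and by Shell Link header, including renamed and nested ones. The decoy extension list, size cap, reason labels, function names and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DECOY_EXTS = (".pdf", ".doc", ".docx", ".hwp", ".xlsx", ".txt", ".jpg")  # assumed list
MAX_NESTED = 50 * 1024 * 1024  # do not unpack nested archives larger than this


def triage_zip(data, depth=2):
    """Return (entry_name, reason) findings for shortcut files inside a ZIP."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not-a-valid-zip")]
    findings = []
    with zf:
        for info in zf.infolist():
            name, lower = info.filename, info.filename.lower()
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted: content cannot be inspected
                if lower.endswith(".lnk"):
                    findings.append((name, "lnk-extension-encrypted"))
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if lower.endswith(".lnk"):
                decoy = lower[:-4].endswith(DECOY_EXTS)
                findings.append((name, "lnk-double-extension" if decoy else "lnk-extension"))
            elif head == LNK_MAGIC:  # shortcut content under another extension
                findings.append((name, "lnk-content-renamed"))
            elif head[:4] == b"PK\x03\x04" and depth > 0 and info.file_size <= MAX_NESTED:
                inner = triage_zip(zf.read(info), depth - 1)
                findings += [(f"{name}!{n}", r) for n, r in inner]
    return findings


def build_sample():
    """Constructed sample: decoy-named shortcut plus a nested ZIP hiding one."""
    lnk = LNK_MAGIC + b"\x00" * 56  # header bytes only, not a working shortcut
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.dat", lnk)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("lecture_notice.pdf.lnk", lnk)
        z.writestr("readme.txt", "hello")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()
```

Calling `triage_zip(build_sample())` reports the decoy-named shortcut and the one hidden in the nested archive; a mail or endpoint pipeline would pass the raw attachment bytes instead.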