Konni multi-stage KakaoTalk phishing campaign

Campaign
H score 34 · 1 unique source, 1 article

Summary

The Konni operation is expanding through spear-phishing and abused KakaoTalk desktop accounts, increasing the chance that one compromise reaches multiple contacts. It matters because the intrusion combines long-term persistence, information theft, and account-based redistribution rather than a one-time lure. The latest wave used a ZIP/LNK chain to deliver EndRAT (EndClient RAT) and related remote-access tooling.

Related Happenings

DarkSword operators phishing and watering-hole campaign

Campaign
First: 18.03.2026 23:15 Last: 18.03.2026 23:15 Sources 1

About this happening: **DarkSword** operators ran a **cross-border phishing and watering-hole campaign** using an **iPhone exploit chain** against users in **Saudi Arabia** and **Ukraine**, with additi...

BeatBanker Android phishing campaign targeting Brazilian users

Campaign
First: 12.03.2026 09:56 Last: 12.03.2026 09:56 Sources 1

About this happening: A **BeatBanker** Android phishing campaign is targeting **Brazilian users**, creating a risk of device compromise and payment theft. The lure uses **Google Play Store** lookalike...

Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign

Campaign
First: 09.03.2026 23:24 Last: 09.03.2026 23:24 Sources 1

About this happening: An **ongoing Russian state-sponsored phishing campaign** is targeting **Signal** and **WhatsApp** users, with the **UK NCSC** warning on **March 31** that **Russia-based actors**...

Global Profit / MC Profit Always exposed phishing repository leak

Data Leak
First: 25.02.2026 01:57 Last: 25.02.2026 01:57 Sources 1

About this happening: An exposed repository tied to **Global Profit / MC Profit Always** leaked an **SQL database** and **Telegram webhook logs**, exposing phishing-operator communications and infrastr...

Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover

Threat Actor Meta
First: 20.02.2026 22:00 Last: 20.02.2026 22:00 Sources 1

About this happening: A new phishing-as-a-service operation tied to **Jinkusu** is proxying real login pages through attacker infrastructure, making **MFA bypass** and account takeover easier for low-s...

Timeline

  1. 17.03.2026 11:53 2 articles · 2mo ago

    Genians attributes KakaoTalk phishing campaign to Konni

    Attribution Update

    Genians attributes a North Korean phishing campaign to Konni after observing spear-phishing emails that used a ZIP attachment and Windows LNK file to install EndRAT (aka EndClient RAT). The operation abuses a victim's KakaoTalk desktop application to send malicious ZIP files to contacts, while scheduled tasks maintain persistence, a PDF decoy masks execution, and the compromised host is used to steal internal documents and sensitive information. Additional artifacts tied to RftRAT and RemcosRAT indicate a multi-stage operation built for long-term access and resilience.
