
A North Korean-linked actor known as Konni (also known as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) is believed to be responsible for a new series of data theft and remote control attacks targeting both Android and Windows devices.
“The attackers posed as psychological counselors and North Korean human rights activists and distributed malware disguised as stress relief programs,” the Genians Security Center (GSC) said in a technical report.
Notable in the attacks targeting Android devices is the attacker’s ability to abuse Google’s device tracking service Find Hub (formerly known as Find My Device) to remotely reset a victim’s device, leading to the unauthorized deletion of personal data. This activity was detected in early September 2025.
This development marks the first time a hacking group has weaponized legitimate administrative capabilities to remotely reset mobile devices. This activity also involves an attack chain in which the attacker approaches the target through a spear-phishing email, gains access to their computer, and leverages the logged-in KakaoTalk chat app session to distribute a malicious payload to their contacts in the form of a ZIP archive.
Spear-phishing emails are said to imitate legitimate organizations such as the Internal Revenue Service, trick recipients into opening malicious attachments, and deliver remote access Trojans like Lilith RAT that can remotely take over compromised machines and deliver additional payloads.
Konni attack flow
“The attackers remained dormant on compromised computers for over a year, spying on them via webcams and operating systems in users’ absence,” GSC said. “In this process, access gained during the initial infiltration allows for system control and additional intelligence gathering, while evasion tactics allow for long-term concealment.”
Once the malware is deployed on a victim’s computer, the attacker can perform internal reconnaissance and monitoring, as well as steal the victim’s Google and Naver account credentials. The stolen Google credentials are used to log into Google’s Find Hub and initiate a remote wipe of the device.
In one case, the attacker was found to have signed into a recovery email account registered with Naver, deleted security alert emails from Google, and emptied the Trash folder in the inbox to hide any trace of their fraud.

The ZIP files propagated via the messaging app contain a malicious Microsoft Installer (MSI) package (‘Stress Clear.msi’) that carries a valid signature issued to a Chinese company to lend legitimacy to the application. Once launched, it runs a Visual Basic Script (VBScript) that calls a batch script to perform initial setup and displays a bogus error message about a language pack compatibility issue, while malicious commands are executed in the background.
This includes launching an AutoIt script, configured via a scheduled task to run every minute, that executes additional commands received from an external server (‘116.202.99’). Although this malware shares some similarities with Lilith RAT, it has been codenamed EndRAT (also known as EndClient RAT, per security researcher Ovi Liber) because of the observed differences.
The list of supported commands is:
shellStart: start a remote shell session
shellStop: stop the remote shell
updates: send system information
list: list a drive or the root directory
goUp: move up one directory
download: extract a file
upload: receive a file
execution: run a program on the host
Delete: delete files on the host
According to Genians, the Konni APT attacker leveraged an AutoIt script to launch Remcos RAT version 7.0.4, which was released by its administrator Breaking Security on September 10, 2025, indicating that the attackers are actively using the new version of the Trojan in their attacks. Quasar RAT and RftRAT, another Trojan used by Kimsuky in 2023, were also observed on victim devices.
“This suggests that this malware is tailored to South Korea-focused operations and requires significant effort to obtain relevant data and conduct detailed analysis,” the South Korean cybersecurity firm said.
Details on Lazarus Group’s new Comebacker variant
The disclosure comes as ENKI details how Lazarus Group used the latest version of the Comebacker malware in attacks targeting aerospace and defense organizations, using Microsoft Word document lures tailored to each espionage target. The lures mimic Airbus, Edge Group, and the Indian Institute of Technology Kanpur.
When a victim opens the file and enables macros, the infection chain begins, executing the embedded VBA code and delivering a decoy document that is displayed to the user, along with a loader component that launches Comebacker in memory.

The malware establishes communication with a command and control (C2) server via HTTPS and enters a loop in which it polls for new commands or downloads and executes encrypted payloads.
“The attacker’s use of a very specific decoy document indicates that this is a targeted spear-phishing campaign,” ENKI said in a technical report. “There have been no reports of victims to date, but the C2 infrastructure remains active as of the publication of this article.”
Kimsuky uses new JavaScript dropper
This finding also coincides with the discovery of a new JavaScript-based malware dropper used by Kimsuky in recent operations, indicating that the threat actor is continually refining its malware arsenal. The initial access mechanism by which JavaScript malware is distributed is currently unknown.
Kimsuky JavaScript dropper flow
The attack starts with a first JavaScript file (‘subject.js’), which connects to adversary-controlled infrastructure to fetch further JavaScript code capable of executing commands, exfiltrating data, and retrieving a third-stage JavaScript payload. The chain also creates a scheduled task that launches the first JavaScript file every minute and may open an empty Word document as a decoy.
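Both the EndRAT chain (an AutoIt script run every minute from a scheduled task) and the Kimsuky dropper (subject.js launched every minute) persist through the same mechanism: a scheduled task that re-runs a script interpreter on a polling cadence. The following triage script is an added example, not code from the report or from any of the researchers cited; it flags that pattern in scheduled-task XML. The four task definitions, the interpreter list and the five-minute threshold are constructed for the illustration and are not indicators from the page.

```python
"""Flag scheduled tasks that re-run a script interpreter on a short repetition
interval, the persistence pattern described above. Added example; all task
definitions below are constructed, not real indicators."""
import ntpath
import re
import xml.etree.ElementTree as ET

# Interpreters whose minute-by-minute re-launch from a task is rarely legitimate
# (assumed list for the example; tune to your environment).
INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_ARG = re.compile(r"\.(js|jse|vbs|vbe|au3|hta)\b", re.I)
SHORT_INTERVAL_SECONDS = 5 * 60  # assumed threshold: at or below this is polling cadence

# Constructed task XML in the shape Windows stores under C:\Windows\System32\Tasks
# and logs in the TaskContent field of Security event 4698 (task created).
SAMPLE_TASKS = {
    r"\Updater": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2025-09-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT1M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Users\Public\AutoIt3.exe</Command>
    <Arguments>C:\Users\Public\svc.au3</Arguments>
  </Exec></Actions>
</Task>""",
    r"\Office\Sync": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Repetition><Interval>PT1M</Interval></Repetition></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>"C:\Windows\System32\wscript.exe"</Command>
    <Arguments>//B "C:\Users\user\AppData\Roaming\subject.js"</Arguments>
  </Exec></Actions>
</Task>""",
    r"\Backup": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>PT1H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Backup\backup.exe</Command></Exec></Actions>
</Task>""",
    r"\Inventory": r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>cscript.exe</Command><Arguments>C:\Tools\inventory.vbs</Arguments></Exec></Actions>
</Task>""",
}


def iso_duration_seconds(text):
    """Convert the ISO-8601 duration Task Scheduler uses (PT1M, PT1H, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def _local(tag):
    """Strip the XML namespace prefix ('{...}Interval' -> 'Interval')."""
    return tag.rsplit("}", 1)[-1]


def _exe_name(command):
    """Normalise a <Command> value, quoted or not, to a lowercase file name."""
    return ntpath.basename(command.strip().strip('"')).lower()


def analyse_task(task_xml):
    """Return a verdict dict for one task definition."""
    root = ET.fromstring(task_xml)
    texts = lambda name: [e.text for e in root.iter() if _local(e.tag) == name and e.text]
    intervals = [iso_duration_seconds(t) for t in texts("Interval")]
    commands = texts("Command")
    arguments = " ".join(texts("Arguments"))
    min_interval = min(intervals) if intervals else None  # None: no repetition at all
    interpreter = any(_exe_name(c) in INTERPRETERS for c in commands)
    # Daily interpreter runs (e.g. an inventory script) are not flagged; the
    # signal is interpreter + short repetition interval together.
    suspicious = interpreter and min_interval is not None and min_interval <= SHORT_INTERVAL_SECONDS
    return {
        "min_interval_seconds": min_interval,
        "commands": commands,
        "interpreter": interpreter,
        "script_argument": bool(SCRIPT_ARG.search(arguments)),
        "suspicious": suspicious,
    }


def triage(tasks):
    """Map task name -> verdict for a collection of task definitions."""
    return {name: analyse_task(xml) for name, xml in tasks.items()}


if __name__ == "__main__":
    for name, v in triage(SAMPLE_TASKS).items():
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{flag:10} {name:14} interval={v['min_interval_seconds']} interpreter={v['interpreter']}")
```

In a real deployment the same function can be fed the TaskContent field of event 4698 from a SIEM, or the files under C:\Windows\System32\Tasks on a host under investigation; the hourly backup and the daily cscript inventory task show why the interval and the interpreter have to be judged together rather than alerting on either alone.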
“The Word document is empty and has no macros running in the background, so this could be the bait,” Pulsedive Threat Research said in an analysis published last week.
