Cyber Web Spider Blog – News
Konni Uses Phishing to Spread EndRAT via KakaoTalk

Posted on March 17, 2026 By CWS

North Korean cybercriminals have been leveraging phishing techniques to gain unauthorized access to victims’ KakaoTalk desktop applications, subsequently distributing malware to select contacts. This campaign has been identified by Genians, a South Korean threat intelligence firm, as the work of the Konni hacker group.

Phishing as the Initial Attack Vector

The attack begins with a spear-phishing email that masquerades as a notification about a North Korean human rights lecture. The email prompts the recipient to open a malicious LNK (Windows shortcut) file, which triggers the installation of remote access malware. This malware remains hidden on the victim’s system, enabling the theft of sensitive documents and data over an extended period.

Konni’s approach is characterized by its ability to exploit the trust inherent in compromised systems, using victims’ KakaoTalk applications to further disseminate the malware. This tactic was previously observed in November 2025, when the group used KakaoTalk sessions to distribute malicious payloads while simultaneously wiping victims’ Android devices via stolen credentials.

Advanced Malware Deployment

The spear-phishing email contains a ZIP file attachment that includes a Windows shortcut (LNK). When executed, this file downloads additional payloads from an external server, establishing persistence through scheduled tasks. It then executes the malware while displaying a decoy PDF to distract the user.
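A defender-side triage check for the initial vector described above (a ZIP attachment carrying a Windows shortcut), added here as an example and not part of the Genians report or this article: it inspects archive entries by extension, by the Shell Link file signature, and by a document-looking double extension such as `.pdf.lnk`. The sample archive is constructed inline and its file names are invented for illustration.

```python
import io
import zipfile

# Shell Link (.LNK) files begin with HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} serialized little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
DOC_EXTS = {"pdf", "doc", "docx", "hwp", "txt"}
EXEC_EXTS = {"lnk", "exe", "scr"}


def is_lnk(data: bytes) -> bool:
    """True when the first bytes match the Shell Link header, whatever the name says."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def triage_zip_attachment(zip_bytes: bytes) -> dict:
    """Flag entries that look like a shortcut-based lure; returns names and reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            head = zf.open(info).read(len(LNK_MAGIC))
            reasons = []
            if lower.endswith(".lnk"):
                reasons.append("lnk-extension")
            if is_lnk(head):  # catches shortcuts renamed to hide the extension
                reasons.append("lnk-magic")
            parts = lower.rsplit(".", 2)
            if len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS:
                reasons.append("double-extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return {"suspicious": bool(findings), "findings": findings}


def build_sample_attachment() -> bytes:
    """Constructed test archive (not a real sample): a lure shortcut, a benign
    text file and a shortcut with its extension stripped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lecture_notice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"lecture schedule")
        zf.writestr("invoice", LNK_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip_attachment(build_sample_attachment()))
```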

The downloaded malware, known as EndRAT or EndClient RAT, is written in AutoIt and gives the attacker full control over the compromised system. It supports file management, remote shell access, and data exfiltration. Further investigation revealed other malicious artifacts, including AutoIt scripts for RftRAT and RemcosRAT, suggesting the victim was a high-value target.

Propagation Through KakaoTalk

A notable aspect of the attack is the utilization of the victim’s KakaoTalk application to send malicious files disguised as North Korea-related materials to the victim’s contacts. This strategy effectively turns victims into conduits for further malware dissemination.

According to Genians, this operation represents a sophisticated, multi-stage attack that combines spear-phishing with long-term persistence, data theft, and account exploitation. The selection of specific contacts from the victim’s friend list for further targeting highlights the calculated nature of the attack.

As cyber threats continue to evolve, awareness and vigilance remain crucial in mitigating the risks posed by such sophisticated campaigns.
