Full Report
The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. "Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs," the Genians
Analysis Summary
# Threat Actor: Konni
## Attribution & Identity
Attributed to North Korea.
**Known Aliases:** Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia.
## Activity Summary
Konni has been attributed to a new set of attacks, detected in early September 2025, that target both Android and Windows devices for data theft and remote control. The campaigns rely on social engineering: attackers impersonated psychological counselors and North Korean human rights activists and distributed malware disguised as stress-relief programs. In earlier intrusions the group remained hidden on compromised computers for over a year, spying through the webcam and operating the system while the user was away.
A notable new development is the abuse of Google's device-locating service, Find Hub (formerly Find My Device), to remotely factory-reset victim Android devices, destroying the data on them. The attackers sign in to Find Hub with stolen Google credentials and were also observed logging into the associated recovery email accounts (e.g., Naver) to delete security alerts and empty trash folders, covering their tracks.
## Tactics, Techniques & Procedures
- **Initial Access & Delivery:** Spear-phishing emails mimicking legitimate entities (e.g., National Tax Service) used to gain initial computer access.
- **Propagation via Trusted Contacts:** Abusing the victim's logged-in KakaoTalk session to send malicious ZIP archives to the victim's contacts, who are more likely to open a file that arrives from a known sender.
- **Execution (Windows):** The ZIP archives contain a Microsoft Installer (MSI) package ("Stress Clear.msi") signed with a valid code-signing certificate issued to a Chinese company, so the file passes a naive signature check. The MSI drops a batch script that launches a VBScript; the VBScript displays a fake error message to the user while the remaining commands execute in the background.
- **Persistence & Execution:** An AutoIt script registered as a scheduled task runs every minute and executes commands received from an external server.
- **Remote Control & Espionage:** Deployed malware allows for internal reconnaissance, monitoring (webcam spying), and long-term concealment.
- **Credential Theft:** Exfiltrating Google and Naver account credentials.
- **Destructive Action (Android):** Using stolen Google credentials to initiate factory resets via Google Find Hub.
- **Use of Known Tools:** Utilizing Remote Access Trojans (RATs) such as Lilith RAT and recently updated versions of Remcos RAT (v7.0.4) and Quasar RAT.
## Targeting
- **Sectors:** Not explicitly detailed by sector in the provided text, but the methods imply targets with sensitive personal or professional data, including individuals associated with human rights activities.
- **Geography:** Not explicitly detailed, but the use of Naver and KakaoTalk (South Korean services) and the National Tax Service lure indicate South Korean targets or targets who use Korean services.
- **Victims:** Individuals targeted through impersonation as psychological counselors and North Korean human rights activists.
## Tools & Infrastructure
- **Malware Families Used:**
- Lilith RAT (used in initial intrusion).
- EndRAT (newly observed malware codename, potentially similar to EndClient RAT).
- Remcos RAT (version 7.0.4, actively updated by the threat actors).
- Quasar RAT.
- **Infrastructure:**
- External server for command execution: `116.202.99[.]218` (Defanged).
## Implications
Konni demonstrates sophisticated initial access techniques via spear-phishing and misuse of common communication channels (KakaoTalk). Its ability to remain undetected for over a year while spying is significant. The most critical escalation observed is the weaponization of a legitimate device-management service (Google Find Hub) to achieve remote, unauthorized data destruction on Android devices, a destructive capability not previously observed for this group.
## Mitigations
- **Email Security:** Implement advanced email filtering to detect spear-phishing that mimics tax authorities (e.g., the National Tax Service) or other trusted organizations.
- **Application Validation:** Treat executables delivered through non-standard channels (such as chat apps) as untrusted even when they carry a valid signature: a valid Authenticode signature proves only that the signer held the certificate (here, one issued to an unrelated Chinese company), not that the software is benign, so check that the signer matches the publisher you expect.
- **Endpoint Detection & Response (EDR):** Monitor for scheduled tasks with minute-level repetition that launch script interpreters (AutoIt, wscript), for MSI installs that drop batch and VBScript files, and for error dialogs that coincide with background command execution.
- **Account Security:** Enable Multi-Factor Authentication (MFA/2FA) on Google and Naver accounts so that a stolen password alone cannot be used to sign in, and review recent account activity and security alerts; the attackers deleted such alerts from recovery mailboxes to hide their logins.
- **Device Management:** Anyone who can sign in as the Google account owner can factory-reset the linked Android devices through Find Hub, so protect the account accordingly, review the devices linked to it, and keep backups of data that exists only on the phone.
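The persistence step in the TTPs above (an AutoIt script run by a scheduled task every minute) and the EDR mitigation that asks for monitoring of such tasks can both be checked with one hunt over Task Scheduler definitions. The following is an added example written for this summary, not code from the Genians report or from the page: it parses Windows Task Scheduler XML (the files under `C:\Windows\System32\Tasks`, or the output of `schtasks /query /xml /tn <name>`) and flags any task whose repetition interval is one minute or less and whose action launches a script interpreter or passes it a script file. The two sample task definitions, the task names, the file paths and the 60-second threshold are assumptions made for the example, not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler definitions (the files under
# C:\Windows\System32\Tasks and the output of `schtasks /query /xml /tn <name>`).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters and script extensions used in the Konni chain (AutoIt, VBScript
# via wscript, batch via cmd) plus the usual staging interpreters.
SCRIPT_HOSTS = ("autoit3.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe")
SCRIPT_EXTENSIONS = (".au3", ".vbs", ".bat", ".cmd", ".ps1")

# Assumed threshold: a repetition interval this short is rare for legitimate software.
MAX_INTERVAL_SECONDS = 60


def parse_iso_duration(value: str) -> int:
    """Convert a Task Scheduler duration (PT1M, PT30S, P1DT2H, ...) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def min_repetition_seconds(task: ET.Element):
    """Shortest repetition interval over all triggers, or None if the task never repeats."""
    intervals = [parse_iso_duration(el.text)
                 for el in task.findall(".//t:Repetition/t:Interval", NS) if el.text]
    return min(intervals) if intervals else None


def exec_actions(task: ET.Element) -> list:
    """Return 'command arguments' strings for every <Exec> action of the task."""
    actions = []
    for ex in task.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        actions.append(f"{cmd} {args}".strip())
    return actions


def looks_like_script_host(action: str) -> bool:
    """True if the action launches a script interpreter or passes it a script file
    (the extension check also catches a renamed AutoIt binary fed an .au3 script)."""
    lowered = action.lower()
    tokens = [tok.strip('"') for tok in lowered.split()]
    return any(host in lowered for host in SCRIPT_HOSTS) or any(
        tok.endswith(SCRIPT_EXTENSIONS) for tok in tokens)


def evaluate_task(xml_data, name="<unnamed>") -> dict:
    """Parse one task definition (a str, or the raw bytes of an on-disk UTF-16 file)
    and return a verdict together with the evidence behind it."""
    root = ET.fromstring(xml_data)
    interval = min_repetition_seconds(root)
    hits = [a for a in exec_actions(root) if looks_like_script_host(a)]
    return {"task": name, "interval_seconds": interval, "script_host_actions": hits,
            "suspicious": interval is not None and interval <= MAX_INTERVAL_SECONDS and bool(hits)}


# Constructed sample definitions for this example; task names and paths are
# assumptions, not indicators from the report.
_HEAD = '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
SUSPICIOUS_TASK_XML = _HEAD + """
  <Triggers><TimeTrigger>
    <StartBoundary>2025-09-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\Public\\Music\\AutoIt3.exe</Command>
    <Arguments>C:\\Users\\Public\\Music\\update.au3</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK_XML = _HEAD + """
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-09-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command><Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for task_name, xml in (("StressClearUpdate", SUSPICIOUS_TASK_XML),
                           ("ExampleVendorUpdate", BENIGN_TASK_XML)):
        print(evaluate_task(xml, task_name))
```

To run it against a live host, read each file under the Tasks directory with `open(path, "rb")` and pass the bytes to `evaluate_task`; the on-disk definitions are UTF-16 with an XML declaration, which `ET.fromstring` handles from bytes. A daily task that runs a vendor updater is left alone, and so is a once-a-minute task that launches a plain executable; only the combination of a short repetition interval and a script interpreter (or script file) in the action is flagged, which keeps the hunt focused on the loader pattern described above rather than on scheduled tasks in general.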