North Korea-backed group hijacks Google’s Find Hub in credential theft campaign

The North Korean hacker group Konni has discovered a new set of attacks that, for the first time, use Google’s Find Hub asset tracking feature. The attacks target both Android and Windows devices to steal data and gain remote control.

The activity detected in early September 2025 revealed that the attacks can exploit Google’s asset tracking services Find Hub, thereby leading to the unauthorized deletion of personal data.

The hack starts with an attack chain in which Konni sends spear-phishing emails to targets to get access to their computers. They then use the targets’ logged-in KakaoTalk chat app sessions to send malicious payloads to their contacts in the form of a ZIP archive.

The Genians Security Centre (GSC) in a technical report stated, “Attackers impersonated psychological counsellors and North Korean human rights activists, distributing malware disguised as stress-relief programs.”

South Korean cybersecurity group says malware is for Korea-focused operations

According to investigators, the spear-phishing emails appear to originate from legitimate companies, such as the National Tax Service. This trick fools users into opening malicious attachments that contain remote access trojans, such as Lilith RAT, which can take control of compromised computers and send additional payloads.

The threat actor can stay hidden in the compromised computer for over a year, spying via the webcam and operating the system when the user is absent. GSC stated, “In this process, the access obtained during the initial intrusion enables system control and additional information collection, while evasion tactics allow long-term concealment.”

Konni attack flow. Source: The Hacker News

Hackers can steal the victim’s Google and Naver account credentials. After getting their hands on the stolen Google passwords, the hackers use them to log in to Google’s Find Hub and wipe their devices remotely.

For instance, these hackers logged into a recovery email account listed under Naver, and they deleted Google security alert emails. Additionally, they emptied the trash folder in the inbox to conceal their tracks.

The hackers are also using a ZIP file. It is propagated via the messaging app containing a malicious Microsoft Installer (MSI) package called “Stress Clear.msi”. This package uses a legal signature provided to a Chinese company to authenticate the application’s appearance. Once it’s started, it uses a batch script to do the basic setup.

It then runs a Visual Basic Script (VBScript) that displays a fake error message about a language pack compatibility issue while the malicious commands are executed in the background.

The malware is similar to Lilith RAT in some ways, but it has been given the code name EndRAT (also known as EndClient RAT by security researcher Ovi Liber) due to the changes that have been identified.

Genians stated that the Konni APT actors also used an AutoIt script to initiate the Remcos RAT version 7.0.4, which was publicly disclosed on September 10, 2025, by the group responsible for its maintenance. Now, hackers are using newer versions of the Trojan in their attacks. Quasar RAT and RftRAT, another trojan used by Kimsuky in 2023, have also been found on target devices.

The South Korean cybersecurity company said, “This suggests that the malware is tailored to Korea-focused operations and that obtaining relevant data and conducting in-depth analysis requires substantial effort.”

North Korea-backed hackers’ impetus grows

This attack is definitely a follow-up to the Konni APT campaign, which is tied to the Kimsuky and APT 37 groups that the North Korean government backs.

At the same time, ENKI revealed that the Lazarus Group used an updated version of the Comebacker malware in attacks against defense and aerospace companies using specially made Microsoft Word documents as bait as part of an espionage operation. They claim to be from Airbus, the Edge Group, and the Indian Institute of Technology Kanpur to deceive people.

Meanwhile, as reported by Cryptopolitan, Second Vice Foreign Minister Kim Ji-na announced that South Korea is considering sanctions against North Korea over rampant cryptocurrency crime, and that cooperation with the US is critical.