
A new campaign by the North Korean state-sponsored hacking group Konni has weaponized Google's Find Hub feature to remotely wipe Android smartphones and tablets in South Korea, disrupting victims' access and deleting sensitive data.
The wipes came after roughly a year of quieter activity and did not exploit any flaw in Find Hub: the attackers used hijacked Google accounts, so each destructive factory reset was, from Google's side, a legitimate request from the account owner.
The findings come from Genians Security Center (GSC), which linked the campaign to Konni, a group previously associated with the Kimsuky/APT37 nexus and believed to operate under North Korea's Reconnaissance General Bureau (RGB). GSC's analysis revealed a highly coordinated, multi-stage attack chain that combines phishing, credential theft, device-level disruption, and malware propagation via hijacked messaging accounts.
Abusing Google's 'Find Hub' service
Google's Find Hub (formerly Find My Device) lets an account holder locate, lock or factory-reset any Android device signed into that account. The attackers needed no exploit: after compromising the victims' Google accounts, they signed in with the stolen credentials, opened Find Hub and issued the built-in remote-wipe command, deleting data on smartphones and tablets across multiple incidents. In some cases they repeatedly triggered factory resets, keeping victims locked out of their own devices for extended periods.
This is the first documented abuse of Find Hub for destructive purposes by a state-sponsored actor, and it underlines how built-in cloud device-management features become weapons as soon as the controlling account changes hands. The feature worked exactly as designed; the failure was upstream, in credential theft.
The campaign initially targeted humanitarian and activist sectors, including psychologists working with North Korean defectors. Attackers posed as trusted individuals, such as counselors or acquaintances, on KakaoTalk, a widely used messaging app in South Korea, to deliver malware disguised as a “Stress Relief Program” in MSI installer format.
The file, Stress Clear.msi, was a digitally signed Windows Installer package bundling an AutoIt script (IoKlTr.au3). The script set up persistence via scheduled tasks and communicated with command-and-control (C2) servers hosted in Germany, Japan, and the Netherlands. A code signature, even a valid one, identifies the signer rather than vouching for the payload, so it should not be read as a trust signal on its own.
Upon execution, the malware dropped its components into the Public user profile (e.g., C:\Users\Public\Music), a location every local account can write to without elevation, and displayed a fake error message so the victim would assume the installation had simply failed. Meanwhile, the hidden scripts enabled surveillance, data exfiltration, and lateral movement.
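The persistence pattern described above (a scheduled task running an AutoIt script out of a world-writable public folder) is easy to hunt for once task definitions are exported. The following is an added example, not code from Genians or from the campaign; the task XML samples are constructed, and the Temp/ProgramData paths and Windows script hosts are this example's own assumptions about where the same technique would land on other hosts. On a real machine, export tasks with `schtasks /Query /XML ONE` or `Export-ScheduledTask` and pass the files to `hunt()`.

```python
r"""Hunt exported Task Scheduler definitions for persistence that runs an
AutoIt script (or another script host) from a user-writable drop folder
such as C:\Users\Public\Music.

Added example; the sample task XML below is constructed, not captured.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics, not signatures. Public\Music and the .au3 script come from the
# report; Temp, ProgramData and the Windows script hosts are assumptions.
DROP_FOLDERS = re.compile(
    r"(?:c:\\users\\public\\|\\appdata\\local\\temp\\|c:\\programdata\\)", re.I)
SCRIPT_HOSTS = re.compile(
    r"(?:autoit3(?:_x64)?\.exe|\.au3\b|wscript\.exe|cscript\.exe|mshta\.exe)", re.I)


def assess_task(task_xml: str) -> list[dict]:
    """Return one finding per <Exec> action that trips a heuristic."""
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", "<unnamed>", TASK_NS)
    findings = []
    for exec_action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_action.findtext("t:Command", "", TASK_NS).strip()
        arguments = exec_action.findtext("t:Arguments", "", TASK_NS).strip()
        cmdline = f"{command} {arguments}"
        reasons = []
        if DROP_FOLDERS.search(cmdline):
            reasons.append("runs from a user-writable drop folder")
        if SCRIPT_HOSTS.search(cmdline):
            reasons.append("invokes a script host or AutoIt interpreter")
        if reasons:
            findings.append({"task": name, "command": command,
                             "arguments": arguments, "reasons": reasons})
    return findings


def hunt(task_xmls) -> list[dict]:
    """Assess a collection of exported task definitions."""
    findings = []
    for task_xml in task_xmls:
        findings.extend(assess_task(task_xml))
    return findings


# Constructed samples: a task mimicking the reported persistence, a benign
# vendor updater, and a script-host task pointing into ProgramData.
SAMPLE_TASKS = [
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\StressClearUpdate</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\Music\AutoIt3.exe</Command>
      <Arguments>C:\Users\Public\Music\IoKlTr.au3</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendorUpdater</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\Updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\SyncHelper</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B C:\ProgramData\Sync\helper.vbs</Arguments>
    </Exec>
  </Actions>
</Task>""",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS):
        print(f["task"], "->", f["command"], f["arguments"], "|", "; ".join(f["reasons"]))
```

The two heuristics are deliberately independent: a script host alone is common on healthy systems, and a binary under Public or ProgramData is not always malicious, but a task that trips both is worth a look, and a match on the Public\Music path in particular should be treated as a strong lead given this report.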

The attackers timed the remote wipes to the social-engineering phase of the attack. Using Find Hub's location view to confirm that a target was physically away from the device, they triggered the wipe, leaving the victim without the phone on which they would otherwise have noticed the compromised KakaoTalk sessions and delaying detection.
Immediately after wiping a device, the attackers hijacked the victim's KakaoTalk PC session and pushed the malware to the victim's contacts, who had every reason to trust a file from a known sender.
Beyond the AutoIt scripts, the campaign deployed several Remote Access Trojans (RATs):
- RemcosRAT 7.0.4 Pro: full remote control, keylogging, and data theft.
- QuasarRAT: delivered as an AES-encrypted payload that is decrypted at runtime and injected into hncfinder.exe.
- RftRAT: loaded into cleanmgr.exe, with its C2 address concealed by subtractive obfuscation.
These components connected to geographically distributed infrastructure and used WordPress-hosted sites as C2 relays, which both complicates blocking and makes attribution harder.
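The report says only that RftRAT hides its C2 address with "subtractive obfuscation" and does not publish the scheme. The following is an added example, not code from Genians or from the malware, that assumes the simplest form of that technique: each stored byte is the plaintext byte plus a constant, and the loader recovers the string by subtracting the constant mod 256. It shows how an analyst can brute-force such a constant from an extracted blob, and why the plausibility filter matters: without the requirement for a dot in the output, more than a dozen shifts of this sample decode to innocent-looking lowercase runs. The blob is constructed from a documentation-range IP, not a real indicator.

```python
"""Brute-force a C2 string hidden with single-byte subtractive encoding.

Added example. Assumes stored = plain + key (mod 256) and decode = subtract;
the real RftRAT scheme is not described in the report. SAMPLE_BLOB is
constructed from the TEST-NET-3 documentation address 203.0.113.45.
"""
import re

# Accept host[:port] or IPv4[:port]. Requiring at least one '.' is what
# rejects the many shifts that turn digits and dots into plain letters.
C2_SHAPE = re.compile(rb"^[a-z0-9-]+(?:\.[a-z0-9-]+)+(?::\d{1,5})?$")


def sub_encode(plain: bytes, key: int) -> bytes:
    """Build-time side (assumed): add a constant to every byte."""
    return bytes((b + key) & 0xFF for b in plain)


def sub_decode(blob: bytes, key: int) -> bytes:
    """Run-time side: subtract the constant from every byte, mod 256."""
    return bytes((b - key) & 0xFF for b in blob)


def recover_c2(blob: bytes) -> list[tuple[int, bytes]]:
    """Try all 256 single-byte keys; keep decodings shaped like a C2 string."""
    hits = []
    for key in range(256):
        candidate = sub_decode(blob, key)
        if C2_SHAPE.match(candidate):
            hits.append((key, candidate))
    return hits


# Constructed sample: what an analyst might carve out of the injected payload.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = sub_encode(b"203.0.113.45:8080", SAMPLE_KEY)

if __name__ == "__main__":
    print("blob:", SAMPLE_BLOB.hex())
    for key, c2 in recover_c2(SAMPLE_BLOB):
        print(f"key=0x{key:02x} -> {c2.decode()}")
```

If the real scheme uses a multi-byte or position-dependent subtrahend, the same loop extends to trying each key byte per position and scoring the output; the point that carries over is to filter by the expected shape of the secret rather than by "looks printable".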
Because the wipe was issued through a legitimately signed-in Google account, the effective control is account security rather than the Find Hub feature itself. Android users should use a strong, unique Google account password and enable two-factor authentication, preferring phishing-resistant options such as passkeys or hardware security keys over SMS codes, and should periodically review the devices and sessions signed into the account in Google's Security Checkup. Removing a device from Find Hub does prevent remote wipes, but it also removes the ability to locate, lock or erase the device if it is genuinely lost or stolen, so that trade-off should be made deliberately rather than as a reflex.