    Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware

    By admin | March 18, 2026

    Ravie LakshmananMar 17, 2026Threat Intelligence / Endpoint Security

    North Korean threat actors have been observed sending phishing emails to compromise targets and gain access to a victim’s KakaoTalk desktop application, which they then use to distribute malicious payloads to certain contacts.

    The activity has been attributed by South Korean threat intelligence firm Genians to a hacking group referred to as Konni.

    “Initial access was achieved through a spear-phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer,” the Genians Security Center (GSC) noted in an analysis.

    “After the spear-phishing attack succeeded, the victim executed a malicious LNK file, resulting in infection with remote access malware. The malware remained concealed and persistent on the victim’s endpoint for an extended period, stealing internal documents and sensitive information.”

    The threat actor is said to have remained on the compromised host for an extended period of time, leveraging the unauthorized access to siphon internal documents and make use of the KakaoTalk application to selectively propagate the malware to specific contacts.

    The attack is notable for abusing the trust associated with compromised victims to deceive and ensnare additional targets. This is not the first time Konni has employed the messaging app as a distribution vector. In November 2025, the hacking group was found abusing signed-in KakaoTalk chat app sessions to send malicious payloads to victims’ contacts in the form of a ZIP archive, while simultaneously initiating a remote wipe of their Android devices using stolen Google credentials.

    The starting point of the latest attack campaign is a spear-phishing email that’s used as a ploy to trick recipients into opening a ZIP file attachment containing a Windows shortcut (LNK). Upon execution, the LNK file downloads a next-stage payload from an external server, establishes persistence using scheduled tasks, and ultimately executes the malware, while displaying a PDF decoy document to the user as a distraction mechanism.

    Written in AutoIt, the downloaded malware is a remote access trojan (RAT) named EndRAT (aka EndClient RAT), which allows the operator to remotely commandeer the compromised host through capabilities like file management, remote shell access, data transfer, and persistence.

    Further analysis of the infected host uncovered various malicious artifacts, including AutoIt scripts corresponding to RftRAT and Remcos RAT, indicating that the adversary deemed the victim valuable enough to drop multiple RAT families for improved resilience.

    An important aspect of the attack is the threat actor’s abuse of the KakaoTalk application installed on the infected system to send malicious ZIP files to other individuals in the victim’s contact list and infect them with the same malware. This essentially turns existing victims into intermediaries for further attacks.

    “This campaign is assessed as a multi-stage attack operation that extends beyond simple spear-phishing, combining long-term persistence, information theft, and account-based redistribution,” Genians said. “The actor selected certain contacts from the victim’s friend list and sent them additional malicious files. In doing so, the attacker used filenames disguised as materials introducing North Korea-related content to induce recipients to open the files.”
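
    Both delivery paths described above, the spear-phishing attachment and the files redistributed over KakaoTalk, rely on a ZIP archive carrying a Windows shortcut, so an archive can be triaged for embedded LNK files before anyone opens it. The Python below is an added example, not code from Genians or the original article; the function names, the constructed sample archive and the list of decoy extensions are assumptions, and the header constants follow Microsoft's MS-SHLLNK format.

```python
import io
import struct
import zipfile

# Shell Link header (MS-SHLLNK): HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20  # LinkFlags bit: the shortcut carries command-line arguments

def inspect_member(name, head):
    """Return a finding for a ZIP member that is a Windows shortcut, else None."""
    by_name = name.lower().endswith(".lnk")
    by_magic = head[:20] == LNK_MAGIC
    if not (by_name or by_magic):
        return None
    reasons = ["shortcut inside archive"]
    if by_magic and not by_name:
        reasons.append("shortcut content under a non-.lnk name")
    # Assumed list of document-style lure extensions placed before ".lnk".
    if by_name and name.lower()[:-4].endswith((".pdf", ".doc", ".docx")):
        reasons.append("document-style double extension")
    flags = struct.unpack_from("<I", head, 20)[0] if by_magic and len(head) >= 24 else 0
    if flags & HAS_ARGUMENTS:
        reasons.append("shortcut passes command-line arguments")
    return {"member": name, "reasons": reasons}

def scan_zip(blob):
    """List shortcut members of a ZIP given as bytes (mail or messenger attachment)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members: judge by name only
                with zf.open(info) as fh:
                    head = fh.read(24)  # header bytes suffice; nothing is extracted
            if hit := inspect_member(info.filename, head):
                findings.append(hit)
    return findings

def build_sample():
    """Constructed sample: a decoy-named shortcut header plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf.lnk", LNK_MAGIC + struct.pack("<I", 0x21) + bytes(52))
        zf.writestr("readme.txt", b"constructed benign file")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

    Matching on the header bytes as well as the file name means a shortcut renamed to another extension is still reported, while password-protected members can only be judged by name.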
