
North Korean APT Uses Remote Wipe to Target Android Users

North Korean hackers are exploiting Google’s Find Hub to wipe Android devices.

Ken Underhill
Nov 12, 2025

Researchers from the Genians Security Center (GSC) revealed a new wave of attacks linked to North Korean state-sponsored groups exploiting Google’s Find Hub service to remotely wipe Android devices. 

The activity is attributed to the KONNI advanced persistent threat (APT) campaign — closely associated with the Kimsuky and APT37 groups, which are known to operate under the direction of the North Korean regime. 

According to GSC, this campaign is the first confirmed instance of a threat actor weaponizing Google's device-tracking and management service for destructive purposes.

KONNI’s Targeted Spear-Phishing Campaign in South Korea

According to the GSC, the KONNI campaign has been active for years, targeting individuals in South Korea through highly personalized spear-phishing attacks. 

The group distributed malicious files disguised as “stress-relief programs” via KakaoTalk, a popular messaging platform in South Korea. 

Victims received these files from contacts impersonating acquaintances, psychological counselors, or North Korean human rights activists — an approach designed to exploit personal trust.

The Multilateral Sanctions Monitoring Team (MSMT), the 11-nation body that monitors enforcement of UN Security Council sanctions on North Korea, has confirmed operational links between Kimsuky, KONNI, and North Korea's 63 Research Center. 

These groups are part of a broader strategy by Pyongyang to conduct cyber espionage, surveillance, and financial theft to support sanctioned activities.

Google Find Hub Exploited for Remote Wipe Campaigns

The most concerning aspect of the newly identified campaign is its abuse of Google’s Find Hub, a legitimate feature designed to help users locate or reset lost Android devices. 

After compromising victims' Google account credentials, the attackers used Find Hub's legitimate management functions to factory-reset smartphones and tablets, erasing data and cutting off communications. Severing victims from their devices in this way delayed detection and response.

Investigators confirmed that the attackers tracked victims’ real-time GPS locations and triggered remote wipe commands after confirming that the device owners were away. 

This coordinated sequence — device neutralization followed by secondary propagation through compromised KakaoTalk accounts — demonstrates a high degree of tactical sophistication.

How the KONNI Attack Unfolded

The campaign began with spear-phishing emails impersonating trusted organizations, such as South Korea’s National Tax Service. 

Once victims opened the malicious attachments, the attackers gained initial access and established persistence using AutoIt-based malware.

These scripts performed continuous surveillance, harvested data, and installed additional payloads, including remote access trojans (RATs) such as RemcosRAT, QuasarRAT, and RftRAT.

The attackers relied on Microsoft Installer (MSI) files containing valid digital signatures to bypass security checks. 

Inside, batch files and Visual Basic scripts executed stealthy payloads, while fake “language pack” error messages concealed malicious activity. 

The malware established persistence by creating scheduled tasks that relaunched the payload every minute, giving the operators long-term control that survived system restarts.

Once control was achieved, the threat actors exfiltrated credentials for both Google and Naver accounts, deleted security alerts to cover their tracks, and used the stolen data to execute multiple remote wipe commands through Find Hub. 

Victims experienced repeated device resets, loss of stored data, and ongoing system disruption, while their compromised messaging sessions were weaponized to spread further infections.
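The persistence step described above (a scheduled task that re-runs a script payload every minute and also fires at logon) leaves a recognizable footprint in the Task Scheduler XML that Windows stores under C:\Windows\System32\Tasks and that `schtasks /query /xml` exports. The following detector is an added example written for this page, not code from Genians or from the KONNI samples; the two task definitions it checks are constructed, the five-minute threshold and the list of script hosts are assumptions, and it generalizes beyond the one-minute task in the report to any short repetition interval paired with a risky action.

```python
"""Flag scheduled tasks that match the KONNI-style persistence pattern:
a short repetition interval, optionally logon/boot triggers, and an action
that launches a script host from a user-writable path.

Input is Task Scheduler XML (the format under C:\Windows\System32\Tasks).
Both sample tasks below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters and launchers typically used to stage batch/VBS/AutoIt payloads (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe",
                "powershell.exe", "autoit3.exe"}
# Locations a non-admin user can write to, where dropped payloads usually live.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\\s]+\\appdata\\|\\users\\public\\|\\programdata\\|\\temp\\", re.I)


def parse_interval(duration: str) -> timedelta:
    """Parse the ISO-8601 duration Task Scheduler uses (PT1M, PT30S, P1DT2H30M...)."""
    duration = (duration or "").strip()
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration)
    if not m:
        raise ValueError(f"unrecognised duration {duration!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def analyze_task(task_xml: str, max_interval: timedelta = timedelta(minutes=5)) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one task definition."""
    root = ET.fromstring(task_xml)
    findings = []

    # Trigger side: how often does it re-run, and does it come back after a reboot?
    intervals = [parse_interval(i.text) for i in root.iterfind(".//t:Repetition/t:Interval", NS)]
    short_repeat = bool(intervals) and min(intervals) <= max_interval
    if short_repeat:
        findings.append(f"repeats every {min(intervals)}")
    if root.find(".//t:LogonTrigger", NS) is not None or root.find(".//t:BootTrigger", NS) is not None:
        findings.append("also fires at logon/boot (survives restarts)")

    # Action side: what gets launched, and from where?
    action_findings = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        command = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            action_findings.append(f"launches script host {exe}")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(args):
            action_findings.append("runs content from a user-writable path")
    findings.extend(action_findings)

    # A short interval alone is common in legitimate software (updaters, telemetry);
    # only flag it when it is paired with a risky action.
    return {"suspicious": short_repeat and bool(action_findings), "findings": findings}


# Constructed sample resembling the persistence described in the report.
MALICIOUS_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B "C:\Users\victim\AppData\Roaming\Update\launch.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign sample: a daily vendor updater, no repetition, installed under Program Files.
BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for name, xml_text in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task(xml_text))
```

Run it against every file under the Tasks directory (or the output of `schtasks /query /xml`) on a host suspected of compromise; the script-host list and path patterns are starting points to tune, and a task that scores on the trigger side but not the action side is still worth a look if its command points at an unsigned binary.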

Tracing the KONNI Campaign’s Global Footprint

Digital forensics and threat intelligence indicate that KONNI’s infrastructure is hosted primarily on WordPress-based servers located in Germany, Russia, and the United States, with additional relay nodes in Japan and the Netherlands. 

Linguistic traces within malicious scripts — such as North Korean vocabulary — further corroborate attribution to state-backed operators.

The GSC’s analysis also revealed that attackers labeled internal folders with terms like “Attack Weapon,” suggesting deliberate intent to develop cyberattack tools for offensive operations. 

The use of multiple RATs, AutoIt scripts, and distributed command-and-control (C2) infrastructure reflects an advanced, modular approach designed for stealth, persistence, and global reach.

Strengthen Defenses Against State-Sponsored Threats

To counter evolving state-sponsored cyber threats, organizations must strengthen both user authentication and endpoint defenses. 

The following measures focus on hardening account security, improving threat detection, and reducing the risk from social engineering tactics.  

  • Implement multi-factor authentication (MFA), use unique passwords and change them immediately on any suspected compromise, and enforce conditional access policies.
  • Adopt endpoint detection and response (EDR) and mobile device management (MDM) solutions to detect anomalous behavior and manage device security.
  • Remote-management services such as Find Hub should require an additional user verification step (PIN, fingerprint, or facial recognition) before executing a remote wipe, so that a stolen Google password alone cannot erase a device.
  • Verify files received through messenger and email platforms, use warning prompts, and provide regular security awareness training to reduce risk.
  • Segment networks, apply the principle of least privilege, and keep firmware and applications fully patched or leverage compensating, layered controls to reduce risk.
  • Monitor for abnormal login behavior, integrate threat intelligence feeds, and conduct proactive threat hunting.
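The last bullet is where this campaign is actually catchable: every destructive step (dismissing the new-sign-in alert, locating the device, issuing the wipe) was an account action performed from attacker infrastructure rather than from a network the owner normally uses. The correlation below is an added example written for this page, not a Google or Genians tool; the log format, event names, account and AS numbers (from the RFC 5398 documentation range) are constructed, and a real deployment would feed it Google Workspace or Cloud Identity audit events with the source IP resolved to an ASN or country.

```python
"""Alert on Find Hub and account-security actions issued from a network the
account owner never signed in from during a baseline period.

Event format (constructed for this example):
    <ISO timestamp> <account> <event type> <source ASN>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions worth alerting on when they come from an unfamiliar network (assumed names).
SEVERITY = {
    "find_hub_wipe": "high",            # destructive: erases the device
    "security_alert_deleted": "high",   # hides the "new sign-in" notification from the owner
    "find_hub_locate": "medium",        # real-time tracking, as done before the wipes
}

# Constructed sample: the owner signs in from AS64496 for two months; an
# intruder then signs in from AS64511, deletes the alert, tracks, and wipes.
SAMPLE_LOG = """\
2025-09-01T08:00:00 victim@example.com login AS64496
2025-09-10T19:12:00 victim@example.com login AS64496
2025-10-03T07:45:00 victim@example.com login AS64496
2025-10-03T07:50:00 victim@example.com find_hub_locate AS64496
2025-11-04T02:10:00 victim@example.com login AS64511
2025-11-04T02:14:00 victim@example.com security_alert_deleted AS64511
2025-11-04T13:30:00 victim@example.com find_hub_locate AS64511
2025-11-04T13:35:00 victim@example.com find_hub_wipe AS64511
""".splitlines()


def parse_events(lines):
    """Parse log lines into dicts, oldest first."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, account, kind, asn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "kind": kind, "asn": asn})
    return sorted(events, key=lambda e: e["ts"])


def detect(lines, baseline_days=30):
    """Return alerts for high-impact actions from ASNs absent from the account's baseline.

    The baseline is the set of ASNs each account signed in from during the first
    `baseline_days` of the log; later sign-ins from new networks do not extend it,
    so an intruder cannot whitelist their own infrastructure by logging in first.
    """
    events = parse_events(lines)
    if not events:
        return []
    baseline_end = events[0]["ts"] + timedelta(days=baseline_days)
    known = defaultdict(set)   # account -> ASNs seen for sign-ins during the baseline window
    sessions = {}              # (account, asn) -> most recent sign-in from that network
    alerts = []
    for e in events:
        key = (e["account"], e["asn"])
        if e["kind"] == "login":
            if e["ts"] <= baseline_end:
                known[e["account"]].add(e["asn"])
            sessions[key] = e
        elif e["kind"] in SEVERITY:
            if e["asn"] in known[e["account"]]:
                continue   # owner's usual network; locating one's own phone is normal there
            login = sessions.get(key)   # the sign-in that this action most likely belongs to
            alerts.append({
                "ts": e["ts"], "account": e["account"], "kind": e["kind"], "asn": e["asn"],
                "severity": SEVERITY[e["kind"]],
                "login_ts": login["ts"] if login else None,
                "minutes_since_login": (e["ts"] - login["ts"]) // timedelta(minutes=1) if login else None,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['account']} {a['kind']} from {a['asn']} "
              f"({a['minutes_since_login']} min after sign-in)")
```

Two design points matter here. First, the alert fires on the action's own source network, not only on the sign-in, so a compromised session that is replayed later still trips it. Second, a "security_alert_deleted" event from a new network is scored high on its own: in this campaign that deletion was the step that kept the victim from noticing the intrusion before the wipe, so it is the earliest point at which a responder can still intervene.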

True cyber resilience comes from combining disciplined controls, continuous visibility, and proactive defense to help organizations protect against emerging threats.

The latest KONNI-linked campaign underscores a significant evolution in state-sponsored cyber operations. 

By hijacking legitimate services like Google’s Find Hub, attackers demonstrate a growing ability to weaponize trusted tools for destructive ends. 

This growing abuse of legitimate platforms highlights why adopting a zero-trust approach — where no user or system is inherently trusted — has become essential for modern cybersecurity.
