Konni hackers deploy EndRAT malware through phishing

Researchers say the campaign turns compromised users into distribution points for further attacks.

What happened

North Korean threat actors linked to the Konni hacking group have been observed using spear phishing emails to compromise victims and deliver malware through the KakaoTalk messaging app. According to reporting by The Hacker News, the campaign starts with an email disguised as a notice appointing the recipient as a North Korean human rights lecturer. The message includes a ZIP attachment containing a malicious Windows shortcut (LNK) file; a shortcut of this kind can run commands when it is opened. Once executed, the shortcut downloads additional malware from a remote server, creates scheduled tasks to maintain access to the system, and displays a decoy PDF to distract the victim while the infection continues in the background.

Going deeper

The downloaded malware is a remote access trojan called EndRAT, also known as EndClient RAT, written in AutoIt. A remote access trojan allows attackers to remotely control infected systems, steal files, run commands, and maintain long-term access. Researchers found that the attackers remained on compromised systems for extended periods, extracting internal documents and sensitive information. The campaign also involved deploying additional malware families, such as RftRAT and Remcos RAT, suggesting the attackers layered multiple backdoors to maintain access even if one tool was detected or removed. One of the more unusual aspects of the campaign involved abusing the victim’s active KakaoTalk desktop session to distribute malicious ZIP files to selected contacts, effectively turning compromised users into intermediaries for spreading the malware.

What was said

In an analysis by The Hacker News on March 17, 2026, researchers wrote, “Initial access was achieved through a spear phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer.” They added that the campaign “extends beyond simple spear phishing, combining long-term persistence, information theft, and account-based redistribution,” where attackers steal data and then use the victim’s own accounts to spread the attack further. The researchers also said, “This campaign is assessed as a multi-stage attack operation that extends beyond simple spear-phishing, combining long-term persistence, information theft, and account-based redistribution,” explaining that the attacker selected contacts from the victim’s friend list and sent them more malicious files, using filenames disguised as North Korea-related content to trick recipients into opening them.

In the know

Another EndRAT campaign, previously linked to Konni APT, was identified using legitimate advertising infrastructure to hide malicious links and bypass email security. According to Cybersecurity News, attackers embedded malicious destinations inside trusted Google Ads tracking URLs, allowing phishing emails to appear as normal advertising traffic. The campaign targeted organizations by impersonating financial institutions and human rights groups, routing victims through Google’s ad.doubleclick.net domain to compromised WordPress sites hosting malicious ZIP files. These archives contained shortcut files that launched AutoIt scripts disguised as PDFs, which then loaded the malware directly into memory to avoid file-based detection. Researchers also found that attackers frequently rotated infrastructure and reused compromised websites for both malware delivery and command and control, reducing the effectiveness of traditional domain blocking and blacklist controls.

The bottom line

U.S. cybersecurity authorities have consistently linked Konni to North Korean-aligned espionage campaigns targeting government, diplomatic, and research organizations. The group relies on spear phishing and remote access malware to gain entry, maintain long-term access, and extract sensitive information. Activity tied to Konni continues to prioritize persistence and intelligence collection over immediate financial gain, aligning with the broader pattern seen in state-backed cyber operations.

FAQs

What is the Konni hacking group?

Konni is a threat group widely believed by researchers to be associated with North Korea and has been active for years, conducting espionage campaigns against political and research organizations.

What is an LNK file, and why is it dangerous?

An LNK file is a Windows shortcut that can execute commands or open programs. Attackers use malicious LNK files to trigger malware downloads without requiring traditional executable files.
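The lure described in this article (a ZIP attachment carrying a shortcut, with a document-style name such as a PDF to make it look harmless) can be caught at the mail gateway before anyone opens it. The script below is an added example written for this page; it is not code from the article, from the researchers it cites, or from any vendor. It inspects a ZIP held in memory, flags members by extension, by a decoy double extension (for example `notice.pdf.lnk`), and by the fixed ShellLink header that every Windows shortcut starts with, so a shortcut renamed to a harmless extension is still flagged. The extension lists and the sample archive are constructed assumptions, not indicators from the campaign.

```python
"""Flag ZIP mail attachments that contain Windows shortcut (.lnk) files.

Added example for this article; not code from the article or any vendor.
The archive contents below are constructed and do not come from the campaign.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Every Windows shortcut begins with HeaderSize 0x4C (little-endian) followed by
# the ShellLink CLSID 00021401-0000-0000-C000-000000000046. Checking these 20
# bytes detects a shortcut regardless of the name it was given.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Assumed policy lists for this example; tune them to the environment.
RISKY_EXTENSIONS = {".lnk", ".exe", ".scr", ".hta", ".js", ".vbs", ".bat", ".cmd"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".hwp", ".txt"}


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def _extensions(name: str) -> list:
    """Lower-cased extensions of a member, e.g. 'a/b.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def scan_zip_attachment(data: bytes, max_depth: int = 2, _depth: int = 0) -> list:
    """Return a Finding for each suspicious member of the ZIP given as bytes.
    Nested ZIP members are scanned recursively up to max_depth levels."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP at all; other checks handle that case
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in RISKY_EXTENSIONS:
                reasons.append(f"executable-type extension {last}")
            if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and last in RISKY_EXTENSIONS:
                reasons.append("document extension used as a decoy before a risky one")
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                reasons.append("ShellLink (.lnk) header")
            if last == ".zip" and _depth < max_depth:
                for nested in scan_zip_attachment(zf.read(info), max_depth, _depth + 1):
                    findings.append(Finding(f"{info.filename}!{nested.member}", nested.reasons))
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive resembling the lure shape; the bytes are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lecture_notice.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # double extension
        zf.writestr("readme.txt", b"plain text, nothing to see")          # benign
        zf.writestr("appendix.txt", LNK_MAGIC + b"\x00" * 60)             # renamed shortcut
    return buf.getvalue()


def wrap_in_zip(inner: bytes, name: str = "inner.zip") -> bytes:
    """Put an archive inside another archive, the nested-ZIP delivery case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, inner)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(wrap_in_zip(build_sample_zip())):
        print(finding.member, "->", "; ".join(finding.reasons))
```

The header check matters more than the extension check: the article notes that the shortcuts in the related campaign launched AutoIt scripts "disguised as PDFs", and a gateway that only looks at the last extension misses any member whose name has been chosen to look like a document.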

What does a remote access trojan do?

A remote access trojan allows attackers to control an infected computer remotely, steal files, execute commands, and maintain persistent access.

Why was KakaoTalk used to spread the malware?

Attackers exploited active KakaoTalk sessions on compromised machines to send malicious files to trusted contacts, increasing the likelihood that recipients would open them.

Why would attackers deploy multiple RAT families on one system?

Using multiple remote access tools provides redundancy and resilience. If one tool is detected or removed, attackers can continue operating through another backdoor.