The North Korea-affiliated threat actor Konni has launched new attacks targeting Android and Windows devices, marking the first time the hacking group weaponized Google's Find Hub to remotely reset and wipe victim devices after stealing credentials.
Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs. The threat actors approached targets via spear-phishing emails that mimicked legitimate entities such as the National Tax Service. Once they gained access to victims' computers, they leveraged logged-in KakaoTalk chat app sessions to distribute malicious payloads, packaged as ZIP archives, to the victims' contacts. The malware enabled the attackers to stay hidden on compromised computers for over a year, spying via webcam and operating the systems while users were away. The deployed malware collected victims' Google and Naver account credentials. Attackers then used the stolen Google credentials to log into Google's Find Hub and initiate remote wipes of victims' devices. In one case, attackers signed into a recovery email account registered with Naver, deleted security alert emails from Google, and emptied the inbox's trash folder to cover their tracks.
The ZIP file distributed via messaging apps contained a malicious Microsoft Installer package called "Stress Clear.msi" that abused a valid signature issued to a Chinese company. Once launched, it invoked a batch script and ran a Visual Basic Script displaying a fake error message about language pack compatibility issues while executing malicious commands in the background. The attack deployed an AutoIt script configured to run every minute via scheduled task, executing commands from an external server. The malware, codenamed EndRAT, supported commands including:
Konni actors also utilized AutoIt scripts to launch Remcos RAT version 7.0.4, released on September 10, 2025.
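The execution chain above (an MSI launching a batch script that runs a VBScript, followed by an AutoIt scheduled task firing every minute) leaves a recognizable footprint in endpoint telemetry. The following detection logic is an added example written for this article; it is not code from the report or from any vendor. It runs over constructed Sysmon-style process-creation events and Task Scheduler task-creation events (field names, process GUIDs, the file names install.bat and error.vbs, and the task names are assumptions) and flags a script host whose ancestry runs through cmd.exe and msiexec.exe, and any task that executes an AutoIt binary on a short repetition interval.

```python
"""Detect two artifacts of the Konni 'Stress Clear.msi' chain in constructed telemetry.

Added example, not from the report. Event fields mimic Sysmon Event ID 1
(ProcessGuid/ParentProcessGuid/Image/CommandLine) and Security Event 4698
(task name plus the task's XML definition); the sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


@dataclass
class ProcessEvent:
    guid: str
    parent_guid: str
    image: str
    command_line: str


@dataclass
class TaskEvent:
    task_name: str
    task_content: str  # XML body as logged in a 4698-style event


# Constructed sample telemetry: one benign notepad launch and the installer chain.
PROCESS_EVENTS = [
    ProcessEvent("p1", "p0", "C:\\Windows\\explorer.exe", "explorer.exe"),
    ProcessEvent("p2", "p1", "C:\\Windows\\System32\\msiexec.exe",
                 'msiexec.exe /i "C:\\Users\\u\\Downloads\\Stress Clear.msi"'),
    ProcessEvent("p3", "p2", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c install.bat"),
    ProcessEvent("p4", "p3", "C:\\Windows\\System32\\wscript.exe", "wscript.exe error.vbs"),
    ProcessEvent("p5", "p1", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]

TASK_EVENTS = [
    TaskEvent("\\Updater", """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\ProgramData\\AutoIt3.exe</Command><Arguments>run.au3</Arguments></Exec></Actions>
</Task>"""),
    TaskEvent("\\Backup", """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger/></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions>
</Task>"""),
]


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path would not split on '\\' on Linux)."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcessEvent, by_guid: dict) -> list:
    """Image names of the event's ancestors, nearest parent first."""
    names, cur = [], by_guid.get(event.parent_guid)
    while cur is not None:
        names.append(basename(cur.image))
        cur = by_guid.get(cur.parent_guid)
    return names


def find_script_host_from_installer(events: list) -> list:
    """Command lines of wscript/cscript processes descended from cmd.exe under msiexec.exe."""
    by_guid = {e.guid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in ("wscript.exe", "cscript.exe"):
            continue
        parents = ancestry(e, by_guid)
        if "cmd.exe" in parents and "msiexec.exe" in parents \
                and parents.index("cmd.exe") < parents.index("msiexec.exe"):
            hits.append(e.command_line)
    return hits


def interval_minutes(iso_duration: str):
    """Parse the ISO-8601 durations Task Scheduler uses (PT1M, PT30S, PT1H); None if unparseable."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso_duration or "")
    if not m or not any(m.groups()):
        return None
    hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return hours * 60 + mins + secs / 60


def find_high_frequency_autoit_tasks(tasks: list, max_interval_minutes: float = 5) -> list:
    """Names of tasks that run an AutoIt binary with a repetition interval at or below the threshold."""
    hits = []
    for t in tasks:
        root = ET.fromstring(t.task_content)
        commands = [c.text or "" for c in root.iter(TASK_NS + "Command")]
        intervals = [interval_minutes(i.text) for i in root.iter(TASK_NS + "Interval")]
        if not any("autoit" in c.lower() for c in commands):
            continue
        if any(v is not None and v <= max_interval_minutes for v in intervals):
            hits.append(t.task_name)
    return hits


if __name__ == "__main__":
    print("script host under installer:", find_script_host_from_installer(PROCESS_EVENTS))
    print("high-frequency AutoIt tasks:", find_high_frequency_autoit_tasks(TASK_EVENTS))
```

Both checks key on behaviour rather than on the sample's hashes or the specific signing certificate, so they survive a rebuilt payload: an installer spawning a shell that spawns a script host is unusual outside software deployment, and a one-minute AutoIt task is the beaconing cadence the report describes. In production, the ancestry walk would be fed from the EDR's process tree and the thresholds tuned against a baseline of legitimate scheduled tasks.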
A Google spokesperson told The Hacker News, "This attack did not exploit any security flaw in Android or Find Hub. The report indicates this targeted attack required PC malware to be present in order to steal Google account credentials and abuse legitimate functions in Find Hub." The spokesperson urged users to enable 2-Step Verification or passkeys to safeguard against credential theft and recommended users at elevated risk enroll in Google's Advanced Protection Program.
According to Paubox's 2025 Healthcare Email Security Report, only 5% of known phishing attacks are reported by employees to their security teams. This shows the challenge organizations face in detecting social engineering tactics like those employed in the Konni campaign.
Find Hub (formerly Find My Device) is Google's device tracking service that allows users to locate, lock, or remotely wipe their Android devices. The service is designed as a security feature to help users protect their data if devices are lost or stolen. Remote wipe functionality completely erases all data from a device, restoring it to factory settings. While this feature serves a legitimate security purpose, threat actors can abuse it once they gain unauthorized access to victims' Google accounts. This shows how adversaries weaponize legitimate device management functions rather than exploiting technical vulnerabilities.
The risks of credential theft are well-documented in healthcare. The Warby Parker breach, cited in the Paubox report, demonstrates how credential stuffing attacks can compromise nearly 200,000 patient records when attackers gain unauthorized access to email systems through stolen or leaked login credentials.
This attack represents a shift in North Korean threat actor tactics by weaponizing legitimate security features rather than exploiting software vulnerabilities. Healthcare organizations face a risk because medical professionals often access patient data on personal devices and use messaging apps like those exploited in this campaign. The year-long persistence attackers achieved on compromised systems means they could potentially access protected health information over extended periods. The combination of credential theft, remote device wiping, and evidence destruction creates an attack chain that can result in permanent data loss while covering the attackers' tracks. Healthcare entities must recognize that even properly secured cloud services become attack vectors when adversaries steal credentials through endpoint compromise. Enabling Google's Advanced Protection Program for high-risk users adds security layers that make credential-based attacks harder to execute.
They stole login credentials through malware installed on compromised Windows computers.
No, the attackers abused legitimate Find Hub features using stolen credentials rather than exploiting a flaw.
The attackers used an AutoIt-based RAT called EndRAT and Remcos RAT version 7.0.4.
They used these identities to make phishing emails appear trustworthy and increase the success of social engineering.
It harvested Naver account details, webcam footage, and other system data from infected devices.