Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon
The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control. "Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs," the Genians
AI Analysis
Technical Summary
The Konni APT group, linked to North Korea, has been observed conducting a multi-stage malware campaign targeting both Windows and Android platforms. The initial infection vector involves spear-phishing emails impersonating trusted entities such as tax authorities, delivering malicious attachments that install remote access trojans like Lilith RAT and a newly identified EndRAT variant. These RATs provide attackers with extensive control over compromised systems, including file operations, remote shell access, and system monitoring. The EndRAT malware uses signed MSI installers to appear legitimate and employs scheduled tasks to maintain persistence and receive commands from a remote server.

On Android devices, the attackers exploit stolen Google credentials to access Google's Find Hub (formerly Find My Device) service, remotely resetting devices and causing unauthorized data deletion. This represents a novel weaponization of legitimate device management functions for destructive purposes. The malware distribution also leverages social engineering by masquerading as psychological counseling or human rights activism apps, increasing the likelihood of user interaction.

The attackers also employ evasion techniques such as deleting security alert emails and using multiple RAT families (including Remcos, Quasar, and RftRAT) to maintain stealth and persistence. The campaign's sophistication is underscored by long-term espionage activities, including webcam spying and credential theft, enabling extensive internal reconnaissance and data exfiltration. While primarily focused on Korean targets, the use of globally prevalent platforms like Google services and Android devices expands the potential attack surface. The campaign also coincides with other North Korean APT activities, such as Lazarus Group's espionage campaigns targeting aerospace and defense sectors, indicating an ongoing, evolving threat landscape from DPRK-affiliated actors.
Potential Impact
European organizations face significant risks from this campaign due to widespread use of Windows and Android devices and reliance on Google services. The ability of attackers to remotely wipe devices via legitimate management tools threatens data availability and operational continuity. Credential theft and long-term system control jeopardize confidentiality and integrity, potentially leading to espionage, intellectual property theft, and disruption of critical services. The use of spear-phishing and social engineering increases the likelihood of initial compromise, especially in sectors with limited user awareness or insufficient email security. Organizations with employees or partners in Korea or those engaged in geopolitical or defense-related activities may be targeted for espionage. The campaign's stealth and persistence complicate detection and remediation, raising the risk of prolonged exposure. Additionally, the abuse of signed binaries and legitimate services challenges traditional security controls, necessitating advanced threat hunting and behavioral analytics. The potential deletion of security alerts and logs further impedes incident response efforts, increasing the impact severity.
Mitigation Recommendations
- Implement advanced email filtering and spear-phishing detection tailored to identify impersonation of trusted entities such as tax authorities and psychological counseling services.
- Enforce multi-factor authentication (MFA) on all Google and critical service accounts to prevent unauthorized access even if credentials are compromised.
- Monitor Google account activities, especially access to Find Hub and recovery email inboxes, for anomalous logins or deletion of security alerts.
- Deploy endpoint detection and response (EDR) solutions capable of identifying and blocking known RAT behaviors, including scheduled task creation, MSI installer abuse, and AutoIt script execution.
- Conduct regular user awareness training focused on recognizing social engineering tactics and suspicious attachments, emphasizing the risks of opening ZIP archives and MSI files from untrusted sources.
- Restrict the use of administrative privileges and implement application whitelisting to prevent unauthorized execution of signed but malicious binaries.
- Establish robust logging and alerting mechanisms to detect deletion or tampering of security-related emails and logs.
- Perform regular audits of device management services and enforce policies limiting remote wipe capabilities to authorized personnel only.
- Collaborate with threat intelligence providers to stay updated on emerging indicators of compromise related to Konni and associated malware families.
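The EDR recommendation above names three host-side behaviours worth alerting on: scheduled task creation for persistence, MSI installer abuse, and AutoIt script execution. The following is an added detection sketch, not code from the article, Genians, or this site. It runs simple rules over a handful of constructed Windows event records; the event IDs are real (4698 scheduled task created, 4688 process created, 11707 MsiInstaller installation completed), but the field names, hostnames, file paths, the product allowlist and every sample record are assumptions made for the example.

```python
"""Rule-based detection of the RAT behaviours listed in the mitigations.

Added example: the records below imitate the fields an EDR or Security/Application
log pipeline typically exposes. Field names and all sample values are constructed.
Event IDs are the real Windows ones:
  4698  Security log: a scheduled task was created
  4688  Security log: a new process has been created
  11707 Application log (MsiInstaller): product installation completed
"""
from dataclasses import dataclass
import re

# Script interpreters a scheduled task rarely needs to launch in a managed fleet (assumed policy).
SUSPICIOUS_EXEC = re.compile(r"(autoit3?\.exe|wscript\.exe|cscript\.exe|mshta\.exe)", re.I)
# Directories a standard user can write to: droppers and their persistence land here.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public|programdata)\\", re.I)
# Constructed allowlist of MSI products the organisation expects to see installed.
KNOWN_PRODUCTS = {"7-Zip 23.01 (x64 edition)", "CorpBackup Agent"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def check_scheduled_task(ev):
    """4698: flag tasks whose command runs from a user-writable path or via a script interpreter."""
    cmd = ev.get("task_command", "")
    if USER_WRITABLE.search(cmd) or SUSPICIOUS_EXEC.search(cmd):
        return Alert("scheduled_task_persistence", ev["host"], f"{ev.get('task_name')} -> {cmd}")
    return None


def check_process(ev):
    """4688: flag the AutoIt interpreter, and msiexec installing a package from a user-writable path."""
    image = ev.get("image", "")
    cmdline = ev.get("command_line", "")
    if re.search(r"autoit3?\.exe$", image, re.I):
        return Alert("autoit_execution", ev["host"], cmdline)
    if image.lower().endswith("msiexec.exe") and USER_WRITABLE.search(cmdline):
        return Alert("msi_from_user_dir", ev["host"], cmdline)
    return None


def check_msi_install(ev):
    """11707: a completed install of a product outside the allowlist (signed or not)."""
    product = ev.get("product", "")
    if product not in KNOWN_PRODUCTS:
        return Alert("msi_install_unlisted", ev["host"], product)
    return None


RULES = {4698: check_scheduled_task, 4688: check_process, 11707: check_msi_install}


def run_detections(events):
    """Apply the rule matching each record's event_id; return the alerts in input order."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev.get("event_id"))
        if rule is None:
            continue
        alert = rule(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one host showing the chain described on the page, one benign host.
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS-017", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\jdoe\Downloads\StressRelief_Setup.msi" /qn'},
    {"event_id": 11707, "host": "WS-017", "product": "StressRelief Helper"},
    {"event_id": 4698, "host": "WS-017", "task_name": r"\Microsoft\Windows\Update\SyncTask",
     "task_command": r"C:\Users\jdoe\AppData\Roaming\Helper\svc.exe"},
    {"event_id": 4688, "host": "WS-017", "image": r"C:\ProgramData\AutoIt3.exe",
     "command_line": r"AutoIt3.exe C:\ProgramData\run.au3"},
    {"event_id": 4688, "host": "WS-022", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"event_id": 4698, "host": "WS-022", "task_name": r"\Corp\BackupNightly",
     "task_command": r"C:\Program Files\CorpBackup\backup.exe"},
    {"event_id": 11707, "host": "WS-022", "product": "7-Zip 23.01 (x64 edition)"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The rules are deliberately path- and interpreter-based rather than hash-based, because the page stresses that the installers are signed and the binaries look legitimate; a product allowlist and "what launched from where" survive a re-signed build, whereas an IoC list does not. In a real pipeline the allowlist and the writable-directory pattern would come from the organisation's own software inventory.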
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Article Source: https://thehackernews.com/2025/11/konni-hackers-turn-googles-find-hub.html (fetched 2025-11-11T02:09:55Z, 1604 words)
Threat ID: 69129af814bc3e00ba7407a5
Added to database: 11/11/2025, 2:10:00 AM
Last enriched: 11/11/2025, 2:10:29 AM
Last updated: 11/12/2025, 5:18:01 AM