Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms
Operation Poseidon is a sophisticated spear-phishing campaign attributed to the Konni APT group. The attackers exploit Google Ads redirection mechanisms to bypass security filters and user awareness. They compromise poorly secured WordPress sites for malware distribution and C2 infrastructure. The campaign uses social engineering tactics, impersonating North Korean human rights organizations and financial institutions. Malware is delivered through LNK files disguised as PDF documents, executing AutoIt scripts that load EndRAT variants. The attackers employ advanced evasion techniques, including email content padding and abuse of legitimate advertising URLs. The campaign demonstrates evolving tactics and infrastructure reuse consistent with previous Konni activities.
AI Analysis
Technical Summary
Operation Poseidon is a sophisticated spear-phishing campaign attributed to the Konni APT group, known for targeting geopolitical and strategic interests. The attackers exploit Google Ads redirection mechanisms to bypass conventional security filters and reduce user suspicion by leveraging legitimate advertising URLs. This technique allows malicious links to appear as trusted destinations, increasing the likelihood of user interaction. The campaign employs social engineering by impersonating North Korean human rights organizations and financial institutions, targeting individuals likely interested or involved in these sectors. Malware delivery is conducted through LNK shortcut files disguised as PDF documents; when executed, these files run AutoIt scripts which subsequently load variants of the EndRAT remote access trojan. EndRAT provides attackers with persistent access, data exfiltration capabilities, and control over compromised systems. The attackers also compromise poorly secured WordPress sites to host malware payloads and command-and-control (C2) infrastructure, facilitating flexible and resilient operations. Advanced evasion techniques include email content padding to evade detection by content filters and reuse of infrastructure consistent with prior Konni campaigns, indicating operational continuity and refinement. Indicators of compromise include multiple file hashes and domains, some linked to European countries such as the UK (jlrandsons.co.uk), Poland (kppe.pl), and Belgium (optique-leclercq.be), suggesting potential targeting or collateral impact in these regions. Although no known exploits in the wild have been reported, the campaign's complexity and use of legitimate services for redirection pose significant detection challenges.
Potential Impact
For European organizations, Operation Poseidon presents a medium-level threat with potential impacts on confidentiality, integrity, and availability. The use of spear-phishing targeting specific sectors increases the risk of successful compromise of high-value individuals or entities, particularly those involved with North Korean affairs or financial institutions. Successful infection with EndRAT variants can lead to unauthorized access, data theft, espionage, and potential disruption of business operations. The abuse of Google Ads redirection mechanisms complicates detection and may lead to increased phishing success rates. Compromise of WordPress sites used for malware hosting could also affect European organizations running vulnerable web infrastructure. The campaign's evasion techniques may reduce the effectiveness of traditional email and web security solutions, necessitating more advanced detection capabilities. While the current known exploitation scope is limited, the evolving tactics and infrastructure reuse indicate a persistent threat that could escalate. The reputational damage and regulatory consequences of data breaches in Europe, especially under GDPR, further amplify the impact.
Mitigation Recommendations
1. Implement advanced email filtering solutions capable of detecting and blocking phishing emails that abuse legitimate redirection services like Google Ads.
2. Conduct targeted user awareness training focusing on spear-phishing tactics, especially regarding suspicious LNK files disguised as PDFs and social engineering impersonations related to geopolitical topics.
3. Monitor and restrict execution of LNK files and AutoIt scripts via application whitelisting and endpoint detection and response (EDR) tools.
4. Regularly audit and secure WordPress installations by applying the latest security patches, removing unused plugins/themes, and enforcing strong authentication to prevent site compromise.
5. Employ network monitoring to detect unusual outbound connections to known C2 domains or IPs associated with the campaign indicators.
6. Use threat intelligence feeds to update detection rules with the provided hashes and domains to identify potential compromises early.
7. Restrict or scrutinize the use of Google Ads redirection links in corporate email and web gateways.
8. Establish incident response plans that include rapid containment and forensic analysis for suspected EndRAT infections.
9. Collaborate with advertising platforms to report and mitigate abuse of their redirection mechanisms.
10. Implement multi-factor authentication and least privilege principles to limit attacker lateral movement post-compromise.
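Recommendations 3, 5 and 6 amount to turning the published indicators into detection logic. The following Python script is an added example (not code from the report, AlienVault or Genians) of how a defender would do that: it loads the hashes and domains from this page's indicator list and runs them over a handful of constructed DNS, proxy, endpoint-file and mail-attachment events. Domain matching is case-insensitive and also catches subdomains of a listed host, and hash matching accepts MD5, SHA-1 and SHA-256 in either case. The LNK rules are an assumption on top of the page: the report says the shortcuts are disguised as PDFs but does not state how, so the example flags any `.lnk` mail attachment and, on endpoints, only `.lnk` files whose name carries a document extension in front of `.lnk`. The event records and their field names are constructed for this example.

```python
"""Match constructed telemetry against the Operation Poseidon IoCs listed on this page.

Added example for illustration; not part of the original threat record.
"""
import re
from typing import Dict, List, Optional, Tuple

# Digests copied from the page's indicator list (MD5, SHA-1 and SHA-256), lower case.
IOC_HASHES = {
    "0171338d904381bbf3d1a909a48f4e92", "639b5489d2fb79bcb715905a046d4a54",
    "8b8fa6c4298d83d78e11b52f22a79100", "94935397dce29684f384e57f85beeb0a",
    "a58ef1e53920a6e528dc31001f302c7b", "d4b06cb4ed834c295d0848b90a109f09",
    "f5842320e04c2c97d1f69cebfd47df3d", "33057c8c7f277e89872239907792f6f2319713d4",
    "8d9d5a21d75e14410cc30e15176ecae45d17221c654ccdb94d99d131c14de6e9",
}

# Domains copied from the page's indicator list.
IOC_DOMAINS = {
    "aceeyl.com", "althouqroastery.com", "anupamaivf.com", "creativepackout.co",
    "encryptuganda.org", "genuinashop.com", "igamingroundtable.com", "jlrandsons.co.uk",
    "kppe.pl", "kyowaind.co.jp", "nationalinterestparty.com", "optique-leclercq.be",
    "pomozzi.com", "sparkwebsolutions.space", "tatukikai.jp", "vintashmarket.com",
    "appoitment.dotoit.media",
}

HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
# Assumed heuristic: a shortcut named like a document, e.g. "Statement.pdf.lnk".
DOC_THEN_LNK = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|hwp|txt)\.lnk$", re.IGNORECASE)


def domain_matches(host: str) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of, else None.

    Walks the label list from the left so 'cdn.kppe.pl' matches 'kppe.pl' while
    'notkppe.pl' does not (label boundaries are respected).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def hash_matches(digest: str) -> bool:
    """True if digest (any case) is a well-formed MD5/SHA-1/SHA-256 on the IoC list."""
    d = digest.strip().lower()
    return bool(HEX_DIGEST.match(d)) and d in IOC_HASHES


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Run the page's indicators over event dicts; return (index, rule, detail) alerts."""
    alerts: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind in ("dns", "proxy"):
            hit = domain_matches(ev["host"])
            if hit:
                alerts.append((i, "ioc_domain", hit))
        elif kind == "file":
            if hash_matches(ev["hash"]):
                alerts.append((i, "ioc_hash", ev["hash"].lower()))
            if DOC_THEN_LNK.search(ev["name"]):
                alerts.append((i, "disguised_lnk", ev["name"]))
        elif kind == "attachment":
            # Shortcut files rarely belong in mail at all; flag every one.
            if ev["name"].lower().endswith(".lnk"):
                alerts.append((i, "lnk_attachment", ev["name"]))
    return alerts


# Constructed sample events; field names and values are invented for this example.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "WWW.jlrandsons.co.uk."},             # listed host, mixed case, FQDN dot
    {"type": "proxy", "host": "cdn.appoitment.dotoit.media"},      # subdomain of a listed host
    {"type": "proxy", "host": "notkppe.pl"},                       # must not match kppe.pl
    {"type": "file", "name": "update.exe",
     "hash": "0171338D904381BBF3D1A909A48F4E92"},                  # listed MD5, upper case
    {"type": "file", "name": "Statement_2025.pdf.lnk",
     "hash": "00" * 16},                                           # unknown hash, doc-named LNK
    {"type": "attachment", "name": "invite.lnk"},
    {"type": "attachment", "name": "brochure.pdf"},
]

if __name__ == "__main__":
    for index, rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {rule} -> {detail}")
```

On the sample data the scan raises five alerts (two domain hits, one hash hit, one document-named shortcut on disk and one shortcut attachment); the `notkppe.pl` and `brochure.pdf` events stay silent. In production the indicator sets would be loaded from the threat-intelligence feed recommended above rather than hard-coded.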
Affected Countries
United Kingdom, Poland, Belgium
Indicators of Compromise
- hash: 0171338d904381bbf3d1a909a48f4e92
- hash: 639b5489d2fb79bcb715905a046d4a54
- hash: 8b8fa6c4298d83d78e11b52f22a79100
- hash: 94935397dce29684f384e57f85beeb0a
- hash: a58ef1e53920a6e528dc31001f302c7b
- hash: d4b06cb4ed834c295d0848b90a109f09
- hash: f5842320e04c2c97d1f69cebfd47df3d
- hash: 33057c8c7f277e89872239907792f6f2319713d4
- hash: 8d9d5a21d75e14410cc30e15176ecae45d17221c654ccdb94d99d131c14de6e9
- domain: aceeyl.com
- domain: althouqroastery.com
- domain: anupamaivf.com
- domain: creativepackout.co
- domain: encryptuganda.org
- domain: genuinashop.com
- domain: igamingroundtable.com
- domain: jlrandsons.co.uk
- domain: kppe.pl
- domain: kyowaind.co.jp
- domain: nationalinterestparty.com
- domain: optique-leclercq.be
- domain: pomozzi.com
- domain: sparkwebsolutions.space
- domain: tatukikai.jp
- domain: vintashmarket.com
- domain: appoitment.dotoit.media
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.genians.co.kr/en/blog/threat_intelligence/spear-phishing?hs_amp=true
- Adversary: Konni
- Pulse Id: 696d289962926b96a6584416
- Threat Score: null
Threat ID: 696df8d5d302b072d99485ac
Added to database: 1/19/2026, 9:26:45 AM
Last enriched: 1/19/2026, 9:41:42 AM
Last updated: 2/7/2026, 3:51:55 AM