Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms
Operation Poseidon is a spear-phishing campaign by the Konni APT group that abuses Google Ads redirection to evade detection and deliver malware. Attackers impersonate North Korean human rights organizations and financial institutions to lure victims. Malware is delivered via LNK files disguised as PDFs, executing AutoIt scripts that load EndRAT variants. The campaign leverages compromised WordPress sites for malware hosting and command-and-control infrastructure. Advanced evasion techniques include email content padding and use of legitimate advertising URLs. No known exploits in the wild have been reported yet. The campaign reflects evolving tactics consistent with previous Konni activities. European organizations could be targeted due to the presence of domains linked to the UK, Poland, and Belgium. Mitigation requires enhanced email filtering, user training, and monitoring of suspicious LNK files and network traffic. The threat is assessed as medium severity due to its sophisticated evasion but limited current exploitation scope.
AI Analysis
Technical Summary
Operation Poseidon is a sophisticated spear-phishing campaign attributed to the Konni APT group, known for targeting geopolitical and strategic interests. The attackers exploit Google Ads redirection mechanisms to bypass conventional security filters and reduce user suspicion by leveraging legitimate advertising URLs. This technique allows malicious links to appear as trusted destinations, increasing the likelihood of user interaction. The campaign employs social engineering by impersonating North Korean human rights organizations and financial institutions, targeting individuals likely interested or involved in these sectors. Malware delivery is conducted through LNK shortcut files disguised as PDF documents; when executed, these files run AutoIt scripts which subsequently load variants of the EndRAT remote access trojan. EndRAT provides attackers with persistent access, data exfiltration capabilities, and control over compromised systems. The attackers also compromise poorly secured WordPress sites to host malware payloads and command-and-control (C2) infrastructure, facilitating flexible and resilient operations. Advanced evasion techniques include email content padding to evade detection by content filters and reuse of infrastructure consistent with prior Konni campaigns, indicating operational continuity and refinement. Indicators of compromise include multiple file hashes and domains, some linked to European countries such as the UK (jlrandsons.co.uk), Poland (kppe.pl), and Belgium (optique-leclercq.be), suggesting potential targeting or collateral impact in these regions. Although no known exploits in the wild have been reported, the campaign's complexity and use of legitimate services for redirection pose significant detection challenges.
Potential Impact
For European organizations, Operation Poseidon presents a medium-level threat with potential impacts on confidentiality, integrity, and availability. The use of spear-phishing targeting specific sectors increases the risk of successful compromise of high-value individuals or entities, particularly those involved with North Korean affairs or financial institutions. Successful infection with EndRAT variants can lead to unauthorized access, data theft, espionage, and potential disruption of business operations. The abuse of Google Ads redirection mechanisms complicates detection and may lead to increased phishing success rates. Compromise of WordPress sites used for malware hosting could also affect European organizations running vulnerable web infrastructure. The campaign's evasion techniques may reduce the effectiveness of traditional email and web security solutions, necessitating more advanced detection capabilities. While the current known exploitation scope is limited, the evolving tactics and infrastructure reuse indicate a persistent threat that could escalate. The reputational damage and regulatory consequences of data breaches in Europe, especially under GDPR, further amplify the impact.
Mitigation Recommendations
1. Implement advanced email filtering solutions capable of detecting and blocking phishing emails that abuse legitimate redirection services like Google Ads.
2. Conduct targeted user awareness training focusing on spear-phishing tactics, especially regarding suspicious LNK files disguised as PDFs and social engineering impersonations related to geopolitical topics.
3. Monitor and restrict execution of LNK files and AutoIt scripts via application whitelisting and endpoint detection and response (EDR) tools.
4. Regularly audit and secure WordPress installations by applying the latest security patches, removing unused plugins/themes, and enforcing strong authentication to prevent site compromise.
5. Employ network monitoring to detect unusual outbound connections to known C2 domains or IPs associated with the campaign indicators.
6. Use threat intelligence feeds to update detection rules with the provided hashes and domains to identify potential compromises early.
7. Restrict or scrutinize the use of Google Ads redirection links in corporate email and web gateways.
8. Establish incident response plans that include rapid containment and forensic analysis for suspected EndRAT infections.
9. Collaborate with advertising platforms to report and mitigate abuse of their redirection mechanisms.
10. Implement multi-factor authentication and least privilege principles to limit attacker lateral movement post-compromise.
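As an added defender-side example (not code from this page or from the cited pulse), the Python below applies recommendations 3, 5 and 6 to constructed telemetry: it matches proxy URLs against the three IoC domains named in the analysis, unwraps redirector links to the host they really land on before matching, and flags LNK attachments named as PDFs. The redirector host, the query parameter names q/url/adurl, and the sample events are constructed placeholders, not values from the page.

```python
from urllib.parse import urlsplit, parse_qs

# Domains quoted in the analysis above; the remaining pulse IoCs would be loaded the same way.
IOC_DOMAINS = {"jlrandsons.co.uk", "kppe.pl", "optique-leclercq.be"}
# Assumed redirector query parameter names (common redirector formats); not taken from the page.
REDIRECT_PARAMS = ("q", "url", "adurl")
MAX_UNWRAP = 3  # bound on how many nested redirect parameters to follow


def host_matches_ioc(host: str) -> bool:
    """True if host is an IoC domain or a subdomain of one (label-aware, not substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def final_destination(url: str) -> str:
    """Unwrap a redirector URL to the host it actually lands on."""
    for _ in range(MAX_UNWRAP):
        parts = urlsplit(url)
        qs = parse_qs(parts.query)  # percent-decodes the embedded destination
        inner = next((qs[p][0] for p in REDIRECT_PARAMS if p in qs), None)
        if not inner or not inner.startswith(("http://", "https://")):
            return parts.hostname or ""
        url = inner  # follow the embedded destination and inspect it again
    return urlsplit(url).hostname or ""


def is_disguised_lnk(filename: str) -> bool:
    """Flag Windows shortcuts whose name carries a .pdf before the .lnk."""
    name = filename.lower()
    return name.endswith(".lnk") and name[:-4].endswith(".pdf")


# Constructed sample telemetry as (source, value) pairs; the redirector host is a placeholder.
SAMPLE_EVENTS = [
    ("proxy", "https://ads.example-redirector.test/click?url=https%3A%2F%2Fwww.kppe.pl%2Freport.pdf"),
    ("proxy", "https://example.org/news"),
    ("mail", "NK_HumanRights_Report.pdf.lnk"),
    ("mail", "invoice.pdf"),
]


def triage(events):
    """Return (reason, value) pairs for events that warrant analyst attention."""
    hits = []
    for source, value in events:
        if source == "proxy" and host_matches_ioc(final_destination(value)):
            hits.append(("ioc-domain", value))
        elif source == "mail" and is_disguised_lnk(value):
            hits.append(("disguised-lnk", value))
    return hits
```

Calling triage(SAMPLE_EVENTS) reports the redirected proxy request and the disguised LNK attachment while leaving the two benign events alone.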
Affected Countries
United Kingdom, Poland, Belgium
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.genians.co.kr/en/blog/threat_intelligence/spear-phishing?hs_amp=true
- Adversary: Konni
- Pulse Id: 696d289962926b96a6584416
- Threat Score: null
Threat ID: 696df8d5d302b072d99485ac
Added to database: 1/19/2026, 9:26:45 AM
Last enriched: 1/19/2026, 9:41:42 AM
Last updated: 1/19/2026, 10:44:15 AM