APT37 hackers abuse Google Find Hub in Android data-wiping attacks

North Korean hackers are abusing Google’s Find Hub tool to track the GPS location of their targets and remotely reset Android devices to factory settings.

The attacks are primarily targeting South Koreans, and start by approaching the potential victims over KakaoTalk messenger – the most popular instant messaging app in the country.

South Korean cybersecurity solutions company Genians links the malicious activity to a KONNI activity cluster, which “has overlapping targets and infrastructure with Kimsuky and APT37.”

KONNI typically refers to a remote access tool that has been linked to attacks from North Korean hackers in the APT37 (ScarCruft) and Kimsuky (Emerald Sleet) groups that targeted multiple sectors (e.g., education, government, and cryptocurrency).

According to Genians, the KONNI campaign infects computers with remote access trojans that enable sensitive data exfiltration.

Wiping Android devices is done to isolate victims, delete attack traces, delay recovery, and silence security alerts. Specifically, the reset disconnects victims from KakaoTalk PC sessions, which the attackers hijack post-wiping to spread to their targets’ contacts.

Infection chain

The KONNI campaign analyzed by Genians targets victims via spear-phishing messages that spoof South Korea’s National Tax Service, the police, and other agencies.

Once the victim executes the digitally signed MSI attachment (or a .ZIP containing it), the file invokes an embedded install.bat and an error.vbs script used as a decoy to mislead the user with a fake “language pack error.”

The BAT triggers an AutoIt script (IoKITr.au3) that establishes persistence on the device via a scheduled task. The script fetches additional modules from a command-and-control (C2) server and gives the threat actors remote access, keylogging, and the ability to drop additional payloads.

Genians reports that the secondary payloads retrieved by the script include RemcosRAT, QuasarRAT, and RftRAT.
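A defender-side detection sketch for the chain just described, added here and not taken from Genians' report or the page: it walks constructed process-creation records and scores the msiexec -> install.bat -> AutoIt -> schtasks lineage. The interpreter name AutoIt3.exe, the schtasks arguments, and all paths and PIDs are assumptions; the task name is a placeholder because the text above does not give it.

```python
# Hunt for the MSI -> install.bat -> AutoIt -> scheduled-task chain described above.
# EVENTS are constructed process-creation records (fields loosely follow Sysmon Event
# ID 1: ProcessId, ParentProcessId, Image, CommandLine); paths and PIDs are made up.
EVENTS = [
    {"pid": 1000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'msiexec.exe /i "C:\Users\u\Downloads\decoy.msi"'},
    {"pid": 1010, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\install.bat"'},
    {"pid": 1030, "ppid": 1010, "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "cmd": "AutoIt3.exe IoKITr.au3"},
    {"pid": 1040, "ppid": 1030, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn "<TASK_NAME_PLACEHOLDER>" /sc minute /mo 5 '
            r'/tr "C:\Users\u\AppData\Local\Temp\AutoIt3.exe IoKITr.au3"'},
    # Benign installer that also runs a batch file: must not be flagged.
    {"pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe /i editor.msi"},
    {"pid": 2010, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c setup.bat"},
]

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def ancestry(events, pid):
    """Parents of pid, nearest first; stops when a parent is not in the log."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
        chain.append(by_pid[pid])
    return chain

def detect_chain(events, min_hits=3):
    """Score each AutoIt interpreter launch; indicators are counted separately so a
    lone coincidence (an installer that legitimately runs a .bat) cannot fire."""
    findings = []
    for e in events:
        if basename(e["image"]) != "autoit3.exe":  # a renamed interpreter evades this
            continue
        parents = ancestry(events, e["pid"])
        kids = [c for c in events if c["ppid"] == e["pid"]]
        checks = {
            "au3_script": ".au3" in e["cmd"].lower(),
            "bat_launcher": any(basename(p["image"]) == "cmd.exe" and ".bat" in p["cmd"].lower() for p in parents),
            "msi_parent": any(basename(p["image"]) == "msiexec.exe" for p in parents),
            "schtasks_persistence": any(basename(k["image"]) == "schtasks.exe" and "/create" in k["cmd"].lower()
                                        and ".au3" in k["cmd"].lower() for k in kids),
        }
        hits = [name for name, ok in checks.items() if ok]
        if len(hits) >= min_hits:
            findings.append({"pid": e["pid"], "indicators": hits})
    return findings
```

The threshold keeps a single matching indicator from alerting on legitimate installers that spawn batch files; lower it if AutoIt is not normally present in the environment.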

These tools are used to harvest the victim’s Google and Naver account credentials, which lets the attackers log into the targets’ Gmail and Naver mail, change security settings, and wipe logs showing the compromise.

Using Find Hub to reset devices

From the compromised Google account, the attacker opens Google Find Hub to retrieve registered Android devices and query their GPS location.

Find Hub is Android’s default “Find my Device” tool, allowing users to remotely locate, lock, or even wipe Android devices in cases of loss or theft.

Genians’ forensic analysis of several victim computer systems revealed that the attacker wiped a target’s device through Find Hub’s remote reset command.

“The investigation found that on the morning of September 5 a threat actor compromised and abused the KakaoTalk account of a South Korea–based counselor who specializes in psychological support for North Korean defector youth, and sent a malicious file disguised as a ‘stress relief program’ to an actual defector student,” Genians researchers say.

The researchers say that the hackers used the GPS tracking feature to select a time when their target was outside and less capable of urgently responding to the situation.

[Figure] Overview of the KONNI attacks (Source: Genians Security)

During the attack, the threat actor ran the remote reset commands on all registered Android devices. This led to the complete deletion of critical data. The attacker executed the wipe commands three times, which prevented recovery and use of the devices for a longer period.

With the mobile alerts neutralized, the attacker used the victim’s logged-in KakaoTalk PC session on the already compromised computer to distribute malicious files to the victim’s contacts.

On September 15, Genians noticed another attack on a separate victim using the same method.

To block these attacks, it is recommended to protect Google accounts by enabling multi-factor authentication and ensuring quick access to a recovery account.

When receiving files over messenger apps, verify the sender’s identity by calling them directly before downloading or opening the files.

Genians’ report includes a technical analysis of the malware used as well as a list of indicators of compromise (IoCs) related to the investigated activity.

Update 11/11 – A Google spokesperson has sent BleepingComputer the following comment regarding the above.

“This attack did not exploit any security flaw in Android or Find Hub. The report indicates this targeted attack required PC malware to be present in order to steal Google account credentials and abuse legitimate functions in Find Hub (formerly Find My Device). We strongly urge all users to enable 2-Step Verification or passkeys for comprehensive protection against credential theft. For users facing higher visibility or targeted attacks, we recommend enrolling in our Advanced Protection Program for Google’s strongest level of account security.” – A Google spokesperson.