North Korean–linked hackers from the KONNI / APT37 cluster are compromising PCs, stealing Google account logins, and then abusing Google’s Find Hub (“Find My Device”) to geolocate victims and remotely wipe all their Android phones — cutting them off from messengers and destroying evidence of the breach.

The campaign, analysed by South Korean company Genians, targets mainly South Koreans via spear-phishing on KakaoTalk, the country’s most popular messenger. Attackers pose as tax authorities, police or other agencies and send MSI installers (sometimes inside ZIP archives) that are digitally signed to look legitimate. Once opened, the MSI launches an install.bat and a decoy error.vbs, showing a fake “language pack error” while an AutoIt script quietly sets up persistence via a scheduled task and pulls more payloads from the C2.
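The persistence step above gives defenders a concrete detection hook: Windows logs scheduled-task creation as Security event 4698, which carries the task definition XML. As an added example (not from Genians’ report or the page), the Python below runs over constructed records shaped like that event and flags tasks whose action runs from a user-writable directory or invokes an AutoIt interpreter or script; the record field names and sample paths are assumptions for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample records shaped like Security event 4698 ("A scheduled task
# was created"). Field names are assumptions for this example, not a product schema.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "victim", "TaskName": "\\Updater",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Users\\victim\\AppData\\Local\\Temp\\au3.exe</Command>
  <Arguments>svc.au3</Arguments></Exec></Actions></Task>"""},
    {"EventID": 4698, "SubjectUserName": "admin", "TaskName": "\\Backup",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions></Task>"""},
]

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a non-admin user can write to; a persistence binary living here is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
# AutoIt interpreter names and script extensions (.au3 source, .a3x compiled).
AUTOIT = re.compile(r"(autoit3|au3)\b|\.a3x\b", re.I)

def task_actions(task_xml):
    """Return (command, arguments) pairs for every Exec action in a task definition."""
    root = ET.fromstring(task_xml)
    out = []
    for ex in root.findall(".//t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip()
        out.append((cmd, args))
    return out

def suspicious_tasks(events):
    """Flag 4698 events whose task action matches either heuristic, with reasons."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        for cmd, args in task_actions(ev["TaskContent"]):
            reasons = []
            if USER_WRITABLE.search(cmd):
                reasons.append("runs from user-writable path")
            if AUTOIT.search(cmd) or AUTOIT.search(args):
                reasons.append("AutoIt interpreter/script")
            if reasons:
                hits.append({"task": ev["TaskName"], "user": ev["SubjectUserName"],
                             "command": cmd, "reasons": reasons})
    return hits
```

Feeding real 4698 events in requires only mapping the log exporter’s field names onto the ones used here; the task XML format is the standard one Windows writes.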
Those second-stage payloads include RemcosRAT, QuasarRAT and RftRAT — remote-access tools used to keylog, harvest passwords and cookies, and in particular to steal Google and Naver credentials. With full access to the victim’s Google account, the operators can read email, change security settings and wipe logs of suspicious logins.
From there, the most destructive step starts in the browser, not on the phone: the attackers sign in to Google Find Hub, list all registered Android devices, query their GPS location and trigger remote factory resets. Forensics by Genians shows phones being wiped multiple times in a row to make recovery harder and prolong downtime. In one documented case, the victim was a counsellor working with North Korean defector youth; the attackers waited until GPS showed the target outside before wiping the devices and taking over the KakaoTalk PC session to send more malware to their contacts.
The purpose of all this is classic: isolate the victim, erase traces of intrusion, slow down incident response and turn trusted accounts into launchpads for further compromises. KONNI is a long-running toolset and activity cluster tied to North Korean espionage groups APT37 (ScarCruft) and Kimsuky, which have historically targeted government, education and cryptocurrency organisations.
In this wave, the toolset is tuned for South Korea’s ecosystem: KakaoTalk as the initial entry point, Naver and Google as key identity providers, and Find Hub as the legitimate “remote management” layer abused after account takeover. Google stresses that there is no vulnerability in Android or Find Hub itself; the attackers rely on traditional malware on the PC to steal credentials and then use official account features exactly as a real user could. Google’s response is to push 2-Step Verification / passkeys for everyone, and its Advanced Protection Program for high-risk users.
This campaign is a reminder that mobile security doesn’t start on the phone: once your Google account is gone, so is control over every Android device tied to it. For organisations and at-risk users, the practical checklist is simple but non-negotiable: enforce MFA on Google accounts, monitor for new logins and OAuth sessions, treat unexpected “install this tool” messages in messengers as hostile until verified by voice, and teach users that “Find my device” can be weaponised against them once an attacker owns their account.