A new phishing campaign, launched by the North Korean hacking group Konni, abuses the KakaoTalk messaging app to spread malware. Once a victim is compromised, the stolen account serves as a pivot point from which further accounts are targeted.

It starts with a spear-phishing email crafted to look like an official notice informing the recipient that he or she has been named a North Korean human rights instructor. The email carries a ZIP file containing a malicious LNK file.

When the LNK file is executed, it starts a multi-stage infection chain: it downloads a payload from an external server, establishes persistence through scheduled tasks, and deploys further RAT components. At the same time, a decoy PDF file opens so that the target does not suspect anything and may believe the notice to be real. The malware, dubbed EndRAT (for EndClient RAT), is an AutoIt-written backdoor that gives attackers full control of the infected system, including:
file management
remote shell access
data exfiltration
long-term persistence
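As an added illustration of how a mail gateway or analyst could triage the kind of attachment described above (example code written for this page, not from the original report or from Genians), the following scans a ZIP for Windows shortcut entries by both file extension and LNK header bytes, using a constructed sample archive rather than a real campaign artefact:

```python
import io
import zipfile

# A Windows Shell Link (.lnk) begins with HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046}, stored little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def scan_zip_for_lnk(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that is, or looks like, a shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            name = info.filename.lower()
            by_ext = name.endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_ext or by_magic:
                findings.append({
                    "entry": info.filename,
                    "lnk_extension": by_ext,
                    "lnk_header": by_magic,
                    # a document-looking name in front of .lnk is the classic lure
                    "double_extension": by_ext and name.count(".") >= 2,
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample (not a real Konni file): a decoy PDF, a shortcut
    posing as the 'notice' from the lure email, and a renamed shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.pdf", b"%PDF-1.4\n% harmless placeholder\n")
        zf.writestr("appointment_notice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        # extension stripped to hide the shortcut; only the header check catches it
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_for_lnk(build_sample_zip()):
        print(finding)
```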
Once they had gained access, the attackers used the victim's KakaoTalk account to send malicious ZIP files to deliberately chosen contacts. This creates a chain-infection model in which the trust placed in known contacts greatly increases the success rate of the attack.
The researchers also found that some other compromised systems hosted additional RAT families:
RftRAT
RemcosRAT
That means some victims are valued highly enough by the attacker that several malware tools are deployed on them. The campaign "is classified as a multi-phased attack operation that is separate from the standard spear-phishing operation, which features a longer-term persistence that comprises information stealing and account based redistribution," the South Korean firm Genians said.

Previously, the group used similar tactics, sending malicious files through KakaoTalk and remotely wiping Android devices using stolen Google credentials. The campaign reflects a shift in strategy: rather than scaling up direct attacks against individual victims, the attackers turn compromised accounts into distribution hubs that spawn further infections. In effect, every newly infected user becomes an involuntary cog in the wider spread of the malware, which makes the campaign both more powerful and stealthier.