
Konni, a hacking group linked to North Korea, is running a campaign dubbed the "Poseidon operation" that abuses the ad systems of Naver and Google to distribute malware. The group turned the redirect paths users follow after clicking ads on portal sites into a malware delivery channel. Because the lure travels through legitimate ad infrastructure, the campaign exposes a blind spot in defenses that judge a link by its domain alone.

According to a threat intelligence analysis report released on the 19th by the Genians Security Center, Konni has been conducting an advanced persistent threat (APT) attack that uses portal ads as an attack channel.

At the core of the "Poseidon operation" is abuse of the "click tracking path" used by the Naver and Google ad systems. Click tracking is the intermediate hop a user passes through after clicking an ad and before reaching the advertiser's page; its URL structure exists for measuring ad performance.

When a user clicks an ad at the top of the search results, the request appears to pass through a legitimate ad address and land on the final destination site. The attackers mimicked this legitimate URL structure and, during the brief chain of redirects, steered users to external servers hosting malicious files. A security product or artificial intelligence (AI) detection tool that scans the link sees a legitimate Naver or Google domain, so the link is hard to block on its domain alone.
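The redirect-chain problem above, as an added example that is not part of the Genians report: a small Python checker that extracts the destination embedded in a tracker-style link, follows the redirect chain, and judges the link by where it ends rather than where it starts. The tracker URL shapes, the query parameter names, the trusted-host list and the redirect table are all constructed for illustration (real Naver and Google click URLs differ in detail), so treat them as assumptions to be adjusted to your own traffic.

```python
"""Flag ad click-tracking links whose redirect chain leaves the ad network.

Added example, not code from the Genians report. URL shapes, parameter names
and the redirect table are constructed so the example runs offline.
"""
from urllib.parse import urlparse, parse_qs, unquote

# Hosts a defender treats as legitimate ad infrastructure (assumption).
TRUSTED_AD_HOSTS = {"ad.search.naver.com", "www.googleadservices.com", "www.google.com"}

# Query parameters that commonly carry the advertiser's landing URL (assumption;
# real parameter names vary by ad network and campaign).
DEST_PARAMS = ("url", "u", "adurl", "redirect", "dest")

# File extensions that suggest a malware drop rather than an advertiser page.
LURE_EXTENSIONS = (".zip", ".rar", ".7z", ".lnk", ".exe", ".hta", ".iso")

# Constructed stand-in for HTTP 302 responses: requested URL -> Location header.
FAKE_REDIRECTS = {
    "https://ad.search.naver.com/click?url=https%3A%2F%2Fwww.example-bank.co.kr%2Fpromo":
        "https://www.example-bank.co.kr/promo",
    "https://www.googleadservices.com/pagead/aclk?adurl=https%3A%2F%2Fcompromised-wp.example%2Fgo":
        "https://compromised-wp.example/go",
    "https://compromised-wp.example/go":
        "https://compromised-wp.example/wp-content/uploads/docs.zip",
}


def embedded_destination(url):
    """Return the landing URL carried in a tracker link's query, or None.

    parse_qs already percent-decodes once; unquote() runs a second pass so
    double-encoded destinations are still exposed.
    """
    qs = parse_qs(urlparse(url).query)
    for name in DEST_PARAMS:
        if qs.get(name):
            return unquote(qs[name][0])
    return None


def follow_chain(url, redirects=FAKE_REDIRECTS, max_hops=10):
    """Follow the (simulated) redirects and return every URL visited, in order."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        chain.append(url)
    return chain


def assess(url, redirects=FAKE_REDIRECTS, advertiser_allowlist=()):
    """Classify a click-tracking link by where its chain actually ends.

    The first hop is a trusted ad domain, so a domain-only check passes; the
    findings come from the final hop instead.
    """
    chain = follow_chain(url, redirects)
    first_host = urlparse(chain[0]).hostname or ""
    final = urlparse(chain[-1])
    final_host = final.hostname or ""
    findings = []
    if (first_host in TRUSTED_AD_HOSTS
            and final_host not in TRUSTED_AD_HOSTS
            and final_host not in advertiser_allowlist):
        findings.append("trusted ad host redirects to unlisted external host")
    if final.path.lower().endswith(LURE_EXTENSIONS):
        findings.append("final hop serves an archive or executable")
    if "/wp-content/" in final.path:
        findings.append("final hop is a WordPress upload path")
    return {"chain": chain, "final_host": final_host, "findings": findings}


if __name__ == "__main__":
    for link in FAKE_REDIRECTS:
        print(assess(link))
```

In production the `FAKE_REDIRECTS` table is replaced by real HEAD/GET requests with redirects disabled, following each `Location` header by hand so every hop is recorded; the allowlist is the set of advertiser hosts your organization actually expects behind those ad campaigns.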

Genians said, "In the past, abuse cases mainly targeted Naver's ad paths, but recently the scope has expanded to include Google's ad infrastructure," adding, "Inserting attack code into normal ad traffic has become a primary infiltration tactic of the Konni group."

In particular, some of the servers used in the attack were found to be WordPress-based websites, which are often loosely maintained. This appears intended to let the attackers swap in new servers quickly if part of the infrastructure is blocked, so as to evade defenses.

The Konni group opened its attack with carefully crafted spoofed emails. Posing as financial institutions or North Korean human rights groups, it approached targets with work-related subject lines likely to be opened, such as "financial transaction verification" or "submission of supporting documents."

Clicking the link in the email body downloads a compressed archive. The file inside shows a PDF document icon at a glance, but it is actually a malicious Windows shortcut (LNK) file. Running it appears to open a document, while in the background a malicious AutoIt script executes and installs remote-control malware on the user's PC.
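The "document icon, script payload" pattern just described, as an added example that is not part of the Genians report: a minimal Python reader for the Windows shortcut format (the MS-SHLLINK header, skipping the optional IDList and LinkInfo structures, then the StringData fields), followed by a check that flags a shortcut whose icon points at a document viewer while its target launches a script host. The sample shortcut is constructed in memory with a hypothetical AutoIt command line; the icon and script-host keyword lists are assumptions to tune.

```python
"""Parse a Windows .lnk and flag a document-icon shortcut that runs a script.

Added example, not code from the Genians report. The sample LNK and the
keyword lists are constructed/assumed; the layout follows MS-SHLLINK but only
the fields needed for this check are parsed (ExtraData blocks are ignored).
"""
import struct

HEADER_SIZE = 0x4C
# LinkFlags bits from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

# Assumed keyword lists: icons that say "document", targets that say "script".
DOC_ICON_HINTS = ("acrobat", "pdf", "winword", "excel", "imageres.dll")
SCRIPT_HOST_HINTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta",
                     "rundll32", "autoit", ".au3")


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict (absent fields omitted)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDList: u16 size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 total size first
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        nbytes = count * 2 if unicode else count
        fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def assess_lnk(fields):
    """Return findings for a parsed shortcut; empty list means nothing odd."""
    icon = fields.get("icon_location", "").lower()
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    findings = []
    if any(h in icon for h in DOC_ICON_HINTS) and any(h in target for h in SCRIPT_HOST_HINTS):
        findings.append("document icon but script/interpreter target")
    if "autoit" in target or ".au3" in target:
        findings.append("AutoIt interpreter or script referenced")
    if "%temp%" in target or "%appdata%" in target:
        findings.append("payload staged under a user-writable directory")
    return findings


def build_sample_lnk():
    """Constructed lure: Acrobat icon, but cmd.exe runs a hypothetical AutoIt script."""
    def u16(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE)
    header += bytes.fromhex("0114020000000000c000000000000046")   # LinkCLSID
    header += struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))               # remaining header fields zeroed
    body = u16(r"..\..\..\Windows\System32\cmd.exe")
    body += u16(r'/c start "" "%TEMP%\report.pdf" & AutoIt3.exe "%TEMP%\svc.au3"')
    body += u16(r"%ProgramFiles%\Adobe\Acrobat\Acrobat.exe")
    return header + body


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    print(parsed)
    print(assess_lnk(parsed))
```

The same reader works on a shortcut pulled out of a mail attachment archive; the useful habit is to extract the archive listing without running anything and to feed every `.lnk` entry through `parse_lnk` before a user ever sees a PDF icon.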

Inside the malicious file's code, the Genians analysis team found a development path string containing "Poseidon-Attack."

Security experts warned that the case suggests a sophisticated operation by a nation-backed hacking group, going beyond simple phishing.

A Genians Security Center (GSC) official said, "It is practically impossible to indiscriminately block legitimate ad domains, so there are limits to defending with existing pattern-based security," adding, "It is essential to deploy an endpoint detection and response (EDR) solution that can detect abnormal behavior and external communications inside the PC in real time after a file is executed."

The official also urged, "Never run compressed files attached to emails, especially shortcut (LNK) files included inside."

※ This article has been translated by AI.