Part of Genians' threat intelligence analysis report on the North Korea-linked Konni group's spear-phishing and KakaoTalk-linked threat campaign /Courtesy of Genians

A hacking group linked to North Korea known as "Konni" is carrying out a multistage attack that combines spear phishing emails disguised as a notice of appointment for a North Korean human rights lecturer and KakaoTalk.

First, they plant malware on the victim's PC via email, then use the account information stolen in the process to gain unauthorized access to the victim's KakaoTalk PC version session and resend the malware to the victim's acquaintances.

According to a threat intelligence analysis report released on the 16th by Genians Security Center (GSC), the Konni group has recently been carrying out advanced persistent threat (APT) attacks using this method.

The attack begins with a spear phishing email disguised as a "notice of appointment for a North Korean human rights lecturer." The attacker uses North Korea-related lure content to gain the recipient's trust, then induces the user to run a malicious shortcut (LNK) file inside a compressed file attached to the email. The moment the user clicks the LNK file, expecting it to open a document, a malicious script hidden inside a remote-control module executes, infecting the PC.
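The delivery stage described above, a shortcut file packed inside an archive attachment and dressed up as a document, is something a mail gateway or endpoint script can check for before the user ever sees the attachment. The following is an added example, not code from Genians' report: it opens an archive in memory and flags members that carry a `.lnk` extension, that stack a document extension in front of `.lnk`, or whose first bytes are the Windows Shell Link header (HeaderSize `0x4C` followed by the ShellLink CLSID, per the MS-SHLLINK format). The sample archive, its member names and the shortcut bodies are constructed for the demonstration; `find_suspicious_shortcuts` and `build_sample_archive` are hypothetical helper names.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Windows Shell Link (.lnk) files begin with HeaderSize 0x0000004C and the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK, section 2.1).
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Document-looking extensions that lures stack in front of .lnk, e.g. "notice.hwp.lnk"
DOC_EXTS = {".hwp", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def find_suspicious_shortcuts(archive_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a Windows shortcut.

    Each finding lists the reasons that fired so an analyst can see whether the
    member was caught by name, by double extension, by file header, or all three.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename).name
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            # Read only the header bytes; the member is never executed or extracted.
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            reasons = []
            if suffixes and suffixes[-1] == ".lnk":
                reasons.append("lnk-extension")
                if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
                    reasons.append("document-double-extension")
            if head == LNK_MAGIC:
                # Catches shortcuts renamed to a document extension as well.
                reasons.append("lnk-header")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample attachment: two shortcut bodies beside a benign text file.

    The shortcut bodies are a real LNK header followed by zero padding; they have
    no target and do nothing, they exist only to exercise the header check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lecturer_appointment_notice.hwp.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"plain text, not a shortcut")
        zf.writestr("proposal.pdf", LNK_MAGIC + b"\x00" * 56)  # renamed shortcut
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_suspicious_shortcuts(build_sample_archive()):
        print(finding["member"], "->", ", ".join(finding["reasons"]))
```

The header check matters because the extension alone is easy to evade in a scanner even though Windows itself only treats `.lnk` names as shortcuts; flagging on either signal keeps the rule cheap while covering both the plain lure and a renamed copy sitting in the same archive.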

A defining feature of this attack is that it used the KakaoTalk PC version installed on the victim's device as a conduit for spreading.

The attacker was found to have remained dormant on the victim's PC for an extended period to steal account information and, using that information, to have accessed the KakaoTalk PC version session without authorization. The attacker then continued the campaign by selecting some of the victim's friends and sending them further malicious files disguised as items such as a "North Korea-related video proposal."

Because this exploits the trust relationship with the original victim, the recipient is very likely to open the file without much suspicion.

Genians said, "This attack goes beyond simple spear phishing; it is a propagating APT attack that combines trust-based spread with abuse of account sessions, making it highly threatening," adding, "It is a multistage attack system that combines long-term dormancy, data theft, and account-based re-propagation, forming a structure that turns existing victims into new attack conduits."

Genians advised that to counter increasingly sophisticated APT attacks, it is urgent to move beyond simple blocking based on indicators of compromise (IoCs) and adopt an abnormal behavior response framework centered on endpoint detection and response (EDR).

At the organizational level, it is necessary to establish security guidelines for sending and receiving files via messengers, detect abnormal mass or repetitive transmission patterns, and check whether sessions on critical devices are protected.
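The "abnormal mass or repetitive transmission" check recommended above can be expressed as a simple sliding-window rule over messenger file-transfer records: one sender pushing the same file (identified by its hash) to several distinct recipients within a short interval is the pattern the re-propagation stage of this campaign would produce. The code below is an added example and is not from Genians or KakaoTalk; the log format, the sample lines, the window of ten minutes and the threshold of three recipients are all constructed assumptions, and `parse_transfer_log` and `detect_mass_transmission` are hypothetical names.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of messenger file-transfer records, one per line:
# "<ISO timestamp> <sender> -> <recipient> <filename> <hash prefix>"
# user_a fans one file out to four friends in under three minutes (the pattern
# to catch); user_b sends one file to two people hours apart (benign).
SAMPLE_LOG = """\
2024-06-10T09:00:00 user_a -> friend01 NK_video_proposal.zip a1b2c3
2024-06-10T09:00:20 user_a -> friend02 NK_video_proposal.zip a1b2c3
2024-06-10T09:01:05 user_a -> friend03 NK_video_proposal.zip a1b2c3
2024-06-10T09:02:40 user_a -> friend04 NK_video_proposal.zip a1b2c3
2024-06-10T10:30:00 user_a -> friend01 meeting_notes.hwp 5f5f5f
2024-06-10T13:15:00 user_b -> friend09 vacation_photo.jpg 77ee11
2024-06-10T15:00:00 user_b -> friend10 vacation_photo.jpg 77ee11
"""


def parse_transfer_log(text: str) -> list[dict]:
    """Turn the constructed log format into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, _arrow, recipient, filename, digest = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "sender": sender,
            "recipient": recipient,
            "file": filename,
            "hash": digest,
        })
    return events


def detect_mass_transmission(
    events: list[dict],
    window: timedelta = timedelta(minutes=10),
    min_recipients: int = 3,
) -> list[dict]:
    """Alert when one sender delivers the same file to >= min_recipients
    distinct recipients inside any window-length interval.

    Events are grouped per (sender, hash) and scanned with a two-pointer
    sliding window, so the cost is linear in the number of transfers.
    """
    by_key: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_key[(event["sender"], event["hash"])].append(event)

    alerts = []
    for (sender, digest), evs in by_key.items():
        left = 0
        for right in range(len(evs)):
            # Slide the left edge forward until the window fits.
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            recipients = {e["recipient"] for e in evs[left:right + 1]}
            if len(recipients) >= min_recipients:
                alerts.append({
                    "sender": sender,
                    "hash": digest,
                    "file": evs[right]["file"],
                    "recipients": sorted(recipients),
                    "window_start": evs[left]["ts"],
                    "window_end": evs[right]["ts"],
                })
                break  # one alert per sender/file pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_transmission(parse_transfer_log(SAMPLE_LOG)):
        print(f"{alert['sender']} sent {alert['file']} ({alert['hash']}) to "
              f"{len(alert['recipients'])} recipients between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}")
```

Keying on the file hash rather than the name is deliberate: the lure name changes between victims ("video proposal", "appointment notice"), while a re-sent payload usually does not. In practice the threshold should be tuned against the organization's normal group-chat behaviour, and the alert is a trigger for checking whether the sender's messenger session is genuinely theirs, which ties the rule to the session-protection check recommended in the same paragraph.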

It also emphasized the need to strengthen user training so that users are wary of shortcut files disguised with document icons or attachments masquerading as official documents.

A Genians official said, "For spear phishing emails that leverage socio-political topics of interest such as North Korea, human rights, security, and public agency notices, it is necessary to apply a policy that minimizes the execution of attachments," adding, "Corporations should establish endpoint security systems capable of real-time behavior-based detection and blocking at the execution stage to respond to such attacks."

※ This article has been translated by AI.