1. Forum
  2. FidoNet
  3. CONSPRCY

  • North Korean hackers hija

    From Mike Powell@1:2320/105 to All on Thursday, November 13, 2025 08:54:45
    North Korean hackers hijack Google's Find Hub to find and wipe target devices

    Date:
    Tue, 11 Nov 2025 23:10:00 +0000

    Description:
    Hackers look to cover their tracks after stealing sensitive files from
    devices tracked down with Google's Find Hub.

    FULL STORY

    North Korean threat actors with ties to the government were seen resetting target Android devices to factory settings to cover their tracks.

    Researchers from Genians said they saw these attacks in the wild, targeting primarily individuals in South Korea, carried out by a group called KONNI (named after a remote access tool it is using).

    The researchers say KONNI has overlapping targets and infrastructure with
    both Kimsuky, and APT37, known North Korean state-sponsored actors.

    Wiping the device

    The attack starts on KakaoTalk messenger, one of the most popular instant
    chat messaging platforms in the country, where KONNIs agents impersonate trusted entities like the National Tax Service, or the police.

    During the conversation, they send a digitally signed MSI file (or a ZIP archive with it) which, if the victim runs it, launches a script that ultimately downloads different malware modules, including RemcosRAT,
    QuasarRAT, and RftRAT.

    These RATs harvest all sorts of information from the compromised device, including Google and Naver account credentials which are then used to log
    into the victims Google account.

    From there, they access Google Find Hub, a built-in tool that lets users remotely locate, lock, or wipe their devices, and use it not only to view all other registered Android devices, but also to track the victims location.

    When they see the victim out and about, and unable to quickly address an attack, they send remote factor reset commands to all devices, erasing data, disabling alerts, and disconnecting the victim from the KakaoTalk PC
    sessions. The wipe is done three times.

    With the mobile device wiped but the KakaoTalk PC session still active, the hackers use the compromised computer to send malicious files to the victims contacts, spreading the infections further.

    The motive behind the attack is unknown at the time, but state-sponsored
    threat actors are usually engaged in cyber-espionage and disruption.

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/north-korean-hackers-hijack-googles-fin d-hub-to-find-and-wipe-target-devices

    $$
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)