Executive Summary
In late 2025, the North Korea-linked threat actor known as Konni (also referred to as Earth Imp, Opal Sleet, TA406, and Vedalia) launched a sophisticated campaign targeting Android and Windows users by abusing Google’s Find Hub functionality as a remote data-wiping weapon. The attackers impersonated psychological counselors and North Korean human rights activists, distributing malware via fake stress-relief applications that enabled remote access, data theft, and destructive wipes. The operation leveraged advanced evasion tactics, encrypted traffic channels, and targeted high-value individuals, resulting in significant loss and compromise of sensitive personal and organizational information.
This incident exemplifies the growing risk from state-affiliated actors using social engineering and legitimate platform abuse to bypass defenses. With threat techniques evolving, organizations must now prioritize threat hunting, advance east-west traffic visibility, and enforce robust segmentation policies to catch and contain similar attacks.
Why This Matters Now
The Konni campaign demonstrates the increasing urgency to defend against advanced persistent threats exploiting trusted platforms and social engineering. Sophisticated attackers now rapidly adapt their methods, targeting both consumer and enterprise endpoints—underscoring the need for up-to-date controls, incident response readiness, and compliance with evolving cyber regulations.
Attack Path Analysis
The Konni group initiated attacks by phishing targets with malware-laden applications impersonating psychological support tools, gaining an initial foothold on cloud-connected endpoints. After gaining that foothold, they escalated privileges to obtain deeper access on compromised hosts or applications. From there, the attackers moved laterally to reach additional assets within internal cloud and hybrid infrastructure. They established command and control over covert channels for persistent remote access. Sensitive data was then exfiltrated over encrypted or disguised outbound channels. Finally, the attackers used their access to potentially wipe data or disrupt operations, achieving their remote impact objectives.
Kill Chain Progression
Initial Compromise
Description
Victims downloaded and executed malware disguised as legitimate stress-relief programs, resulting in endpoint and initial cloud workload compromise.
Related CVEs
CVE-2025-9491
CVSS 8.8. A vulnerability in Windows LNK files allows attackers to execute hidden malicious commands via crafted shortcut files.
Affected Products:
Microsoft Windows – All supported versions
Exploit Status:
Exploited in the wild
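As an added triage example (not code from this brief, from Konni, or from any vendor named here), the following Python script parses the Shell Link (.lnk) format far enough to pull out the command-line argument field and flags the pattern this CVE describes: a real command hidden from the shortcut's Properties dialog, typically behind a long run of whitespace. The structure offsets follow the public MS-SHLLINK specification; the thresholds (a 64-character whitespace run, a 260-character visible limit) and the interpreter name list are assumptions for triage, not values from the brief. The two sample shortcuts are constructed in the script itself so it runs offline; the padded one only echoes a string.

```python
import re
import struct

# LinkFlags bits from the MS-SHLLINK specification (section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# Assumed triage thresholds (not from the brief): the shortcut Properties dialog
# shows roughly 260 characters of the Target field, so a long whitespace run
# pushes the real command out of view.
PAD_THRESHOLD = 64
VISIBLE_ARG_LIMIT = 260
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil)(\.exe)?\b", re.I)


def parse_lnk_strings(data: bytes) -> dict:
    """Walk a Shell Link file up to its StringData section and return the strings found there."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + item ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
            off += 2
            size = count * 2 if unicode else count
            strings[name] = data[off:off + size].decode("utf-16-le" if unicode else "cp1252")
            off += size
    return strings


def assess_lnk(data: bytes) -> dict:
    """Flag argument-field tricks that hide what a shortcut actually runs."""
    info = parse_lnk_strings(data)
    args = info.get("arguments", "")
    target = info.get("relative_path", "")
    findings = []
    longest_gap = max((len(m) for m in re.findall(r"\s{2,}", args)), default=0)
    if longest_gap >= PAD_THRESHOLD:
        findings.append(f"whitespace run of {longest_gap} characters inside the argument field")
    if len(args) > VISIBLE_ARG_LIMIT:
        findings.append(f"argument field is {len(args)} characters, beyond what the Properties dialog displays")
    hit = INTERPRETERS.search(target + " " + args)
    if hit:
        findings.append(f"shortcut invokes a scripting interpreter or LOLBin: {hit.group(0)}")
    return {"target": target, "arguments": args, "findings": findings, "suspicious": bool(findings)}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Serialize a minimal Unicode .lnk (header + two StringData fields) for constructed test samples."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # FILE_ATTRIBUTE_ARCHIVE, SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed samples: an ordinary shortcut and one whose real arguments sit behind 300 spaces
BENIGN_LNK = build_lnk("notepad.exe", "readme.txt")
PADDED_LNK = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       " " * 300 + "-nop -c Write-Host constructed-sample")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("padded", PADDED_LNK)):
        result = assess_lnk(blob)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it over shortcuts extracted from mail attachments or archives before they reach users; on a real Windows-created .lnk the parser skips the LinkTargetIDList and LinkInfo blocks that precede the strings, which the constructed samples omit. Any extra data blocks after the StringData section are ignored.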
MITRE ATT&CK® Techniques
Spearphishing Attachment
Malicious File
Command and Scripting Interpreter: PowerShell
Application Layer Protocol: Web Protocols
Obfuscated Files or Information
Transfer Data to Cloud Account
Data Destruction
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Article 10
CISA ZTMM 2.0 – User/Device Authentication and Least Privilege
Control ID: 3.4
NIS2 Directive – Incident Handling
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
High-value target for North Korean APT groups seeking intelligence through social engineering campaigns targeting government officials and sensitive communications infrastructure.
Non-Profit/Volunteering
Human rights organizations face targeted attacks through impersonation of activists, exploiting trust relationships to deploy remote access malware and steal sensitive data.
Health Care / Life Sciences
Psychological counselor impersonation threatens patient confidentiality and HIPAA compliance, enabling data exfiltration through fake stress-relief applications targeting healthcare workers.
Computer Software/Engineering
Android and Windows development environments vulnerable to supply chain attacks, requiring enhanced east-west traffic monitoring and zero trust segmentation controls.
Sources
- Konni Hackers Turn Google’s Find Hub into a Remote Data-Wiping Weapon: https://thehackernews.com/2025/11/konni-hackers-turn-googles-find-hub.html
- Konni APT Abuses Google Find My Device To Track And Factory-reset Android Phones In South Korea: https://cybersecurefox.com/en/konni-abuses-google-find-my-device-factory-reset-android-kakaotalk-phishing/
- North Korean Hacking Group Konni Targets Android and Windows Devices in Dual-Platform Cyber Campaign: https://www.thecybersyrup.com/p/north-korean-hacking-group-konni-targets-android-and-windows-devices-in-dual-platform-cyber-campaign
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying network segmentation, egress policy enforcement, encrypted traffic controls, and centralized incident visibility would have severely constrained Konni's ability to escalate, move laterally, exfiltrate data, and cause destructive impact within hybrid cloud environments.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection and alerting of suspicious downloads or anomalous executable behaviors.
Control: Zero Trust Segmentation
Mitigation: Restricted scope of privilege abuse and containment of elevated actions.
Control: East-West Traffic Security
Mitigation: Microsegmentation blocks lateral traversal between unrelated workloads or namespaces.
Control: Egress Security & Policy Enforcement
Mitigation: Suspicious outbound C2 traffic is detected, filtered, or blocked.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents data interception and enables policy-based inspection of encrypted flows.
Centralized monitoring enables real-time detection of mass deletion or destructive activity.
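To make the egress and anomaly-detection controls above concrete, here is an added example (not code from this brief or from any CNSF product) that runs three checks over a constructed egress flow log: destinations outside a per-environment allowlist (egress policy enforcement), fixed-interval connections to one peer (the beaconing pattern of a C2 channel), and bulk outbound volume to a single destination, which matters even for allowlisted SaaS hosts because the ATT&CK technique listed above, Transfer Data to Cloud Account, rides on exactly those. The log lines, allowlist entries, and thresholds are all constructed assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress flow log (not from the incident): timestamp src dst port bytes_out
SAMPLE_FLOWS = """\
2025-11-10T09:00:00Z web-01 updates.example.org 443 1200
2025-11-10T09:00:00Z app-07 203.0.113.50 8443 880
2025-11-10T09:00:30Z app-07 203.0.113.50 8443 912
2025-11-10T09:01:00Z app-07 203.0.113.50 8443 901
2025-11-10T09:01:30Z app-07 203.0.113.50 8443 895
2025-11-10T09:02:00Z app-07 203.0.113.50 8443 906
2025-11-10T09:02:10Z app-07 198.51.100.20 443 61440000
2025-11-10T09:07:13Z web-01 updates.example.org 443 1350
2025-11-10T09:31:02Z web-01 updates.example.org 443 1180
"""

# Constructed egress policy: hostnames and CIDRs workloads may reach directly
EGRESS_ALLOWLIST = ["updates.example.org", "198.51.100.0/24"]
MIN_BEACON_FLOWS = 4       # connections needed before judging periodicity
MAX_BEACON_CV = 0.1        # max coefficient of variation of inter-arrival times
EXFIL_BYTES = 10_000_000   # cumulative bytes out to one destination (assumed threshold)


def parse_flows(text: str) -> list:
    """Turn the whitespace-separated log into dicts with parsed timestamps."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def destination_allowed(dst: str) -> bool:
    """Hostnames must match exactly; IP addresses must fall inside an allowlisted CIDR."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return dst in EGRESS_ALLOWLIST
    return any("/" in entry and addr in ipaddress.ip_network(entry) for entry in EGRESS_ALLOWLIST)


def analyze_egress(flows: list) -> dict:
    """Group flows per (src, dst, port) and apply the policy, beaconing and volume checks."""
    by_peer = defaultdict(list)
    for f in flows:
        by_peer[(f["src"], f["dst"], f["port"])].append(f)
    alerts = {"policy_violation": [], "beaconing": [], "bulk_transfer": []}
    for peer, items in by_peer.items():
        if not destination_allowed(peer[1]):
            alerts["policy_violation"].append(peer)
        times = sorted(f["ts"] for f in items)
        if len(times) >= MIN_BEACON_FLOWS:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            # Low spread of inter-arrival times relative to their mean means a timer, not a person
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_BEACON_CV:
                alerts["beaconing"].append(peer)
        if sum(f["bytes"] for f in items) >= EXFIL_BYTES:
            alerts["bulk_transfer"].append(peer)
    return alerts


if __name__ == "__main__":
    for kind, peers in analyze_egress(parse_flows(SAMPLE_FLOWS)).items():
        for src, dst, port in peers:
            print(f"{kind}: {src} -> {dst}:{port}")
```

In the sample, app-07 trips both the policy and beaconing checks for 203.0.113.50:8443 (five connections exactly 30 seconds apart to a destination the policy never approved), while its single 61 MB upload to an allowlisted 198.51.100.0/24 address surfaces only through the volume check; that second case is why centralized visibility has to cover approved destinations too, not just blocked ones.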
Impact at a Glance
Affected Business Functions
- Communications
- Data Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive personal and organizational data due to unauthorized access and remote wiping of devices.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and microsegmentation to block unauthorized lateral movement throughout cloud workloads.
- Apply comprehensive egress filtering and encrypted traffic inspection to disrupt command & control and data exfiltration channels.
- Leverage real-time anomaly detection and centralized visibility to rapidly surface and respond to malware execution and privilege escalation events.
- Ensure robust workload identity hardening and least privilege access across all cloud and hybrid endpoints.
- Integrate distributed policy controls and automation to maintain strong governance, compliance, and rapid incident response at scale.