KONNI, a hacking group known to be linked to North Korea, has been running a multi-stage attack that begins with spear-phishing emails disguised as notifications of appointment as a North Korean human rights lecturer and then spreads further through the victims' KakaoTalk accounts.


Screen distributing malicious files via KakaoTalk. Genius Security Center.


According to a threat intelligence analysis report released on March 16, 2026, by the Genius Security Center, KONNI has been carrying out a campaign to distribute malicious files disguised as North Korea-themed content.


KONNI first attempts initial access by sending a phishing email disguised as a notification of appointment as a North Korean human rights lecturer. The malicious payload is a Windows shortcut (.LNK) file that, when opened, installs remote-control malware. After infection, the malware stays hidden on the device for an extended period and steals internal documents and sensitive information.


The most notable aspect of this campaign is that victims are turned into secondary distributors of the malware. KONNI used its access to the infected machine to abuse the victim's KakaoTalk PC client, sending the malicious files to selected individuals from the victim's friends list.


The report assessed this campaign as a propagation-type Advanced Persistent Threat (APT) attack that combines trust-based spreading with account abuse, warning of its high threat level. The Genius Security Center stated, "The attackers use bait content in the form of proposals for North Korea-related videos to deceive recipients and have established a trust-based propagation structure by exploiting existing victims as additional attack vectors. This is evaluated as a multi-stage attack system that combines long-term persistence, information theft, and account-based re-propagation."


KONNI also has a record of sophisticated attack activity. In January 2026, in Operation Poseidon, the group abused Google Ads' click-redirection mechanism to bypass email security filtering and user vigilance. Last year, it used remote-wipe tactics against Android devices to retain control over the device or to erase evidence.


The report suggested that KONNI's activities should be understood as part of a long-term, systematic operational campaign. It recommended that, in response to increasingly sophisticated attacks, organizations go beyond blocking on indicators of compromise (IoCs) alone and build endpoint detection and response (EDR)-centered defense frameworks.


In particular, organizations should set security guidelines for sending and receiving files through messenger services and strengthen detection of file-sharing patterns that deviate from a user's usual behavior. Users should also be wary of shortcut files disguised with document icons and of attachments masquerading as official documents or notifications.
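As a defender's check for the warning about shortcut files disguised with document icons (and for the .LNK payload described earlier), here is an added example that is not code from the report or from Genius Security Center: a small Python parser for the Windows Shell Link header and StringData sections (MS-SHLLINK) that flags a .lnk whose file name or icon mimics a document while its target launches a script host. The sample shortcuts, the document/script-host lists and the command-line length threshold are constructed assumptions for illustration, not indicators taken from the campaign.

```python
import struct

# Shell Link (MS-SHLLINK) header: fixed 76-byte size and the Shell Link CLSID
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections, in the order they appear in the file
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Assumed heuristic lists (not from the report): document types a decoy imitates,
# document viewers whose icon a decoy may borrow, and interpreters a decoy launches
DOCUMENT_EXTS = (".hwp", ".hwpx", ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx")
DOCUMENT_APPS = ("hwp.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe")
SCRIPT_HOSTS = ("cmd.exe", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")
LONG_ARGS_THRESHOLD = 200  # assumed: command lines longer than this are unusual for a document shortcut


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a Shell Link; IDList and LinkInfo are skipped."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def assess_lnk(filename: str, data: bytes) -> list:
    """Return heuristic findings for one shortcut; an empty list means nothing suspicious."""
    info = parse_lnk(data)
    findings = []
    lower_name = filename.lower()
    # "notice.hwp.lnk" style double extension: Explorer hides ".lnk", so the user sees a document
    if lower_name.endswith(".lnk") and lower_name[:-4].endswith(DOCUMENT_EXTS):
        findings.append("document-lookalike-name")
    icon = info.get("icon_location", "").lower()
    doc_icon = icon.endswith(DOCUMENT_EXTS) or icon.endswith(DOCUMENT_APPS)
    if doc_icon:
        findings.append("document-icon")
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    script_host = any(host in target for host in SCRIPT_HOSTS)
    if script_host:
        findings.append("launches-script-host")
    if doc_icon and script_host:                 # looks like a document, runs an interpreter
        findings.append("icon-target-mismatch")
    if len(info.get("arguments", "")) > LONG_ARGS_THRESHOLD:
        findings.append("long-command-line")
    return findings


def build_lnk(fields: dict) -> bytes:
    """Build a minimal Shell Link (header + Unicode StringData) as constructed test input."""
    flags = IS_UNICODE
    for field, bit in STRING_FIELDS:
        if field in fields:
            flags |= bit
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + bytes(LNK_HEADER_SIZE - 24))     # remaining header fields zeroed
    body = b""
    for field, _ in STRING_FIELDS:
        if field in fields:
            body += struct.pack("<H", len(fields[field])) + fields[field].encode("utf-16-le")
    return header + body


# Constructed samples, not artifacts from the campaign; the decoy runs a harmless command
DECOY_LNK = build_lnk({
    "relative_path": "..\\..\\..\\Windows\\System32\\cmd.exe",
    "arguments": '/c powershell -w hidden -ep bypass -c "Start-Process notepad"',
    "icon_location": "C:\\Users\\Public\\notice.hwp",
})
BENIGN_LNK = build_lnk({
    "relative_path": "..\\Documents\\Weekly report.docx",
    "working_dir": "C:\\Users\\user\\Documents",
})

if __name__ == "__main__":
    for name, blob in (("lecturer_appointment_notice.hwp.lnk", DECOY_LNK), ("Weekly report.lnk", BENIGN_LNK)):
        print(name, "->", assess_lnk(name, blob) or "clean")
```

The parser walks only the fixed header and the StringData block, which is where the target, arguments and icon live; the variable-length IDList and LinkInfo structures are skipped by their size fields rather than decoded. In an EDR or mail-gateway pipeline the same checks apply to shortcuts arriving as messenger attachments, where a .lnk among a user's normal document exchanges is itself a deviation worth alerting on.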



The Genius Security Center emphasized, "A multi-layered defense strategy is necessary, taking into account the attacker's tactics, techniques, and procedures (TTPs) across the entire chain from initial infiltration to persistence, information collection, abuse of messenger apps, and re-propagation."


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
