
Konni Uses EndRAT for Phishing, Uses KakaoTalk to Spread Malware

Ravie Lakshmanan, March 17, 2026. Threat Intelligence / Endpoint Security

North Korean threat actors have been observed sending phishing emails that give them access to a victim's machine and its KakaoTalk desktop application, which is then used to distribute malicious payloads to the victim's other contacts.

The campaign was documented by the South Korean threat intelligence firm Genians and attributed to the hacking group known as Konni.

“The initial access was achieved through a phishing email disguised as a notice identifying the recipient as a North Korean human rights lecturer,” the Genians Security Center (GSC) noted in an analysis.

“After the successful phishing attack, the victim extracted the malicious LNK file, which led to the malware. The malware stays hidden and persists on the victim’s end for a long time, stealing internal documents and sensitive information.”

The threat actor is said to have remained on the compromised host for a long time, using the unauthorized access to siphon internal documents and the KakaoTalk app to selectively distribute malware to specific contacts.

The attacks are characterized by abusing the trust associated with already-compromised victims to deceive and capture additional targets. This is not the first time Konni has used a messaging app as a distribution vector. In November 2025, the hacking group was found to be abusing KakaoTalk's authenticated desktop chat sessions to send malicious payloads to victim contacts in the form of a ZIP archive, while simultaneously executing a remote wipe of their Android devices using stolen Google credentials.

The latest campaign starts with a phishing email that tricks recipients into opening a ZIP file attachment containing a Windows shortcut (LNK). When executed, the LNK file downloads the next-stage payload from an external server, establishes persistence using scheduled tasks, and finally launches the malware, while displaying a decoy PDF document to the user as a distraction.
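The ZIP-wrapped shortcut is the one artifact of this chain that a mail gateway or endpoint scanner sees before anything runs. The following is an added detection example, not code from Genians or from the article: it opens an attachment in memory and flags every entry that is a Windows Shell Link, either by its `.lnk` extension or by the 20-byte header (HeaderSize 0x4C followed by the Shell Link CLSID) that every LNK file begins with, so a shortcut renamed to look like a document is still caught. The sample archive, its file names and contents are constructed for the demonstration.

```python
import io
import zipfile

# Every Shell Link (.lnk) file begins with HeaderSize = 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046 stored little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def scan_zip_for_shortcuts(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that is, or looks like, a Windows shortcut.

    Each finding records whether the entry was matched by extension, by file
    header, or both; 'disguised' marks a LNK body hidden behind another extension.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_ext or by_magic:
                findings.append({
                    "name": info.filename,
                    "lnk_extension": by_ext,
                    "lnk_header": by_magic,
                    "disguised": by_magic and not by_ext,
                })
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy hook: an inbound archive carrying any shortcut is held for review."""
    return bool(scan_zip_for_shortcuts(zip_bytes))


def build_sample_archive() -> bytes:
    """Constructed sample attachment (not a real artifact from the campaign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A harmless decoy document that must not be flagged.
        zf.writestr("notice.pdf", b"%PDF-1.4\n% constructed decoy document\n")
        # A shortcut with its real extension; body is just the LNK header plus padding.
        zf.writestr("notice.lnk", LNK_MAGIC + b"\x00" * 56)
        # A shortcut renamed to hide its type; caught by header, not by name.
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for finding in scan_zip_for_shortcuts(sample):
        print(finding)
    print("quarantine:", should_quarantine(sample))
```

Checking the header rather than only the name matters because Windows Explorer hides the `.lnk` extension of shortcuts, so a name-only rule is easy to bypass; in production the same check belongs on nested archives and on files dropped to disk by the mail client, not just the outer attachment.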

Written in AutoIt, the downloaded malware is a remote access trojan (RAT) called EndRAT (also known as EndClient RAT), which allows an operator to remotely control a compromised host using capabilities such as file management, remote shell access, data transfer, and persistence.

Further analysis of the infected host found various other malicious artifacts, including AutoIt scripts associated with RftRAT and RemcosRAT, indicating that the adversary deemed the victim important enough to deploy multiple RAT families to improve resilience.

A key element of the attack is the threat actor's misuse of the victim's KakaoTalk application installed on the infected system to distribute malicious ZIP files to other people in the victim's contact list and deliver the same malware. This essentially turns existing victims into facilitators who propagate the attack.

“This campaign is being evaluated as a multi-stage attack that goes beyond phishing, including long-term persistence, identity theft, and account-based redistribution,” Genians said. “The actor selected certain contacts from the victim’s friends list and sent them additional malicious files. In doing so, the attacker used filenames disguised as those presenting content related to North Korea to entice recipients to open the files.”
