North Korean Hacker Group ‘Konni’ Targets Android and Windows Devices Using Fake Stress-Relief Apps

The North Korea-linked cyber espionage group Konni — also known as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia — has launched a new wave of attacks targeting Android and Windows systems, aiming to steal sensitive data and gain remote control over compromised devices.
According to a technical analysis from the Genians Security Center (GSC), “Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs.”
The most alarming finding in the campaign is the group’s ability to exploit Google’s asset tracking platform, Find Hub (formerly Find My Device), to remotely reset Android devices, effectively erasing personal data from victims’ phones. Detected in early September 2025, this activity marks the first known instance of the threat actor using legitimate mobile management features for destructive remote actions.
The Android-focused attacks were part of a broader, multi-platform operation. GSC noted that the threat actors also executed Windows-based spear-phishing campaigns, posing as trusted organizations such as the National Tax Service to lure victims into opening malicious attachments. Once opened, these emails deployed the Lilith Remote Access Trojan (RAT), allowing attackers to take control of infected systems, exfiltrate data, and deliver additional payloads.
Investigators further observed that after compromising a victim’s computer, the hackers used the victim’s logged-in KakaoTalk messaging app sessions to send malware-laden ZIP archives to the victim’s contacts, expanding the infection chain through social engineering.
By combining spear-phishing, social engineering, and legitimate service exploitation, Konni continues to refine its tactics for persistence and data theft. The group’s ability to weaponize official Google services highlights a concerning shift toward using trusted infrastructure for malicious purposes.
Security experts warn that the Konni campaign demonstrates the increasing sophistication of North Korean cyber operations, which now blend psychological manipulation with advanced technical methods to achieve both espionage and disruption objectives. Users are urged to avoid installing unofficial apps, remain cautious of unsolicited communications, and ensure devices are updated and protected against such evolving threats.
