Monday, January 12, 2026

North Korean hackers carry out new cyber attacks on Android and Windows users

The North Korea-linked cyber espionage group Konni, also known as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia, has launched a new wave of attacks targeting both Android and Windows systems. The campaign aims to steal sensitive data and gain remote control over compromised devices.

The Genians Security Center (GSC) reported: “Attackers impersonated psychological counsellors and North Korean human rights activists, distributing malware disguised as stress-relief programmes.”

One of the most concerning discoveries in this campaign is Konni’s abuse of Google’s asset tracking platform, Find Hub (formerly Find My Device), to remotely reset Android devices. This allows attackers to erase all personal data from victims’ phones. The activity was detected in early September 2025 and marks the first known instance of this group using legitimate mobile management tools for destructive remote actions.

The Android-based attacks were part of a broader, cross-platform campaign. GSC revealed that the group also executed Windows-targeted spear-phishing attacks, posing as trusted organisations such as the National Tax Service. Victims were tricked into opening malicious attachments that deployed the Lilith Remote Access Trojan (RAT), enabling attackers to control infected systems, steal data, and install additional malware.

Investigators also observed that after compromising a victim’s computer, the hackers exploited active KakaoTalk sessions to send malware-infected ZIP archives to the victim’s contacts, using social engineering to expand the infection chain.

By combining spear-phishing, social engineering, and the abuse of legitimate services, Konni continues to refine its methods for persistence and data theft. The group’s ability to weaponise trusted Google services signals a worrying trend of attackers using legitimate infrastructure for malicious activity.

Security experts warn that this campaign reflects the growing sophistication of North Korean cyber operations, which now blend psychological manipulation with advanced technical tactics to achieve espionage and disruption goals. Users are advised to avoid unofficial applications, be cautious of unsolicited messages, and keep their devices updated to guard against such threats.
