The recent phishing campaign attributed to the North Korean group Konni has expanded its target range to include developers and engineering teams in Japan, Australia, and India. This shift marks a significant broadening from their previous focus on regions like South Korea, Russia, and various European nations. Check Point Research reported these developments in a technical analysis published last week.
Active since 2014, Konni is best known for cyber-espionage campaigns built around spear-phishing rather than software exploits. The most recent campaign, named Operation Poseidon, distributes spear-phishing emails whose malicious links are dressed up as legitimate advertising from platforms such as Google and Naver.
Victims are lured into downloading a ZIP archive containing a Windows shortcut (.lnk). Opening the shortcut launches an AutoIt script that deploys EndRAT, a Konni malware variant that gives the operators remote access to the compromised machine. Explorer hides the .lnk extension even when other extensions are shown, so a shortcut named like a document (for example Invoice.pdf.lnk) is displayed as the document itself. The group has also used poorly secured, compromised WordPress sites both to host the malware and as command-and-control infrastructure.
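Triage logic for the delivery chain described above (a ZIP carrying a .lnk that launches an AutoIt script), as an added example that is not code from the article or from Check Point's analysis. It parses the StringData section of the Shell Link format (MS-SHLLINK) to recover the shortcut's target and command-line arguments, then flags shortcuts that reference AutoIt or a common living-off-the-land binary. The archive, its file names and the AutoIt3.exe / Invoice.au3 target are constructed for the demonstration, not indicators from the campaign.

```python
import io
import re
import struct
import zipfile

# MS-SHLLINK LinkFlags bits needed to locate and decode the StringData section.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Targets/arguments worth flagging: the AutoIt interpreter and script extensions
# (the technique described in the article) plus a few frequently abused LOLBins.
SUSPICIOUS = re.compile(r"autoit3|\.au3\b|\.a3x\b|powershell|mshta|wscript|cmd\.exe", re.I)


def _read_string(buf, pos, unicode):
    """Read one StringData entry: 2-byte char count, then the chars (no terminator)."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le", "replace"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(data):
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76  # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (its first field is its total size)
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[name], pos = _read_string(data, pos, unicode)
    return fields


def scan_zip(zip_bytes):
    """Flag .lnk members whose target or arguments reference AutoIt or another LOLBin."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError as e:
                findings.append((info.filename, f"unparsable: {e}"))
                continue
            cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).strip()
            if SUSPICIOUS.search(cmd):
                findings.append((info.filename, cmd))
    return findings


def build_lnk(relative_path, arguments):
    """Build a minimal Unicode .lnk carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (76 - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body


def build_sample_zip():
    """Constructed lure archive: a decoy document, a harmless shortcut, and a malicious one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Readme.lnk", build_lnk(r".\Readme.txt", ""))
        # Double extension: Explorer hides ".lnk", so this renders as "Invoice.pdf".
        zf.writestr("Invoice.pdf.lnk",
                    build_lnk(r".\Document\AutoIt3.exe", r".\Document\Invoice.au3"))
    return buf.getvalue()


if __name__ == "__main__":
    for name, detail in scan_zip(build_sample_zip()):
        print(f"SUSPICIOUS {name}: {detail}")
```

The parser deliberately stops after StringData; real lures often carry a LinkTargetIDList pointing at a system binary and put the payload path only in the arguments, which is why both the relative path and the arguments are concatenated before matching. Treat an unparsable .lnk as a finding too, since malformed headers are a common evasion.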