North Korea hackers used KakaoTalk in spear-phishing campaign, report says
Publish Date: 2026-03-16 04:02:00
Source Domain: www.upi.com
SEOUL, March 16 (UPI) — North Korea-linked hackers carried out a spear-phishing campaign that used the popular South Korean messaging platform KakaoTalk to spread malware and steal sensitive information, according to a cybersecurity report released Monday.
The campaign was attributed to the Konni advanced persistent threat group and detailed in an analysis by the South Korean cybersecurity firm Genians Security Center.
Researchers said the attackers initially targeted victims with spear-phishing emails offering what appeared to be an appointment as a lecturer on North Korean human rights issues. The emails contained a malicious shortcut file that, when executed, installed remote-access malware on the victim’s computer.
The operation stood out for its use of compromised victims to help spread the attack, creating what researchers described as a “trust-based propagation chain that leveraged existing victims as intermediaries for further intrusions.”
“This campaign is assessed as a multi-stage operation that extends beyond simple spear-phishing, combining long-term persistence, information theft and account-based redistribution,” the report said.
Genians said Konni shares overlapping targets and infrastructure with other North Korea-linked threat groups, including Kimsuky and APT37, which have been tied to cyber espionage, surveillance and influence operations targeting South Korean government agencies, researchers and civil society groups.
Once inside the system, the hackers collected internal documents and other data while maintaining persistent access to the compromised machine.
Investigators found the attackers also gained control of the victim’s KakaoTalk desktop session and used contacts in the victim’s friend list to distribute malicious files to additional targets — a key step that allowed the campaign to expand.
“A notable feature of this campaign is that, after gaining unauthorized access to the victim’s KakaoTalk PC session, the attacker used selected contacts from the victim’s friend list to redistribute the malicious file,” the report said.
The attackers used messages framed as planning topics for North Korea-related video content to capture recipients’ interest, turning existing victims into new distribution channels, according to the researchers.
In January, Genians reported that the same group carried out spear-phishing attacks impersonating human rights organizations and financial institutions in an effort to compromise computers and harvest sensitive data.
The findings come as North Korea, under heavy international sanctions, has increasingly turned to hacking and cybertheft to help bankroll its nuclear and ballistic missile programs.
An October report by the 11-country Multilateral Sanctions Monitoring Team described North Korea’s cybercrime apparatus as “a full-spectrum national program operating at a sophistication approaching the cyber programs of China and Russia.”
The report added that “nearly all the DPRK’s malicious cyber activity, cybercrime, laundering and IT work is carried out under the supervision, direction and for the benefit of entities sanctioned by the United Nations for their role in the DPRK’s unlawful WMD and ballistic missile programs.”
The Democratic People’s Republic of Korea is the official name of North Korea.
In November, the U.S. Treasury Department said North Korea had stolen more than $3 billion over the previous three years through attacks on financial systems and cryptocurrency platforms.
Washington has moved to disrupt the North’s other cyber-enabled revenue streams. On Friday, the Treasury Department imposed sanctions on individuals and entities accused of helping North Korean information technology workers obtain remote jobs using stolen identities and fraudulent documentation, with earnings funneled back to Pyongyang.