Konni Hackers Turn Google’s Find Hub Into A Remote Data-wiping Weapon

The North Korea-affiliated threat actor known as Konni (aka Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia) has been attributed to a new set of attacks targeting both Android and Windows devices for data theft and remote control.

"Attackers impersonated psychological counselors and North Korean human rights activists, distributing malware disguised as stress-relief programs," the Genians Security Center (GSC) said in a technical report.

What's notable about the attacks targeting Android devices is also the destructive ability of the threat actors to exploit Google's asset tracking services Find Hub (formerly Find My Device) to remotely reset victim devices, thereby leading to the unauthorized deletion of personal data. The activity was detected in early September 2025.

The development marks the first time the hacking group has weaponized legitimate management functions to remotely reset mobile devices. The activity is also preceded by an attack chain in which the attackers approach targets via spear-phishing emails to obtain access to their computers, and leverage their logged-in KakaoTalk chat app sessions to distribute the malicious payloads to their contacts in the form of a ZIP archive.

The spear-phishing emails are said to mimic legitimate entities like the National Tax Service to deceive recipients into opening malicious attachments to deliver remote access trojans like Lilith RAT that can remotely commandeer compromised machines and deliver additional payloads.

"The threat actor stayed hidden in the compromised computer for over a year, spying via the webcam and operating the system when the user was absent," GSC noted. "In this process, the access obtained during the initial intrusion enables system control and additional information collection, while evasion tactics allow long-term concealment."

The deployed malware on the victim's computer allows the threat actors to carry out internal reconnaissance and monitoring, as well as exfiltrate victims' Google and Naver account credentials. The stolen Google credentials are then used to log in to Google's Find Hub and initiate a remote wipe of their devices.

In one case, the attackers have been found to sign into a recovery email account registered under Naver, delete security alert emails from Google, and empty the inbox's trash folder to cover up traces of the nefarious activity.

The ZIP file propagated via the messaging app contains a malicious Microsoft Installer (MSI) package ("Stress Cl

Source: The Hacker News