Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware

Summary

North Korean threat actor Konni deployed EndRAT malware through spear-phishing emails disguised as North Korean human rights lecturer notices, then abused compromised victims' KakaoTalk accounts to propagate malware to their contacts. The campaign demonstrates sophisticated multi-stage attacks combining persistence, data theft, and social engineering to turn victims into unwitting distribution vectors.

Full text

Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware Ravie LakshmananMar 17, 2026Threat Intelligence / Endpoint Security North Korean threat actors have been observed sending phishing to compromise targets and obtain access to a victim's KakaoTalk desktop application to distribute malicious payloads to certain contacts. The activity has been attributed by South Korean threat intelligence firm Genians to a hacking group referred to as Konni. "Initial access was achieved through a spear-phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer," the Genians Security Center (GSC) noted in an analysis. "After the spear-phishing attack succeeded, the victim executed a malicious LNK file, resulting in infection with remote access malware. The malware remained concealed and persistent on the victim's endpoint for an extended period, stealing internal documents and sensitive information." The threat actor is said to have remained on the compromised host for an extended period of time, leveraging the unauthorized access to siphon internal documents and make use of the KakaoTalk application to selectively propagate the malware to specific contacts. The attack is notable for abusing the trust associated with compromised victims to deceive and ensnare additional targets. This is not the first time Konni has employed the messaging app as a distribution vector. In November 2025, the hacking group was found abusing signed-in KakaoTalk chat app sessions to send malicious payloads to victims' contacts in the form of a ZIP archive, while simultaneously initiating a remote wipe of their Android devices using stolen Google credentials. The starting point of the latest attack campaign is a spear-phishing email that's used as a ploy to trick recipients into opening a ZIP file attachment containing a Windows shortcut (LNK). Upon execution, the LNK file downloads a next-stage payload from an external server, establishes persistence using scheduled tasks, and ultimately executes the malware, while displaying a PDF decoy document to the user as a distraction mechanism. Written in AutoIt, the downloaded malware is a remote access trojan (RAT) named EndRAT (aka EndClient RAT), which allows the operator to remotely commandeer the compromised host through capabilities like file management, remote shell access, data transfer, and persistence. Further analysis of the infected host has uncovered the presence of various malicious artifacts, including AutoIt scripts corresponding to RftRAT and RemcosRAT, indicating that the adversary deemed the victim as valuable enough to drop multiple RAT families for improved resilience. An important aspect of the attack is the threat actor's abuse of the victim's KakaoTalk application installed on the infected system to distribute malicious files in the form of ZIP files to other individuals in their contact list and deploy the same malware. This essentially turns existing victims into intermediaries for further attacks. "This campaign is assessed as a multi-stage attack operation that extends beyond simple spear-phishing, combining long-term persistence, information theft, and account-based redistribution," Genians said. "The actor selected certain contacts from the victim’s friend list and sent them additional malicious files. In doing so, the attacker used filenames disguised as materials introducing North Korea-related content to induce recipients to open the files." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, data theft, endpoint security, Malware, North Korea, Phishing, Remote Access Trojan, social engineering, Threat Intelligence Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Identity Controls Checklist: Find Missing Protections in Apps

Indicators of Compromise

• malware — EndRAT
• malware — RftRAT
• malware — RemcosRAT
• mitre_attack — T1566.002
• mitre_attack — T1547.005
• mitre_attack — T1041