TZUTC: -0500
MSGID: 1700.consprcy@1:2320/105 2d7b1fc9
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
North Korean hackers hijack Google's Find Hub to find and wipe target devices

Date:
Tue, 11 Nov 2025 23:10:00 +0000

Description:
Hackers look to cover their tracks after stealing sensitive files from 
devices tracked down with Google's Find Hub.

FULL STORY

North Korean threat actors with ties to the government were seen resetting
target Android devices to factory settings to cover their tracks. 

Researchers from Genians said they saw these attacks in the wild, targeting
primarily individuals in South Korea, carried out by a group called KONNI
(named after a remote access tool it is using).

The researchers say KONNI has overlapping targets and infrastructure with 
both Kimsuky, and APT37, known North Korean state-sponsored actors.

Wiping the device

The attack starts on KakaoTalk messenger, one of the most popular instant 
chat messaging platforms in the country, where KONNIs agents impersonate
trusted entities like the National Tax Service, or the police. 

During the conversation, they send a digitally signed MSI file (or a ZIP
archive with it) which, if the victim runs it, launches a script that
ultimately downloads different malware modules, including RemcosRAT,
QuasarRAT, and RftRAT. 

These RATs harvest all sorts of information from the compromised device,
including Google and Naver account credentials which are then used to log 
into the victims Google account. 

From there, they access Google Find Hub, a built-in tool that lets users
remotely locate, lock, or wipe their devices, and use it not only to view all
other registered Android devices, but also to track the victims location. 

When they see the victim out and about, and unable to quickly address an
attack, they send remote factor reset commands to all devices, erasing data,
disabling alerts, and disconnecting the victim from the KakaoTalk PC 
sessions. The wipe is done three times. 

With the mobile device wiped but the KakaoTalk PC session still active, the
hackers use the compromised computer to send malicious files to the victims
contacts, spreading the infections further. 

The motive behind the attack is unknown at the time, but state-sponsored
threat actors are usually engaged in cyber-espionage and disruption. 

 Via BleepingComputer 

======================================================================
Link to news story:
https://www.techradar.com/pro/security/north-korean-hackers-hijack-googles-fin
d-hub-to-find-and-wipe-target-devices

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426