thehackernews.com 3/17/2026, 10:37:10 AM

Konni Deploys EndRAT Through Phishing, Uses KakaoTalk to Propagate Malware

North Korean threat actors, identified by South Korean threat intelligence firm Genians as Konni, have been observed sending phishing emails to compromise targets and gain access to a victim’s KakaoTalk desktop application, which they then use to distribute malicious payloads to the victim’s contacts. According to Genians, initial access was achieved via a spear-phishing email disguised as a notice appointing the recipient as a North Korean human rights lecturer, after which execution of a malicious LNK file led to a remote access malware infection.

The operation is said to maintain persistence on the infected host for an extended period, siphoning internal documents and using KakaoTalk to selectively propagate the malware to specific contacts. The campaign is not the first time Konni has used KakaoTalk as a distribution vector; in November 2025 they were found abusing signed-in KakaoTalk chat sessions to send malicious payloads in ZIP form while attempting to wipe Android devices using stolen Google credentials.

The downloaded Windows-based payload, named EndRAT (also EndClient RAT), enables remote control with capabilities including file management, remote shell, data transfer and persistence.

Article by CyberSIXT