Konni Hackers Exploit Google’s Find Hub for Data Theft and Remote Control Attacks


By Tina Reynolds

This recent attack is the latest in a campaign of sophisticated cyberattacks by Konni, a North Korea-affiliated threat actor, aimed directly at Android and Windows devices. In early September 2025, the group carried out coordinated attacks focused on data extraction and remote manipulation, a significant step up in Konni’s arsenal. The group is also tracked under several other names, including Earth Imp, Opal Sleet, Osmium, TA406 and Vedalia.

These attacks are multi-stage rather than a single-layer approach. First, a JavaScript file named “themes.js” contacts infrastructure that is entirely under the attackers’ control. From there, it downloads second-stage JavaScript code that can run commands on the machine, exfiltrate data, and download a third-stage Java payload. Malware analysts later found that Konni’s ruse is to use an empty Word document as a decoy; the document gives the target a reason to open the file, and in doing so the target launches the malware themselves.

Technical Details of the Attack

Konni’s malware works by establishing a connection to a command-and-control (C2) server over HTTPS. Once the backdoor is set up, the malware enters an infinite loop in which it waits for commands and executes them, which also allows it to download encrypted payloads and run them. This recently discovered malware has been dubbed EndRAT, or EndClient RAT. It supports a broad command set, including shellStart, shellStop, refresh, list, goUp, download, upload, run and delete.
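One way a defender could hunt for the chain described above, a JavaScript stage run by a script host that then launches shell commands and a Java payload, as an added example that is not from the original report or from any vendor named in it; the event format, field names, process names and file paths are constructed assumptions for this illustration:

```python
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry); the field
# names "pid", "ppid", "image" and "cmdline" are assumptions of this example.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",
     "cmdline": r"winword.exe C:\Users\alice\Downloads\lure.docx"},
    {"pid": 300, "ppid": 100, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\alice\AppData\Local\Temp\themes.js"},
    {"pid": 400, "ppid": 300, "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"pid": 500, "ppid": 300, "image": "java.exe",
     "cmdline": r"java.exe -jar C:\Users\alice\AppData\Roaming\stage3.jar"},
    # Benign control: a vendor script outside user-writable paths, no children.
    {"pid": 600, "ppid": 100, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Program Files\Vendor\setup.js"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
SHELLS = {"cmd.exe", "powershell.exe"}
JAVA = {"java.exe", "javaw.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def find_js_stage_chains(events):
    """Return one finding per script-host process that ran a .js file from a
    user-writable path and then spawned a shell and/or a Java process."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        cmd = e["cmdline"].lower()
        if e["image"].lower() not in SCRIPT_HOSTS or ".js" not in cmd:
            continue
        if not any(p in cmd for p in USER_WRITABLE):
            continue  # script launched from a protected location; skip
        kids = {c["image"].lower() for c in children[e["pid"]]}
        spawned_shell = bool(kids & SHELLS)
        spawned_java = bool(kids & JAVA)
        if spawned_shell or spawned_java:
            findings.append({"pid": e["pid"], "cmdline": e["cmdline"],
                             "shell": spawned_shell, "java": spawned_java,
                             "severity": "high" if spawned_java else "medium"})
    return findings


if __name__ == "__main__":
    for finding in find_js_stage_chains(EVENTS):
        print(finding)
```

Only the themes.js process (pid 300) is flagged, because it both came from a user-writable path and spawned a shell and a Java child; the vendor script is ignored.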

Security researchers have also seen Konni use an AutoIt script to deploy Remcos RAT v7.0.4, illustrating the group’s ongoing efforts to refine its malware arsenal and adapt its methods to evade detection. The C2 infrastructure linked to Konni is still operational, showing that the threat has not been fully neutralized.

“This attack did not exploit any security flaw in Android or Find Hub. The report indicates this targeted attack required PC malware to be present in order to steal Google account credentials and abuse legitimate functions in Find Hub,” – Google spokesperson.

Deceptive Tactics and Spear Phishing Campaigns

Recently, Konni has adopted increasingly deceptive tactics to make its attacks more effective. The latest reports document attackers impersonating mental health counselors and North Korean human rights defenders, spreading malware disguised as stress-relief applications. This targeted manipulation is designed to exploit the trust of potential victims and get past their defenses.

The choice of bait, an empty Word document, has drawn considerable attention in the cybersecurity research community. One expert remarked on the document’s deceptive nature:

“Since the Word document is empty and does not run any macros in the background, it may be a lure,” – Pulsedive Threat Research.

As another security analyst pointed out, the specificity of the lure documents was telling: it indicates a focused spear phishing effort likely aimed at specific individuals or groups.

“The actor’s use of highly specific lure documents indicates that this is a targeted spear phishing campaign,” – ENKI.

Ongoing Threat Assessment

Despite the technical sophistication of these attacks, there are as yet no confirmed reports of victims. Experts caution, however, that Konni’s C2 infrastructure is very much alive, so the campaign could continue or resume at any time.

“Although there are no reports of victims so far, the C2 infrastructure remains active at the time of this publication,” – ENKI.

Konni has been described as a persistent and ongoing threat to users of both Android and Windows devices. The Genians Security Center (GSC) uncovered a further troubling detail about Konni’s behavior: the threat actor remained dormant inside compromised systems for extended periods before acting.

“The threat actor stayed hidden in the compromised computer for over a year, spying via the webcam and operating the system when the user was absent,” – GSC.

In light of these findings, cybersecurity experts are stressing the need for awareness and preemptive action against threats like these. Users are encouraged to remain wary of unexpected messages and to apply strong security measures to protect their devices.