
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,943 of 2,445   
   Mike Powell to All   
   North Korean hackers hija   
   13 Nov 25 08:54:45   
   
   TZUTC: -0500   
   MSGID: 1700.consprcy@1:2320/105 2d7b1fc9   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   North Korean hackers hijack Google's Find Hub to find and wipe target devices   
      
   Date:   
   Tue, 11 Nov 2025 23:10:00 +0000   
      
   Description:   
   Hackers look to cover their tracks after stealing sensitive files from    
   devices tracked down with Google's Find Hub.   
      
   FULL STORY   
      
   North Korean threat actors with ties to the government were seen resetting   
   target Android devices to factory settings to cover their tracks.    
      
   Researchers from Genians said they saw these attacks in the wild, targeting   
   primarily individuals in South Korea, carried out by a group called KONNI   
   (named after a remote access tool it is using).   
      
   The researchers say KONNI has overlapping targets and infrastructure with    
   both Kimsuky, and APT37, known North Korean state-sponsored actors.   
      
   Wiping the device   
      
   The attack starts on KakaoTalk messenger, one of the most popular instant
   chat messaging platforms in the country, where KONNI's agents impersonate
   trusted entities like the National Tax Service or the police.
      
   During the conversation, they send a digitally signed MSI file (or a ZIP   
   archive with it) which, if the victim runs it, launches a script that   
   ultimately downloads different malware modules, including RemcosRAT,   
   QuasarRAT, and RftRAT.    
      
   These RATs harvest all sorts of information from the compromised device,
   including Google and Naver account credentials, which are then used to log
   into the victim's Google account.
      
   From there, they access Google Find Hub, a built-in tool that lets users
   remotely locate, lock, or wipe their devices, and use it not only to view all
   other registered Android devices, but also to track the victim's location.
      
   When they see the victim out and about, and unable to quickly address an
   attack, they send remote factory reset commands to all devices, erasing data,
   disabling alerts, and disconnecting the victim from the KakaoTalk PC
   sessions. The wipe is done three times.
      
   With the mobile device wiped but the KakaoTalk PC session still active, the
   hackers use the compromised computer to send malicious files to the victim's
   contacts, spreading the infections further.
      
   The motive behind the attack is unknown at the time, but state-sponsored   
   threat actors are usually engaged in cyber-espionage and disruption.    
      
    Via BleepingComputer    
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/north-korean-hackers-hijack-googles-find-hub-to-find-and-wipe-target-devices
      
   $$   
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 633/280 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      



(c) 1994,  bbs@darkrealms.ca