Current Cyber Threats

State-Sponsored Remote Wipe Tactics Targeting Android Devices

Summary:
A recent campaign linked to North Korean threat actors is abusing Google’s Find Hub to track and remotely wipe the Android devices of targeted South Koreans. The operation, attributed to the KONNI activity cluster, which overlaps with APT37 (ScarCruft) and Kimsuky (Emerald Sleet), relies on credential theft rather than exploiting any Google or Android vulnerabilities. According to South Korean cybersecurity firm Genians, the campaign begins with spear-phishing messages on KakaoTalk impersonating South Korean government agencies. Once victims execute a malicious MSI or ZIP attachment, the infection chain drops AutoIT-based scripts that establish persistence and install RATs such as RemcosRAT, QuasarRAT, and RftRAT to harvest Google and Naver credentials. The attackers then log into victims’ Google accounts, access Find Hub, and use its legitimate remote reset function to factory-wipe devices, erasing evidence and isolating targets. This disables KakaoTalk mobile alerts, allowing threat actors to hijack PC sessions and propagate further malicious files to contacts.

On November 11th, a Google spokesperson confirmed that this activity did not exploit any security flaw in Android or Find Hub. The campaign required the presence of PC malware to steal Google credentials and misuse legitimate Find Hub functionality. Google strongly encourages users to enable 2-Step Verification or passkeys, and for high-risk users, to enroll in the Advanced Protection Program for the company’s highest level of account security.


Security Officer Comments:
This campaign reflects the evolution of North Korean cyber operations toward abusing trusted, cloud-based services instead of exploiting zero-days. By leveraging legitimate tools and valid credentials, the attackers effectively “live off the cloud,” complicating detection and response. The repeated remote wipes serve two purposes: forensic destruction and operational disruption. Together these effectively silence victims and hinder remediation. The targeting of counselors assisting North Korean defectors suggests strategic intent beyond financial gain, emphasizing psychological impact and surveillance value.


Suggested Corrections:
Enable multi-factor authentication or Google passkeys to prevent credential-based abuse of Find Hub. Avoid downloading or opening unsolicited attachments from messaging platforms, even from trusted contacts, without verification. Implement endpoint detection and response capable of identifying AutoIT-based persistence and remote access tools such as RemcosRAT and QuasarRAT. Regularly review Google account device and session logs for anomalous access or wipe activity. Encourage users to enroll in Google’s Advanced Protection Program, especially those in high-risk roles. Finally, security teams should enhance phishing awareness training focused on localized lures impersonating South Korean government entities.
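The endpoint recommendation above (detecting AutoIt-based persistence) is the one that lends itself to a concrete check. The following is an added example written for this brief, not code from the bulletin or from Genians or Google. It runs a small heuristic over constructed endpoint events whose field names mimic Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) records; the schema, host names, paths and process IDs are assumptions made for illustration. The logic flags an AutoIt interpreter (by image name or original PE file name, so renamed copies are still caught) or a .au3/.a3x script launched from a user-writable directory, and flags a Run-key write made by a process already identified as AutoIt.

```python
"""Heuristic detection of AutoIt-based persistence in endpoint telemetry.

Added example, not from the original brief or the cited reporting. The event
records below are constructed; the field names mimic Sysmon-style process
(EventID 1) and registry (EventID 13) events but are assumptions, not a
specific product's schema.
"""
import re
from dataclasses import dataclass, field

# Interpreter names AutoIt ships with; .au3 is the script format, .a3x the
# compiled-script format. A renamed interpreter still carries the original
# name in its PE version info, which Sysmon exposes as OriginalFileName.
AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_EXT = re.compile(r"\.(au3|a3x)\b", re.IGNORECASE)
# User-writable locations an MSI/ZIP dropper stage would typically unpack into
# (assumption for this example).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    reason: str
    event: dict = field(repr=False)


def is_autoit_process(ev: dict) -> bool:
    """True if the image is an AutoIt interpreter or the command line names a script."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    orig = ev.get("OriginalFileName", "").lower()
    return (image in AUTOIT_IMAGES or orig in AUTOIT_IMAGES
            or bool(SCRIPT_EXT.search(ev.get("CommandLine", ""))))


def detect(events: list[dict]) -> list[Finding]:
    """Return findings for AutoIt launched from user-writable paths and for
    Run-key persistence written by an AutoIt process seen earlier on the host."""
    findings: list[Finding] = []
    autoit_pids: dict[tuple[str, int], dict] = {}  # (host, pid) -> process event
    for ev in events:
        host = ev.get("Host", "?")
        if ev.get("EventID") == 1 and is_autoit_process(ev):
            autoit_pids[(host, ev["ProcessId"])] = ev
            if (USER_WRITABLE.search(ev.get("Image", ""))
                    or USER_WRITABLE.search(ev.get("CommandLine", ""))):
                findings.append(Finding(
                    host, "AutoIt interpreter or script launched from user-writable path", ev))
        elif ev.get("EventID") == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            # Registry Run-key write attributed to a process already flagged as AutoIt
            if (host, ev.get("ProcessId")) in autoit_pids:
                findings.append(Finding(host, "Run-key persistence written by AutoIt process", ev))
    return findings


# Constructed sample telemetry (not real IoCs): one benign developer use of the
# installed interpreter, one renamed interpreter in Temp that then persists,
# and one unrelated Run-key write by a legitimate installer.
SAMPLE_EVENTS = [
    {"Host": "WS01", "EventID": 1, "ProcessId": 4010,
     "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" C:\dev\build.au3'},
    {"Host": "WS02", "EventID": 1, "ProcessId": 5120,
     "Image": r"C:\Users\kim\AppData\Local\Temp\update\winupd.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Users\kim\AppData\Local\Temp\update\winupd.exe" conf.a3x'},
    {"Host": "WS02", "EventID": 13, "ProcessId": 5120,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\kim\AppData\Local\Temp\update\winupd.exe conf.a3x"},
    {"Host": "WS01", "EventID": 13, "ProcessId": 7777,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.host, "-", f.reason)
```

Run against the constructed events, only host WS02 produces findings: the interpreter launch from AppData and the subsequent Run-key write. The developer's AutoIt run from Program Files and the vendor installer's Run-key entry are left alone, which is the distinction a rule like this has to make to be usable on real fleets; correlating the registry write to a previously flagged process ID is what keeps the Run-key half of the rule from firing on every installer.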

Link(s):
https://www.bleepingcomputer.com/ne...ogle-find-hub-in-android-data-wiping-attacks/