Europol-led Operation Endgame seizes 1,025 servers and arrests a key suspect in Greece, disrupting three major global malware and hacking tools, including Rhadamanthys, VenomRAT and Elysium botnet.

In a massive global operation called Operation Endgame, police forces have taken down the core systems of three major online crime groups, including the Rhadamanthys infostealer, the VenomRAT remote control tool, and the Elysium botnet.

The operation took place between November 10 and 13, 2025, and was managed from Europol’s main office in The Hague, Netherlands. The operation was also supported by Eurojust, the European Union’s judicial cooperation agency.

****Key Arrests and Network Takedown****

This joint action involved law enforcement and legal teams from 11 nations, including Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States.

Authorities also had support from more than 30 organisations, including cybersecurity firms like Proofpoint, CrowdStrike, and Bitdefender, which led to the seizure of 11 malicious domains and the shutdown of over 1,025 servers used by cyber criminals to run malware globally.

Seizure notice (Screenshot: Europol)

Additionally, authorities conducted 11 searches across locations in Germany, Greece, and the Netherlands, and arrested a key suspect linked to the VenomRAT operation in Greece on November 3, 2025.

According to Europol’s press release, further probing revealed the astounding scale of the crime. The systems that were taken down had infected hundreds of thousands of computers, resulting in several million stolen login details.

Europol noted that many victims were not even aware their systems were compromised. The main suspect behind the Rhadamanthys infostealer had access to over 100,000 cryptocurrency wallets, possibly worth millions of euros.

Operation Endgame video shared by authorities

****The Fight Continues****

This Operation Endgame, as we know it, is part of a bigger, ongoing effort. Hackread.com has followed this fight from the start, reporting on past actions against other hacking tools. This includes the massive May 2024 takedown that hit dropper tools like Smokeloader, IcedID, and Bumblebee, and the disruption of the DanaBot network in May 2025.

Back in April 2025, authorities arrested criminal customers who paid to use the now-defunct Smokeloader service. This shows that authorities are not just going after the big criminals, but also the people who pay to use their services.

If you are worried that your computer might be infected, police urge you to use free tools like politie.nl/checkyourhack to check your status.

Operation Endgame Hits Rhadamanthys, VenomRAT, Elysium Malware, seize 1025 servers

CVE 2025 42887 vulnerability, rated 9.9, allows code injection through Solution Manager giving attackers full SAP control urgent patch needed to block system takeover.

Cybersecurity researchers are issuing an alert regarding a major security vulnerability discovered in SAP systems. This vulnerability, rated an extremely high 9.9 out of 10 in severity, could potentially let cyber attackers take complete control over a company’s SAP network and all the sensitive data it holds.

The discovery came from the SecurityBridge Threat Research Labs, a specialised team dedicated to identifying weaknesses in SAP security. As we know it, SAP software is the crucial backbone for countless businesses worldwide, handling critical functions like finance and logistics. This means any major security vulnerability presents a massive, immediate risk.

****Code Injection Threat Explained****

The most severe problem found by the SecurityBridge team is known as Note 3668705 (CVE-2025-42887), which affects SAP Solution Manager. This specific component is a powerful tool used to manage other SAP systems.

The issue is a Code Injection vulnerability, meaning an attacker can misuse a remote feature to sneak in malicious programming code. Once the code is successfully injected, it results in a total system compromise.

Joris van de Vis, the Director of Security Research at SecurityBridge, emphasised the severe nature of the threat in the blog post shared with Hackread.com. He noted that this flaw is “particularly dangerous because it allows to injection of code from a low-privileged user, which leads to a full SAP compromise and all data contained in the SAP system.”

****Patching Must Be Immediate****

This critical vulnerability was part of 25 new and updated SAP Security Notes released on the company’s November Patch Day, November 11, 2025. This month’s fixes included four notes in the highest-priority HotNews category.

SAP’s patch release included a second max-severity flaw (CVE-2025-42890, a perfect 10.0/10) related to hardcoded login details in the SQL Anywhere Monitor tool. Another HotNews fix (Note 3647332) was an update for an issue in SAP SRM. There were also two patches in the important High-Priority category, including one (Note 3633049) for a memory flaw in SAP CommonCryptoLib, used for encryption tasks.

A public fix (patch) has been released for CVE-2025-42887. While this solves the problem, the release of the patch also gives cybercriminals the information they need to try and copy the attack, which could speed up exploit development. Therefore, all organisations using SAP are strongly advised to install this patch immediately.

Furthermore, even older software is seeing updates: four fixes were released for the SAP Business Connector, a tool many integration specialists may remember. The SecurityBridge team also found two other issues addressed in the November patches: a Medium priority vulnerability (Note 3643337) and a Low priority one (Note 3634053).

The firm gave its own customers an advanced warning about these discoveries on October 30, 2025, advising them to update their security protections before the public disclosure.

SAP Pushes Emergency Patch for 9.9 Rated CVE-2025-42887 After Full Takeover Risk

Q3 showed sharp growth in malware activity as Lumma AgentTesla and Xworm drove access and data theft forcing SOC teams toward quicker behavior checks

_Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings._

The third quarter of 2025 saw a concerning evolution in the malware landscape. The latest ANY.RUN Malware Trends quarterly report confirms a clear pattern: threat actors are prioritising fast monetisation and initial access operations.

The number of threats investigated in ANY.RUN’s Sandbox grew by 21.6% since Q2, compared to 9.8% growth between Q1 and Q2.

Malicious verdicts increased by 18%. The sandbox extracted 32.8% more IOCs than in Q2, respectively enriching threat data available via Threat Intelligence Lookup and TI Feeds.

****The Three Top Threats SOC Teams Must Watch****

Three malware families dominate the threat landscape due to their ability to quickly monetise stolen data and establish remote control:

**Malware Family**

**Q3 Sandbox detections**

**Type**

**Primary Objective**

Lumma

9,664

Stealer

Remote access, payload delivery, and file manipulation

AgentTesla

5,337

Stealer/RAT

Keylogging, clipboard/email creds, data exfiltration.

Xworm

5,085

RAT

Remote access, payload delivery, file manipulation

Top malware families by ANY.RUN’s Sandbox detections in Q3

Analysts must adapt by reducing triage time, switching from signature-based detection to behaviour-based detection, and enriching indicators with real-time threat context.

****1\. Lumma Stealer – Credential Monetisation at Scale****

Lumma Stealer is currently the most active and prevalent malware family observed in the report. It specialises in stealing sensitive data from endpoints, focusing on browser-stored credentials, cryptocurrency wallets, form autofill data, saved credit cards, and session cookies. Lumma is particularly aggressive in industries such as finance and commerce in Europe and North America, where the stolen data has the highest monetary value.

For organisations, a single Lumma infection can result in corporate account compromise, lateral movement through SaaS access, and asset theft without triggering traditional ransomware alarms.

Lumma’s operators consistently update their infrastructure, rotating malicious domains and other C2 inventory. Threat Intelligence Lookup allows analysts to extract IOCs from the most recent sandbox sessions where Lumma samples were detonated and fuel detection and response systems. threatName:”Lumma” and domainName:””

Recently detected Lumma domains found via TI Lookup

****Where ANY.RUN’s Threat Intelligence Lookup Fits In****

TI Lookup is a real-time threat investigation platform that enriches indicators with context, not just reputation scores. It aggregates fresh IOCs, IOAs, and behaviour patterns (IOBs) directly from malware detonations performed in ANY.RUN’s Interactive Sandbox, powered by data contributed by more than 15,000 enterprise SOCs and security teams across multiple industries.

This gives analysts access to threat intelligence captured from real attacks happening right now, not stale feeds or public blocklists.

Besides the context, it enables analysts to reduce triage time, raise detection accuracy, and retain confidence in their decisions. For business, the key objectives gained are analyst efficiency and better judgment, faster MTTR, and measurable ROI.

In short, TI Lookup turns threat intelligence into operational efficiency: less time spent investigating means more time preventing breaches.

****2\. AgentTesla – activity doubled quarter-over-quarter****

AgentTesla is a widely distributed credential stealer and remote access tool (RAT) with a multilayered set of functions, including keylogging, clipboard monitoring, credential extraction from browsers and email clients, and exfiltration via SMTP or HTTP.

The malware has recently seen a sharp increase in activity, doubling quarter-to-quarter. It is particularly common in industries with large numbers of external communications, transportation, logistics, and education. Its operational simplicity and low barrier to entry make it popular among less sophisticated cybercriminal groups.

Use Threat Intelligence Lookup to instantly check network artefacts and spot AgentTesla in your network.

domainName:”mail.funworld.co.id”

Domain proven to be associated with AgentTesla campaigns via TI Lookup

Explore the linked sandbox sessions to observe AgentTesla’s attack chain and behaviour patterns:

View analysis

AgentTesla detonation in ANY.RUN’s Sandbox

****3\. Xworm (RAT) – modular, covert, highly scalable****

Xworm is a flexible, modular remote access Trojan, is often used as the first foothold in an intrusion, where it serves as a launcher for other malware, including stealers and ransomware. After execution, Xworm enables remote command execution, file manipulation, keylogging, surveillance, and exfiltration. It supports multiple communication channels, including C2 tunnelling through legitimate cloud services, which complicates detection.

Xworm infections are especially dangerous for organisations because the malware acts as a bridge to full compromise. The malware actively targets manufacturing, tourism, and healthcare: industries where business disruption can have immediate operational consequences.

Xworm samples added and analysed by sandbox users from Colombia

****To sum up:****

*   Lumma steals access.
*   AgentTesla steals communications.
*   Xworm turns those stolen credentials into full control of the environment.

****Conclusion****

As Q4 2025 unfolds, Lumma Stealer, AgentTesla, and Xworm RAT will continue to evolve, adopting new evasion techniques and targeting mechanisms to bypass traditional defences.

For SOC analysts, the challenge isn’t just detecting these threats: it’s responding fast enough to minimise impact. The difference between a contained incident and a major breach often comes down to how quickly you can identify what you’re dealing with and implement the right countermeasures.

ANY.RUN’s Threat Intelligence Lookup bridges this critical gap, transforming unknown indicators into actionable intelligence within seconds. By combining comprehensive threat data with interactive analysis capabilities, it empowers your team to move from reactive detection to proactive defence.

The threat landscape will only grow more complex. Ensure your SOC has the intelligence infrastructure to stay one step ahead.

Stop paying for data without context – get visibility that drives decisions.  
Choose your plan for intel sourced from 15K+ real SOCs

Top 3 Malware Families in Q4: How to Keep Your SOC Ready

New York, New York, 13th November 2025, CyberNewsWire

**New York, New York, November 13th, 2025, CyberNewsWire**

BreachLock, a global leader in offensive security, just announced a powerful new integration with Vanta, the leading AI-powered trust management platform, enabling organizations to push security validation evidence directly into compliance workflows with a single click. 

This integration bridges the gap between continuous security testing and compliance by allowing mutual customers to connect the BreachLock Unified Platform to their Vanta environment. Users can automatically send security evidence from the BreachLock Unified Platform, including penetration testing reports, adversarial exposure validation (AEV) results, attack surface management (ASM) results, and more, into the appropriate Vanta control folders, eliminating manual uploads and user errors while significantly reducing audit preparation time. 

> Commenting on the addition of this integration, BreachLock Founder & CEO expressed, “Our clients shouldn’t have to waste time manually transferring evidence between BreachLock and Vanta,” adding, “This integration ensures that our mutual customers’ security findings are always audit-ready and aligned with frameworks like SOC 2 and ISO 27001 within their Vanta environments, effortlessly.” 

> “At Vanta, our mission is to support companies regardless of their tech stack,” said Chris Morris, Staff Product Manager at Vanta. “We’re excited for BreachLock’s integration and to support our mutual customers!” 

The BreachLock Unified Platform supports modern Continuous Threat Exposure Management (CTEM) programs by unifying all CTEM-aligned tools and solutions modern security teams need, including both autonomous and human-led Penetration Testing as a Service (PTaaS), Adversarial Exposure Validation (AEV) for autonomous red teaming, and Attack Surface Management (ASM). This unified approach enables organizations to continuously discover, validate, and remediate exposures across their entire internal and external environments, including web, API, network, mobile, cloud assets, and more. 

With the new BreachLock x Vanta integration, organizations can maintain always-current compliance evidence across all attack surfaces, supporting continuous security and compliance alignment. 

**Key Benefits of the Integration Include** 

*   One-click evidence transfers from BreachLock to Vanta. 
*   Automatic alignment with SOC 2, ISO 27001, and other controls. 
*   Reduced manual effort and fewer errors during audit preparation. 
*   Continuous compliance support through CTEM and automated testing. 

Setting up the integration is simple; users connect to Vanta directly from the BreachLock Platform and authorize BreachLock within Vanta, following a quick step-by-step setup process outlined in a recent blog post on the integration. 

This collaboration between BreachLock and Vanta marks a significant step forward in unifying offensive security and compliance workflows, helping organizations stay not only secure but audit-ready year-round. 

**About BreachLock**

BreachLock is a global leader in offensive security, delivering scalable and continuous security testing. Trusted by global enterprises, BreachLock provides human-led and AI-powered Attack Surface Management, Penetration Testing as a Service (PTaaS), Red Teaming, and Adversarial Exposure Validation (AEV) solutions that help security teams stay ahead of adversaries. 

With a mission to make proactive security the new standard, BreachLock is shaping the future of cybersecurity through automation, data-driven intelligence, and expert-driven execution.

**Contact**

**Senior Marketing Executive**  
**Megan Charrois**  
**BreachLock**  
**\[email protected\]**

BreachLock and Vanta Bridge the Gap Between Continuous Security Testing and Compliance with New Integration

Singapore, Singapore, 13th November 2025, CyberNewsWire

**Singapore, Singapore, November 13th, 2025, CyberNewsWire**

**Recognition we believe underscores global customer trust and proven product excellence for security teams evaluating NDR solutions**

**ThreatBook**, a global leader in threat intelligence-based cybersecurity solutions, today announced that for its **Threat Detection Platform (TDP)**, it has been recognized as a **Strong Performer** in the 2025 Gartner Peer Insights Voice of the Customer for Network Detection and Response (NDR).

This marks the **third consecutive year** that ThreatBook has received this distinction, which we believe underscores consistent customer satisfaction, product innovation, and operational excellence.

> According to Gartner: “‘Voice of the Customer’ is a document that synthesizes Gartner Peer Insights reviews into insights for buyers of technology and services. This aggregated peer perspective, along with the individual detailed reviews, is complementary to Gartner expert research and can play a key role in your buying process. Peers are verified reviewers of a technology product or service, who not only rate the offering, but also provide valuable feedback to consider before making a purchase decision.”

> “We’re thrilled to be recognized again as a Strong Performer in the Gartner Peer Insights ‘Voice of the Customer’ for NDR,” said Mr. Feng XUE, Chief Executive Officer of ThreatBook. “Our mission is to empower security teams with visibility and precision, especially in the Asia-Pacific region where attacks are becoming more sophisticated and targeted. We believe, this recognition reflects our customers’ trust in ThreatBook TDP’s ability to deliver real detection accuracy and operational resilience.”

**Recognition Driven by Real-World Customer Feedback**

To be included in the report, vendors must meet stringent inclusion criteria and are positioned within four quadrants based on user interest, product experience, and overall satisfaction — covering areas such as product capabilities, support, and delivery.

According to the research: “in the network detection and response market, Gartner Peer Insights published 1,263 reviews and ratings during the consideration period,” with 11 vendors ultimately meeting the inclusion standards. ThreatBook is among the few vendors recognized as a Strong Performer for three consecutive years. **ThreatBook was among the few vendors to meet the full inclusion criteria and achieved 100% of customers willing to recommend ThreatBook TDP, based on 43 overall verified reviews submitted as of Aug 2025.**

Enterprise users from finance, manufacturing, energy, services, and retail sectors across Asia-Pacific, North America, the Middle East, and Europe contributed feedback that rated ThreatBook TDP highly in overall product experience, detection precision, and operational efficiency.

**TDP: Industry Leading Intelligence-Driven Detection and Response**

As the market leader in China’s threat intelligence sector (iResearch, 2024 China Threat Intelligence Industry Development Report), ThreatBook integrates high-fidelity threat intelligence into its detection and response solutions.

ThreatBook TDP is a full-traffic, intelligence-driven NDR platform designed to provide visibility, context, and actionability at scale.

**Key strengths include:**

l **High-Precision Detection** – Built on ThreatBook’s proprietary global and APAC threat intelligence, TDP achieves industry-leading detection accuracy for targeted and advanced attacks.

l **Operational Readiness** – Automatically maps enterprise attack surfaces and reconstructs attack chains from an adversarial perspective for proactive defense.

l **Closed-Loop Response** – Integrates with a broad ecosystem of security tools, supporting automated blocking and orchestration with 99% effectiveness.

l **User-Focused Experience** – Offers an intuitive interface and multi-dimensional analytics to enhance SOC efficiency and decision-making.

**Proven Across Industries and Regions**

Today, ThreatBook TDP is deployed in thousands of leading enterprises across critical industries including finance, energy, power, internet, and smart manufacturing.

It has become a core detection and response system for enterprise and government SOCs, helping them achieve visibility, precision, and proactive defense in dynamic threat environments.

Full review:

https://www.gartner.com/reviews/market/network-detection-and-response/vendor/threatbook/product/threatbook-tdp-ndr/review/view/6146934

Full Review: https://www.gartner.com/reviews/market/network-detection-and-response/vendor/threatbook/product/threatbook-tdp-ndr/review/view/6145510

Gartner, Voice of the Customer for Network Detection and Response, 30 October 2025

\* Disclaimer: GARTNER and PEER INSIGHTS are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

**About ThreatBook**

ThreatBook is a global cybersecurity company specializing in advanced threat intelligence, detection, and response. Founded in 2015, ThreatBook equips enterprises, governments, and service providers with the clarity and context needed to defend against evolving digital risks.

By combining artificial intelligence with deep threat intelligence, ThreatBook delivers real-time visibility, hyper-accurate detections, and early-warning insights against nation-state actors, cybercriminal groups, and emerging attack campaigns. With unique vantage points from across the Asia Pacific region and beyond, ThreatBook provides intelligence coverage that bridges Eastern and Western threat landscapes, offering an unmatched perspective for global defenders.

ThreatBook: Act with Intelligence that Matters. To learn more, visit www.threatbook.io or follow us on LinkedIn.

**Contact**

**Belmont Communications**  
**ThreatBook**  
**\[email protected\]**

ThreatBook Peer-Recognized as a Strong Performer in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response — for the Third Consecutive Year

AI security firm Mindgard discovered a flaw in OpenAI’s Sora 2 model, forcing the video generator to leak…

AI security firm Mindgard discovered a flaw in OpenAI’s Sora 2 model, forcing the video generator to leak its system prompt through audio transcripts. Read how this leak exposed the foundational rules of OpenAI’s video tool. 

A new study by Mindgard, a company specialising in AI security testing, has revealed a surprising way to get OpenAI‘s advanced video creation tool, Sora 2, to reveal its internal rulebook, or system prompt.

This rulebook defines the AI model’s safety limits and operational guidelines. Researchers discovered that asking the multi-talented model to speak its secrets was the most effective approach. This research, shared with Hackread.com, began on November 3, 2025, and was published on November 12, 2025.

****Bypassing the Digital Guardrails****

System prompts are like the brain’s internal guide for a large language model (LLM), telling the AI to “respond normally in all other cases” unless, for instance, it’s asked to generate a video. As we know it, companies program the AI to refuse to share these hidden rules, which are critical for security.

The Mindgard team, led by Aaron Portnoy, Head of Research and Innovation, tried various methods to expose the rules through text, image, video, and audio. Because Sora 2 clips are limited to about 10 to 15 seconds, they had to work in stages, extracting short tokens across many frames and stitching them together later.

When asked to display text in a video, the results were often distorted. The researchers observed that the text began legible but quickly deteriorated as the video played. As the report says, “Moving from text to image to video compounds errors and semantic drift.”

****Audio Was the Breakthrough****

The clearest recovery path was through audio generation. Asking Sora 2 to speak short parts of the prompt allowed them to use transcripts to piece together a nearly complete set of foundational instructions. They even sped up the audio to fit more text into the short clips. The report noted that this method “produced the highest-fidelity recovery.”

This simple trick reconstructed the system prompt, revealing specific internal rules, such as avoiding “sexually suggestive visuals or content.” The researchers noted they recovered a detailed, foundational instruction set from the model, too, which is the model’s core configuration code and suggests they accessed the AI’s secret, developer-set rules.

This process confirms that even with strong safety training, creative prompts can still expose core settings. Multi-modal models like Sora 2 create new security pathways for information leakage through audio and video outputs.

This video, generated by Sora 2, begins with fairly legible text, but quickly deteriorates as playback ensues or as long text is generated (Source: Mindgard)

To address this, Mindgard provided key advice– AI builders should treat system prompts as secret settings, test audio/video outputs for leaks, and limit response length. Conversely, users must ask vendors if rules are private, check that video/audio outputs are protected, and review their overall rule management.

Mindgard Finds Sora 2 Vulnerability Leaking Hidden System Prompt via Audio

Old DarkComet RAT spyware is back, hiding inside fake Bitcoin wallets and trading apps to steal credentials via keylogging.

Cybercriminals are constantly looking for new ways to steal money, and the world of cryptocurrency, especially Bitcoin, has become a major target. Recently, a new piece of old computer spyware, known as DarkComet RAT, was found cleverly hidden inside a file that looked exactly like a legitimate Bitcoin wallet or trading program.

The malware was discovered and analysed by Point Wild’s Lat61 Threat Intelligence Team.  This particular software is a Remote Access Trojan (RAT), which allows a hacker to take full, secret control of a victim’s computer. It’s a highly capable tool, offering features that range from recording every single keystroke you make (keylogging) to stealing files, watching you through your webcam, and even controlling your desktop remotely.

****Disguised and Dangerous****

The DarkComet RAT, which was originally developed back in 2008 but later discontinued by its creator, is still widely available to criminals. The spyware was also mentioned in WikiLeaks’ Vault 7 data leak, which revealed that the American CIA and the Syrian government under President Bashar al-Assad had both used DarkComet to hack the devices of their own citizens.

The latest sample analysed was delivered inside a compressed RAR file, which is a common trick used by attackers to evade security filters and encourage users to open the file themselves. Upon extraction, the file was revealed as an application named “94k BTC wallet.exe”.

Further probing revealed a key detail: the file was “packed” using a technique called UPX. This technique helps the malware remain disguised and much smaller in size, making it harder for simple security tools to detect it before it runs. As we know it, hiding the malicious code this way is a major challenge for computer defences.

****The Attackers’ Goal****

Once a victim is tricked into running the file, the DarkComet RAT immediately begins its attack. It copies itself into a hidden system folder and creates an autostart entry to ensure it loads every time the computer is turned on, successfully achieving persistence.

The malware then attempts to connect to a specific remote location (kvejo991.ddns.net over port 1604) to communicate with the attacker and receive commands. It is worth noting that the central goal of DarkComet was clearly seen in its keylogging activity, where it recorded all of the victim’s keystrokes and saved them in a local folder called dclogs. This is a huge risk, as these logs could easily contain passwords, bank details, or, most critically, the credentials to access Bitcoin wallets, leading directly to financial losses.

Keystroke logs (Point Wild)

This research was shared with Hackread.com. It clearly shows how old malware is being repurposed with modern lures, emphasising the need for all cryptocurrency users to download wallets and trading tools only from verified and trusted sources.

The findings offer a critical warning for anyone involved in digital currency. As Dr. Zulfikar Ramzan, CTO of Point Wild, and Head of the Lat61 Threat Intelligence Team, explains: “Old malware never truly dies – it just gets repackaged. DarkComet’s return inside a fake Bitcoin tool shows how cybercriminals recycle classic RATs to exploit modern hype.”

DarkComet Spyware Resurfaces Disguised as Fake Bitcoin Wallet

North Korea-linked KONNI hackers used KakaoTalk and Google Find Hub to spy on victims and remotely wipe Android devices in a targeted phishing campaign.

A state-sponsored hacking group known as KONNI, suspected to be linked to the North Korean regime and related groups like Kimsuky or APT37, has been caught using a two-part attack to spy on users and erase data on their Android devices.

This concerning finding comes from an investigation by the Genians Security Center (GSC), which first identified the attack chain.

** **Phishing, Spying, and Gaining Trust****

The initial problem starts with spear phishing, where hackers send a convincing message to trick a person into opening a malicious file. In this campaign, the attackers impersonated trusted roles, such as a professional psychological counsellor supporting North Korean defector youths or staff from the National Tax Service.

Once a victim opened the malicious file (disguised as a document or application form), hackers gained hidden access to their computer. Research reveals the Konni actors stayed hidden for over a year, secretly monitoring the victim, sometimes through their webcam.

****Weaponising Trust and Erasing Data****

The research firm found that once inside, the KONNI hackers focused their operation on the South Korean region, leveraging the widely used local platform, KakaoTalk messenger. They abused the victim’s logged-in KakaoTalk messenger account to spread their malware further, like a stress relief program called Stress Clear.zip, to their contacts.

This trust-based attack is highly effective. As per GSC’s report, logs show that on September 5, 2025, one victim’s account was compromised, followed by a larger wave on September 15, 2025.

The attack then turned destructive; after stealing the victim’s Google account passwords, the hackers misused the legitimate Google Find Hub service (which is meant to help you find a lost phone).

By confirming the victim was away from their devices, KONNI hackers used Find Hub to execute a remote factory reset on the victim’s Android smartphone and tablet. This action wiped out all personal data and blocked the victim from receiving alerts, successfully cutting off their ability to detect and respond to the ongoing attack.

Malicious file distribution through KakaoTalk, a log showing remote reset operations, and the overall attack chain. (Source: Genians Security Center)

****Recommended Defences****

This case shows how personal data can be stolen and then used to turn a victim into a source of further attack. To protect against this, you should never open or run files from unexpected sources, even if they appear to come from someone you know.

Additionally, using extra security like two-factor authentication (2FA) for your Google account is highly recommended to protect against unauthorised access.

Source

HackRead