North Korea-linked hackers use KakaoTalk to spread malware in staged cyberattack.

A North Korea–linked hacking group known as Konni is reportedly conducting multi-stage cyberattacks that chain email and instant messaging to spread malware, according to a threat intelligence report released on the 16th by Genian Security Center.

The campaign begins with spearphishing disguised as a routine professional message, camouflaged as a notice about appointing a North Korea human rights instructor. The email carries a compressed attachment containing a malicious LNK (shortcut) file. When the recipient opens the archive and double-clicks the LNK, a hidden script executes and the target’s PC becomes infected.


What distinguishes this operation is its use of the victim’s KakaoTalk PC client to broaden the attack. After infection, the attackers harvest account credentials and seize the messenger session, then push the malicious file to the victim’s contacts, leveraging trust within a social circle to maximize reach.

Genian describes this as more than simple data theft; it represents an “account-based re-dissemination” model that exploits trusted relationships to create a multistep chain of infection. The attackers aim to stay dormant on machines long enough to move laterally through the user’s network.


To counter such threats, Genian urges defenders to go beyond basic indicator-based blocks and adopt endpoint detection and response (EDR) strategies that focus on anomalous behavior. Specific recommendations include security guidelines for file transfers via messaging apps, monitoring for abnormal bulk or repeated transfers, and ensuring robust session protections on key devices. The firm also emphasizes user education to recognize icons or attachments that hide executable content, such as shortcuts masquerading as documents.
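The two monitoring recommendations above (abnormal bulk or repeated transfers through the messenger, and shortcuts posing as documents) can be turned into a concrete check. The Python below is an added illustration, not code from Genian or from the report; the log format, field names and file hashes are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Document extensions a shortcut may borrow to pose as a document.
DOC_EXTS = (".hwp", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx")

# Constructed sample messenger transfer log (not from the report):
# timestamp  sender  recipient  filename  sha256-of-file (shortened, constructed)
SAMPLE_LOG = """\
2025-04-16T09:00:01 alice bob   quarterly_report.docx  a1a1
2025-04-16T09:05:12 alice carol travel_plan.xlsx       b2b2
2025-04-16T14:10:00 alice dave  instructor_notice.hwp.lnk c3c3
2025-04-16T14:10:03 alice erin  instructor_notice.hwp.lnk c3c3
2025-04-16T14:10:07 alice frank instructor_notice.hwp.lnk c3c3
2025-04-16T14:10:12 alice grace instructor_notice.hwp.lnk c3c3
2025-04-16T15:00:00 bob   alice notes.txt              d4d4
"""

def is_disguised_shortcut(filename):
    """True for a .lnk whose name carries a document extension before .lnk
    (e.g. notice.hwp.lnk), the shortcut-as-document masquerade in the report."""
    name = filename.lower()
    return name.endswith(".lnk") and name[:-4].endswith(DOC_EXTS)

def parse_log(text):
    """Split the whitespace-separated transfer log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, sender, recipient, filename, digest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "sender": sender,
                       "recipient": recipient, "file": filename, "sha256": digest})
    return events

def find_bulk_transfers(events, min_recipients=3, window=timedelta(minutes=5)):
    """Flag a sender pushing one identical file (same hash) to at least
    min_recipients distinct contacts within `window` (one alert per sender/hash)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["sender"], e["sha256"])].append(e)
    alerts = []
    for (sender, digest), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            rcpts = {e["recipient"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(rcpts) >= min_recipients:
                alerts.append({"sender": sender, "sha256": digest, "file": first["file"],
                               "recipients": sorted(rcpts),
                               "disguised_lnk": is_disguised_shortcut(first["file"])})
                break
    return alerts
```

Running `find_bulk_transfers(parse_log(SAMPLE_LOG))` on the constructed log flags only the burst of four identical shortcut transfers from one account, while the ordinary one-off document exchanges pass.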

The implications extend beyond Korea. North Korea–linked groups have targeted international organizations and cross-border supply chains in the past, and the rise of trusted-network-based propagation methods is a global concern. For U.S. readers, the case underscores the vulnerability of multinational operations to credential theft and lateral movement through familiar consumer or enterprise messaging tools, reinforcing the need for comprehensive cyber defense, cross-border information sharing, and resilient supply-chain security.
