North Korea-linked Konni deploys KakaoTalk-based malware campaign

A North Korea–linked hacking group known as Konni is running a multi-stage malware campaign that uses spear-phishing emails and the KakaoTalk PC messenger to distribute its malware, according to the South Korean cybersecurity firm Geniance. The firm describes the campaign as an advanced persistent threat: the operators aim to stay inside victims’ networks for extended periods.

The attack begins with a targeted spear-phishing email that appears legitimate but contains a malicious shortcut file. When a user opens the file, a hidden script executes and compromises the computer. After gaining initial access, the intruders linger on the infected device, collecting internal documents and credentials before taking control of the victim’s KakaoTalk PC account.
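The initial lure is a shortcut file, so the first thing a responder wants is to see what a given .lnk would actually launch without opening it. The following is an added example for this article, not code from Geniance or from the Konni operators. It implements the parts of the Windows Shell Link (MS-SHLLINK) format needed for that: the 76-byte header, skipping the optional LinkTargetIDList and LinkInfo blocks, then the StringData fields that carry the relative target path, arguments and icon. The triage heuristics, the script-host list and the sample shortcut are this example's own constructions, not artifacts from the reported campaign.

```python
"""Static triage of a Windows .lnk (Shell Link) file.

Added example for this article, not code from Geniance or the Konni tooling.
Heuristics and the constructed sample below are illustrative only.
"""
import base64
import struct
from pathlib import PureWindowsPath

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046} as stored on disk
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the window minimised
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
ARG_MARKERS = ("-enc", "-windowstyle hidden", "-w hidden", "iex", "invoke-expression",
               "downloadstring", "frombase64string", "http")


def parse_lnk(data: bytes) -> dict:
    """Return header flags, ShowCommand and the StringData fields of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    off = 76
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize is the block's first field
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "show_command": show_cmd}
    for field, bit in STRING_FIELDS:             # fixed order; each is CountCharacters + chars
        if flags & bit:
            count, = struct.unpack_from("<H", data, off)
            off += 2
            if flags & IS_UNICODE:
                info[field] = data[off:off + 2 * count].decode("utf-16-le")
                off += 2 * count
            else:
                info[field] = data[off:off + count].decode("cp1252", "replace")
                off += count
    return info


def triage_lnk(data: bytes) -> list:
    """Heuristic findings for the 'shortcut that runs a hidden script' pattern.

    Only the relative path is inspected; a shortcut whose target lives solely in
    the skipped IDList will show no target here, which is itself worth a look.
    """
    info = parse_lnk(data)
    target = PureWindowsPath(info.get("relative_path", "")).name.lower()
    args = info.get("arguments", "")
    icon = info.get("icon_location", "").lower()
    findings = []
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
        if icon and not icon.endswith(target):   # document icon on an interpreter = lure
            findings.append(f"icon borrowed from another file: {icon}")
    hits = [m for m in ARG_MARKERS if m in args.lower()]
    if hits:
        findings.append("arguments contain " + ", ".join(hits))
    if len(args) > 200:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str = "",
              show_command: int = 1) -> bytes:
    """Assemble a minimal .lnk; used only to construct samples for this example."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sIIqqqIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = s(relative_path) + s(arguments) + (s(icon_location) if icon_location else b"")
    return header + body + b"\x00\x00\x00\x00"  # TerminalBlock closes ExtraData


# Constructed lure: document icon, hidden window, encoded PowerShell (harmless payload here).
ENCODED = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
LURE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    arguments=f"-WindowStyle Hidden -NoProfile -EncodedCommand {ENCODED}",
    icon_location="%SystemRoot%\\System32\\imageres.dll",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk("..\\..\\..\\Windows\\notepad.exe", "")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob) or ["no findings"])
```

Run it against a quarantined attachment with `triage_lnk(open(path, "rb").read())`; a non-empty findings list is a reason to detonate in a sandbox, not a verdict on its own.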


Researchers say the attackers then use the compromised KakaoTalk PC application to reach some of the victim’s contacts. They send further malicious files disguised as content such as “North Korea-related video project plans,” leveraging the trust within the victim’s network to accelerate spread.

Because the operation relies on trusted relationships within KakaoTalk, it challenges traditional security measures that focus primarily on blocking external intrusion. The technique illustrates how social networks and legitimate software can be exploited to widen the impact of an intrusion.

Konni is widely believed to be tied to North Korea, and its campaigns have emphasized long-term, stealthy intrusions aimed at data exfiltration and credential theft. The use of a popular domestic messaging app as a propagation channel highlights how threat actors adapt to tools that are deeply embedded in everyday workflows.


For international readers, the case underscores broader risks to multinational companies and supply chains with Korean operations or partners. If a North Korea–linked actor gains access to corporate communications, the potential consequences include data leakage, credential abuse, and disruption of cross-border networks that reach well beyond Korea.

Experts recommend heightened awareness of suspicious shortcut files and attachments that resemble official documents. They also advocate strengthened endpoint detection, monitoring for unusual KakaoTalk activity, and broader phishing-awareness training that covers messaging apps used within corporate ecosystems.
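What "unusual KakaoTalk activity" looks like in telemetry is the practical question, so here is an added example (not code from Geniance or from any EDR product) that encodes the two execution paths the article describes as lineage rules over Sysmon-style events: a script host launched from the shell with window-hiding or encoded-command flags (how a double-clicked shortcut looks), a script host whose parent is the KakaoTalk PC client, and an executable-type file written to disk by that client. The event records are constructed here, and the process name `KakaoTalk.exe` and its install and download paths are assumptions made for the example, not facts from the report.

```python
"""Lineage rules for the shortcut-from-mail and file-via-KakaoTalk paths.

Added example for this article, not code from Geniance or any product.
Event records are constructed; the KakaoTalk process name and paths are assumed.
"""
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
HIDDEN_MARKERS = ("-windowstyle hidden", "-w hidden", "-enc", "/min")
DROPPED_EXTS = {".lnk", ".hta", ".js", ".vbs", ".ps1", ".exe", ".scr"}
KAKAO_IMAGE = "kakaotalk.exe"  # assumed name of the KakaoTalk PC client process


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the rule names that match one Sysmon-like event (empty if none)."""
    hits = []
    if event["EventType"] == "ProcessCreate":
        image, parent = _name(event["Image"]), _name(event["ParentImage"])
        cmd = event.get("CommandLine", "").lower()
        # Shortcut opened from a mail attachment: explorer.exe starts an interpreter
        # with flags that keep the window out of sight or hide the command text.
        if image in SCRIPT_HOSTS and parent == "explorer.exe" and any(m in cmd for m in HIDDEN_MARKERS):
            hits.append("hidden-script-host-from-shell")
        # A messenger client has no business launching a script interpreter.
        if parent == KAKAO_IMAGE and image in SCRIPT_HOSTS:
            hits.append("script-host-spawned-by-kakaotalk")
    elif event["EventType"] == "FileCreate":
        # A file received through the client that is executable rather than a document.
        ext = PureWindowsPath(event["TargetFilename"]).suffix.lower()
        if _name(event["Image"]) == KAKAO_IMAGE and ext in DROPPED_EXTS:
            hits.append("executable-file-received-via-kakaotalk")
    return hits


def scan(events) -> list:
    """Flatten matches to (time, image, rule) tuples, oldest first."""
    return [(e["UtcTime"], e["Image"], rule)
            for e in sorted(events, key=lambda e: e["UtcTime"])
            for rule in evaluate(e)]


# Constructed events; user name, paths and the lure file name are illustrative only.
KAKAO_EXE = "C:\\Program Files (x86)\\Kakao\\KakaoTalk\\KakaoTalk.exe"  # assumed install path
EVENTS = [
    {"UtcTime": "2025-01-10 09:02:11", "EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile -EncodedCommand QQBBAA=="},
    {"UtcTime": "2025-01-10 09:05:40", "EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe C:\\Users\\jin\\notes.txt"},
    {"UtcTime": "2025-01-10 09:41:03", "EventType": "FileCreate", "Image": KAKAO_EXE,
     "TargetFilename": "C:\\Users\\jin\\Documents\\KakaoTalk Downloads\\NK_video_project_plan.pdf.lnk"},
    {"UtcTime": "2025-01-10 09:41:27", "EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": KAKAO_EXE,
     "CommandLine": "wscript.exe //B C:\\Users\\jin\\AppData\\Local\\Temp\\update.vbs"},
    {"UtcTime": "2025-01-10 09:50:00", "EventType": "FileCreate", "Image": KAKAO_EXE,
     "TargetFilename": "C:\\Users\\jin\\Documents\\KakaoTalk Downloads\\photo.jpg"},
]

if __name__ == "__main__":
    for when, image, rule in scan(EVENTS):
        print(when, rule, image)
```

The first rule will also fire on legitimate admin shortcuts that hide their window, so it belongs in a hunting query or a low-severity alert correlated with the KakaoTalk rules, not in a blocking control.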
