Genians Security Center conducted an in-depth analysis of Operation Poseidon, an attack campaign attributed to the Konni APT.
The analysis identified the threat actor as repeatedly employing social engineering tactics by impersonating North Korean human rights organizations and financial institutions in South Korea, while continuously conducting highly sophisticated attacks against specific targets.
[Figure 1-1] Operation Poseidon Timeline
Google announced its plan to acquire DoubleClick, an internet advertising technology company, in 2007 and completed the acquisition for approximately $3.1 billion in March 2008. Since then, DoubleClick's ad click tracking and redirection technologies have been integrated into Google Ads and Google Marketing Platform (GMP), serving as core infrastructure for ad traffic delivery and performance measurement.
This attack is analyzed as a case that effectively bypassed email security filtering and user vigilance through a spear-phishing attack vector that exploited the ad click redirection mechanism used within the Google advertising ecosystem. It was confirmed that the attacker utilized the redirection URL structure of a domain used for legitimate ad click tracking (ad.doubleclick[.]net) to incrementally direct users to external infrastructure where actual malicious files were hosted.
Meanwhile, around May and July 2025, similar attack attempts exploiting the click-tracking domain of the NAVER advertising marketing platform (mkt.naver[.]com) were observed on a limited basis. However, in the most recent confirmed attack activities, the attack pattern centered on Google's advertising infrastructure has been consistently maintained.
Redirection URLs based on such advertising infrastructure are highly likely to be recognized as legitimate traffic, making them advantageous for evading initial detection. The Konni APT group was observed establishing an attack flow that first builds credibility through this method, then lures victims into downloading files using legitimate content and finance-themed bait, and ultimately loads and executes final malware by masquerading it as a PDF file execution. This approach is considered a sophisticated initial access tactic capable of effectively bypassing static analysis and signature-based security frameworks.
Considering the comprehensive nature of these attack characteristics, "Operation Poseidon" is classified as a sophisticated APT campaign that is difficult to counter through any single security solution.
This threat intelligence report focuses on “Operation Poseidon,” identified through internal artifacts within malicious scripts, and analyzes the latest attack tactics and technical characteristics used by nation-state threat groups, emphasizing the need for EDR-driven responses and correlation analysis.
Evidence indicates that this threat actor continuously compromises poorly managed WordPress-based websites to use them as malware distribution points and C2 infrastructure, specifically to evade detection and tracking. This operational approach allows for the rapid turnover of attack infrastructure, providing a structural advantage that undermines the effectiveness of URL- and domain-based blocking policies.
During the Initial Access phase, the attacker employs social engineering emails impersonating North Korean human rights organizations or financial institutions. The attack scenario involves inducing recipients to execute files disguised as financial documents or official notices, making the malicious activity blend seamlessly into legitimate business workflows.
To deliver the malware, the actor exploits the structural properties of Shortcut (LNK) files to mask file extensions and icons, subsequently triggering an AutoIt script designed to mimic a legitimate PDF document. This script runs without requiring further user interaction and functions by loading and executing EndRAT-variant remote access trojans directly into memory.
Additionally, the AutoIt script includes an internal build path:
D:\3_Attack Weapon\Autoit\Build\__Poseidon - Attack\client3.3.14.a3x
This serves as a key naming artifact, suggesting that the attacker internally dubbed the campaign "Poseidon" and manages it as a distinct operational unit. Such development artifacts provide valuable insights into the attacker's development environment and operational management, offering a technical basis for linking related campaigns and subsequent activities by the same threat actor.
In summary, "Operation Poseidon" represents an integrated attack pattern that seamlessly combines infrastructure concealment, social engineering-based initial access, and script-driven malware execution. It stands as a prime example of how the Konni APT group continues to evolve its Tactics, Techniques, and Procedures (TTPs).
During the initial access phase, download URLs for attachments delivered via spear-phishing emails served as the primary attack vector. These URLs lure users into downloading a compressed archive, which contains a malicious LNK file.
When a user executes this file, it triggers a chain of malicious activities, ultimately allowing the threat actor to secure unauthorized access to the victim’s system.
A particularly notable aspect is that the malware distribution URLs are disguised as legitimate advertising traffic. The attacker was observed exploiting the structure of marketing and ad-click tracking URLs by embedding the C2 address hosting the actual malicious content within the URL parameters.
This technique allows the URL to be recognized as a legitimate redirection link from a known advertising platform, making it highly effective at bypassing email security filters and URL reputation-based detection systems. For example, the following URL format was identified:
| No. | Legitimate advertising URL | Malicious destination URL |
| 1 | mkt.naver[.]com/p1/atrb?channel_id=naver_pcstockbottom&campaign_id=2503-shopping-001&target | compromised-example[.]com/wp-admin/malware.zip |
| 2 | ad.doubleclick[.]net/searchads/link/click?ds_dest_url | |
[Table 3-1] Legitimate Advertising Platform URLs and Sample Malicious Addresses
By utilizing redirection structures through legitimate advertising infrastructure, this attack method significantly lowers the probability of detection during the initial access phase while effectively reducing user suspicion. Due to these factors, it is classified as a sophisticated spear-phishing-based initial access tactic.
On December 22, 2025, the Financial Security Institute (FSI) of South Korea published a report titled "Threat Intelligence Report: Analysis of the LNK Malware Threat from Nation-State Hacking Groups."
Focusing on the Dark Prism campaign, this report provides an in-depth comparative analysis of LNK-based malicious files utilized by three nation-state threat actors: APT37, Kimsuky, and Konni.
Rather than just listing cases, the report shows high analytical precision by closely tracking and analyzing the structural components, execution flows, and malware delivery processes of each group to identify even the smallest differences.
Through this approach, the report provides advanced threat intelligence from a TTPs (Tactics, Techniques, and Procedures) perspective, which allows for the effective identification of specific threat actors.
Notably, many cases were confirmed where the Konni group distributed malware using documents impersonating financial institutions. The analysis shows that attackers lured recipients into opening files by disguising them as common financial notices, such as transaction confirmations, requests for wire transfer explanations, or privacy policy consent forms.
A key characteristic is the use of malicious filenames that include the names of South Korean financial institutions along with official-sounding phrases like "Request for Submission of Explanation Materials," "Wire Transfer and Transaction History Confirmation," or "Consent for Processing Personal (Credit) Information."
These files were mainly delivered in ZIP archive format, and structures containing LNK-based malicious files or additional malware were observed within the archives.
This technique is a classic social engineering method that exploits trust in financial institutions and familiar business phrases to lower user suspicion. It is considered a strategy that the Konni group has continuously used to increase their initial infection success rates.
Since similar attacks impersonating financial institutions are likely to continue in the future, extra caution is required. Users should not assume a document is legitimate based only on the email subject or filename.
As previously mentioned, this attack used a download URL delivered via spear-phishing emails as the primary initial access method, and the URL was disguised as legitimate advertising traffic.
The threat actor exploited the structure of ad-click tracking URLs by hiding the C2 address of the malicious content within the URL parameters. This allowed them to bypass detection by both users and security systems during the initial phase.
At the same time, the attacker combined this with social engineering tactics, such as using fake financial documents, to lower user suspicion and encourage them to click links or execute files.
The following section provides a more detailed technical analysis focusing on the URL structures, delivery methods, and malware execution flows used in these actual cases.
[Figure 3-1] Malicious URL Embedded in a Legitimate Advertising URL Parameter
Until June 2025, spear-phishing campaigns impersonating South Korean commercial banks mostly included malicious download URLs directly in the email body.
However, since July, many cases have been identified where the attack technique changed. The attackers now use marketing and advertising URLs from Naver and Google as intermediaries, redirecting users to the final malicious file download.
The phishing emails identified in this case used a technique in which a large volume of meaningless English sentences was repeatedly inserted into areas hidden from the reader with the CSS display:none property.
While users cannot see this content, email systems and security analysis engines recognize it as part of the email body.
This method was confirmed to be a sophisticated content padding technique used to bypass traditional signature-based detection. At the same time, it is designed to lower overall analysis accuracy by confusing the keyword and context logic of AI-based phishing detection systems and spam filters.
An analysis of the HTML data within the actual email body revealed a structure where 22 English sentences were repeatedly inserted in a fixed pattern, with the actual email content placed in between.
This structure suggests the use of automated templates designed specifically for evasion. It shows that threat actors are refining their tactics with a clear understanding of how email security systems detect threats.
[Figure 4-1] Comparative Analysis of Email HTML Source Code
Phishing detection systems do not simply check for the presence of specific keywords. Instead, they distinguish between legitimate and phishing emails by comprehensively analyzing the overall flow of the text, sentence structure, semantic consistency, and word repetition.
However, as seen in this case, inserting large volumes of meaningless English sentences makes the email content artificially long and complex. This makes it difficult for detection systems to accurately identify the core phishing phrases.
This increases the chance that the email will be misclassified as a legitimate or low-risk message, even though it actually contains malicious activity.
Beyond simple obfuscation, this is considered a sophisticated evasion technique designed to intentionally confuse the logic of AI-based phishing detection systems. It is highly likely that similar methods will continue to be used in future attacks.
However, by analyzing these characteristics and using them as AI training data, this technique can also be used to improve automated detection systems against similar threats.
[Figure 4-2] URL Links Inserted in the Email Body
A web beacon using an <img> tag is inserted at the bottom of the email body.
This beacon consists of a transparent 1×1 pixel image. When the email client loads the remote image, an HTTP request is sent to an external server (kppe[.]pl) set up by the threat actor.
This lets the threat actor confirm whether the recipient has opened the email. The Base64-encoded value passed in the un request parameter is used to identify individual recipients.
[Figure 4-3] 1×1 Pixel Image Tag
While this technique is also used in legitimate marketing emails, it is frequently seen in malicious campaigns as a tool for discovery. Attackers use it to check if a recipient has opened the email and if the address is active.
In addition, evidence shows that the PHPMailer open-source library was used in this attack. PHPMailer is a library that allows users to send emails via SMTP, Sendmail, or Mail functions in PHP-based web environments. It is widely used by legitimate web services and applications.
However, in malicious campaigns, PHPMailer is often used to spoof the sender (From) header and display name. This allows threat actors to impersonate trusted organizations or official email addresses. This approach increases the success rate of social engineering attacks by tricking recipients into opening the email and performing further actions, such as clicking links or opening attachments.
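The three email-level traits described above (display:none padding around the real content, a remote 1×1 pixel carrying an encoded recipient identifier, and a mailer library sending with a spoofed From header) can all be measured from the raw message. The script below is an added example written for this page, not code from the report or from Genians: it parses a constructed message, separates hidden from visible text, decodes Base64 beacon parameters, and compares the From domain with the Return-Path domain. The un parameter name is taken from the report; the message headers, sentences, domains and version string are invented.

```python
import base64
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message: every header and sentence is invented for this example.
TRACKING_ID = base64.b64encode(b"victim@example.test")
SAMPLE_EML = (
    b'From: "Example Bank" <notice@example-bank.test>\r\n'
    b"Return-Path: <bounce@sender-host.test>\r\n"
    b"X-Mailer: PHPMailer 6.9.1 (https://github.com/PHPMailer/PHPMailer)\r\n"
    b"Subject: Request for Submission of Explanation Materials\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body>\r\n"
    b'<div style="display:none">The quick brown fox jumps over the lazy dog.</div>\r\n'
    b'<div style="display:none">Weather in the valley was mild this spring.</div>\r\n'
    b"<p>Please review the attached transaction history and submit your explanation.</p>\r\n"
    b'<div style="display:none">The quick brown fox jumps over the lazy dog.</div>\r\n'
    b'<div style="display:none">Weather in the valley was mild this spring.</div>\r\n'
    b'<img src="https://tracker.example.test/open.gif?un=' + TRACKING_ID + b'" width="1" height="1">\r\n'
    b"</body></html>\r\n"
)

HIDDEN_RE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input", "area", "base", "col", "source", "wbr"}


class EmailHtmlScanner(HTMLParser):
    """Separate visible text from text inside display:none elements and collect <img> tags."""

    def __init__(self):
        super().__init__()
        self.stack = []      # one hidden/visible flag per open element
        self.visible = []
        self.hidden = []
        self.images = []     # (src, width, height)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append((a.get("src") or "", a.get("width"), a.get("height")))
        if tag in VOID_TAGS:
            return                      # void elements get no end tag, so nothing is pushed
        parent_hidden = self.stack[-1] if self.stack else False
        self.stack.append(parent_hidden or bool(HIDDEN_RE.search(a.get("style") or "")))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)


def decode_tracking_params(src):
    """Query parameters of a beacon URL whose value is Base64 of printable text."""
    found = {}
    for key, values in parse_qs(urlparse(src).query).items():
        for value in values:
            try:
                decoded = base64.b64decode(value, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded.isprintable():
                found[key] = decoded
    return found


def analyze_email(raw):
    """Padding ratio, repeated hidden sentences, sender mismatch and beacons for one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html",))
    scanner = EmailHtmlScanner()
    scanner.feed(body.get_content() if body else "")
    hidden_chars = sum(map(len, scanner.hidden))
    visible_chars = sum(map(len, scanner.visible))
    total = hidden_chars + visible_chars
    # A displayed From domain that differs from the bounce (Return-Path) domain is the
    # usual footprint of a mailer library sending with a spoofed From header.
    from_domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    return_domain = parseaddr(str(msg["Return-Path"] or ""))[1].rpartition("@")[2].lower()
    pixels = [
        (urlparse(src).hostname, decode_tracking_params(src))
        for src, w, h in scanner.images
        if src.startswith(("http://", "https://")) and w == "1" and h == "1"
    ]
    return {
        "x_mailer": str(msg["X-Mailer"] or ""),
        "sender_mismatch": bool(from_domain) and from_domain != return_domain,
        "hidden_ratio": round(hidden_chars / total, 2) if total else 0.0,
        "repeated_hidden_sentences": len(scanner.hidden) - len(set(scanner.hidden)),
        "tracking_pixels": pixels,
    }


if __name__ == "__main__":
    for key, value in analyze_email(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

On the constructed message the hidden text makes up about 70% of the body, two hidden sentences repeat, the From and Return-Path domains differ, and the beacon's un parameter decodes to the recipient address. Thresholds on the ratio and repetition count are a natural input to the padding-aware training data mentioned above.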
In some of the attacks carried out in December 2025, spear-phishing techniques using themes other than finance were identified. Evidence shows that the threat actor impersonated a real non-profit organization (NGO) to recruit lecturers for an academy focused on raising awareness and discussing solutions for North Korean human rights issues.
[Figure 4-4] Spear-Phishing Attack Disguised as Human Rights Theme
The bottom of the email body contains a UI element designed to look like two attachments, a PDF file and an HWP file. Clicking the URL links in this area, however, directs the user to a malicious address.
This URL also exploits parameters from a Google ad-tracking domain. It is designed to lead users to download malicious files from a WordPress-based server using a Vietnamese country domain (.vn).
ZIP files were downloaded in both the November 2025 financial impersonation attacks and the December 2025 North Korean human rights theme attacks, each containing LNK files that act as Windows shortcuts.
When the LNK file is executed, typical malicious activities repeatedly observed in Konni campaigns are identified. Specifically, the 'AutoIt3.exe' executable and a malicious AutoIt script disguised as a PDF file are downloaded from the C2 server and executed.
An analysis of the LNK files used in both the financial and North Korean human rights theme attacks revealed that they share the same C2 address (jlrandsons.co[.]uk) and show identical attack code patterns.
This reuse of infrastructure serves as key technical evidence suggesting that both attacks were carried out by the same threat actor. The malicious script has been reported since around July 2025 and is classified as "EndRAT" or "AutoItRAT." It also includes a unique identifier string used during communication with the C2 server.
[Figure 4-5] Internal Code of the AutoIt Script
In the past, some EndRAT code samples included the string "Poseidon - Attack," but recent analysis confirms that this string has been removed.
This change suggests the code was likely modified to avoid detection and hide traces after the threat actor realized the string could be used as an indicator to identify their campaigns and activities.
[Figure 4-6] Compiler Directives of the AutoIt Script
The compiler directives shown in Figure 4-6 match internal identifier strings repeatedly observed in previously reported AutoIt-based RAT samples. Explicit versioning, such as "client3.3.14," suggests that the malware is being maintained and improved as a continuous framework. This development approach is consistent with characteristics identified in previous Konni campaigns.
Additionally, the threat actor distributed the malware without removing the build paths and project identifier strings during compilation. This is considered an OPSEC failure that can be used to analyze the relationships between malware families and attack infrastructure.
The build path string serves as key evidence by exposing the development environment and internal project names of the EndRAT family, providing critical technical clues for identifying the threat actor and analyzing connections within the campaign.
Genians Security Center (GSC) has consistently accumulated and published insights on the major cyber operations of Konni campaigns through its Cyber Threat Intelligence (CTI) reports.
Cross-campaign correlation with these past activities is effective in systematically identifying the Tactics, Techniques, and Procedures (TTPs) consistently used by the threat group, providing an analytical foundation for a more precise assessment of the relationship between their infrastructure operations and strategic intent.
Based on multiple cyber threat intelligence (CTI) analyses, activities associated with the Konni campaign have been continuously identified. This indicates the need to analyze the structural characteristics of a threat actor operating over an extended period, beyond isolated intrusion incidents.
From this perspective, a systematic approach to threat attribution, beyond the technical analysis of individual attacks, serves as a critical factor in assessing the actual threat level posed by the campaign.
Threat attribution analysis goes beyond identifying the actor behind an attack. It plays an essential role in comprehensively understanding how attack infrastructure is operated, the repetition of tactics, techniques, and procedures (TTPs), the persistence of operations, and the strategic objectives driving them. In particular, for nation-state threat actors such as the Konni campaign, which operate over long periods with strategic intent, attribution analysis helps clarify operational patterns and attack motivations that are difficult to discern from individual incidents alone.
Accurate threat attribution also provides tangible value from a security operations perspective. Understanding threat actor-specific characteristics can lead to more advanced threat modeling, refined detection rules, and more concrete threat hunting scenarios. This, in turn, forms the foundation for shifting an organization’s defense strategy from short-term, reactive responses to a sustained and proactive defense posture.
Accordingly, analysis of the Konni campaign should not be limited to the detection of isolated attacks. Instead, it needs to be conducted from a threat attribution-focused perspective that synthesizes multiple campaigns and activities observed over an extended period.
Such an approach contributes to a clearer understanding of the threat actor’s strategic intent and long-term operational direction, and provides an important reference point for more realistically assessing organizational risk and establishing response priorities.
Based on a comprehensive analysis of the relationships among the key hosts, domains, and C2 addresses identified in this threat, the reused network assets and observed TTPs were found to be consistent with activities previously reported in Konni campaigns.
[Figure 5-1] Threat Infrastructure Correlation Diagram
A comprehensive analysis of the identified attack flows confirmed that multiple email delivery hosts, web beacon domains, and associated external domains were operated as part of a unified infrastructure framework.
In particular, the domain linkage structure centered on ad.doubleclick[.]net was used to disguise malicious activity as legitimate advertising traffic, with the purpose of obscuring attack tracking and C2 communications.
Within this infrastructure, email delivery hosts and web beacon domains were cross-linked, and some domains were found to be structurally consistent with network asset reuse patterns observed in previously reported Konni campaigns.
Additionally, the use of legitimate websites in Japan, Europe, and Southeast Asia as link domains or relay nodes aligns with the infrastructure obfuscation and evasion tactics that this threat group has consistently employed.
The malicious file distributed during the initial stage of the attack took the form of a lure document exploiting North Korean human rights issues. Its use of Korea-related social and political themes is consistent with the characteristics of previously observed targeted campaigns.
Analysis indicates that, upon execution, the file was designed to communicate with an external C2 server to carry out additional malicious activities.
When considering the combination of factors, including a web beacon-based tracking structure, infrastructure leveraging legitimate service domains, network asset reuse, and lure documents exploiting North Korean human rights issues, this threat demonstrates a high level of correlation with previously reported Konni campaigns across tactics, techniques, and infrastructure.
Accordingly, this threat activity is attributed to the Konni threat group based on sufficient technical evidence.
This threat employed an advanced initial access technique that abused redirection mechanisms within legitimate advertising infrastructure to bypass URL reputation-based security controls and email security filtering.
In particular, by incorporating legitimate domains as part of the attack chain, the threat actor established user trust in advance and then leveraged multi-stage redirection to connect victims to malware distribution infrastructure.
Given these attack characteristics, this threat is assessed as an APT attack that is difficult to mitigate through a single security solution or IoC-based blocking policies alone. Accordingly, a multi-layered defense strategy centered on the threat actor’s TTPs is required.
Policies should be implemented to block or quarantine attachment-based access by default for emails impersonating financial institutions, public organizations, or human rights groups.
For file formats that enable multi-stage execution, such as LNK files contained within ZIP archives, business necessity should be reassessed. Unnecessary formats should be designated for inbound blocking or automatic quarantine.
For email attachments with filenames containing financial or administrative keywords such as “explanatory materials,” “remittance confirmation,” “transaction details,” or “personal information consent,” user warning banners and additional verification procedures should be applied.
Rather than blocking legitimate advertising domains themselves, proxy servers and security gateways should strengthen behavior-based detection for post-click redirection flows, including the final destination URLs in the redirection chain and paths that lead to non-business-related file downloads.
When archive files or executables are downloaded through advertising redirection URLs, such activity should be classified as anomalous and subjected to additional verification or blocking policies.
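The two policy points above, and the URL structure discussed with Table 3-1, come down to one check: resolve the destination a redirector URL carries and judge that destination, not the advertising host. The following Python is an added example written for this page, not the report's or Genians' code. The two redirector hosts and their destination parameters (ds_dest_url, target) are taken from Table 3-1; the extension list, the WordPress path markers and the .example hosts in the sample URLs are assumptions. It also follows a redirector nested inside another redirector, which generalizes the multi-stage redirection the report describes.

```python
from urllib.parse import quote, unquote, urlparse

# Ad-click redirector hosts and the query parameter carrying the destination (Table 3-1).
REDIRECTORS = {
    "ad.doubleclick.net": ("ds_dest_url",),
    "mkt.naver.com": ("target",),
}
# Assumed list of download types that have no business reason to sit behind an ad click.
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".lnk", ".exe", ".a3x", ".hta", ".vbs", ".js")
WORDPRESS_PATHS = ("/wp-admin/", "/wp-content/", "/wp-includes/")


def _param_tail(query, name):
    """Raw text after 'name=' in the query, keeping any later '&' pieces.

    Redirectors normally place the destination last; when it is left unencoded its own
    query string is split by '&' and has to be stitched back together.
    """
    parts = query.split("&")
    for index, part in enumerate(parts):
        if part.startswith(name + "="):
            return "&".join([part[len(name) + 1:]] + parts[index + 1:])
    return None


def extract_destination(url):
    """Destination URL embedded in a known redirector URL, or None for any other URL."""
    parsed = urlparse(url)
    for name in REDIRECTORS.get(parsed.hostname or "", ()):
        tail = _param_tail(parsed.query, name)
        if tail is None:
            continue
        if tail.lower().startswith(("http://", "https://")):
            dest = tail                                # unencoded destination
        else:
            dest = unquote(tail.split("&", 1)[0])      # percent-encoded destination
        if dest.lower().startswith(("http://", "https://")):
            return dest
    return None


def resolve_chain(url, max_hops=5):
    """Follow nested redirector parameters to the final URL; chain[0] is the clicked URL."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = extract_destination(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def classify_click(url):
    """Proxy-style verdict for a clicked URL, judged on the final destination, not the ad host."""
    chain = resolve_chain(url)
    final = urlparse(chain[-1])
    reasons = []
    if len(chain) > 1:
        path = final.path.lower()
        if path.endswith(RISKY_EXTENSIONS):
            reasons.append("archive/executable download behind an ad redirect")
        if any(marker in path for marker in WORDPRESS_PATHS):
            reasons.append("destination is a WordPress system directory")
    return {
        "chain": chain,
        "final_host": final.hostname,
        "verdict": "anomalous" if reasons else "allow",
        "reasons": reasons,
    }


# Constructed URLs: hosts use the reserved .example TLD; nothing here is a real indicator.
SAMPLE_URLS = [
    "https://ad.doubleclick.net/searchads/link/click?ds_dest_url="
    + quote("https://compromised.example/wp-admin/malware.zip", safe=""),
    "https://mkt.naver.com/p1/atrb?channel_id=naver_pcstockbottom&campaign_id=2503-shopping-001"
    "&target=https://compromised.example/wp-admin/malware.zip?id=1&ref=2",
    # two-stage chain: Google redirector wrapping a Naver redirector wrapping the payload
    "https://ad.doubleclick.net/searchads/link/click?ds_dest_url="
    + quote("https://mkt.naver.com/p1/atrb?target=https://compromised.example/update.lnk", safe=""),
    "https://ad.doubleclick.net/searchads/link/click?ds_dest_url="
    + quote("https://shop.example/products/42", safe=""),
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify_click(url))
```

The first three sample clicks are classified as anomalous because their final destination is an archive or shortcut (two of them under a WordPress admin path), while the fourth, a normal product page behind the same ad domain, is allowed. Blocking ad.doubleclick.net itself is never needed for this verdict.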
This threat combined LNK files, AutoIt scripts, and memory-loaded remote access malware to evade static signature-based detection. Accordingly, responses centered on endpoint behavior-based detection through EDR are critically required.
The attack unfolded in a staged manner following user-initiated file execution. An initial access technique was observed in which an LNK file embedded within a ZIP archive was executed while masquerading as a legitimate document.
Against this attack flow, Genians’ integrated endpoint security platform 'Genian Insights E' can identify abnormal process trees in real time through endpoint behavior-based detection. Specifically, after LNK execution, the platform detects cases where the actually invoked processes transition not to legitimate document viewers but to cmd.exe, powershell.exe, or AutoIt executables.
In addition, by performing correlation analysis based on AV, IoC, ML, and XBA (behavior-based engine), threats are assessed as behavior-driven attack flows rather than simple execution events. This enables effective detection and blocking of APT attacks at an early stage, before the attack fully progresses.
[Figure 6-1] Identification of Initial Access Flow Through EDR
By leveraging the Attack Storyline feature of Genian EDR, the entire initial access process can be clearly visualized step-by-step, showing how a ZIP attachment delivered via spear phishing progressed through download, extraction, and execution of an embedded LNK shortcut.
In particular, execution of the LNK shortcut file contained within the compressed archive is immediately identified as anomalous behavior distinct from normal user activity by the EDR's behavior-based analytics engine (XBA).
This enables malicious activity to be detected at an early stage, prior to or at the initial phase of payload execution, allowing for a timely response.
EDR administrators can perform the following immediate response actions based on the Attack Storyline.
These capabilities go beyond simple detection of individual events and support a context-based understanding of the entire attack flow, thereby improving both analysis efficiency and response speed.
[Figure 6-2] Malicious Command Identification View
Following execution of a malicious LNK file, the EDR automatically collects and visualizes command-line information internally embedded within the shortcut file. This allows EDR administrators to easily review the full PowerShell execution command contained in the LNK file without requiring additional manual analysis.
These capabilities go beyond simple event detection and support rapid identification of the attacker’s actual execution intent and behavior, contributing to a practical reduction in Mean Time To Respond (MTTR).
As MTTR increases, the likelihood that a threat actor will conduct follow-on activities such as privilege escalation, lateral movement, or data exfiltration within the internal environment also increases.
Conversely, reducing MTTR effectively limits the attacker’s dwell time, positively impacting the minimization of the intrusion scope and prevention of damage propagation.
[Figure 6-3] Detection View of Anomalous C2 Communication Behavior
After execution of a malicious LNK file, the EDR continuously monitors follow-on activities performed through PowerShell commands and collects and analyzes network communication events between the host and attacker-designated C2 servers.
The collected communication data is analyzed in conjunction with process execution context, enabling identification of anomalous external connection attempts that deviate from legitimate PowerShell usage patterns.
In particular, when a PowerShell process communicates with external IP addresses or domains to download additional payloads or receive attack commands, such behavior is classified as a high-risk indicator and triggers immediate detection and alerts in accordance with EDR behavior-based detection policies.
Through these capabilities, EDR administrators can achieve the following response outcomes.
In recent PowerShell-based attacks, fileless C2 communication has been frequently observed. In such cases, visibility into network behavior serves as a critical indicator for determining whether an endpoint has been compromised.
Accordingly, an EDR environment that enables analysis of process-associated network events plays an important role in establishing a behavior-centric threat detection framework that goes beyond simple file-based detection.
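The behaviour-based rules described in this section (a shortcut launch that lands in cmd.exe, powershell.exe or AutoIt instead of a document viewer; an AutoIt interpreter handed a script disguised as a PDF; and a script host opening a connection to an external address, read together with its process lineage) can be expressed over ordinary process-creation and network telemetry. The following Python is an added example written for this page, not Genian EDR's detection logic, which the report does not publish. The event fields, pids, paths, the argument fragments used to tell a shortcut-launched shell from a user's terminal, and the TEST-NET-3 address are all invented for the example.

```python
import ipaddress
from dataclasses import dataclass

# Image names are compared as lower-case basenames, as the constructed telemetry records them.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "autoit3.exe"}
AUTOIT_SCRIPT_EXTS = (".au3", ".a3x")
# Assumed command-line fragments that separate a shortcut-launched shell from a user's own terminal.
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "/min", "\\temp\\")
# Only RFC 1918, loopback and link-local ranges count as internal, so the documentation
# address used in the sample still registers as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable basename
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    remote_ip: str
    remote_port: int


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def lineage(procs, pid):
    """Root-to-leaf process chain for pid: the storyline view of a single event."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return list(reversed(chain))


def detect(proc_events, net_events):
    """Return (rule, storyline) findings over one host's process and network telemetry."""
    procs = {e.pid: e for e in proc_events}
    findings = []
    for e in proc_events:
        parent = procs.get(e.ppid)
        story = " -> ".join(p.image for p in lineage(procs, e.pid))
        args = e.cmdline.lower()
        # Rule 1: the desktop shell spawning a script host with hidden-window or temp-path
        # arguments, the LNK-to-script transition a real document would never produce.
        if parent and parent.image == "explorer.exe" and e.image in SCRIPT_HOSTS \
                and any(frag in args for frag in SUSPICIOUS_ARGS):
            findings.append(("lnk_to_script_host", story))
        # Rule 2: AutoIt interpreter handed a script whose name is not an AutoIt script
        # (the PDF-disguised script). Paths without spaces are assumed for the split.
        if e.image == "autoit3.exe":
            tokens = e.cmdline.split()
            if len(tokens) > 1 and not tokens[-1].lower().endswith(AUTOIT_SCRIPT_EXTS):
                findings.append(("autoit_script_disguised", story))
    # Rule 3: any script host in the tree talking to an external address.
    for n in net_events:
        p = procs.get(n.pid)
        if p and p.image in SCRIPT_HOSTS and is_external(n.remote_ip):
            story = " -> ".join(q.image for q in lineage(procs, n.pid))
            findings.append(("script_host_external_connection", f"{story} -> {n.remote_ip}:{n.remote_port}"))
    return findings


# Constructed telemetry for one endpoint; pids, paths and the TEST-NET-3 address are invented.
SAMPLE_PROCS = [
    ProcEvent(1000, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, "cmd.exe",
              "cmd.exe /c start /min powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"),
    ProcEvent(2100, 2000, "powershell.exe",
              "powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"),
    ProcEvent(2200, 2100, "autoit3.exe",
              "C:\\Users\\u\\AppData\\Local\\Temp\\AutoIt3.exe C:\\Users\\u\\AppData\\Local\\Temp\\Notice.pdf"),
    ProcEvent(3000, 1000, "acrord32.exe", "AcroRd32.exe C:\\Users\\u\\Downloads\\statement.pdf"),
    ProcEvent(3100, 1000, "cmd.exe", "cmd.exe"),   # a user opening a terminal: not flagged
]
SAMPLE_NET = [
    NetEvent(2100, "203.0.113.10", 443),   # powershell.exe -> external: flagged
    NetEvent(2100, "10.0.0.5", 8080),      # powershell.exe -> internal: not flagged
    NetEvent(3000, "10.0.0.5", 445),       # viewer -> internal file share: not flagged
]

if __name__ == "__main__":
    for rule, story in detect(SAMPLE_PROCS, SAMPLE_NET):
        print(f"[{rule}] {story}")
```

Each finding carries the full lineage, so the analyst sees explorer.exe -> cmd.exe -> powershell.exe -> autoit3.exe as one story rather than three unrelated events, and the network finding is tied to the same chain. A PDF viewer opened from the desktop and a plain terminal produce no alerts.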
File hashes (MD5)
f5842320e04c2c97d1f69cebfd47df3d
6a4c3256ff063f67d3251d6dd8229931
8b8fa6c4298d83d78e11b52f22a79100
303c5e4842613f7b9ee408e5c6721c00
639b5489d2fb79bcb715905a046d4a54
908d074f69c0bf203ed225557b7827ec
0171338d904381bbf3d1a909a48f4e92
0777781dedd57f8016b7c627411bdf2c
94935397dce29684f384e57f85beeb0a
a9a52e2f2afe28778a8537f955ee1310
a58ef1e53920a6e528dc31001f302c7b
ad6273981cb53917cb8bda8e2f2e31a8
d4b06cb4ed834c295d0848b90a109f09
d6aa7e9ff0528425146e64d9472ffdbd
IP addresses
109.234.36[.]135
144.124.247[.]97
77.246.101[.]72
77.246.108[.]96
Domains
aceeyl[.]com
althouqroastery[.]com
anupamaivf[.]com
appoitment.dotoit[.]media
creativepackout[.]co
encryptuganda[.]org
genuinashop[.]com
igamingroundtable[.]com
jlrandsons.co[.]uk
kppe[.]pl
kyowaind.co[.]jp
nationalinterestparty[.]com
optique-leclercq[.]be
pomozzi[.]com
sparkwebsolutions[.]space
tatukikai[.]jp
vintashmarket[.]com