State-Sponsored Remote Wipe Tactics Targeting Android Devices

Nov. 10, 2025, 11:48 a.m.

Description

A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They compromised Google accounts to track victims' locations and remotely wipe Android devices. The attack involved spear-phishing, prolonged reconnaissance, and abuse of legitimate management functions. Multiple RAT variants were deployed, including RemcosRAT, QuasarRAT, and RftRAT. The campaign utilized WordPress-based hosting and geographically distributed C2 servers to evade detection. This sophisticated attack demonstrates the evolving tactics of state-sponsored threat actors.

Date

  • Created: Nov. 10, 2025, 11:14 a.m.
  • Published: Nov. 10, 2025, 11:14 a.m.
  • Modified: Nov. 10, 2025, 11:48 a.m.

Indicators


Attack Patterns

Additional Information

  • Government