State-Sponsored Remote Wipe Tactics Targeting Android Devices
Essential information
- Published
- 10/11/2025 11:14
- Modified
- 10/11/2025 11:48
- Tags
- 2025-11-10 android apt endrat find hub google account kakaotalk lilithrat quasarrat rat remcosrat remote wipe rftrat social engineering spear-phishing
- Related entities
- 10 observables, 1 intrusion sets (apt), 15 techniques (mitre), 5 malware, 1 others
Description
A new Android remote data-wipe attack exploiting Google's Find Hub feature has been identified as part of the KONNI APT campaign. The attackers impersonated psychological counselors and human rights activists, distributing malware disguised as stress-relief programs via KakaoTalk messenger. They compromised Google accounts to track victims' locations and remotely wipe Android devices. The attack involved spear-phishing, prolonged reconnaissance, and abuse of legitimate management functions. Multiple RAT variants were deployed, including RemcosRAT, QuasarRAT, and RftRAT. The campaign utilized WordPress-based hosting and geographically distributed C2 servers to evade detection. This sophisticated attack demonstrates the evolving tactics of state-sponsored threat actors.