APT37 Exploits Google Find Hub in Android Data-Wiping Attacks Against South Korean Targets

By Azhar Khan

Date: November 10, 2025

Overview: A newly identified campaign attributed to the North Korean threat actor APT37 (also known as “ScarCruft”) has been found abusing Google’s Find Hub service for Android to remotely track, wipe and silence target devices. The campaign specifically targets users in South Korea and is believed to be run in concert with the activity cluster known as KONNI. The attackers leverage spear-phishing and compromised Google accounts to trigger factory resets of Android devices at precisely timed moments, undermining recovery and investigative efforts.

Attack Chain & Technical Flow

The campaign begins with a carefully crafted spear-phishing message—often delivered via the popular South Korean messenger app KakaoTalk—which impersonates a legitimate organisation such as the national tax authority, police or consular office. The email or ZIP attachment contains a signed MSI or BAT script that installs remote access trojans (RATs) such as RemcosRAT, QuasarRAT or RtfRAT onto the victim’s computer. These RATs harvest Google (and sometimes local Naver) credentials, enabling the attackers to hijack the victim’s Google account.

Once control of the Google account is secured, the adversary accesses the Google Find Hub service to enumerate all registered Android devices under that account. They then activate tracking to determine when the target is outside and less capable of immediate response. At the precise moment of vulnerability, the attacker executes the remote “factory reset” functionality of Find Hub on the victim’s device, wiping data, removing the victim’s access, and severing any remote forensic visibility. In some cases, the wipe command was executed repeatedly to ensure data loss and delay recovery efforts.

Victimology & Targets

The victims include South Korea-based individuals such as human-rights advocates, counsellors for North Korean defectors, and employees of organisations with ties to North Korea-related issues. In one case, investigators recorded that on September 5 one counsellor’s Android device was wiped three times in rapid succession, rendering it unusable for hours and allowing the attacker to abuse the victim’s KakaoTalk session on the PC to propagate malware to the victim’s contacts. The campaign’s focus on Korean-language lures and targeted messenger vectors underlines its precision and limited target base, rather than indiscriminate mass malware distribution.

Motivation & Strategic Context

APT37 is a state-aligned North Korean actor known for espionage, credential theft and intelligence collection rather than immediate financial gain. The use of Google Find Hub for data wiping serves a dual purpose: eliminating device access for victims and obstructing forensic investigation or incident response. By wiping devices and hijacking messenger sessions, the adversary gains a foothold into both personal and professional networks of the target, enabling longer-term compromise and intelligence gathering. The targeting of defectors’ counsellors and Korean-related organisations is consistent with North Korea’s broader intelligence missions.

Impact & Risks to Stakeholders

Compromise of Google accounts plus remote wiping of Android devices introduces a high-risk scenario: victims lose device access, lose visibility to adversary actions, and may inadvertently spread malware to their contact lists. Organisations with staff handling sensitive issues (defector counselling, human-rights work, government liaison) must assume access to one account could result in a broader propagation and data-exfiltration event. Attackers may use this method to disable detection and extend dwell time, turning a credential compromise into a full device-level incident.

Defensive Measures for Organisations & Individuals

To defend against this level of targeted campaign, the following steps are critical:

  • Enable strong multi-factor authentication (MFA) on all Google accounts and connected services, including reliable recovery methods not tied solely to the compromised account.
  • Review and limit the number of devices and accounts registered under personal Google profiles; remove any unused devices or accounts.
  • Disable automatic sign-in of messenger clients like KakaoTalk, and isolate PC messenger sessions from corporate networks where feasible.
  • Deploy endpoint detection and response (EDR) and monitor for the installation of known RATs and persistence techniques linked to the KONNI toolkit.
  • Train staff to validate links and attachments in messenger apps and email—particularly unsolicited ZIP or installer files claiming to come from authorities.
  • For highly privileged or sensitive users, consider using a dedicated clean device for critical messaging, with minimal applications installed and no profile synchronisation of personal Google accounts.

Indicators of Compromise (IoCs) & Forensic Priorities

Defensive teams should hunt for:

  • New login activity in Google accounts associated with unfamiliar IP addresses or devices shortly before device wipe incidents.
  • Scheduled tasks or unknown processes on Windows endpoints that launch AutoIT or BAT scripts with names referencing “language pack error” or similar decoy messages.
  • Commands executed via Google Find Hub leading to device resets or notifications of “device reset by owner” under account settings.
  • Evidence of messenger session reuse from PC clients (e.g., KakaoTalk) after Android device wipe—indicating attacker pivot.
  • Data exfiltration of key account lists (Gmail, Naver) followed by remote activity on connected services and device-reset commands within short intervals.

What Happens Next

Investigations into this campaign are ongoing, and security teams are concerned the tactic may expand beyond South Korea to wider regions where Google accounts and Android devices are widespread. Organisations working with defectors, counselling, human-rights advocacy or intelligence in the Indo-Pacific should assume this method is available to adversaries and prepare incident-response processes accordingly. Providers of messenger and social apps may face new pressure to detect device-wipe abuse linked to compromised accounts and to collaborate with platform owners such as Google on cross-platform signalling of wipe misuse.

Conclusion

The APT37 campaign abusing Google Find Hub for remote wiping represents an evolution of mobile espionage tradecraft: not only gaining entry, but actively disabling detection and recovery by incapacitating the victim’s device. The combination of credential theft, remote device control, and messenger-based spread underscores the need for layered defences and rapid detection of account compromise. For high-risk users, the device is as much an attack surface as the cloud account—and strategic adversaries are increasingly exploiting both.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.