North Korea-linked APT abuses Google Find Hub for device wiping and spying

By Ash K

A state-sponsored threat actor affiliated with APT37 (and the KONNI activity cluster) has been observed abusing Google Find Hub to geolocate Android devices and perform remote wipes after credential theft. The campaign targets primarily South Korean users, uses social engineering via the popular messenger KakaoTalk and gains initial access through malware delivered to Windows systems. Defenders must view mobile device management features not only as protective, but also as potential attack amplifiers once account credentials are compromised.

Attack timeline and targets

The campaign began in September 2025, when the adversary sent spear-phishing messages impersonating South Korean institutions to selected victims. The messages urged recipients to open attachments that installed malware on Windows endpoints. Once the attacker obtained Google account credentials, they used those accounts to sign in to Find Hub, enumerate the registered Android devices, determine the targets' location and then issue remote factory resets. In several documented cases the attacker waited until the user was away from the device before triggering the wipe.

In one notable incident a psychological counsellor assisting North Korean defectors was targeted. Once the account was compromised, the attacker used the victim's active KakaoTalk PC session to spread malware to contacts, while the victim's mobile devices were wiped to hinder detection and recovery.

Technical chain of the intrusion

The attack is multi-stage:

  1. Spear-phishing message via KakaoTalk or email, masquerading as a trusted institution (e.g., the National Tax Service).
  2. The user executes the attachment (MSI or ZIP), which installs an AutoIt script, creates a scheduled task for persistence, and retrieves payloads (such as RemcosRAT, QuasarRAT and RftRAT) to harvest credentials and exfiltrate data.
  3. The malware steals Google (and sometimes Naver) credentials, giving the attacker access to the victim's account and the devices connected to it.
  4. Using the stolen credentials, the attacker logs in to the Google account, opens Find Hub, lists the registered Android devices, queries their GPS location to confirm the user is away, and then issues factory-reset (remote wipe) commands — sometimes repeating the wipe several times.
  5. With the device disabled and its alerts suppressed, the attacker uses the compromised KakaoTalk PC session to send the malware to the victim's contacts, expanding the compromise.

Notably, Google states that no security flaw in Android or Find Hub was exploited — the attack turns entirely on credential theft and abuse of legitimate account features.

Impact and significance

While this campaign appears to have a regional focus (South Korea), its implications are global. Key impacts include:

  • Complete takeover of a user’s Android device fleet via legitimate remote-management features after account compromise.
  • Suppression of alerts and notifications by wiping the device, delaying detection and limiting the user’s ability to respond.
  • Leveraging trust relationships (messenger contacts) to propagate malware laterally within a social graph — increasing outbreak potential.
  • Demonstrating that cloud-based device-management tools can be leveraged as attack pivots when credentials are compromised — a shift in mindset for defenders.

For cybersecurity professionals, this campaign underscores the convergence of endpoint compromise, credential theft, cloud-service abuse and device management escalation. It challenges defenders to treat features designed for “lost device recovery” as potential weaponisation paths.

Detection and hunting guidance for SOC teams

Defenders should monitor the following telemetry sources and behaviours:

  • Unusual Google account login events: from new geolocations or unknown devices, especially followed by alteration of MFA settings or connected device list changes.
  • Suspicious creation or deletion of Android device entries in Find Hub / device registration list during times when the user is inactive or away.
  • Unexpected remote wipe commands issued from legitimate Google account — correlate account actions with device wipe events.
  • Social-engineering-driven delivery of MSI/ZIP attachments via messenger apps (KakaoTalk) followed by scheduled-task creation, AutoIt scripts and RAT downloads — detect these persistence mechanisms on Windows endpoints.
  • Propagation events in messenger contacts: compromised PC session sending files to contacts, particularly after device wipe has occurred — monitor outgoing files from known user accounts or peer devices.

Illustrative pseudo-KQL query for detecting possible account compromise in Google Workspace (formerly G Suite) logs. The table and column names are placeholders standing in for whatever your SIEM's normalised Google audit data exposes, not a real log schema:

login_events
| where login_type == "GoogleAccount"
    and (geo_location != user_home_location or new_device == true)
| join kind=inner (device_management_events) on user
| where action in ("remote_wipe", "delete_device")
// only keep wipes issued after the suspicious login (right-side timestamp is renamed on join)
| where timestamp1 > timestamp
| project timestamp, user, geo_location, device_id, action
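The same correlation as working code, added here as an example rather than anything from the original article or from Google: it runs over a handful of constructed, already-normalised audit events (the field names ts, user, kind, geo, new_device, action and device_id are assumptions, not Google's audit-log schema) and raises one alert per suspicious login that is followed by a wipe or device deletion for the same user within a time window. It also records whether a locate request preceded the first wipe, since the article notes the attacker checks location first, and rates repeated wipes higher.

```python
from datetime import datetime, timedelta

# Constructed sample events in an assumed, already-normalised schema.
# The field names are assumptions for this example, not Google's audit-log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T08:02:11Z", "user": "counsellor@example.org", "kind": "login",
     "geo": "KR-Seoul", "new_device": False},
    {"ts": "2025-09-10T13:41:05Z", "user": "counsellor@example.org", "kind": "login",
     "geo": "XX-Unknown", "new_device": True},
    {"ts": "2025-09-10T13:44:30Z", "user": "counsellor@example.org", "kind": "device_mgmt",
     "action": "locate", "device_id": "android-01"},
    {"ts": "2025-09-10T18:05:12Z", "user": "counsellor@example.org", "kind": "device_mgmt",
     "action": "remote_wipe", "device_id": "android-01"},
    {"ts": "2025-09-10T18:06:40Z", "user": "counsellor@example.org", "kind": "device_mgmt",
     "action": "remote_wipe", "device_id": "android-01"},
    {"ts": "2025-09-10T09:00:00Z", "user": "itadmin@example.org", "kind": "login",
     "geo": "KR-Seoul", "new_device": False},
    {"ts": "2025-09-10T09:30:00Z", "user": "itadmin@example.org", "kind": "device_mgmt",
     "action": "remote_wipe", "device_id": "android-07"},
]

# Constructed baseline: the location each user normally signs in from.
HOME_LOCATION = {"counsellor@example.org": "KR-Seoul", "itadmin@example.org": "KR-Seoul"}

# Device-management actions that destroy or detach a device.
WIPE_ACTIONS = {"remote_wipe", "delete_device"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_suspicious_login(event, home):
    """A login is suspicious when it comes from a new device or from outside the user's usual location."""
    if event["kind"] != "login":
        return False
    return bool(event.get("new_device")) or event.get("geo") != home.get(event["user"])


def correlate(events, home, window_hours=24):
    """Return one alert per suspicious login followed, within the window, by a wipe/deletion for the same user."""
    window = timedelta(hours=window_hours)
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for login in (e for e in ordered if is_suspicious_login(e, home)):
        start = parse_ts(login["ts"])
        follow_ups = [
            e for e in ordered
            if e["user"] == login["user"] and e["kind"] == "device_mgmt"
            and start <= parse_ts(e["ts"]) <= start + window
        ]
        wipes = [e for e in follow_ups if e["action"] in WIPE_ACTIONS]
        if not wipes:
            continue
        first_wipe = parse_ts(wipes[0]["ts"])
        alerts.append({
            "user": login["user"],
            "login_ts": login["ts"],
            "login_geo": login["geo"],
            "devices": sorted({w["device_id"] for w in wipes}),
            "wipe_count": len(wipes),
            # A locate request between the login and the first wipe matches the
            # "check the user is away, then wipe" pattern and strengthens the alert.
            "located_before_wipe": any(
                e["action"] == "locate" and parse_ts(e["ts"]) < first_wipe for e in follow_ups
            ),
            "severity": "high" if len(wipes) > 1 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, HOME_LOCATION):
        print(alert)
```

On the constructed data this yields a single high-severity alert for the counsellor account (two wipes of android-01 after a new-device login from an unknown location, with a locate call in between) and nothing for the admin account, whose wipe followed an ordinary login. In production the baseline location would come from historical sign-in data rather than a static dictionary, and the window should be tuned to how long the attacker typically waits between login and wipe.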

On the endpoint side (Windows), detect scheduled tasks created by AutoIt scripts. The query below is written in advanced-hunting style; the table and column names are illustrative and should be mapped to your EDR's schema:

DeviceScheduledTaskEvents
| where CommandLine contains "IoKITr.au3"
    or InitiatingProcessFileName in ("install.bat", "error.vbs")
| project Timestamp, DeviceName, InitiatingProcessFileName, CommandLine
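Where no EDR table is available, the same check can be run against Windows Security event 4698 ("A scheduled task was created"), whose TaskContent field carries the task definition as XML. The example below is added here and is not from the article or any vendor: it parses the Exec actions out of constructed task definitions (the task names, account and file paths are made up; only the IoKITr.au3 script name comes from the article) and flags tasks that invoke the AutoIt interpreter or a .au3 script, or launch an executable from a user-writable location.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions (Security event 4698 TaskContent).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# AutoIt interpreter or a .au3 script referenced anywhere in the action.
AUTOIT_RE = re.compile(r"autoit3?(?:_x64)?\.exe|\.au3\b", re.IGNORECASE)
# Executable launched from a user-writable location rather than Program Files / System32.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Constructed samples: (TaskName, SubjectUserName, TaskContent) as extracted from event 4698.
# Task names, the account and the paths are made up; only IoKITr.au3 comes from the article.
SAMPLE_TASKS = [
    ("OneDriveUpdateTask", "DESKTOP-01\\user", """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Local\\Temp\\AutoIt3.exe</Command>
      <Arguments>C:\\Users\\user\\AppData\\Local\\Temp\\IoKITr.au3</Arguments>
    </Exec>
  </Actions>
</Task>"""),
    ("RestartUpdateService", "NT AUTHORITY\\SYSTEM", """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\sc.exe</Command>
      <Arguments>start wuauserv</Arguments>
    </Exec>
  </Actions>
</Task>"""),
]


def extract_exec_actions(task_xml):
    """Return (command, arguments) pairs for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iter(f"{TASK_NS}Exec"):
        command = (exec_el.findtext(f"{TASK_NS}Command") or "").strip()
        arguments = (exec_el.findtext(f"{TASK_NS}Arguments") or "").strip()
        actions.append((command, arguments))
    return actions


def assess_task(task_name, subject_user, task_xml):
    """Score one task-creation event; every matching rule adds a human-readable reason."""
    reasons = []
    for command, arguments in extract_exec_actions(task_xml):
        action_line = f"{command} {arguments}".strip()
        if AUTOIT_RE.search(action_line):
            reasons.append(f"AutoIt interpreter or .au3 script in action: {action_line}")
        if USER_WRITABLE_RE.search(command):
            reasons.append(f"executable launched from user-writable path: {command}")
    return {"task": task_name, "created_by": subject_user,
            "suspicious": bool(reasons), "reasons": reasons}


def triage(task_events):
    """Assess a batch of (name, user, xml) task-creation records."""
    return [assess_task(name, user, xml) for name, user, xml in task_events]


if __name__ == "__main__":
    for result in triage(SAMPLE_TASKS):
        print(result)
```

The first constructed task is flagged on both rules (AutoIt plus a Temp-directory path); the second, a system-owned task that restarts a service from System32, is not. The user-writable-path rule is the more general of the two and catches renamed interpreters that the AutoIt pattern would miss.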

Mitigation and response actions

Response teams should prioritise the following steps:

  1. Strengthen account security: enforce multi-factor authentication (MFA) or passkeys on Google accounts, especially those tied to device management. Enrol high-risk users in Google's Advanced Protection Program.
  2. Monitor device-management logs: Configure alerting on changes to device registration, remote wipe commands, and changes to device-management account status.
  3. Restrict social-engineering vectors: Provide phishing awareness training focused on messenger apps (KakaoTalk) and attachments impersonating trusted institutions. Block or flag MSI/ZIP attachments from untrusted senders.
  4. Endpoint hardening: deploy behaviour-based EDR to detect RATs, AutoIt scripts and scheduled tasks created outside maintenance windows. Investigate any unusual processes or command-line activity on Windows hosts.
  5. Incident triage: If a Google account is compromised, review the list of registered devices, perform a forced logout and device wipe from the organisation’s management console, and reset account credentials and session tokens. Also, perform forensic image capture of the PC used in the initial compromise to identify RATs and persistence.

Long-term strategic lessons

This campaign offers several strategic take-aways:

  • Zero-trust principles apply to device-management tools: assume that any account with elevated privileges or device-wipe capabilities must be tightly controlled, monitored and isolated.
  • Cross-platform attacks: Windows endpoint compromise led to abuse of mobile management features — defenders must unify disparate telemetry (PC, mobile, cloud) for holistic visibility.
  • Social trust abuse: Messenger apps and trusted contacts are now vectors for privilege escalation and lateral spread — detection must extend into communications apps and user behaviour.
  • Credential theft is still the gateway to high-impact operations: even though no zero-day exploit is involved, this campaign achieves major effect through credential compromise and abuse of legitimate functionality — emphasising the need for identity-centric protections.

In Summary

The APT37/KONNI campaign abusing Google Find Hub for location tracking and device wiping illustrates how adversaries can weaponise trusted features when they control underlying credentials. Organisations must not only secure devices but also secure the identity-to-device link and monitor remote management actions. For security teams, the immediate priorities are credential protection, logging and detection of device-management actions, and phishing resistance for interlinked user platforms.

Ash K
Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security-solution architecture.