Konni Hackers Expand Their Attacks
Konni Hackers continue to widen their operations. They now target Android and Windows devices with new tools. They aim to steal data and gain remote control. Moreover, they use social engineering to reach unsuspecting users.
Konni actors pretend to be counselors or human rights experts. They spread malware disguised as stress-relief apps. Therefore, many victims trust the files and install them without caution.
Abusing Find Hub for Remote Data Wipes
The threat actors also misuse a legitimate device-tracking service called Find Hub. They use stolen credentials to trigger remote resets. As a result, victims lose personal data without warning.
This tactic appeared in early September 2025. It marks the first known case of this group weaponizing built-in management features. However, their attacks begin long before the wipe happens.
Spear-Phishing Leads to Full System Access
The attackers start with tailored spear-phishing emails. They impersonate official agencies to trick victims into opening infected attachments. These files drop remote access tools that allow full system control.
Once inside, the intruders spy through webcams. They also operate systems when victims are away. Additionally, they collect chat credentials to spread malware to more contacts.
Stealthy Credential Theft and Cover-Ups
The malware gathers account credentials from major online platforms. Attackers then log in, issue commands, and hide their tracks. For example, they delete warning emails and empty trash folders. This behavior allows long-term persistence.
Complex Malware Chain and Multiple RATs
The distributed ZIP file hides a malicious installer. It uses a legitimate signature to seem trustworthy. Once run, it shows a fake error message while executing harmful commands.
An automated script runs every minute to fetch new instructions. These commands allow file theft, uploads, program execution, and remote shell control. Researchers call this variant EndRAT.
The attackers also deploy other remote tools such as updated trojans and earlier RAT families. Their selection shows a focus on local targets and long-term espionage.
Other Threat Groups Show Similar Activity
Another threat group uses updated espionage tools delivered through fake documents. Victims must enable macros, which then launch hidden components. Consequently, the malware contacts remote servers and waits for more tasks.
Furthermore, analysts recently found a new JavaScript dropper linked to another hostile actor. It downloads more scripts, creates scheduled tasks, and opens empty documents as decoys.
How to Prevent These Attacks
Users should stay alert, update devices, and avoid opening unexpected attachments. They should also enable multi-factor authentication and monitor account activity. Professional cybersecurity services can provide continuous threat detection and real-time incident response. These services also help deploy advanced endpoint protection to block remote-control malware.
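One concrete check that follows from the behaviour described above (a script that runs every minute to fetch instructions, a dropper that creates scheduled tasks): hunt the local task scheduler for tasks that repeat at high frequency and launch a script interpreter. This is an added example for defenders, not code from the article or from the researchers it cites; the five-minute threshold and the interpreter list are assumptions, so tune them to your environment.

```powershell
# Hunt for scheduled tasks that repeat at high frequency and invoke a script host.
# Such tasks are a common persistence pattern for command-fetching RATs and droppers.
# Assumptions (not from the article): the interval threshold and the interpreter list.
function Find-HighFrequencyScriptTasks {
    param(
        [int]$MaxIntervalMinutes = 5,
        [string[]]$Interpreters = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                                    'mshta.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe')
    )
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # Repetition.Interval is an ISO 8601 duration such as PT1M (every minute).
        $fastTriggers = @($task.Triggers | Where-Object {
            $_.Repetition -and $_.Repetition.Interval -and
            ([System.Xml.XmlConvert]::ToTimeSpan($_.Repetition.Interval).TotalMinutes -le $MaxIntervalMinutes)
        })
        if ($fastTriggers.Count -eq 0) { return }
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute; COM-handler actions are skipped here.
            if (-not $action.Execute) { continue }
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLower()
            if ($Interpreters -contains $exe) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Interval  = $fastTriggers[0].Repetition.Interval
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Author    = $task.Author
                }
            }
        }
    }
}

# Review every hit: legitimate agents can match too, so check the author, path and
# arguments (especially anything that downloads or decodes content) before acting.
Find-HighFrequencyScriptTasks | Format-Table -AutoSize
```

Run it in an elevated session so tasks registered by other accounts are visible; an empty result does not rule out persistence via services, registry run keys or WMI subscriptions.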
Sleep well, we've got you covered.