North Korea-Linked Hackers Weaponize Google’s Find Hub in Global Credential Heist
Cyber warfare escalates as state-sponsored actors exploit trusted platforms.
How a phishing campaign bypassed enterprise defenses—and what it means for crypto security.
Active since at least Q3 2025, the operation mirrors Pyongyang's crypto-jacking playbook: infiltrate, impersonate, liquidate. No surprise—their Lazarus Group needs fresh capital after last year's $200M DeFi hacks got frozen by Chainalysis.
Key targets? Crypto-native employees at exchanges and wallet providers. The attack vector? A poisoned browser extension masquerading as Google's official developer toolkit.
While Web2 firms scramble for patches, Web3 orgs face a brutal truth: your GitHub OAuth tokens are now higher-value than most altcoins. Time to rotate those API keys—assuming your 'decentralized' team actually has operational controls.
South Korean cybersecurity group says malware is for Korea-focused operations
According to investigators, the spear-phishing emails appear to originate from legitimate companies, such as the National Tax Service. This trick fools users into opening malicious attachments that contain remote access trojans, such as Lilith RAT, which can take control of compromised computers and send additional payloads.
The threat actor can stay hidden in the compromised computer for over a year, spying via the webcam and operating the system when the user is absent. GSC stated, “In this process, the access obtained during the initial intrusion enables system control and additional information collection, while evasion tactics allow long-term concealment.”
Hackers can steal the victim’s Google and Naver account credentials. After getting their hands on the stolen Google passwords, the hackers use them to log in to Google’s Find Hub and wipe their devices remotely.
For instance, these hackers logged into a recovery email account listed under Naver, and they deleted Google security alert emails. Additionally, they emptied the trash folder in the inbox to conceal their tracks.
The hackers are also using a ZIP file. It is propagated via the messaging app containing a malicious Microsoft Installer (MSI) package called “Stress Clear.msi”. This package uses a legal signature provided to a Chinese company to authenticate the application’s appearance. Once it’s started, it uses a batch script to do the basic setup.
It then runs a Visual Basic Script (VBScript) that displays a fake error message about a language pack compatibility issue while the malicious commands are executed in the background.
The malware is similar to Lilith RAT in some ways, but it has been given the code name EndRAT (also known as EndClient RAT by security researcher Ovi Liber) due to the changes that have been identified.
Genians stated that the Konni APT actors also used an AutoIt script to initiate the Remcos RAT version 7.0.4, which was publicly disclosed on September 10, 2025, by the group responsible for its maintenance. Now, hackers are using newer versions of the Trojan in their attacks. Quasar RAT and RftRAT, another trojan used by Kimsuky in 2023, have also been found on target devices.
The South Korean cybersecurity company said, “This suggests that the malware is tailored to Korea-focused operations and that obtaining relevant data and conducting in-depth analysis requires substantial effort.”
North Korea-backed hackers’ impetus grows
This attack is definitely a follow-up to the Konni APT campaign, which is tied to the Kimsuky and APT 37 groups that the North Korean government backs.
At the same time, ENKI revealed that the Lazarus Group used an updated version of the Comebacker malware in attacks against defense and aerospace companies using specially made Microsoft Word documents as bait as part of an espionage operation. They claim to be from Airbus, the Edge Group, and the Indian Institute of Technology Kanpur to deceive people.
Meanwhile, as reported by Cryptopolitan, Second Vice Foreign Minister Kim Ji-na announced that South Korea is considering sanctions against North Korea over rampant cryptocurrency crime, and that cooperation with the US is critical.
If you're reading this, you’re already ahead. Stay there with our newsletter.
