Operation Poseidon: Konni Group Hijacks Google & Naver Ad Links to Deploy EndRAT
The campaign designated “Operation Poseidon” has been identified as a sophisticated targeted attack in which the adversaries abused advertising traffic redirection mechanisms to circumvent email filters and lower user vigilance.
The cornerstone of this stratagem was the use of link structures from Google Ads and Naver, which disguised malicious redirects as legitimate promotional clicks. According to an assessment by the Genians Security Center, the Konni threat collective, a North Korean entity known for its social engineering and its use of AutoIt scripts, is the architect of this operation.
The primary targets encompassed South Korean entities, specifically within the fiscal and human rights sectors. Malefactors disseminated missives masquerading as official correspondence from banking institutions and advocacy groups, enticing recipients to inspect archived documents. In reality, these archives harbored LNK shortcuts that, upon execution, invoked AutoIt scripts. These scripts subsequently surreptitiously loaded the EndRAT malware into memory, cloaking the process behind the facade of a PDF document. A salient feature of this methodology is the absence of any requisite user interaction following the initial file execution.
Within their infrastructure, the adversaries leveraged vulnerable WordPress installations, repurposing them as intermediary hosts and command-and-control channels. This facilitated rapid domain rotation and significantly impeded forensic tracking. Furthermore, evidence emerged of “tracking pixels”, clandestine 1×1 transparent images embedded within the emails, used to confirm the moment at which the recipient opened the message.
Beginning in July 2025, a tactical evolution was observed. While previously malicious links were embedded directly within the message body, the group transitioned to wrapping them within Google and Naver advertising URLs. This maneuver effectively bypassed filters predicated on URL reputation and bolstered the perceived legitimacy of the content.
The campaign was distinguished by a profound degree of mimicry; emails utilized the nomenclature of authentic banks and adopted formal verbiage regarding “transfer confirmations” or “consent for personal data processing.” Certain files imitated official invitations to human rights symposia concerning North Korea. Regardless of the pretext, all contained malicious LNK files that, once activated, established a connection to a unified command server.
Analytical scrutiny of the infrastructure and underlying code confirms Konni’s authorship. In several instances, the malicious scripts contained the internal designation “Poseidon — Attack.” Although this string was excised in later iterations, the original compilation paths indicate a consistent project structure and developmental approach.
Given the sophistication of this threat, prevention cannot be effectively achieved through filtering or rudimentary antivirus solutions alone. Experts emphasize the necessity of behavioral detection systems, such as EDR, alongside continuous analysis of adversarial tactics. Specifically, detecting the transition from shortcut (LNK) execution to script or PowerShell invocation is paramount for early intervention. Multi-layered defense and contextual event analysis enable the timely isolation of incidents, curtailing response times and thwarting the lateral progression of the attack.
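As an added illustration of the detection point above (this is example code, not Genians' or the article's own tooling), the following Python runs a chain rule over constructed Sysmon-style process-creation records: it flags a script host launched from the desktop shell with hidden or encoded arguments, and the fuller shell → script host → AutoIt interpreter sequence, while leaving a plain user-opened terminal alone. The AutoIt binary name and the command-line markers are assumptions.

```python
from pathlib import PureWindowsPath

# Process roles used by the chain rule. The AutoIt interpreter name is an
# assumption: attackers can rename the binary, so pair this with hash checks.
SHELL = {"explorer.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
AUTOIT = {"autoit3.exe"}
HIDDEN_MARKERS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop")

# Constructed Sysmon-style process-creation records (Event ID 1 field names,
# shortened GUIDs). This is sample data, not telemetry from the campaign.
SAMPLE_EVENTS = [
    # A user opening a terminal from the desktop: benign on its own.
    {"ProcessGuid": "C1", "ParentProcessGuid": "E1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": '"C:\\Windows\\System32\\cmd.exe"'},
    # What a double-clicked LNK target can look like: hidden window, encoded command.
    {"ProcessGuid": "P1", "ParentProcessGuid": "E1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAo"},
    # The script host then starts the AutoIt interpreter from a temp path.
    {"ProcessGuid": "A1", "ParentProcessGuid": "P1",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\AutoIt3.exe",
     "CommandLine": r"AutoIt3.exe C:\Users\user\AppData\Local\Temp\doc.au3"},
    # Unrelated service activity.
    {"ProcessGuid": "S1", "ParentProcessGuid": "V1", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},
]

def name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def detect_chains(events):
    """Return (ProcessGuid, reason) pairs for the two transitions singled out
    above: shell -> script host with hidden/encoded arguments, and
    shell -> script host -> AutoIt interpreter."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        img, pimg = name(e["Image"]), name(e["ParentImage"])
        parent = by_guid.get(e["ParentProcessGuid"])  # may be absent if explorer was not logged
        gimg = name(parent["ParentImage"]) if parent else None
        cmd = e.get("CommandLine", "").lower()
        if img in AUTOIT and pimg in SCRIPT_HOSTS and gimg in SHELL:
            hits.append((e["ProcessGuid"], "shell -> script host -> AutoIt chain"))
        elif img in SCRIPT_HOSTS and pimg in SHELL and any(m in cmd for m in HIDDEN_MARKERS):
            hits.append((e["ProcessGuid"], "script host from shell with hidden/encoded arguments"))
    return hits
```

The benign explorer.exe → cmd.exe record (C1) is deliberately not flagged: on its own it is a weak signal, and the value of the rule lies in correlating it with what the child process does next.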