North Korea-linked hackers pose as human rights activists, report says


North Korean hackers have impersonated human rights organizations and financial institutions in South Korea to lure targets into opening malicious files, according to a report released Monday by cybersecurity firm Genians. File Photo by Stephen Shaver/UPI

North Korea-linked hackers are using emails that impersonate human rights organizations and financial institutions to lure targets into opening malicious files, according to a threat intelligence report released Monday by South Korean cybersecurity firm Genians.

The campaign, dubbed “Operation Poseidon,” has been attributed to the Konni hacking cluster, a group linked by security researchers to Pyongyang-backed cyber operations and known for conducting long-running advanced persistent threat, or APT, campaigns.

“The threat actor was identified as repeatedly employing social engineering tactics by impersonating North Korean human rights organizations and financial institutions in South Korea,” the Genians Security Center report said.

Genians said Konni has overlapping targets and infrastructure with other North Korea-linked threat groups, including Kimsuky and APT37, which have been tied to cyber espionage, surveillance and influence operations targeting South Korean government agencies, researchers and civil society groups.

According to the report, the spearphishing emails relied on links that appeared trustworthy because they passed through legitimate online advertising and click-tracking systems commonly used to track user engagement. By embedding malicious destinations behind trusted tracking URLs, the attackers were able to bypass email security filters and reduce suspicion among recipients.

The links ultimately redirected victims to servers hosting malicious files. Genians said the scheme exploited Google Ads redirection URLs and poorly secured WordPress sites to deliver malware payloads, with the files often disguised as PDF documents or financial notices.
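As an added illustration that is not part of the Genians report, the Python below shows the shape of a mail-gateway check for the lure described above: a link whose query string carries a second, absolute URL pointing somewhere other than the visible tracking domain. The tracker and destination hostnames, and the parameter name `dest`, are constructed placeholders; the check scans every query parameter, so it does not depend on that name.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample link: a click-tracking style redirect that carries a
# hidden destination in its query string. Hostnames are placeholders, not
# indicators from the report.
SAMPLE_LINK = (
    "https://click.adtracker.example/track?cid=1234"
    "&dest=https%3A%2F%2Fblog.compromised-site.example%2Fuploads%2Fnotice.pdf"
)


def embedded_urls(url: str) -> list[str]:
    """Return absolute http(s) URLs found as values in the query string of url."""
    found = []
    # parse_qsl already percent-decodes the values for us.
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.netloc:
            found.append(value)
    return found


def redirect_chain(url: str, max_depth: int = 5) -> list[str]:
    """Unwrap nested destinations by parsing only; nothing is fetched."""
    chain = [url]
    while len(chain) <= max_depth:
        nested = embedded_urls(chain[-1])
        if not nested:
            break
        chain.append(nested[0])
    return chain


def assess(url: str) -> dict:
    """Flag a link whose final parsed destination differs from the visible host."""
    chain = redirect_chain(url)
    visible = urlsplit(chain[0]).hostname or ""
    final = urlsplit(chain[-1]).hostname or ""
    return {
        "chain": chain,
        "visible_host": visible,
        "final_host": final,
        "hidden_destination": len(chain) > 1 and visible != final,
    }


if __name__ == "__main__":
    for step in assess(SAMPLE_LINK)["chain"]:
        print(step)
```

A hit from this check is a reason to detonate or block the link, not proof of malice, since legitimate advertising clicks take the same shape; the value is in surfacing the final host for review rather than trusting the visible tracker domain.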

Security experts say APT campaigns are among the most challenging to defend against because they combine long-term access with carefully crafted social engineering designed to bypass conventional defenses.

“Considering the comprehensive nature of these attack characteristics, ‘Operation Poseidon’ is classified as a sophisticated APT campaign that is difficult to counter through any single security solution,” the Genians report said.

The findings come as North Korea, under heavy international sanctions, has increasingly turned to hacking and cybertheft to help bankroll its nuclear and ballistic missile programs.

An October report by the 11-country Multilateral Sanctions Monitoring Team described North Korea’s cybercrime apparatus as “a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”

The report added that “nearly all the DPRK’s malicious cyber activity, cybercrime, laundering and IT work is carried out under the supervision, direction and for the benefit of entities sanctioned by the United Nations for their role in the DPRK’s unlawful WMD and ballistic missile programs.”

The Democratic People’s Republic of Korea is the official name of North Korea.

In November, the U.S. Treasury Department assessed that North Korea had stolen more than $3 billion over the past three years in attacks on financial systems and cryptocurrency platforms.

Genians urged organizations and individuals to remain cautious when receiving unsolicited emails.

“Since similar attacks impersonating financial institutions are likely to continue in the future, extra caution is required,” the report said. “Users should not assume a document is legitimate based only on the email subject or filename.”
