Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign

The Konni Group conducted a sophisticated multi-stage attack campaign, initiating with a spear-phishing email disguised as a North Korean human rights lecturer appointment. The attack progressed through execution of a malicious LNK file, installation of remote access malware, and long-term persistence for data theft. A key feature was the unauthorized access to victims' KakaoTalk PC applications, used to distribute additional malicious files to selected contacts. The campaign employed multiple RAT families, including EndRAT, RftRAT, and RemcosRAT, with a distributed C2 infrastructure across Finland, Japan, and the Netherlands. The threat actor's tactics included trust-based propagation, account session abuse, and modular payload deployment, highlighting the need for advanced behavior-based detection and multi-layered defense strategies.

Pulse ID: 69ba831f2287b29db4e4645e
Pulse Link: https://otx.alienvault.com/pulse/69ba831f2287b29db4e4645e
Pulse Author: AlienVault
Created: 2026-03-18 10:49:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DRat #DataTheft #Email #Finland #ICS #InfoSec #Japan #Konni #Korea #LNK #Malware #NorthKorea #OTX #OpenThreatExchange #Phishing #RAT #Remcos #RemcosRAT #Rust #SpearPhishing #TheNetherlands #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

COVERT RAT: Phishing Campaign

A sophisticated multi-stage infection chain targets Argentina's judicial ecosystem using spear-phishing tactics and authentic-looking judicial content. The campaign employs a carefully crafted ZIP archive containing a weaponized LNK shortcut, BAT-based loader script, and judicial-themed PDF decoy. The attack chain leads to the deployment of a Rust-based Remote Access Trojan (RAT) that demonstrates extensive anti-VM, anti-sandbox, and anti-debugging techniques. The RAT establishes a resilient command-and-control channel, supports modular commands for various malicious activities, and implements full lifecycle management. The operation, dubbed 'Operation Covert Access,' aims to secure long-term access within high-trust institutional settings, highlighting the need for improved defenses against socially engineered intrusion chains.

Pulse ID: 69b821c38b5e35d90728323e
Pulse Link: https://otx.alienvault.com/pulse/69b821c38b5e35d90728323e
Pulse Author: AlienVault
Created: 2026-03-16 15:29:07

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #RemoteAccessTrojan #Rust #SpearPhishing #Trojan #ZIP #bot #AlienVault

Is the snow in #LNK done? Looks like the street in front of our house has remained clear but there's a small amount of accumulation on the lawns.
There are at least four fires burning west and southwest of Lincoln, Nebraska. Southwest winds are gusting at 50+ miles per hour.
#wind #fire #weather #LNK #LincolnNebraska
Big news! Zesto has put their tables back down! Almost zesto tiiiiime #LNK

Hey, fellow Lincolnites.

If you had a bunch of (non-mass market) board games that you are looking to unload, how would you do so? Some I would like to get some money for, but others might be donations.

Please reply and boost for visibility.

#LNK #BoardGames

Aviation weather for Lincoln airport (USA) is “KLNK 061554Z 17005KT 10SM BKN032 OVC042 18/16 A2966 RMK AO2 SLP037 T01830156” : See what it means on https://www.bigorre.org/aero/meteo/klnk/en #lincolnairport #airport #lincoln #usa #klnk #lnk #metar #aviation #aviationweather #avgeek vl
Lincoln airport (United States) aviation weather and information KLNK LNK

Aviation weather with TAF and METAR, maps, hotels and aeronautical information for Lincoln airport (United States)

Bigorre.org

Abusing Windows File Explorer and WebDAV for Malware Delivery

This analysis details how threat actors are exploiting Windows File Explorer's WebDAV functionality to deliver malware. WebDAV, a legacy protocol, is being used to trick users into downloading malicious files without going through web browsers, potentially bypassing security controls. Campaigns often use complex chains of scripts and legitimate files to deliver Remote Access Trojans (RATs). The tactic has been observed since February 2024, with increased activity from September 2024. Threat actors frequently abuse Cloudflare Tunnel demo accounts to host WebDAV servers. The report explains WebDAV links, how File Explorer can be manipulated, and various methods used by attackers, including URL shortcut files and LNK files. It also highlights the prevalence of German and English language campaigns targeting European corporate email accounts.

Pulse ID: 69a3ce1589019e16f3785b72
Pulse Link: https://otx.alienvault.com/pulse/69a3ce1589019e16f3785b72
Pulse Author: AlienVault
Created: 2026-03-01 05:26:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Cloud #CyberSecurity #Email #Europe #InfoSec #LNK #Malware #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #AlienVault

We just felt a flipping earthquake in #LNK. That's new.

Massive Winos 4.0 Campaigns Target Taiwan

A series of targeted phishing campaigns in Taiwan have been observed disseminating Winos 4.0 (ValleyRat) malware and associated plugins. The attacks exploit local business processes using themes like tax audits and e-invoices. The campaigns employ various techniques including malicious LNK files, DLL sideloading, and Bring Your Own Vulnerable Driver (BYOVD) attacks. The malware utilizes UAC bypassing, driver loading, and process termination to evade detection and disable security software. The attacks are attributed to a subgroup of the Silver Fox APT, showing sophisticated localization and evolving evasion techniques. The campaigns have been active since at least January 2026, using consistent infrastructure and development identifiers.

Pulse ID: 699a6ee1425f8f4a6e583f31
Pulse Link: https://otx.alienvault.com/pulse/699a6ee1425f8f4a6e583f31
Pulse Author: AlienVault
Created: 2026-02-22 02:50:09

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #LNK #Malware #OTX #OpenThreatExchange #Phishing #RAT #SideLoading #bot #AlienVault
