North Korea-linked hacking group targets devices remotely to wipe data
Published: 10 Nov. 2025, 09:42
Evidence has emerged that a hacking group believed to be backed by North Korea remotely took control of computers and Android smartphones and wiped large amounts of data from them.
On Sept. 5, a hacker remotely reset the smartphone of a South Korean psychological counselor and used the counselor’s hijacked KakaoTalk account to send a malicious file, disguised as a “stress relief program,” to the counselor’s contacts, according to a threat analysis released on Monday by the information security firm Genians Security Center.
Ten days later on Sept. 15, an Android smartphone belonging to a North Korean human rights activist was also reset, and the compromised KakaoTalk account was used to distribute a malicious file to 36 acquaintances.
Spreading malware through KakaoTalk messages fits the typical North Korean social-engineering pattern of impersonating trusted contacts. In this case, however, investigators found a technique they had not seen before.
According to the report, after infiltrating victims’ smartphones and PCs, the hackers stayed dormant for a long period while stealing credentials for Google and other major IT services. They then used Google’s location-based device lookup to confirm that the victim was away from home or the office, and remotely factory-reset the smartphone through the erase function of Google’s “Find Hub” (formerly Find My Device).
At the same time, the attackers used already infected PCs or tablets located at the victim’s home or office to distribute the malware to the victim’s contacts, disguising it as other programs such as a “stress relief program.”
Some recipients who suspected the file was malicious tried to verify it by calling or messaging the victim, but the reset had cut the victim off from push notifications, calls and messages. That delayed the initial response and let the number of secondary victims rise quickly. The hackers also deleted key data, such as photos, documents and contacts, from victims’ smartphones, tablets and PCs.
The report said there is also evidence that the attackers used webcams on infected PCs to confirm victims were not at home. The malware included webcam and microphone control features, raising the possibility that the infected machines were used to monitor victims’ movements.
"This combination of device neutralization and account-based propagation is unprecedented among previously known state-sponsored APT scenarios and was first identified and analyzed in this report," wrote Genians. An APT scenario is a specific, planned sequence of actions used in an advanced persistent threat, a sophisticated, long-term cyberattack.
"It demonstrates the attacker’s tactical maturity and advanced evasion strategy, marking a key inflection point in the evolution of APT tactics."
Genians advised users to enable two-step verification and to avoid saving passwords in browsers in order to limit the damage from stolen credentials. The firm also urged users to power off PCs when not in use and called on manufacturers to strengthen their multi-factor authentication systems.
Earlier, the Gyeonggi Nambu Provincial Police Agency’s cyber counterintelligence unit said it was investigating the hacking case involving the North Korean human rights activist and confirmed that the structure of the malware used in the attack is similar to code commonly used by North Korea-linked hacking groups.
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY HYEON YE-SEUL [[email protected]]
with the Korea JoongAng Daily