'Operation Blackbird', Geumseong 121's Mobile Invasion

2018-12-13 ESTSecurity ‘Operation Blackbird', Venus 121's mobile invasion

http://blog.alyac.co.kr/2035


ESRC attributes the Operation Blackbird activity to the suspected Geumseong 121 (Venus 121) group and shows the operation expanding from its earlier server and PC targeting into Android mobile espionage. The campaign targeted North Korean defectors and people connected to them by sending direct app-install links through SNS comments or messengers such as KakaoTalk, a narrow, individually targeted delivery model rather than mass malware distribution. The spyware history includes droppers that abused Samsung and LG device vulnerabilities, including CVE-2015-7888, and later apps disguised as useful software to persuade victims to install them. Once installed, the apps registered device details, downloaded command files and additional DEX modules, collected sensitive data including account and document information, and exfiltrated the encrypted results to Dropbox, Yandex, or compromised web servers. Dropbox folders tied to the operation reportedly exposed attacker test data, suspected operator email and KakaoTalk profile information, exploit code, and victims' personal data, giving defenders both infrastructure and behavioral evidence with which to track the activity.

Indicators of Compromise

Type   Value                              First Seen   Last Seen
HASH   948f1d50d1784908ece778614315a995   2018-12-13   2018-12-13
HASH   19a06965edc7b86f7b63d5a86b927a87   2018-12-13   2018-12-13
