Genians attributes Operation Poseidon to the Konni APT and describes spear-phishing activity that impersonated South Korean financial institutions and North Korean human rights organizations. The campaign used Google Ads and earlier NAVER ad-click redirection URLs to make malicious download links appear like legitimate advertising traffic before sending victims to compromised WordPress infrastructure. The delivery chain relied on ZIP archives containing LNK files, followed by AutoIt scripts masquerading as PDF execution and loading EndRAT-family remote access malware. Evidence includes reused C2 infrastructure such as jlrandsons.co[.]uk and internal build-path strings referencing "Poseidon - Attack" and client versioning. The report highlights how Konni blended business-themed lures, redirect abuse, tracking beacons, and content-padding evasion to bypass both user suspicion and security filtering.