Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms
2026-01-18 • Genians
https://www.genians.co.kr/en/blog/threat_intelligence/spear-phishing
Genians attributes Operation Poseidon to the Konni APT and details a targeted phishing chain that used South Korean financial and North Korean human rights-related lures. The actor routed victims through legitimate advertising redirect structures, notably ad.doubleclick[.]net and, in earlier activity, mkt.naver[.]com, so that the malicious download appeared to be ordinary ad-click traffic before landing on compromised WordPress infrastructure. The delivered ZIP archives contained LNK files that launched AutoIt scripts masquerading as PDF execution and loaded EndRAT or AutoItRAT variants in memory. Infrastructure reuse, such as jlrandsons.co[.]uk, and internal build-path artifacts tied to Poseidon provide technical evidence for linking related campaign activity and tracking Konni's evolving initial-access tradecraft.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 109.234.36.135 | 2025-11-09 | 2026-01-22 |
| HASH | 0777781dedd57f8016b7c627411bdf2c | 2026-01-18 | 2026-01-18 |
| HASH | 639b5489d2fb79bcb715905a046d4a54 | 2026-01-18 | 2026-01-18 |
| HASH | 94935397dce29684f384e57f85beeb0a | 2026-01-18 | 2026-01-18 |
| HASH | d6aa7e9ff0528425146e64d9472ffdbd | 2026-01-18 | 2026-01-18 |
| HASH | 908d074f69c0bf203ed225557b7827ec | 2026-01-18 | 2026-01-18 |
| HASH | a9a52e2f2afe28778a8537f955ee1310 | 2026-01-18 | 2026-01-18 |
| HASH | a58ef1e53920a6e528dc31001f302c7b | 2026-01-18 | 2026-01-18 |
| HASH | d4b06cb4ed834c295d0848b90a109f09 | 2026-01-18 | 2026-01-18 |
| HASH | 303c5e4842613f7b9ee408e5c6721c00 | 2026-01-18 | 2026-01-18 |
| HASH | f5842320e04c2c97d1f69cebfd47df3d | 2026-01-18 | 2026-01-18 |
| HASH | 0171338d904381bbf3d1a909a48f4e92 | 2026-01-18 | 2026-01-18 |
| HASH | ad6273981cb53917cb8bda8e2f2e31a8 | 2026-01-18 | 2026-01-18 |
| DOMAIN | tatukikai.jp | 2026-01-18 | 2026-01-18 |
| DOMAIN | anupamaivf.com | 2026-01-18 | 2026-01-18 |
| DOMAIN | encryptuganda.org | 2026-01-18 | 2026-01-18 |
| DOMAIN | vintashmarket.com | 2026-01-18 | 2026-01-18 |
| DOMAIN | aceeyl.com | 2026-01-18 | 2026-01-18 |
| DOMAIN | kyowaind.co.jp | 2026-01-18 | 2026-01-18 |
| DOMAIN | creativepackout.co | 2026-01-18 | 2026-01-18 |
| DOMAIN | jlrandsons.co.uk | 2026-01-18 | 2026-01-18 |
| DOMAIN | igamingroundtable.com | 2026-01-18 | 2026-01-18 |
| DOMAIN | ad.doubleclick.net | 2026-01-18 | 2026-01-18 |
| DOMAIN | althouqroastery.com | 2026-01-18 | 2026-01-18 |
| DOMAIN | pomozzi.com | 2026-01-18 | 2026-01-18 |
| IPv4 | 144.124.247.97 | 2026-01-18 | 2026-01-18 |
| DOMAIN | genuinashop.com | 2025-11-09 | 2026-01-18 |
| IPv4 | 77.246.101.72 | 2025-11-09 | 2026-01-18 |
| IPv4 | 77.246.108.96 | 2025-11-09 | 2026-01-18 |
| HASH | 8b8fa6c4298d83d78e11b52f22a79100 | 2025-08-08 | 2026-01-18 |
| HASH | 6a4c3256ff063f67d3251d6dd8229931 | 2025-05-26 | 2026-01-18 |
| DOMAIN | nationalinterestparty.com | 2025-04-01 | 2026-01-18 |
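As an added example (not code from the Genians report or this page), the detection logic a defender might derive from the chain summarised above and the indicator table: known Poseidon hosts are matched exactly, while ad.doubleclick.net, a legitimate service the campaign merely abused as a redirect hop, is used only as context for an archive download that follows it in the same client's session. The proxy log format, client addresses and the non-indicator hosts are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the table on this page (a subset, for the demo).
# ad.doubleclick.net is a legitimate ad service the campaign abused as a
# redirect hop, so it is a low-confidence "pivot" hint, not a block-list entry.
PIVOT_DOMAINS = {"ad.doubleclick.net"}
MALICIOUS_HOSTS = {"jlrandsons.co.uk", "genuinashop.com", "tatukikai.jp",
                   "109.234.36.135", "77.246.101.72"}
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)

# Constructed proxy log (hypothetical format "<client> <url>", one request per
# line, in time order per client); not taken from the report.
SAMPLE_LOG = """\
10.0.0.5 https://news.example/article
10.0.0.5 https://ad.doubleclick.net/ddm/clk/123
10.0.0.5 https://jlrandsons.co.uk/wp-content/uploads/report.zip
10.0.0.7 https://ad.doubleclick.net/ddm/clk/456
10.0.0.7 https://shop.example/landing
10.0.0.8 https://ad.doubleclick.net/ddm/clk/789
10.0.0.8 https://cdn.example/files/invoice.zip
10.0.0.9 http://109.234.36.135/update.php
"""


def scan(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, verdict, url) for every request that deserves attention."""
    last_was_pivot: dict[str, bool] = {}
    findings = []
    for line in log_text.splitlines():
        client, url = line.split(maxsplit=1)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in MALICIOUS_HOSTS:
            # Exact match on known Poseidon infrastructure: high confidence.
            findings.append((client, "block", url))
        elif last_was_pivot.get(client) and ARCHIVE_RE.search(parts.path):
            # Ad-click hop immediately followed by an archive download from a
            # non-ad host: the pattern the report describes, even when the
            # landing host is not (yet) on the indicator list.
            findings.append((client, "alert", url))
        last_was_pivot[client] = host in PIVOT_DOMAINS
    return findings


if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{verdict:5} {client} {url}")
```

A plain ad click with no archive download afterwards (client 10.0.0.7) produces no finding, which is the point of keeping the doubleclick domain out of the block list.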