State-Sponsored Remote Wipe Tactics Targeting Android Devices
2025-11-09 • Genians
https://www.genians.co.kr/en/blog/threat_intelligence/android
Genians links newly observed Android remote-wipe activity to the KONNI APT campaign, which the report describes as associated with Kimsuky or APT37 and connected to North Korean state-directed operations. The campaign targeted South Korea-based individuals including a psychological counselor supporting North Korean defector youth, using National Tax Service-themed spear phishing and KakaoTalk messages carrying malware disguised as a stress-relief program. After compromising PCs and accounts, the operators abused stolen Google credentials and Find Hub to track Android devices and repeatedly trigger remote wipes, disrupting victims' ability to receive alerts and respond. The report also describes follow-on propagation through hijacked KakaoTalk PC sessions, turning trusted accounts into delivery channels for secondary malicious files.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| IPv4 | 91.107.208.93 | 2025-11-09 | 2026-01-22 |
| IPv4 | 109.234.36.135 | 2025-11-09 | 2026-01-22 |
| IPv4 | 116.202.99.218 | 2025-11-05 | 2026-01-22 |
| IPv4 | 94.103.87.212 | 2024-07-31 | 2026-01-22 |
| IPv4 | 93.183.93.185 | 2024-07-12 | 2026-01-22 |
| IPv4 | 62.113.118.157 | 2024-07-08 | 2026-01-22 |
| DOMAIN | genuinashop.com | 2025-11-09 | 2026-01-18 |
| IPv4 | 77.246.101.72 | 2025-11-09 | 2026-01-18 |
| IPv4 | 77.246.108.96 | 2025-11-09 | 2026-01-18 |
| HASH | 53aea290d7245ee902a808fd87a6a173 | 2025-11-09 | 2025-11-09 |
| HASH | 048e1698c4b711d1652df4bf4be04f9e | 2025-11-09 | 2025-11-09 |
| HASH | ef1a8f66351d03413ed2c7d499ee5164 | 2025-11-09 | 2025-11-09 |
| HASH | 8230af6642f5f1927bbbbc7fd6e5427f | 2025-11-09 | 2025-11-09 |
| HASH | 09b91626507a62121a4bdb08debb3ed9 | 2025-11-09 | 2025-11-09 |
| HASH | f7363c5cfd6fa24a86e542fcd05283e8 | 2025-11-09 | 2025-11-09 |
| HASH | 5ab26df9c161a6c5f0497fde381d7fca | 2025-11-09 | 2025-11-09 |
| HASH | 38f8fd9e8d27ae665b3ac0f56492f6c4 | 2025-11-09 | 2025-11-09 |
| HASH | b0eba111b570bb1c93ca1f48557d265b | 2025-11-09 | 2025-11-09 |
| HASH | 56c7b448dbc37aa50eb1c2a6475aca5e | 2025-11-09 | 2025-11-09 |
| HASH | 25e38d618f38b3218c3252cf0d22c969 | 2025-11-09 | 2025-11-09 |
| HASH | 8f82226b2f24d470c02f6664f67f23f7 | 2025-11-09 | 2025-11-09 |
| DOMAIN | youkhanhdoit.co | 2025-11-09 | 2025-11-09 |
| DOMAIN | bp-analytics.de | 2025-11-09 | 2025-11-09 |
| IPv4 | 89.110.83.245 | 2025-11-09 | 2025-11-09 |
| IPv4 | 38.180.148.108 | 2025-11-09 | 2025-11-09 |
| IPv4 | 212.118.52.168 | 2025-11-09 | 2025-11-09 |
| HASH | f6800836d55d049fe79e3d47d54e1119 | 2025-04-01 | 2025-11-09 |
| HASH | 99ee7852b8041a540fdb74b3784d0409 | 2025-04-01 | 2025-11-09 |
| DOMAIN | oldfoxcompany.com | 2025-04-01 | 2025-11-09 |
| DOMAIN | xcellentrenovations.com | 2025-04-01 | 2025-11-09 |
| IPv4 | 192.109.119.113 | 2025-04-01 | 2025-11-09 |
| DOMAIN | professionaltutors.net | 2024-07-31 | 2025-11-09 |