A hacking group linked to the North Korean state has abused online advertising networks operated by US technology company Google and South Korea's web portal Naver to deliver malware to unsuspecting users, according to a cybersecurity report. The campaign, tracked by researchers as "Operation Poseidon," wrapped attacker-controlled destinations inside legitimate advertising URLs, so that the links passed security filters that judge a link by its visible domain and concealed the point at which malware was actually served.
The activity was analysed by Genians Security Center, a cybersecurity firm based in South Korea. The report attributes the operation to Konni, an advanced persistent threat group associated with Pyongyang-backed cyber operations. The researchers found that the attackers placed their malware delivery steps inside the click-tracking and redirection systems that are a normal part of online advertising infrastructure, rather than standing up obviously malicious hosting of their own.
Instead of hosting malware on clearly malicious domains, the attackers built redirection chains that began with seemingly legitimate advertising links on Google and Naver. These links routed victims through a series of redirects before landing on attacker-controlled servers that initiated malware execution. Because many URL-reputation and web-filtering controls evaluate the first hop, which in this case was a trusted advertising domain, rather than the final destination of the chain, the links evaded conventional security controls that inspect web traffic for threats.
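The practical defence against this technique is to resolve a click-tracking link to its final destination before judging it. The following Python is an added example, not code from the Genians report or from Konni's tooling: it unwraps a constructed click-tracking URL whose query string carries the next hop (the `adurl` and `u` parameter names, the `.invalid` hosts and the simulated 302 table are all assumptions made here for illustration), then scores the final destination on the signals a filter looking only at the entry domain would miss.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed sample, not taken from the report: an ad-network click URL whose
# query carries a second tracker, which in turn carries the real destination.
SAMPLE_CLICK_URL = (
    "https://ads.example-network.invalid/aclk?cid=8841&adurl="
    "https%3A%2F%2Ftrk.example-tracker.invalid%2Fgo%3Fu%3D"
    "https%253A%252F%252Fdocs-update.invalid%252FReport.pdf.exe"
)

# Constructed stand-in for live HTTP 302 responses, so the example runs offline.
FAKE_302 = {
    "https://docs-update.invalid/Report.pdf.exe": "https://198.51.100.23/dl/Report.pdf.exe",
}

EXEC_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".a3x", ".lnk", ".msi", ".bat", ".cmd"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".hwp", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def embedded_urls(url: str) -> list[str]:
    """Return query-parameter values that are themselves URLs.

    parse_qsl percent-decodes exactly one layer, so a destination that was
    URL-encoded inside another tracker's parameter is unwrapped one hop per call.
    """
    query = urlsplit(url).query
    return [v for _, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(("http://", "https://"))]


def unwrap_chain(url: str, redirects: dict, max_hops: int = 10) -> list[str]:
    """Follow both kinds of hop: a destination carried in the query string
    (open-redirect / click-tracking style) and a server-side 302, here looked
    up in a supplied table instead of being fetched from the network."""
    chain = [url]
    while len(chain) <= max_hops:
        nested = embedded_urls(chain[-1])
        if nested:
            chain.append(nested[0])
            continue
        nxt = redirects.get(chain[-1])
        if nxt:
            chain.append(nxt)
            continue
        break
    return chain


def host_is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def filename_flags(path: str) -> list[str]:
    """Flag executable payloads, especially ones hiding behind a document extension."""
    name = path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    flags = []
    if len(parts) >= 2 and "." + parts[-1] in EXEC_EXTENSIONS:
        flags.append("executable extension")
        if len(parts) >= 3 and "." + parts[-2] in DOC_EXTENSIONS:
            flags.append("document extension hidden before executable extension")
    return flags


def assess(chain: list[str]) -> dict:
    """Judge the last hop of the chain rather than the trusted first hop."""
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    flags = []
    if first.hostname != last.hostname:
        flags.append("final host differs from entry (ad-network) host")
    if host_is_ip(last.hostname or ""):
        flags.append("final host is a bare IP address")
    flags += filename_flags(last.path)
    return {"hops": len(chain) - 1, "final": chain[-1], "flags": flags}


if __name__ == "__main__":
    chain = unwrap_chain(SAMPLE_CLICK_URL, FAKE_302)
    for i, hop in enumerate(chain):
        print(f"hop {i}: {hop}")
    print(assess(chain))
```

In production the `FAKE_302` table would be replaced by a sandboxed HEAD/GET that records each `Location` header, and the verdict should be attached to the final URL and its host, not to the advertising domain that the user clicked.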
The malware payload identified in the campaign was EndRAT, a remote access tool. It was delivered by an AutoIt script disguised as a harmless PDF file, which executed the malware once a victim opened it. The researchers noted that the operation demonstrated a level of technical sophistication, including development identifiers that suggest ongoing maintenance and evolution of the toolkit used by the hackers.
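A file that calls itself a PDF but is really an AutoIt payload can be caught at the mail gateway or endpoint by comparing what the name claims with what the bytes are. The Python below is an added example, not code from the report or from the Konni toolkit; the sample bytes are constructed stand-ins (a minimal fake PE header with the `AU3!EA06` string that compiled AutoIt v3 scripts carry, plus a genuine-looking PDF header), and the two plain-text AutoIt source indicators are a heuristic chosen here, not a signature taken from the report.

```python
# Signature string present in compiled AutoIt v3 scripts.
AUTOIT_MARKER = b"AU3!EA06"
# Directives/functions specific to AutoIt source; heuristic chosen for this example.
AUTOIT_SOURCE_HINTS = (b"#NoTrayIcon", b"FileInstall(")
# Unicode right-to-left override, used to make "Report_exe.pdf" hide a real .exe.
RTLO = "\u202e"

MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"{\\rtf": "rtf",
}

DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "hwp", "xls", "xlsx", "ppt", "pptx", "txt"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "dll", "com", "a3x"}

# Constructed samples, not real malware: 64 padding bytes stand in for a DOS header.
FAKE_AUTOIT_EXE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40 + AUTOIT_MARKER + b"\x00" * 16
REAL_LOOKING_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
AUTOIT_SOURCE = b"#NoTrayIcon\n#include <File.au3>\nFileInstall(\"payload.bin\", @TempDir)\n"


def sniff(data: bytes) -> str:
    """Identify the container by leading bytes, ignoring the filename entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def true_extension(filename: str) -> str:
    """The extension the OS will act on, after removing any RTLO character
    that was inserted to make the name display differently."""
    visible = filename.replace(RTLO, "")
    return visible.rsplit(".", 1)[-1].lower() if "." in visible else ""


def triage(filename: str, data: bytes) -> list[str]:
    """Return reasons a file deserves a closer look; empty list means consistent."""
    flags = []
    kind = sniff(data)
    ext = true_extension(filename)
    if RTLO in filename:
        flags.append("right-to-left override in filename")
    if ext in DOCUMENT_EXTENSIONS and kind != ext and kind != "unknown":
        flags.append(f"extension .{ext} but content is {kind}")
    if kind == "pe" and ext not in EXECUTABLE_EXTENSIONS:
        flags.append("PE executable with non-executable extension")
    if AUTOIT_MARKER in data:
        flags.append("compiled AutoIt script marker present")
    if kind == "unknown" and any(h in data for h in AUTOIT_SOURCE_HINTS):
        flags.append("plain-text AutoIt source indicators present")
    return flags


if __name__ == "__main__":
    samples = {
        "Report.pdf": FAKE_AUTOIT_EXE,
        "Report" + RTLO + "fdp.exe": FAKE_AUTOIT_EXE,
        "Report.pdf.txt": AUTOIT_SOURCE,
        "Annual_Report.pdf": REAL_LOOKING_PDF,
    }
    for name, blob in samples.items():
        print(repr(name), "->", triage(name, blob) or "consistent")
```

The check is deliberately independent of the delivery channel: whether the file arrives through the ad-redirect chain or as a mail attachment, a name that says document and bytes that say executable is the signal worth acting on.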
Alongside social engineering meant to make the lures appear legitimate, the attackers also worked to slip past automated defences. According to the report, emails associated with the operation contained lengthy blocks of irrelevant English text, a padding technique that dilutes the wording content-based spam and phishing filters key on and so reduces the likelihood of the messages being flagged as malicious.
Genians' analysis linked the observed activity to previous Konni campaigns on the basis of overlapping infrastructure and shared malware components. The report said the group has a history of social engineering attacks, including impersonation of organisations such as human rights groups and financial institutions in South Korea.
Security researchers have documented a broader trend of threat actors using trusted platforms and familiar workflows to spread malware and evade detection. In some recent incidents attributed to North Korea-linked groups, attackers have also used QR codes in spear-phishing campaigns, moving the victim from a monitored corporate endpoint to a personal mobile device that sits outside enterprise security controls before presenting the malicious content.
The operation highlights the difficulty of securing complex online advertising ecosystems against abuse. Advertising platforms rely on redirection and click-tracking mechanisms that, by design, send users somewhere other than the domain they see, and those same mechanisms can be repurposed to conceal harmful destinations. The report underscores the need for monitoring and detection that follows a chain through to its final destination and blocks malicious traffic even when it enters through legitimate-looking advertising infrastructure.
The broader context of state-linked cyber operations attributed to North Korean groups includes tactics such as spear-phishing, spyware distribution and the abuse of device management services, illustrating an evolving threat environment that targets web users and organisations around the world.
