North Korea-linked hackers weaponize Google ads in malware campaign


A North Korea-linked hacking group has been found abusing online advertising infrastructure operated by Google and South Korea’s Naver to distribute malware while evading security controls, according to a new report by cybersecurity firm Genians Security Center.

The campaign, referred to by researchers as “Operation Poseidon,” is attributed to Konni, an advanced persistent threat (APT) group associated with Pyongyang-backed cyber operations. The report describes a spear-phishing campaign that weaponized advertising URLs to make malicious links appear legitimate.

According to the report, “a spear phishing campaign disguised as advertising URLs was used to bypass security filtering mechanisms and user awareness,” allowing the attackers to conceal malware delivery inside normal-looking web traffic.


Abuse of Google Ads infrastructure

Genians’ analysis focuses on how attackers exploited ad click-tracking and redirection, a standard feature of online advertising, to quietly redirect victims to attacker-controlled servers.

The researchers said the campaign first abused South Korea’s dominant web portal, Naver, before expanding to Google’s global advertising platform, increasing both reach and impact.

The report explains that Google’s ad infrastructure relies on redirect chains originally developed through DoubleClick, which Google acquired in 2008 and later integrated into Google Ads and the Google Marketing Platform.

[Image: Google signage. Image by Carlos Barria | Reuters]

By disguising malicious links as advertising URLs, the attackers were able to bypass email filters and avoid immediate suspicion.
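The redirect abuse described above invites a simple offline check on inbound mail: unwrap ad click-tracking URLs to their landing page before judging the link, rather than trusting the advertising domain they appear to point at. The code below is an added example, not code from Genians or the report; the tracker hostnames and the `adurl` parameter follow common DoubleClick/Google Ads click-URL conventions and are assumptions, as are the placeholder domains in the constructed sample message.

```python
import re
from urllib.parse import urlparse, unquote
# Assumed: click-tracker hosts -> query parameter carrying the landing page (`adurl`).
TRACKER_PARAMS = {
    "adclick.g.doubleclick.net": "adurl",
    "googleads.g.doubleclick.net": "adurl",
    "www.googleadservices.com": "adurl",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def redirect_target(url):
    """Landing page carried by a known tracker URL, or None for other URLs."""
    parsed = urlparse(url)
    param = TRACKER_PARAMS.get(parsed.netloc.lower())
    idx = parsed.query.find(param + "=") if param else -1
    if idx < 0:
        return None
    # Destination is last and may be unencoded: take the whole remainder, not a split on '&'.
    return unquote(parsed.query[idx + len(param) + 1:])

def unwrap_redirect(url, max_hops=5):
    """Resolve nested ad redirects offline (no network); returns the hop chain."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = redirect_target(chain[-1])
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain

def triage_email(body, allowed_domains):
    """Flag links that hide behind an ad redirect and land off the allowlist."""
    findings = []
    for url in URL_RE.findall(body):
        chain = unwrap_redirect(url)
        if len(chain) == 1:
            continue  # plain link, not an ad-tracker wrapper
        host = urlparse(chain[-1]).netloc.lower()
        ok = any(host == d or host.endswith("." + d) for d in allowed_domains)
        findings.append({"seen": url, "final": chain[-1], "hops": len(chain) - 1,
                         "verdict": "allow" if ok else "suspicious"})
    return findings

# Constructed sample mail: a genuine ad click, then one wrapping a placeholder
# WordPress host standing in for the poorly secured sites the report describes.
SAMPLE_BODY = """Report available online:
https://adclick.g.doubleclick.net/pcs/click?xai=abc&sig=xyz&adurl=https%3A%2F%2Fwww.example-bank.com%2Freport
Mirror: https://www.googleadservices.com/pagead/aclk?sa=L&ai=q&adurl=https://blog.wp-placeholder.example/wp-content/uploads/Report.pdf
"""
```

Running `triage_email(SAMPLE_BODY, {"example-bank.com"})` marks the first link as allowed and the second as suspicious, because the check is made on the unwrapped landing host rather than on the trusted-looking tracker domain.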

Furthermore, rather than hosting malware directly on obviously malicious domains, the attackers relied on poorly secured WordPress websites as part of the delivery chain, the researchers said.


The malware used in the campaign was identified as EndRAT, delivered in disguised form: it was loaded by running an AutoIt script that masqueraded as a PDF file.

Operation Poseidon shows increasing technical sophistication. The malware includes internal version numbers like "client3.3.14," suggesting ongoing development and maintenance.

The attackers also use clever evasion techniques. For instance, they stuff meaningless invisible English text into phishing emails in order to confuse AI-based detection systems.

Part of a broader pattern

Genians linked the activity to Konni based on infrastructure, malware, and operational overlap with previous campaigns.

According to Genians’ analysis, the threat actor was identified as repeatedly employing social engineering tactics by impersonating North Korean human rights organizations and financial institutions in South Korea. It added that the group has “continuously conducted highly sophisticated and targeted attacks against specific targets.”

What distinguishes Operation Poseidon is the choice of delivery channel. By exploiting the ad infrastructure of both Naver and Google, the attackers demonstrated that trusted advertising systems can be repurposed as malware-delivery mechanisms.

The findings mirror a broader trend in North Korea-linked cyber operations that increasingly rely on trusted platforms and familiar workflows.

In the past, North Korean hackers targeted job seekers using fake coding tests embedded with malware, exploiting developer trust in platforms like GitHub. In another campaign, researchers found North Korea-linked actors using AI-generated military ID cards to add credibility to phishing lures.

