Saved February 14, 2026
Do you care about this?
North Korean hackers are abusing Google's Find Hub to track and factory-reset the Android devices of South Korean targets. The attacks begin with spear-phishing, often delivered over KakaoTalk, and lead to data theft, device wipes that block recovery, and the spread of malware to the victims' contacts.
If you do, here's more
North Korean hackers are leveraging Google’s Find Hub tool to track the GPS locations of targets and reset their Android devices to factory settings. The attacks focus on South Koreans, often starting with a phishing attempt via KakaoTalk, the country’s leading messaging app. Genians, a South Korean cybersecurity firm, attributes these malicious activities to the KONNI group, which shares infrastructure and targets with the APT37 and Kimsuky groups. KONNI is known for employing remote access tools to steal sensitive data across various sectors like education and government.
The infection chain typically begins with spear-phishing emails that impersonate official entities such as South Korea's National Tax Service. Victims are tricked into executing a malicious attachment, which installs a script that establishes persistence on the host and gives the attackers remote access. Remote access trojans such as RemcosRAT and QuasarRAT are then deployed for keylogging and data harvesting, capturing credentials for services including Google and Naver. With a victim's Google credentials in hand, the attackers sign in to Find Hub, a legitimate device-management feature rather than a vulnerability, track the GPS location of the registered Android devices, and issue a remote factory reset, using the location to judge when the victim is away from the device and least able to respond.
In one documented incident, the attackers hijacked the KakaoTalk account of a counselor who supports North Korean defectors and used it to send a fake "stress relief program" to a student. After compromising the victim's Google account, they issued Find Hub reset commands that wiped the victim's Android devices multiple times, destroying data and preventing recovery. With the phone wiped, the victim could not react while the attackers used the still-authenticated KakaoTalk PC session to distribute further malicious files to the victim's contacts. Genians recommends enabling multi-factor authentication on Google accounts and verifying a sender's identity before opening files received via messaging apps, since a message arriving from a known contact's account is not proof that the contact sent it.