APT37/KONNI abuse Google Find Hub to factory‑reset Androids mid‑intrusion

DFIR playbook for investigating a North Korea–linked campaign that steals Google credentials via signed MSI→AutoIt loaders on Windows, th...

North Korea-linked operators in the KONNI/APT37 orbit used stolen Google credentials to log into Google’s Find Hub and remotely trigger factory resets on victims’ Android phones and tablets, timing the wipes after checking GPS location to isolate targets and delay response (BleepingComputer, Nov 10, 2025; Genians Security Center report). Find Hub is Google’s rebranded “Find My Device” service that supports locating, locking, and erasing devices (Google Find Hub about; Android Authority rebrand coverage).

Intrusion Flow

  • Initial contact and delivery
    • Social engineering via KakaoTalk, with lures such as “stress-relief” programs and government-themed spoofs; victims receive a ZIP that contains a digitally signed MSI installer (Stress Clear.msi) (Genians).
    • Genians reports the MSI bears a valid signature attributed to “Chengdu Hechenyingjia Mining Partnership Enterprise,” used to bypass trust heuristics (Genians).
  • Loader and persistence
    • The MSI invokes install.bat and error.vbs; the BAT drops AutoIt3.exe and an AutoIt script named IoKlTr.au3 under %PUBLIC%\Music, then creates a scheduled task to execute the script every minute (schtasks copied/masked as hwpviewer.exe) (Genians).
    • BleepingComputer’s summary aligns, describing a signed MSI → BAT/VBS decoy → AutoIt loader chain (script also referenced as IoKITr.au3) (BleepingComputer).
  • Secondary payloads and data theft
    • Observed RAT modules include Remcos (v7.0.4 Pro in some cases), Quasar, and RftRAT, delivered from C2 infrastructure (e.g., 116.202.99[.]218; bp-analytics[.]de) (Genians).
    • Quasar is a publicly available C# remote administration tool frequently abused by threat actors (Quasar GitHub). Remcos is a commercial tool repeatedly weaponized by adversaries despite nominally “legitimate” marketing (Trend Micro; see background also in Cisco Talos).
  • Account compromise → Find Hub abuse
    • Stolen Google and Naver credentials enable the actors to log into the victim’s Google Account, review security settings, and access Find Hub to enumerate registered Android devices, query their locations, and execute remote factory resets, often multiple times to prolong downtime (Genians; BleepingComputer).
    • Google’s documentation confirms Find Hub supports remote locate/lock/erase and notes that post-erase, location isn’t available until setup is repeated (Google Help). Google has stated this campaign abused legitimate features via stolen credentials, not an Android/Find Hub vulnerability (BleepingComputer).
  • Propagation via desktop messenger
    • After the mobile wipe silences alerts, the actors leverage the still-logged-in KakaoTalk PC session on the already compromised Windows host to message contacts with malware, amplifying spread (Genians).
  • Attribution context
    • Genians links this activity to a KONNI cluster overlapping with Kimsuky/APT37 targeting; MITRE tracks KONNI as a North Korea-associated RAT family with past ties to APT37 activity (Genians; MITRE ATT&CK: KONNI).

Key Artifacts to Pull

  • Windows host (compromised PC)
    • File system
      • %PUBLIC%\Music\AutoIt3.exe and %PUBLIC%\Music\IoKlTr.au3 (AutoIt loader and script); presence of a renamed copy of schtasks.exe (e.g., hwpviewer.exe) used to create scheduled tasks (Genians).
      • AppData staging for RAT modules: subdirectories under %APPDATA%\Google\Browser\ containing “adb/adv” strings, plus AutoIt-related files (autoit.vbs, install.bat) and Quasar decryptor artifacts (e.g., sqlite3.au3) (Genians).
    • Scheduled tasks and logs
      • Task name “IoKlTr” running AutoIt3.exe with the .au3 script; examine Microsoft-Windows-TaskScheduler/Operational for EventID 106 (Task Registered), 107 (trigger), and related history (Microsoft Learn).
    • Network indicators
      • C2 artifacts such as 116.202.99[.]218 and bp-analytics[.]de; correlate with DNS/cache, firewall, EDR networking telemetry (Genians).
    • Messaging client
      • KakaoTalk PC artifacts: chat history, transfer logs, and recently sent files from the compromised session to identify onward distribution (behavior noted in Genians).
  • Google account and Android devices
    • Google Account Security → “Your devices,” recent security events, app passwords, and sessions; compare against Find Hub erase events timeline (Google Help; Google Help - Find, secure, or erase).
    • Find Hub portal logs/actions visible to the user (e.g., device list, lock/erase operations) if still accessible post-incident (Google Help).

Detection Notes

  • Host-based
    • Alert on AutoIt3.exe spawning from user-writable or public directories (e.g., %PUBLIC%\Music) and on execution of .au3 scripts outside expected admin tooling paths (Genians).
    • Hunt for creation of scheduled tasks with names like “IoKlTr” and for binaries renamed to hwpviewer.exe that behave like schtasks.exe; use Task Scheduler Operational log EventIDs 106/107/200/201 for visibility (Microsoft Learn).
    • Look for Quasar/Remcos artifacts and process injection targets (e.g., Quasar decrypted and injected; Remcos persistence); align with vendor intel where applicable (Quasar GitHub; Trend Micro on Remcos).
  • Network-based
    • Blocklist/monitor the reported indicators and WordPress-hosted C2 infrastructure patterns; correlate with time windows of observed task execution and AutoIt activity (Genians).
  • Account/Cloud
    • Monitor for unusual Find Hub actions (factory reset, repeated erase requests), especially following Windows-side malware execution and Google account logins from atypical IPs/ASNs (Google Help; Genians).
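The host-based hunts above as one runnable triage check, written here as an added example (not code from Genians, BleepingComputer, or the original post). It runs over constructed Sysmon-style process-creation events and Task Scheduler Operational events; the field names (Image, OriginalFileName, CommandLine, TaskName, ActionName) are assumptions about the telemetry schema, and every value is made up.

```python
"""Triage endpoint telemetry for the signed-MSI -> AutoIt -> scheduled-task chain.
Events are constructed samples shaped like Sysmon process-creation records and
Task Scheduler Operational records (EventID 106 = registered, 200 = action started)."""
import re

PUBLIC_PATH = re.compile(r"^c:\\users\\public\\", re.IGNORECASE)
AU3_IN_PUBLIC = re.compile(r"c:\\users\\public\\[^\s\"]+\.au3", re.IGNORECASE)
TASK_NAME = re.compile(r"\\?iok[il]tr$", re.IGNORECASE)  # covers IoKlTr and IoKITr spellings

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"src": "process", "Image": r"C:\Users\Public\Music\AutoIt3.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Users\Public\Music\AutoIt3.exe" C:\Users\Public\Music\IoKlTr.au3'},
    {"src": "process", "Image": r"C:\Users\Public\Music\hwpviewer.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'hwpviewer.exe /create /sc minute /mo 1 /tn IoKlTr /tr "C:\Users\Public\Music\AutoIt3.exe C:\Users\Public\Music\IoKlTr.au3"'},
    {"src": "process", "Image": r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Program Files (x86)\AutoIt3\AutoIt3.exe" D:\it\scripts\inventory.au3'},
    {"src": "task", "EventID": 106, "TaskName": r"\IoKlTr"},
    {"src": "task", "EventID": 200, "TaskName": r"\IoKlTr", "ActionName": r"C:\Users\Public\Music\AutoIt3.exe"},
    {"src": "task", "EventID": 106, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
]


def classify(event):
    """Return the names of the detection rules a single event matches (empty = not flagged)."""
    hits = []
    if event["src"] == "process":
        image, cmd = event["Image"], event.get("CommandLine", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        # Rule 1: the AutoIt interpreter itself runs out of the public profile (the observed loader path).
        if exe == "autoit3.exe" and PUBLIC_PATH.match(image):
            hits.append("autoit_in_public_dir")
        # Rule 2: any .au3 script referenced from a user-writable public directory.
        if AU3_IN_PUBLIC.search(cmd):
            hits.append("au3_script_in_public_dir")
        # Rule 3: on-disk name differs from the PE OriginalFileName of schtasks.exe (masquerade).
        if event.get("OriginalFileName", "").lower() == "schtasks.exe" and exe != "schtasks.exe":
            hits.append("renamed_schtasks")
    elif event["src"] == "task":
        # Rule 4: the known task name, whether at registration (106) or action start (200).
        if TASK_NAME.search(event.get("TaskName", "")):
            hits.append("task_name_iokltr")
        # Rule 5: a task whose action launches a binary from the public profile.
        if event["EventID"] == 200 and PUBLIC_PATH.match(event.get("ActionName", "")):
            hits.append("task_action_in_public_dir")
    return hits


def triage(events):
    """Map the index of each flagged event to the rules it matched, for analyst review."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

The legitimately installed AutoIt interpreter (event 2) and the Defrag task (event 5) are not flagged, which is the point of anchoring the rules on the public-profile path and the PE original name rather than on AutoIt alone.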

Response Guidance

  • Immediate containment
    • Treat the Windows workstation as the beachhead. Isolate it, preserve volatile data, and acquire a forensic image before cleaning, given RATs and AutoIt loaders are present (Genians).
    • Rotate the victim’s Google credentials and forcibly sign out all sessions; review/revoke “Your devices” and app access, then re-establish with strong MFA (Google Help).
    • Enroll high-risk users in Google’s Advanced Protection Program (passkeys/security keys), as Google recommends for targeted accounts (BleepingComputer; Google Advanced Protection).
    • If Android devices were erased via Find Hub, plan for data recovery from backups; note that after erase, Find Hub location is no longer available until device setup repeats (Google Help).
  • Eradication and hardening
    • Remove scheduled tasks and file-system remnants (AutoIt3.exe/IoKlTr.au3, renamed schtasks, Startup .lnk files), then reimage where trust is uncertain (Genians).
    • Block or tightly restrict AutoIt interpreters and unsigned script execution in user space; add EDR rules for AutoIt/PowerShell abuse in non-admin contexts (derived from the observed loader chain) (Genians).
    • Require hardware-backed MFA (passkeys or FIDO2 keys) on Google accounts tied to mobile devices; verify recovery channels and disable less secure factors where possible (Google Advanced Protection).
    • Audit KakaoTalk PC clients on affected hosts; notify downstream contacts of potential malicious files sent during the window when phones were wiped (Genians).
  • Threat intel and prevention
    • Map collected TTPs to ATT&CK (signed MSI → script interpreter abuse → scheduled task persistence → RAT deployment → credential theft → cloud account abuse) and distribute IoCs to detection teams (MITRE ATT&CK: KONNI; Genians).

Takeaways

  • Lock down Google accounts that control mobile devices: enforce passkeys/security keys and enroll at-risk users in Advanced Protection; regularly review “Your devices” and app access (Google Advanced Protection; Google Help).
  • Hunt for the signed-MSI→AutoIt scheduled-task pattern (AutoIt3.exe and IoKlTr.au3 under %PUBLIC%\Music; TaskScheduler EventID 106) and for Quasar/Remcos follow-on activity (Genians; Microsoft Learn).
  • If Find Hub erases are suspected, correlate account logins, Find Hub actions, and Windows host telemetry to reconstruct timing; assume messenger-based propagation (KakaoTalk PC) and notify exposed contacts (Genians; Google Help).

Sources / References