![An illustration of a North Korean hacker at a computer, with a background of binary code. [GETTY IMAGES]](https://koreajoongangdaily.joins.com/data/photo/2026/01/19/106451c1-9a58-4970-a6f6-17d5a10e0dda.jpg)
An illustration of a North Korean hacker at a computer, with a background of binary code. [GETTY IMAGES]
A North Korea-linked hacking group known as “Konni” has been carrying out an advanced cyberattack campaign dubbed the “Poseidon Operation,” distributing malware by exploiting Korean portal Naver and Google’s advertising systems, according to a recent report.
By using legitimate ad-delivery paths to slip past security filters, the hacking effort has been seen as directly exposing the limits of existing defenses.
Genians Security Center, the threat research arm of cybersecurity firm Genians, said in a threat intelligence analysis report released last Friday that the Konni group has recently been running an advanced persistent threat campaign that uses Naver and Google’s ad infrastructure as an attack route.
At the center of the campaign is the abuse of the click tracking technology built into portal advertising systems. Click tracking routes a user who clicks an ad through an intermediate URL on the portal’s domain before delivering them to the advertiser’s page — a structure legitimately used to measure ad performance.
The hackers copied that URL structure and instead funneled users, hop by hop, to malicious servers. Because the visible link is a legitimate Naver or Google domain, the tactic aims to make blocking difficult even when security software or AI-based detection systems scan it.
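One defensive check a mail gateway can apply to the redirect pattern described above is to statically unwrap the nested redirect parameters and evaluate the true landing page rather than the visible tracking domain. The following is an added example, not code from Genians or the report; the URL layout and every domain in it are constructed placeholders (the real Naver and Google click-tracking formats are not reproduced), and `TRACKING_HOSTS` is a hypothetical allowlist.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample with placeholder domains: the outer host mimics a portal's
# click-tracking domain, and the nested redirect parameters end at a compromised
# WordPress host serving an archive, as the report describes.
SAMPLE_TRACKING_URL = (
    "https://ads.example-portal.test/click?cid=123&url="
    "https%3A%2F%2Fredirect.example-portal.test%2Fr%3Fto%3D"
    "https%253A%252F%252Fcompromised-wp.test%252Fwp-content%252Fuploads%252Fdoc.zip"
)

# Hypothetical allowlist of the portal's own tracking hosts (assumption, not real data).
TRACKING_HOSTS = {"ads.example-portal.test", "redirect.example-portal.test"}
# File types the report associates with the lure: archives and Windows shortcut files.
RISKY_SUFFIXES = (".zip", ".rar", ".7z", ".lnk")

def embedded_targets(url):
    """Return URL-valued query parameters, i.e. the redirect targets of a tracking link."""
    params = parse_qs(urlparse(url).query)  # parse_qs percent-decodes exactly one layer
    return [v for vals in params.values() for v in vals
            if v.lower().startswith(("http://", "https://"))]

def unwrap_chain(url, max_hops=10):
    """Follow nested redirect parameters offline (no network access) and return
    every hop, outermost first; max_hops bounds pathological self-nesting."""
    chain = [url]
    while len(chain) < max_hops:
        nested = embedded_targets(chain[-1])
        if not nested:
            break
        chain.append(nested[0])
    return chain

def assess(url, tracking_hosts=TRACKING_HOSTS):
    """Surface the true landing host hidden behind a trusted tracking domain and
    flag a landing page that serves a risky file type."""
    chain = unwrap_chain(url)
    hosts = [urlparse(h).netloc.lower() for h in chain]
    landing = urlparse(chain[-1])
    signals = []
    if hosts[0] in tracking_hosts and hosts[-1] not in tracking_hosts:
        signals.append("trusted tracking host forwards to external host " + hosts[-1])
    if landing.path.lower().endswith(RISKY_SUFFIXES):
        signals.append("landing page serves risky file " + landing.path.rsplit("/", 1)[-1])
    return {"chain": chain, "landing_host": hosts[-1], "signals": signals}

if __name__ == "__main__":
    result = assess(SAMPLE_TRACKING_URL)
    print("\n".join(result["chain"]), result["signals"], sep="\n")
```

The landing host returned is what should be run through reputation and allowlist checks, since the visible domain alone would pass them.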
“Around May and July 2025, similar attack attempts exploiting the click-tracking domain of the Naver advertising marketing platform were observed on a limited basis,” said the report. “However, in the most recent confirmed attack activities, the attack pattern centered on Google’s advertising infrastructure has been consistently maintained.”
![An illustration of a hacker at the computer. [GETTY IMAGES BANK]](https://koreajoongangdaily.joins.com/data/photo/2026/01/19/23cde440-99aa-4322-b550-1cbac1b01ddc.jpg)
An illustration of a hacker at the computer. [GETTY IMAGES BANK]
Some servers used in the attack were identified as WordPress-based websites with weak security management, which is seen as a strategy to quickly swap out servers and evade tracking if parts of the attack infrastructure are blocked.
The starting point is a carefully crafted spoofing email. Posing as financial institutions or North Korean human rights organizations, the Konni group lowered recipients’ guard with work-related subject lines such as “explanatory materials,” “remittance confirmation,” “transaction details” or “personal information consent.”
Clicking the link in the email triggers the download of a compressed file containing what looks like a document. In reality, it is not a PDF but a malicious Windows shortcut file that, when opened, displays a decoy document while simultaneously running malicious scripts.
In the process, an AutoIt-based script runs automatically to install remote-control malware, infecting the user without obvious warning signs.
Genians’ analysts also found a development path string containing “Poseidon – Attack,” leading them to conclude the hackers had been systematically preparing and managing the campaign under the project name “Poseidon.”
![A North Korean flag flutters at the propaganda village of Gijungdong in North Korea, in this picture taken near the truce village of Panmunjom inside the demilitarized zone in South Korea on July 19, 2022. [REUTERS/YONHAP]](https://koreajoongangdaily.joins.com/data/photo/2026/01/19/ff364f6e-debb-4267-a37f-05d2a4f89e70.jpg)
A North Korean flag flutters at the propaganda village of Gijungdong in North Korea, in this picture taken near the truce village of Panmunjom inside the demilitarized zone in South Korea on July 19, 2022. [REUTERS/YONHAP]
Security experts warn that the case goes beyond simple phishing and shows that the tactics of state-backed hacking groups have grown more sophisticated.
“Blocking legitimate ad domains across the board is realistically impossible, so traditional pattern-based security systems have limitations,” an official at Genians Security Center said. “Compressed files attached to emails — especially shortcut files inside them — require extra caution and should never be run if the source is unclear.”
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY JEONG JAE-HONG [[email protected]]
