
Seoul: A hacking group linked to North Korea has carried out a sophisticated malware distribution campaign by exploiting online advertising systems run by Naver and Google, according to a report released on Monday.
The online threat assessment published by the Genians Security Center revealed that Konni—a hacking group associated with Kimsuky and other Pyongyang-backed cyber units—has launched an advanced persistent threat (APT) campaign by abusing the advertising infrastructure of major online portals.
As reported by Yonhap News Agency, the group exploited a mechanism known as click tracking, a common feature in online advertising that routes users through intermediary links before redirecting them to advertisers’ websites. By creating fake intermediary links, the hackers redirected users to external servers hosting malicious files.
The report noted that Konni initially targeted Naver’s advertising system but has recently broadened its operations to include Google’s ad platform as well.
Security analysts also discovered the term “Poseidon-Attack” embedded in the malware code, indicating that the campaign has been systematically organised under a label referred to as “Poseidon.”
Cybersecurity experts warned that the campaign underscores the increasing sophistication of state-sponsored North Korean cyber operations. They urged users to avoid opening suspicious email attachments linked to online advertisements, especially files containing shortcut links.
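For defenders screening links in inbound mail, the click-tracking abuse described above can be checked offline by unwrapping the tracking link and inspecting where it finally points. The sketch below is an added example, not code from the Genians report; the tracker host, redirect parameter names, advertiser allowlist and sample URLs are all constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# All values below are assumptions for illustration, not taken from the report.
TRACKER_HOSTS = {"click.adnetwork.example"}   # hypothetical click-tracking hosts
DEST_PARAMS = {"u", "url", "dest"}            # hypothetical redirect parameter names
KNOWN_ADVERTISERS = {"shop.example"}          # hypothetical advertiser allowlist
RISKY_EXTENSIONS = (".lnk", ".zip", ".iso")   # shortcut and container downloads

def unwrap(url, max_hops=5):
    """Resolve nested click-tracking redirects without any network access."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        if parts.hostname not in TRACKER_HOSTS:
            break
        # parse_qsl percent-decodes one level, which exposes the next hop.
        nxt = next((v for k, v in parse_qsl(parts.query)
                    if k.lower() in DEST_PARAMS
                    and v.lower().startswith(("http://", "https://"))), None)
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def is_allowed(host):
    """True if host is an allowlisted advertiser domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_ADVERTISERS)

def assess(url):
    """Return (final_url, reasons); an empty reasons list means nothing flagged."""
    chain = unwrap(url)
    final = urlsplit(chain[-1])
    reasons = []
    if len(chain) > 1:  # only links that pass through a tracker are judged
        if not is_allowed(final.hostname or ""):
            reasons.append("tracker redirects outside the advertiser allowlist")
        if final.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("tracker redirects straight to a downloadable file")
    return chain[-1], reasons

# Constructed sample links: one ordinary ad click, one pointing at an archive.
SAMPLES = [
    "https://click.adnetwork.example/c?id=1&u=https%3A%2F%2Fshop.example%2Fsale",
    "https://click.adnetwork.example/c?id=2&u=https%3A%2F%2Ffiles.unknown.invalid%2Fnotice.zip",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(assess(link))
```
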
Separately, concerns persist over North Korea’s cyber activities as a potential funding source for its weapons programmes. A U.S. official recently stated that Pyongyang likely stole more than $2 billion in cryptocurrency last year.
Jonathan Fritz, principal deputy assistant secretary at the U.S. State Department’s Bureau of East Asian and Pacific Affairs, made the remarks during a United Nations meeting on a Multilateral Sanctions Monitoring Team (MSMT) report. The report detailed North Korea’s sanctions violations and evasion tactics through cyber operations and overseas IT workers.
The MSMT was formed after a UN expert panel monitoring sanctions enforcement was dissolved in April 2024 following Russia’s veto of a resolution to extend its mandate. The team comprises 11 countries, including South Korea, the United States, Japan, Australia and Canada.
The assessment aligns with estimates from blockchain analytics firm Chainalysis, which reported that North Korean hackers stole approximately $2.02 billion in cryptocurrency in 2025—a 51 percent increase compared to the previous year.
With inputs from IANS