APT37 Exploits Google Find Hub to Wipe Android Devices in Targeted South Korean Attacks
- Rescana

Executive Summary
Recent threat intelligence has uncovered a campaign orchestrated by the North Korean state-sponsored group APT37 (also known as ScarCruft), in which adversaries abuse the legitimate Google Find Hub (formerly known as Find My Device) service to remotely wipe Android devices. The attack chain combines targeted social engineering, credential theft, and the abuse of cloud-based device management features to achieve destructive outcomes. The primary targets are South Korean individuals, particularly those involved in supporting North Korean defectors, as well as the education, government, and cryptocurrency sectors. The campaign marks an escalation in the operational capabilities of APT37 and the overlapping clusters KONNI and Kimsuky (Emerald Sleet): traditional malware delivery is paired with the abuse of a trusted cloud service for data destruction, followed by propagation to the victim's contacts through a hijacked messenger session.
Threat Actor Profile
APT37 is a North Korean advanced persistent threat group with a history of targeting South Korean entities, government agencies, and individuals associated with North Korean defector support networks. The group is known for its use of custom malware, spear-phishing, and exploitation of both Windows and Android platforms. APT37 often overlaps operationally with other North Korean clusters such as KONNI and Kimsuky (Emerald Sleet), sharing infrastructure, malware, and targeting strategies. Their campaigns are characterized by a high degree of social engineering, rapid adaptation to new technologies, and a focus on both espionage and destructive operations.
Technical Analysis of Malware/TTPs
The attack chain begins with highly targeted spear-phishing, typically delivered via KakaoTalk, South Korea’s most popular messaging platform. Adversaries impersonate trusted organizations such as the National Tax Service, law enforcement, or psychological counselors, and send malicious files disguised as legitimate documents or installers. These files are often digitally signed MSI installers or ZIP archives containing the installer (e.g., "Stress Clear.zip" with "Stress Clear.msi").
Upon execution, the MSI launches an embedded install.bat script and a decoy error.vbs script, which simulates a benign error message to distract the victim. The batch script then executes an AutoIT script (IoKITr.au3), which establishes persistence on the system via scheduled tasks. This AutoIT script is responsible for downloading additional payloads from a command-and-control (C2) server.
The secondary payloads include well-known remote access trojans such as RemcosRAT (notably version 7.0.4 Pro), QuasarRAT, and RftRAT. These RATs provide the attackers with full remote access, keylogging, and the ability to deploy further modules. The malware is designed to harvest credentials for both Google and Naver accounts, enabling the attackers to access a wide range of cloud services, including email and device management portals.
The most critical phase of the attack is the abuse of the Google Find Hub service. With the stolen Google credentials, the attackers sign in to the victim's Google account and open the Find Hub dashboard. From there they can query the location of every Android device registered to the account and remotely issue a factory reset (wipe) command to each one. The attackers often issue the wipe repeatedly to ensure complete data destruction and to hinder recovery. This is not the result of a vulnerability in Android or Find Hub; it is the use of a legitimate account-recovery feature with compromised credentials, which is why no patch addresses it.
After the mobile devices are wiped, the attackers take advantage of the fact that the victim's KakaoTalk PC session remains signed in. They use that session to send further malicious payloads to the victim's contacts, propagating the attack within trusted social circles while the victim, whose phone has just been reset, is poorly placed to notice or warn anyone.
Exploitation in the Wild
The campaign has been observed in multiple incidents, with a notable case on September 5, 2025, targeting a counselor specializing in psychological support for North Korean defector youth. The attacker used the GPS tracking feature of Google Find Hub to determine when the victim was outside their home, timing the device wipe for maximum disruption. At least one additional attack using the same methodology was reported on September 15, 2025. The attacks are highly targeted, with victims selected based on their involvement in sensitive activities or organizations.
The exploitation is not limited to a single sector; individuals in education, government, and cryptocurrency, as well as those supporting North Korean defectors, have all been targeted. The attackers’ use of legitimate cloud services and social engineering makes detection and prevention particularly challenging.
Victimology and Targeting
The primary victims are South Korean individuals, especially those engaged in activities related to North Korean defectors. The targeting is precise, often focusing on individuals with access to sensitive information or influential social networks. The attackers leverage personal information gathered from open sources or previous breaches to craft convincing spear-phishing messages. The use of KakaoTalk as the initial vector exploits the platform’s ubiquity and the high level of trust among its users.
Secondary victims include contacts of the initial targets, because the attackers use compromised KakaoTalk sessions to distribute malware further. This spread through trusted contacts increases the potential impact of the campaign, allowing the threat actors to reach a broader set of high-value individuals.
Mitigation and Countermeasures
To defend against this campaign, organizations and individuals should implement the following countermeasures. Enabling multi-factor authentication (MFA) on all Google and Naver accounts is critical, as it significantly reduces the risk of credential abuse; because the credentials in this campaign are harvested by a RAT running on the victim's PC, phishing-resistant factors (a hardware security key or passkey, as enforced by Google's Advanced Protection Program) are preferable to SMS or app-based codes, and a RAT on the PC can also lift browser session cookies, so active sessions should be reviewed and signed out after any suspected compromise rather than relying on MFA alone. Users should be educated to verify the identity of senders before opening files received via messenger apps, particularly those purporting to be from official organizations. Regular monitoring for unauthorized access to Google accounts and device management features is essential: review the devices listed on the account's Find Hub page, remove devices that are no longer in use, and weigh disabling Find Hub on devices where the risk of a remote wipe by an account thief outweighs the benefit of locating a lost device.
Endpoint security solutions should be configured to detect and block the execution of known RATs such as RemcosRAT, QuasarRAT, and RftRAT, as well as to monitor for suspicious scheduled tasks and AutoIT script activity. Organizations should maintain an up-to-date inventory of all devices registered to corporate Google accounts and ensure that only authorized personnel have access to device management features.
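The following is an added example, not code from the original post or from any of the cited vendors, of what the endpoint monitoring described above looks like when written as detection logic over process-creation logs. It assumes Sysmon Event ID 1 records exported as one JSON object per line with the standard field names (Image, CommandLine, ParentImage, ParentCommandLine, User). The sample records are constructed for illustration: the file names follow the MSI -> install.bat / error.vbs -> AutoIt -> scheduled task chain described earlier, while the scheduled task name, its schedule, and the user name are assumptions. Three rules cover the chain: a script host spawned by msiexec.exe on a script in a user-writable path, an AutoIt interpreter running from a user-writable path, and a schtasks /create whose action runs AutoIt or a .au3 script. The last sample record is a legitimately installed AutoIt run that must not fire.

```python
"""Hunt for the MSI -> install.bat -> AutoIt -> scheduled-task chain in
Sysmon process-creation (Event ID 1) logs exported as JSON lines."""
import json
import re

# Constructed sample log (not real telemetry). File names follow the chain
# described in the post; task name, schedule and user name are assumptions.
# The final record is a benign, installed AutoIt use that must not be flagged.
SAMPLE_LOG = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"msiexec.exe /i \"C:\\Users\\kim\\Downloads\\Stress Clear.msi\"","ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"explorer.exe","User":"DESKTOP\\kim"}
{"EventID":1,"Image":"C:\\Windows\\System32\\wscript.exe","CommandLine":"wscript.exe \"C:\\Users\\kim\\AppData\\Local\\Temp\\error.vbs\"","ParentImage":"C:\\Windows\\System32\\msiexec.exe","ParentCommandLine":"msiexec.exe /i \"C:\\Users\\kim\\Downloads\\Stress Clear.msi\"","User":"DESKTOP\\kim"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c \"C:\\Users\\kim\\AppData\\Local\\Temp\\install.bat\"","ParentImage":"C:\\Windows\\System32\\msiexec.exe","ParentCommandLine":"msiexec.exe /i \"C:\\Users\\kim\\Downloads\\Stress Clear.msi\"","User":"DESKTOP\\kim"}
{"EventID":1,"Image":"C:\\Users\\kim\\AppData\\Local\\Temp\\AutoIt3.exe","CommandLine":"AutoIt3.exe IoKITr.au3","ParentImage":"C:\\Windows\\System32\\cmd.exe","ParentCommandLine":"cmd.exe /c \"C:\\Users\\kim\\AppData\\Local\\Temp\\install.bat\"","User":"DESKTOP\\kim"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /create /sc minute /mo 1 /tn Updater /tr \"C:\\Users\\kim\\AppData\\Local\\Temp\\AutoIt3.exe C:\\Users\\kim\\AppData\\Local\\Temp\\IoKITr.au3\" /f","ParentImage":"C:\\Users\\kim\\AppData\\Local\\Temp\\AutoIt3.exe","ParentCommandLine":"AutoIt3.exe IoKITr.au3","User":"DESKTOP\\kim"}
{"EventID":1,"Image":"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe","CommandLine":"\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" C:\\Scripts\\backup.au3","ParentImage":"C:\\Windows\\explorer.exe","ParentCommandLine":"explorer.exe","User":"DESKTOP\\admin"}
"""

AUTOIT_IMAGES = {"autoit3.exe", "autoit3_x64.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Locations an unprivileged user can write to. Payloads dropped by a malicious
# installer land here rather than under Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)\\"
    r"|\\ProgramData\\|\\Windows\\Temp\\",
    re.IGNORECASE,
)
# The action argument of schtasks: /tr "quoted command" or /tr bareword
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """One dict per non-empty JSON line; 'line' is the 1-based line number."""
    events = []
    for number, raw in enumerate(text.splitlines(), start=1):
        if raw.strip():
            event = json.loads(raw)
            event["line"] = number
            events.append(event)
    return events


def script_host_spawned_by_msiexec(ev):
    """msiexec.exe launching cmd/wscript/... on a script in a user-writable
    path: the install.bat and error.vbs stage of the chain."""
    return (basename(ev["ParentImage"]) == "msiexec.exe"
            and basename(ev["Image"]) in SCRIPT_HOSTS
            and USER_WRITABLE.search(ev["CommandLine"]) is not None)


def autoit_interpreter_in_user_writable_path(ev):
    """An AutoIt interpreter executing from Temp/AppData/Downloads, i.e. a
    dropped copy beside its .au3 script rather than an installed one."""
    return (basename(ev["Image"]) in AUTOIT_IMAGES
            and USER_WRITABLE.search(ev["Image"]) is not None)


def schtasks_persisting_autoit(ev):
    """schtasks /create whose action (/tr) runs AutoIt or a .au3 script."""
    if basename(ev["Image"]) != "schtasks.exe":
        return False
    cl = ev["CommandLine"]
    if "/create" not in cl.lower():
        return False
    m = TASK_ACTION.search(cl)
    if not m:
        return False
    action = (m.group(1) or m.group(2)).lower()
    return "autoit3" in action or ".au3" in action


RULES = (script_host_spawned_by_msiexec,
         autoit_interpreter_in_user_writable_path,
         schtasks_persisting_autoit)


def detect(events):
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                alerts.append({
                    "line": ev["line"],
                    "rule": rule.__name__,
                    "user": ev.get("User", ""),
                    "image": ev["Image"],
                    "command_line": ev["CommandLine"],
                })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"line {a['line']}: {a['rule']} [{a['user']}] {a['command_line']}")
```

Run against the constructed log, the four stages after the initial msiexec launch each produce one alert (the decoy VBS, the batch script, the dropped interpreter, and the persistence task), while the installed AutoIt run under Program Files produces none. The user-writable-path condition is what keeps the AutoIt and script-host rules from firing on administrators' own automation; if an environment legitimately runs AutoIt from user profiles, the path filter is the knob to tune rather than the rule set.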
In the event of a suspected compromise, immediate steps should be taken to revoke access to affected accounts, reset credentials, sign out all active Google, Naver, and KakaoTalk sessions (the KakaoTalk PC session in particular, since it is what the attackers use to reach the victim's contacts), and review all device management actions performed via Google Find Hub. Because a wiped phone yields little forensic evidence, the investigation should focus on the PC where the RAT ran and on the account activity history. Incident response teams should consult the latest indicators of compromise (IOCs) and threat intelligence reports to inform their investigations.
References
BleepingComputer: APT37 hackers abuse Google Find Hub in Android data-wiping attacks
Genians Threat Intelligence Blog: APT37 Android Campaign
Lookout Threat Intelligence: APT37 Mobile Spyware
Cyber Security News on X (Twitter): APT37 Find Hub Abuse
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to assess, monitor, and mitigate cyber risks across their digital supply chains. Our platform leverages real-time threat intelligence, automated risk scoring, and continuous monitoring to help customers stay ahead of emerging threats and regulatory requirements. We are committed to empowering our clients with actionable insights and robust security controls to protect their most critical assets.
For any questions or further information, please contact us at ops@rescana.com.