Operation Poseidon is a spear-phishing campaign attributed to the Konni APT that abused legitimate advertising redirection (ad.doubleclick[.]net, mkt.naver[.]com) and compromised WordPress sites to distribute EndRAT via LNK files and AutoIt scripts disguised as PDFs. The campaign reused C2 infrastructure (e.g., jlrandsons.co[.]uk), multiple IPs and file hashes, and underscores the need for behavior-based EDR detection and multi-stage redirection analysis. #EndRAT #Konni
Keypoints
- Spear-phishing emails embedded download URLs that leveraged legitimate advertising redirection to bypass email and URL reputation filtering.
- Poorly secured WordPress sites were used as malware distribution points and C2 infrastructure to evade blocking and tracking.
- The operation was internally named "Poseidon" and attributed to the Konni APT based on reused infrastructure and code artifacts.
- EndRAT (AutoItRAT) was delivered via LNK files inside ZIP archives; an AutoIt script masquerading as a PDF loaded the RAT into memory.
- Attackers exploited ad click-tracking domains (ad.doubleclick[.]net, mkt.naver[.]com) to make malicious redirects appear legitimate.
- Email HTML obfuscation (hidden content padding) and web beacons were used to evade detection and confirm target engagement.
- The report emphasizes EDR behavior-based detection, process/network correlation, and blocking of risky attachment types (e.g., LNK in ZIP) as mitigations.
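One way to implement the attachment-type check the report recommends (flagging LNK shortcuts inside ZIP archives, including shortcuts that carry a document extension in front of `.lnk`), as an added example that is not from the original report; the sample archive and file names are constructed:

```python
import io
import zipfile
from typing import List

# Attachment types the report recommends blocking at the gateway (assumed list).
RISKY_EXTENSIONS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta"}
# Document extensions an attacker may place in front of the real one ("lure.pdf.lnk").
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp"}


def inspect_zip(data: bytes, max_depth: int = 2, _prefix: str = "") -> List[str]:
    """Return findings for a ZIP attachment (empty list means nothing risky).

    Every member is checked for a risky extension and for a document extension
    hidden in front of it; nested ZIPs are opened up to max_depth levels.
    """
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            path = _prefix + member.filename
            lower = member.filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"{path}: risky file type {ext}")
                stem = lower[: -len(ext)]
                if any(stem.endswith(d) for d in DOCUMENT_EXTENSIONS):
                    findings.append(f"{path}: document extension masquerade")
            elif ext == ".zip" and max_depth > 0:
                findings.extend(inspect_zip(zf.read(member), max_depth - 1, path + "/"))
    return findings


def build_sample_zip(include_lnk: bool = True, nest: bool = False) -> bytes:
    """Constructed sample: a lure ZIP with a benign file and, optionally, a .lnk
    disguised as a PDF; with nest=True the archive is wrapped in a second ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"constructed benign content")
        if include_lnk:
            # Only the shell-link header magic is present; the body is filler.
            zf.writestr("Explanation Materials.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
    data = buf.getvalue()
    if nest:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr("inner.zip", data)
        data = outer.getvalue()
    return data
```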
MITRE Techniques
- [T1566] Phishing – Spear-phishing emails delivered download URLs in the message body to trick recipients into opening ZIP archives containing malicious LNK files. ("download URLs for attachments delivered via spear-phishing emails served as the primary attack vector.")
- [T1203] Exploitation for Client Execution – An AutoIt script disguised as a PDF was invoked by the LNK shortcut, loading and executing an EndRAT-variant RAT directly in memory. ("AutoIt script designed to mimic a legitimate PDF document… functions by loading and executing EndRAT-variant remote access trojans directly into memory.")
- [T1071] Application Layer Protocol – The campaign abused legitimate advertising redirection domains to host or redirect to C2/download infrastructure, blending C2 with normal ad traffic. ("utilized the redirection URL structure of a domain used for legitimate ad click tracking (ad.doubleclick[.]net) to incrementally direct users to external infrastructure where actual malicious files were hosted.")
Indicators of Compromise
- [File hash] Malicious payloads and samples observed – f5842320e04c2c97d1f69cebfd47df3d, 6a4c3256ff063f67d3251d6dd8229931, and 12 more hashes
- [IP address] C2 and hosting infrastructure – 109.234.36[.]135, 144.124.247[.]97, and 2 more IPs
- [Domain] Redirect and C2 domains used in redirection and hosting – ad.doubleclick[.]net (used for ad click redirection), jlrandsons.co[.]uk (shared C2/hosting across cases)
- [File name] Lure filenames and archive examples delivered via phishing – (REDACTED)송금 및 거래내역 관련 소명 자료 제출 서류(Submission Documents for Wire Transfer and Transaction History Explanations)(20250722).zip, (REDACTED) Request for Submission of Explanation Materials_20250430TS5869570S.zip (ZIP archives containing LNK shortcuts)