A new cybersecurity report has revealed that a hacking group linked to North Korea carried out a covert and highly sophisticated cyberattack by misusing online advertisements on popular platforms such as Naver and Google. The activity was uncovered by the Genians Security Center, a South Korea–based cybersecurity research body that closely monitored the operation.
Unlike common cyber scams that rely on fake emails or suspicious-looking websites, this attack blended into everyday online activity. The campaign was designed to look normal to regular internet users, making it far more difficult to detect. Researchers said the malware was quietly distributed through advertising systems that millions of people interact with daily, increasing the risk of widespread exposure.
How Online Ads Were Turned Into a Malware Trap
Online advertisements commonly use a system known as click tracking, which routes users through tracking links before they reach the intended website. According to the report, hackers linked to North Korea took advantage of this process by inserting fake tracking links that appeared legitimate. When users clicked on certain ads, they were unknowingly redirected to external servers operated by the attackers, where malicious files were hosted.
The hacking group, identified as Konni, is known to have ties to Kimsuky and other state-backed cyber units. The campaign initially targeted Naver’s advertising system, which is widely used in South Korea. Over time, the same approach was expanded to Google’s advertising network, significantly increasing the campaign’s reach, according to reporting carried by Yonhap.
Because the ads appeared on trusted platforms, users had little reason to suspect any danger. The redirection process happened quickly and silently in the background. Analysts later found the phrase "Poseidon-Attack" embedded in the malware code, suggesting the campaign was centrally organized and carefully managed over an extended period. This type of long-term, low-visibility operation is known as an advanced persistent threat.
What the Malware Does and Why It Is Dangerous
Once the malware reached a user’s device, it was capable of performing several harmful actions. These included stealing sensitive data, monitoring user activity, and creating hidden access points that allowed hackers to regain control later.
One of the most worrying elements identified by researchers was the use of shortcut link files in the campaign linked to North Korea. These files often appear harmless, resembling normal links or documents. However, when opened, they can quietly execute malware without alerting the user. Security experts warned that such files are especially dangerous because many people do not recognize them as a potential threat.
The campaign demonstrated a high level of technical skill often associated with state-backed cyber operations from North Korea. Instead of launching direct attacks on computer systems, the hackers used trusted advertising platforms as delivery channels. This approach allowed them to bypass many traditional security defenses and reach ordinary users more easily. Experts advised users to remain cautious when clicking ad-linked content or downloading unfamiliar files, even when they appear on well-known platforms.
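Defenders can look for the two traits described above, an ad click-tracking link that leads off the advertiser's own domain and a redirect chain that ends in a shortcut file, in proxy or browser logs. The sketch below is an added example, not code from the Genians report; the tracker host, the `u`/`url`/`dest` parameter names and the sample records are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the report): the tracker host and the destination
# parameter names are illustrative placeholders for a real ad platform's values.
AD_TRACKER_HOSTS = {"click.ads.example"}
DEST_PARAMS = ("u", "url", "dest")
RISKY_EXTENSIONS = (".lnk",)  # shortcut link files, as described in the article


def embedded_destination(url):
    """Return the destination URL carried in a tracking link's query, or None."""
    query = parse_qs(urlsplit(url).query)  # parse_qs also percent-decodes values
    for name in DEST_PARAMS:
        for value in query.get(name, []):
            if urlsplit(value).scheme in ("http", "https"):
                return value
    return None


def registrable(host):
    """Crude last-two-labels comparison; production code should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def review_click(click_url, advertiser_domain, final_url):
    """Return the reasons this ad click deserves analyst attention (empty list if none)."""
    reasons = []
    if urlsplit(click_url).hostname not in AD_TRACKER_HOSTS:
        return reasons  # not an ad click-tracking hop, out of scope here
    dest = embedded_destination(click_url)
    if dest and registrable(urlsplit(dest).hostname or "") != registrable(advertiser_domain):
        reasons.append("tracking link points off the advertiser's domain")
    final = urlsplit(final_url)
    if registrable(final.hostname or "") != registrable(advertiser_domain):
        reasons.append("redirect chain ended on an unrelated host")
    if final.path.lower().endswith(RISKY_EXTENSIONS):
        reasons.append("chain ended in a shortcut file download")
    return reasons


# Constructed sample records: (click URL, advertiser's declared domain, final URL).
SAMPLE_CLICKS = [
    ("https://click.ads.example/c?u=https%3A%2F%2Fshop.example.com%2Fsale",
     "example.com", "https://shop.example.com/sale"),
    ("https://click.ads.example/c?u=https%3A%2F%2Ffiles.example.net%2Fdocument.lnk",
     "example.com", "https://files.example.net/document.lnk"),
]

if __name__ == "__main__":
    for click, advertiser, final in SAMPLE_CLICKS:
        print(final, "->", review_click(click, advertiser, final) or "ok")
```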
Links to Wider Cybercrime and Sanctions Violations
This advertising-based malware campaign is part of a broader pattern of cyber activity linked to North Korea, according to international monitoring bodies. A multinational group known as the Multilateral Sanctions Monitoring Team (MSMT) has raised concerns about the country’s continued use of cybercrime to evade global sanctions, especially after a previous United Nations expert panel was dissolved.
Separate assessments from blockchain analytics firm Chainalysis estimate that hackers linked to the country stole more than $2 billion worth of cryptocurrency in a single year. This marked a significant increase compared to previous periods and highlighted how cyber operations have become a major source of funding.
The spread of malware through Naver and Google advertisements has added to growing concerns, as it shows that ordinary internet users are directly affected by these activities. Security teams continue to examine the full scope of the campaign while urging users to remain cautious when interacting with online ads or downloading files from unknown sources.



