Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms
Essential information
- Published
- 18/01/2026 18:38
- Modified
- 19/01/2026 09:30
- Tags
- 2026-01-18 autoit autoitrat endrat financial impersonation google ads north korean human rights redirection spear-phishing wordpress
- Related entities
- 1 observables, 1 intrusion sets (apt), 18 techniques (mitre), 2 malware, 19 others
Description
Operation Poseidon is a sophisticated spear-phishing campaign attributed to the Konni APT group. The attackers exploit Google Ads redirection mechanisms to bypass security filters and user awareness. They compromise poorly secured WordPress sites for malware distribution and C2 infrastructure. The campaign uses social engineering tactics, impersonating North Korean human rights organizations and financial institutions. Malware is delivered through LNK files disguised as PDF documents, executing AutoIt scripts that load EndRAT variants. The attackers employ advanced evasion techniques, including email content padding and abuse of legitimate advertising URLs. The campaign demonstrates evolving tactics and infrastructure reuse consistent with previous Konni activities.