Operation Poseidon: Spear-Phishing Attacks Abusing Google Ads Redirection Mechanisms
released on 2026-01-18 @ 06:38:18 PM
Operation Poseidon is a sophisticated spear-phishing campaign attributed to the Konni APT group. The attackers exploit Google Ads redirection mechanisms to get past security filters and user scrutiny. They compromise poorly secured WordPress sites and use them for malware distribution and as C2 infrastructure. The campaign relies on social engineering, impersonating North Korean human rights organizations and financial institutions. Malware is delivered through LNK files disguised as PDF documents, which execute AutoIt scripts that load EndRAT variants. The attackers employ advanced evasion techniques, including email content padding and abuse of legitimate advertising URLs. The evolving tactics and the reuse of infrastructure are consistent with previous Konni activities.
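For the delivery step described above (LNK files disguised as PDF documents), the following is an added detection example, not code from the report or from any vendor tooling. It assumes the shortcut arrives inside a ZIP attachment; the file names, the decoy-extension list and the verdict labels are constructed for illustration.

```python
import io
import zipfile
from typing import Optional

# Shell Link header (MS-SHLLINK): HeaderSize 0x0000004C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Assumed list of document extensions used as decoys; extend for your environment.
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xlsx")

def classify(name: str, head: bytes) -> Optional[str]:
    """Return a verdict label for a suspicious archive member, or None."""
    lower = name.lower().rstrip(" .")
    if lower.endswith(".lnk"):
        stem = lower[:-4].rstrip(" .")
        # Explorer hides the .lnk extension, so "x.pdf.lnk" is shown as "x.pdf".
        return "lnk-double-extension" if stem.endswith(DECOY_EXTS) else "lnk-in-attachment"
    if head[:20] == LNK_MAGIC:
        return "lnk-content-mismatch"  # shortcut bytes under a non-.lnk name
    return None

def scan_zip(blob: bytes) -> list:
    """List (member name, verdict) for every flagged file in a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            verdict = classify(info.filename, head)
            if verdict:
                findings.append((info.filename, verdict))
    return findings

def build_sample() -> bytes:
    """Constructed test archive; names and contents are made up and inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("statement.pdf", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("real.pdf", b"%PDF-1.7\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, verdict in scan_zip(build_sample()):
        print(f"{verdict:22} {member}")
```

Matching on the header bytes as well as the name catches a shortcut whose extension was changed before mailing, which a name-only attachment filter would pass.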