A North Korea-linked hacking group has recently distributed malware by embedding it in online advertising campaigns operated by Naver and Google, the two most widely used portals in South Korea.
According to an online threat assessment report released by the South Korea-based Genians Security Center, “Konni,” a hacking group tied to “Kimsuky” and other Pyongyang-backed hacking groups, launched an advanced persistent threat campaign by abusing the online ad systems.
The group exploited click tracking, a process used in online advertising that routes users through intermediary web links before directing them to advertisers’ websites. The abused links ultimately redirected users to external servers hosting malicious files.
Though Konni initially focused on abusing Naver’s advertising services, it has recently expanded its reach through Google’s ad systems.
The think tank identified the phrase “Poseidon-Attack” within the malware code, suggesting the hacking group has systematically managed the campaign under the Poseidon designation.
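The click-tracking redirect path described above can be checked from the defender's side in web proxy logs: rebuild each redirect chain that starts at an ad click-tracking host and flag chains that end in a file download instead of a landing page. This Python code is an added example, not taken from the Genians report; the tracker host, the content types treated as downloads, and every log record are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

# Assumption: hosts your ad platforms use for click tracking (placeholder value).
TRACKER_HOSTS = {"click.adnetwork.example"}
# Assumption: response types treated as file delivery rather than a landing page.
DOWNLOAD_TYPES = {"application/zip", "application/octet-stream",
                  "application/x-msdownload"}

# Constructed proxy log: (client, requested URL, status, Location, Content-Type)
SAMPLE_LOG = [
    ("10.0.0.5", "https://click.adnetwork.example/c?id=111", 302, "https://shop.example/sale", ""),
    ("10.0.0.5", "https://shop.example/sale", 200, "", "text/html; charset=utf-8"),
    ("10.0.0.9", "https://click.adnetwork.example/c?id=222", 302, "https://hop.example/r", ""),
    ("10.0.0.9", "https://hop.example/r", 302, "https://files.example/doc.zip", ""),
    ("10.0.0.9", "https://files.example/doc.zip", 200, "", "application/zip"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def trace_chains(log):
    """Rebuild per-client redirect chains that begin at a click-tracking host."""
    chains, pending = [], {}  # pending: (client, next expected URL) -> chain
    for client, url, status, location, ctype in log:
        chain = pending.pop((client, url), None)
        if chain is None:
            if host(url) not in TRACKER_HOSTS:
                continue  # not an ad click and not a continuation of one
            chain = {"client": client, "hops": [], "content_type": ""}
            chains.append(chain)
        chain["hops"].append(url)
        if 300 <= status < 400 and location:
            # Location may be relative, so resolve it against the current URL
            pending[(client, urljoin(url, location))] = chain
        else:
            chain["content_type"] = ctype.split(";")[0].strip().lower()
    return chains

def suspicious(chain):
    """An ad click that ended in a file download served by a non-tracker host."""
    final_host = host(chain["hops"][-1])
    return final_host not in TRACKER_HOSTS and chain["content_type"] in DOWNLOAD_TYPES

def find_suspicious(log):
    return [c for c in trace_chains(log) if suspicious(c)]

if __name__ == "__main__":
    for c in find_suspicious(SAMPLE_LOG):
        print(c["client"], " -> ".join(c["hops"]), c["content_type"])
```

Chains whose last hop never appears in the log keep an empty content type and are not flagged, so incomplete captures produce misses rather than false alerts.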