Cyber Security News

Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities

A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group, tracked as “Operation SyncHole,” has compromised at least six South Korean organizations across software, IT, financial, semiconductor, and telecommunications sectors since November 2024.

According to detailed research, the attackers employed a combination of watering hole attacks and exploited vulnerabilities in widely used South Korean software, including Cross EX and Innorix Agent.

This operation showcases the group’s deep understanding of the local software ecosystem, targeting applications integral to online banking and government services.

The campaign's sophistication lies in its use of one-day vulnerabilities: flaws for which a patch already exists but which remain exploitable in the window before affected organizations deploy it. Weaponizing them this quickly demonstrates Lazarus' agility in turning newly disclosed weaknesses into working attacks.

Attack flow during initial compromise

Technical Precision in Malware Deployment and Lateral Movement

The attack began with users visiting compromised South Korean media sites, triggering the delivery of the ThreatNeedle backdoor via a watering hole strategy.

Lazarus exploited flaws in Cross EX, legitimate browser-support software used by Korean online banking and government services, to inject malware into the SyncHost.exe process, gaining elevated privileges and persistence on the host.

Simultaneously, a one-day vulnerability in Innorix Agent (versions up to 9.2.18.496) facilitated lateral movement within networks, allowing the deployment of additional payloads like ThreatNeedle and LPEClient.

The operation unfolded in two phases: the first relied on updated variants of ThreatNeedle and wAgent, while the second introduced SIGNBT (version 0.0.1 and 1.2) and COPPERHEDGE for reconnaissance and payload delivery.

Notably, the malware incorporated public-key cryptography for its communications (Curve25519 in ThreatNeedle, RSA in SIGNBT) and modular structures, reflecting Lazarus' evolving tactics.

New libraries, such as the GNU Multiple-Precision (GMP) in wAgent, and techniques like Tartarus-TpAllocInject in the Agamemnon downloader, were observed, underscoring their focus on bypassing modern security solutions.

Operational structure of the wAgent variant

Infrastructure analysis revealed compromised legitimate South Korean websites repurposed as command-and-control (C2) servers, with domains like www.smartmanagerex[.]com mimicking trusted vendors to evade detection.

Rapid response by security researchers, in collaboration with the Korea Internet & Security Agency (KrCERT/CC), led to the patching of exploited software vulnerabilities, including a previously unknown zero-day in Innorix Agent (KVE-2025-0014).

Despite these efforts, the researchers warn that many more organizations may have been compromised, given the widespread use of the targeted software.

Lazarus’ persistent focus on South Korean supply chains, as seen in prior campaigns like Bookcode (2020) and DeathNote (2022), suggests that such attacks will continue, potentially leveraging undiscovered zero-days.

Organizations are urged to deploy robust security solutions and remain vigilant against cascading supply chain threats.

Indicators of compromise (file indicators are MD5 hashes with their observed drop paths):

Type                 Value                                            Location
ThreatNeedle Loader  f1bcb4c5aa35220757d09fc5feea193b                 C:\System32\PCAuditex.dll
wAgent Loader        dc0e17879d66ea9409cdf679bfea388c                 C:\ProgramData\intel\util.dat
COPPERHEDGE Dropper  2d47ef0089010d9b699cd1bbbc66f10a                 %AppData%\hnc_net.tmp
C2 Server            www.smartmanagerex[.]com                         -
C2 Server            hxxps://thek-portal[.]com/eng/career/index.asp   -
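The indicators above and the affected Innorix Agent range (versions up to 9.2.18.496) can be turned into a quick host and log sweep. The script below is an added example written for this page, not code from the article or from the researchers who analyzed the campaign. It takes the MD5 hashes, drop paths and C2 hosts from the table, compares an installed Innorix Agent version string against the vulnerable range, hashes any file found at a listed drop path, and flags proxy or DNS log lines that reference a listed C2 host. The proxy log lines are constructed for the dry run and are not real traffic; the %AppData% path is only expanded on Windows.

```python
"""IoC sweep for the Operation SyncHole indicators listed above.

Added example, not part of the original article or the researchers' tooling.
"""
import hashlib
import os
import re
from pathlib import Path

# File indicators copied from the article's table: MD5 -> (family, drop path).
FILE_IOCS = {
    "f1bcb4c5aa35220757d09fc5feea193b": ("ThreatNeedle Loader", r"C:\System32\PCAuditex.dll"),
    "dc0e17879d66ea9409cdf679bfea388c": ("wAgent Loader", r"C:\ProgramData\intel\util.dat"),
    "2d47ef0089010d9b699cd1bbbc66f10a": ("COPPERHEDGE Dropper", r"%AppData%\hnc_net.tmp"),
}

# Network indicators from the same table, defanging brackets removed.
C2_HOSTS = {"www.smartmanagerex.com", "thek-portal.com"}

# Last Innorix Agent build the article names as affected by the one-day bug.
INNORIX_LAST_VULNERABLE = "9.2.18.496"

# Loose hostname matcher: letters/digits/dots/hyphens ending in an alphabetic TLD,
# so bare IPv4 addresses and timestamps are not picked up.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_version(text):
    """'9.2.18.496' -> (9, 2, 18, 496); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def innorix_is_vulnerable(installed):
    """True when the installed build is 9.2.18.496 or earlier."""
    return parse_version(installed) <= parse_version(INNORIX_LAST_VULNERABLE)


def classify_digest(md5_hex):
    """Map an MD5 hex digest to the malware family from the table, or None."""
    entry = FILE_IOCS.get(md5_hex.lower())
    return entry[0] if entry else None


def md5_of(path):
    """Stream a file through MD5 (the hash type the table lists)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_drop_paths():
    """Report any file present at a listed drop path as (path, md5, family).

    family is None when a file exists at the path but its hash is not in the
    table; a file at one of these paths still deserves a look.
    """
    report = []
    for family, drop in FILE_IOCS.values():
        path = os.path.expandvars(drop)  # %AppData% expands on Windows only
        if Path(path).is_file():
            digest = md5_of(path)
            report.append((path, digest, classify_digest(digest)))
    return report


def scan_log_for_c2(lines):
    """Return (line_number, host) for every line naming a listed C2 host or
    a subdomain of one."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in HOST_RE.findall(line):
            host = token.lower().strip(".")
            if host in C2_HOSTS or any(host.endswith("." + c2) for c2 in C2_HOSTS):
                hits.append((number, host))
    return hits


# Constructed sample proxy log lines (not real traffic) for a dry run.
SAMPLE_PROXY_LOG = [
    "2025-04-24T09:12:01Z 10.0.5.17 GET https://www.smartmanagerex.com/update.php 200",
    "2025-04-24T09:12:03Z 10.0.5.17 GET https://update.microsoft.com/ 200",
    "2025-04-24T09:14:40Z 10.0.5.22 POST https://thek-portal.com/eng/career/index.asp 200",
]

if __name__ == "__main__":
    print("Innorix 9.2.18.496 vulnerable:", innorix_is_vulnerable("9.2.18.496"))
    print("Innorix 9.2.18.497 vulnerable:", innorix_is_vulnerable("9.2.18.497"))
    print("Drop-path hits:", sweep_drop_paths())
    print("C2 hits:", scan_log_for_c2(SAMPLE_PROXY_LOG))
```

Feed scan_log_for_c2 real proxy or DNS export lines and run sweep_drop_paths on endpoints; a match on hash or path is worth escalating, and an older Innorix Agent build should be patched regardless of whether the sweep finds anything, since the loaders are easily rebuilt with new hashes.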


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
