We have been tracking the latest attack campaign by the Lazarus group since last November, as it targeted organizations in South Korea with a sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software

Continue reading
Lazarus Group‚ North Korea's most notorious hacking collective, has breached at least six major South Korean corporations using never-before-seen vulnerabilities in mandatory security software. Dubbed *Operation SyncHole, the campaign exploited weaknesses in tools required for online banking and government services, marking one of the most sophisticated supply-chain attacks in recent memory.
The Lazarus Group, sanctioned by the UN for funding Pyongyang‚Äôs weapons programs, infiltrated organizations across software development, semiconductor manufacturing, telecommunications, and finance between November 2024 and February 2025. Kaspersky researchers revealed that the attackers weaponized Cross EX and Innorix Agent‚Äîtwo programs mandated by South Korean law for secure web transactions‚to hijack systems and steal sensitive data[^1].
Victims included unnamed Fortune 500 semiconductor firms and IT giants central to South Korea’s tech-dominated economy. While six companies are confirmed compromised, analysts warn the true scale is likely far greater. “These tools are installed on millions of devices,” said Sojun Ryu, a Kaspersky researcher. “Every user who updated their software was a potential target[^1].”
The operation began with a brazen manipulation of South Korean media. Hackers compromised legitimate news websites, embedding code that redirected specific visitors to fake software download portals. One such site, smartmanagerex[.]com, mimicked the official Cross EX vendor, tricking users into triggering exploits[^1].
“Imagine reading the morning news and unknowingly downloading malware,” explained a KrCERT spokesperson. “The Lazarus Group profiled visitors like predators at a watering hole, striking only high-value targets[^1].”
At the campaign’s core lay two critical vulnerabilities:
The Lazarus Group even developed a custom tool, Innorix Abuser, to automate victim profiling and payload delivery. “This wasn’t a smash-and-grab—it was a surgical strike,” noted Ryu. “They understood South Korea’s digital infrastructure better than many local firms[^1].”
Operation SyncHole showcased Lazarus’ rapidly evolving toolkit, blending legacy malware with cutting-edge tradecraft:
An upgraded version of Lazarus’ signature backdoor used Curve25519 elliptic-curve encryption to secure communications. The malware’s “Core” component supported 37 commands, enabling real-time file theft, screen capture, and persistence via compromised Windows services[^1].
Masquerading as liblzma.dll, this revamped malware employed the GNU GMP library for RSA encryption—a first for Lazarus. It communicated via HTTP requests disguised as routine browser traffic, complete with decoy cookies like `__Host-next-auth-token[^1]`.
Later attack phases shifted to SIGNBT 1.2 and COPPERHEDGE, tools optimized for evading detection. COPPERHEDGE hid configuration files in Alternate Data Streams (ADS), while SIGNBT used RSA-encrypted AES keys to cloak exfiltrated data[^1].
The breakthrough came from analyzing command timestamps. “Malware executions clustered between GMT 00:00–09:00—Pyongyang’s business hours,” revealed Ryu. This temporal footprint, paired with historic Lazarus tactics, cemented North Korean attribution[^1].
A critical error also exposed the hackers: misused Windows commands. “They tried killing processes with `/im` instead of PID numbers,” chuckled a researcher. “Even elite spies get sloppy[^1].”
While patches for Cross EX and Innorix Agent are now available, experts warn the Lazarus Group retains stolen source code. “More zero-days are inevitable,” cautioned a KrCERT advisory. South Korea’s National Cyber Security Center has urged corporations to:
This detects related malware as `Trojan.Win64.Lazarus` and `MEM:Trojan.Win32.SEPEH.gen`, but the Lazarus Group’s shift toward lightweight, modular tools poses an ongoing challenge. As Ryu grimly notes, “Today’s fix is tomorrow’s exploit. This war has no end[^1].”

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.