Pierluigi Paganini
April 25, 2025
Kaspersky researchers reported that the North Korea-linked APT group Lazarus targeted at least six firms in South Korea in a cyber espionage campaign tracked as Operation SyncHole.
The campaign has been active since at least November 2024, Lazarus Group is targeting South Korean organizations using watering hole tactics and exploiting software vulnerabilities. Targeted organizations are in IT, finance, semiconductors, and the telecom sectors, with likely more compromised.
Kaspersky notified Korea Internet & Security Agency (KrCERT/CC), the researchers discovered that threat actor exploited a one-day vulnerability in Innorix Agent for lateral movement.
The attackers used multiple hacking tools and malware, including ThreatNeedle, Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE.
“The initial infection was discovered in November of last year when we detected a variant of the ThreatNeedle backdoor, one of the Lazarus group’s flagship malicious tools, used against a South Korean software company. We found that the malware was running in the memory of a legitimate SyncHost.exe process, and was created as a subprocess of Cross EX, legitimate software developed in South Korea.” reads the report published by Kaspersky. “This potentially was the starting point for the compromise of further five organizations in South Korea.”
In South Korea, many government and banking websites require users to install specific security software for functions like anti-keylogging and digital signatures. These programs run continuously in the background, making them attractive targets. The North Korea-linked Lazarus Group exploited vulnerabilities in one such program, Cross EX, using it in watering hole attacks aimed specifically at South Korean sectors. The malware injection process originated from Cross EX and was executed with high system privileges, suggesting privilege escalation. The National Cyber Security Center of South Korea had already issued advisories [1, 2] on these risks in 2023, also collaborating with the UK on joint warnings. The incidents, all involving the same execution pattern and version of Cross EX, occurred between November 2024 and February 2025, confirming a coordinated and targeted campaign.
The Lazarus group exploited vulnerabilities in South Korean software, notably Innorix Agent and Cross EX, to infiltrate systems, spread malware, and streamline attacks. Infections began via compromised media sites, leading to ThreatNeedle malware deployment through malicious redirects and privilege escalation.
The Lazarus group’s Operation SyncHole is composed of two phases: initially using ThreatNeedle and wAgent malware, then shifting to SIGNBT and COPPERHEDGE. The researchers reported that after early detection and response to the first attack, the group modified its tactics, deploying three updated malware chains in later, more frequent attacks across multiple targets.
“We derived a total of four different malware execution chains based on these phases from at least six affected organizations. In the first infection case, we found a variant of the ThreatNeedle malware, but in subsequent attacks, the SIGNBT malware took its place, thus launching the second phase. We believe this is due to the quick and aggressive action we took with the first victim.” continues the report. “In subsequent attacks, the Lazarus group introduced three updated infection chains including SIGNBT, and we observed a wider range of targets and more frequent attacks. This suggests that the group may have realized that their carefully prepared attacks had been exposed, and extensively leveraged the vulnerability from then on.”
In the first phase of the Lazarus group’s campaign, threat actor used updated versions of ThreatNeedle, wAgent, and Agamemnon malware. ThreatNeedle was split into Loader and Core components, using advanced encryption (ChaCha20 with Curve25519) and system persistence techniques. wAgent included AES-128-CBC decryption and leveraged RSA via the GMP library. Agamemnon facilitated payload delivery using novel methods like Tartarus-TpAllocInject. The group exploited South Korea-specific software, notably Innorix Agent, for lateral movement, embedding malware disguised as legitimate services. The second phase introduced SIGNBT and COPPERHEDGE. SIGNBT 1.2 focused on payload delivery with encrypted C2 communication, while COPPERHEDGE was used for internal reconnaissance. This operation showcases the Lazarus group’s shift to modular, stealthy, and locally tailored malware.
“The Lazarus group’s specialized attacks targeting supply chains in South Korea are expected to continue in the future. Our research over the past few years provided evidence that many software development vendors in Korea have already been attacked, and if the source code of a product has been compromised, other zero-day vulnerabilities may continue to be discovered.” concludes the report that includes Indicators of Compromise (IoCs) for this campaign. “The attackers are also making efforts to minimize detection by developing new malware or enhancing existing malware. In particular, they introduce enhancements to the communication with the C2, command structure, and the way they send and receive data.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Lazarus)
