At least six South Korean organizations across key industries have been targeted by North Korea-linked hackers in a sophisticated cyberattack campaign known as Operation SyncHole. The attackers, identified as the Lazarus Group, launched a series of intrusions starting in November 2024, according to a new report from Kaspersky.
The targeted sectors include IT, software, telecommunications, finance, and semiconductor manufacturing. Kaspersky researchers Sojun Ryu and Vasily Berdnikov noted that the attackers used a strategic mix of watering hole attacks and software vulnerability exploitation to breach their targets.
Watering Hole Attacks and Exploited Vulnerabilities
The campaign begins with watering hole attacks, which lure unsuspecting users to compromised South Korean media websites. These sites then redirect selected visitors to an attacker-controlled domain. Once redirected, a malicious script attempts to exploit vulnerabilities in Cross EX—a local security software widely used in South Korea for online banking and government websites. Cross EX supports anti-keylogging features and certificate-based digital signatures.
Kaspersky suspects that the Lazarus Group used this Cross EX flaw to inject malware into targeted systems. The infection chain involves executing the legitimate file SyncHost.exe, which then loads shellcode to deliver a customized variant of Lazarus’s known ThreatNeedle malware.
The attack follows a two-phase pattern. First, the attackers deploy ThreatNeedle and wAgent to establish initial access. Then, they activate more advanced tools like SIGNBT and COPPERHEDGE for persistence, surveillance, and credential theft.
One of the tools used for profiling victims and fetching additional malware is LPEClient. Another downloader, called Agamemnon, pulls more payloads from the group’s command-and-control (C2) servers. Agamemnon also uses the “Hell’s Gate” technique, which resolves and invokes Windows system calls directly rather than through monitored library functions, helping the malware evade user-mode hooks relied on by traditional security products.
Lateral Movement via Innorix Agent Exploits
One of the most striking aspects of the campaign is its use of Innorix Agent, a local file transfer tool, for lateral movement. The attackers exploited a previously unknown vulnerability in this software to move across internal networks. Kaspersky confirmed that the vulnerability allowed for arbitrary file downloads and has since been patched by the vendor.
This approach mirrors tactics used by Andariel, a known sub-group of Lazarus. In the past, Andariel deployed malware like Volgmer and Andardoor using similar lateral movement techniques.
Kaspersky researchers emphasized that Lazarus has shown a deep understanding of South Korea’s cybersecurity environment. The group targets popular, locally used software—like Cross EX and Innorix Agent—to gain access and stay undetected. The attackers have also refined their malware’s communication with C2 servers and introduced stealthy data exchange mechanisms.
Kaspersky warns that Lazarus’s focus on South Korea’s software supply chain is unlikely to slow down. The group is known for frequently updating its tools and adopting new methods to stay ahead of detection systems.
“The Lazarus group’s specialized attacks targeting supply chains in South Korea are expected to continue,” said Kaspersky. “The attackers are also making efforts to minimize detection by developing new malware or enhancing existing malware.”
The evolution of Lazarus’s toolkit includes improvements to command structures, encrypted communication, and payload delivery methods. With the use of watering hole sites, zero-day vulnerabilities, and multi-stage malware, the group continues to pose a serious threat to organizations in South Korea and beyond.