Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Flaws and ThreatNeedle Malware

Summary: The Lazarus Group has been linked to a targeted campaign against South Korean industries, using tactics that include watering hole attacks and the exploitation of vulnerabilities in legitimate software. The attacks have chiefly affected the software, IT, financial, semiconductor, and telecommunications sectors, with tools such as ThreatNeedle and COPPERHEDGE reported as part of the campaign. Security researchers expect these specialized attacks to continue as the group adapts its methods to evade detection and enhance its operations.

Affected: South Korean industries (software, IT, financial, semiconductor manufacturing, telecommunications)

Key points:

  • Targeting began in November 2024, employing a combination of watering hole strategies and vulnerability exploitation.
  • Specific vulnerabilities in Cross EX and Innorix Agent were exploited to deploy malware and conduct lateral movement.
  • Attacks are characterized by initial phases using ThreatNeedle and wAgent, evolving to include SIGNBT and COPPERHEDGE for persistence and credential dumping.
  • Malware deployment is facilitated by tools like Agamemnon, which downloads additional payloads from a command-and-control server while bypassing security measures.
  • New enhancements and techniques are continuously developed to minimize detection and maximize the effectiveness of the malware's command-and-control communications.

Source: https://thehackernews.com/2025/04/lazarus-hits-6-south-korean-firms-via.html