Lazarus hackers breach six companies in watering hole attacks

Summary: Recently, the North Korean group Lazarus executed an espionage campaign, dubbed ‘Operation SyncHole,’ targeting various South Korean sectors, including software and finance. The attackers employed a watering hole strategy alongside a vulnerability in the Cross EX file transfer client to compromise at least six organizations between November 2024 and February 2025. Kaspersky reports that many more organizations may have been affected given the widespread use of the exploited software.

Affected: Multiple organizations in South Korea, specifically in software, IT, finance, and telecommunications.

Key points:

  • Lazarus utilized a compromised South Korean media portal to redirect targets to malicious domains.
  • The exploit involved malicious JavaScript on a fake site that used the Cross EX software to deliver the ThreatNeedle backdoor.
  • Kaspersky noted a non-exploited zero-day flaw in Innorix Agent, which was responsibly reported and subsequently patched.

Source: https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-six-companies-in-watering-hole-attacks/