Lazarus APT Targets Organizations by Exploiting One-Day Vulnerabilities
A recent cyber espionage campaign by the notorious Lazarus Advanced Persistent Threat (APT) group, tracked as “Operation SyncHole,” has compromised at least six South Korean organizations across software, IT, financial, semiconductor, and telecommunications sectors since November 2024.
According to detailed research, the attackers employed a combination of watering hole attacks and exploited vulnerabilities in widely used South Korean software, including Cross EX and Innorix Agent.
This operation showcases the group’s deep understanding of the local software ecosystem, targeting applications integral to online banking and government services.
The campaign’s sophistication lies in its use of one-day vulnerabilities (flaws patched shortly after discovery but exploited during the narrow window of exposure), demonstrating Lazarus’ agility in weaponizing newly identified weaknesses.

Technical Precision in Malware Deployment and Lateral Movement
The attack began with users visiting compromised South Korean media sites, triggering the delivery of the ThreatNeedle backdoor ...
Copyright of this story solely belongs to gbhackers.