
Lazarus threat actors breach six South Korean companies


The North Korean threat group Lazarus targeted several companies in the IT, software, telecommunications and finance industries in South Korea through a watering hole attack combined with the exploitation of a flaw in South Korean software.

The vulnerability was found in a file transfer client used in South Korea to accomplish administrative and financial tasks. The espionage campaign, named ‘Operation SyncHole’ by Kaspersky researchers, breached at least six organisations between November 2024 and February 2025.

In a report, the cybersecurity company said, “We are confident that there are many more affected organizations across a broader range of industries, given the popularity of the software exploited by Lazarus in this campaign.” The threat group leveraged an exploit that the vendor was already aware of and that had been used in earlier campaigns.

The attack sequence began with victims visiting South Korean media portals that Lazarus had compromised; server-side scripts on those portals profiled visitors and redirected potential targets to the malicious domains.

The destination sites were designed to imitate legitimate software vendors, including the distributor of Cross EX, a tool that lets South Koreans run security programs within several browsers for interactions with government sites and internet banking. Malicious JavaScript on the fake webpage abused the Cross EX software to deliver the payload.

“Although the exact method by which Cross EX was exploited to deliver malware remains unclear, we believe that the attackers escalated their privileges during the exploitation process as we confirmed the process was executed with high integrity level in most cases,” Kaspersky said. A security advisory posted recently on the Korea Internet & Security Agency’s (KrCERT) website said that the vulnerabilities in Cross EX, addressed by Kaspersky during its research, have been patched.

Multiple infection chains, differing in both the initial and later stages of the attack, were observed across the six confirmed breaches, implying that only the initial infection was common to all of them. Based on the toolset used in Operation SyncHole, Kaspersky confirmed that the compromise was the work of the North Korean government-backed Lazarus group.

The anti-virus company said it has shared its findings with KrCERT and that patches for the exploited software have been released. Additionally, it uncovered a zero-day flaw (KVE-2024-0014) in Innorix Agent versions 9.2.18.001 through 9.2.18.538 that enables arbitrary file downloads and had not yet been exploited.


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
