
Lazarus Group Breaches South Korean Tech via Zero-Days


The North Korea-linked Lazarus Group has launched a new cyberattack campaign called Operation SyncHole, targeting six major organizations in South Korea. Victims span across the software, IT, finance, semiconductor, and telecom industries.

Security firm Kaspersky first spotted signs of this campaign in November 2024. The hackers used a mix of watering hole tactics and software flaws to break into company networks. Their tools included well-known malware like ThreatNeedle, wAgent, SIGNBT, and COPPERHEDGE.

A key part of the attack involved a flaw in Cross EX. This software is widely used in South Korea for online banking and digital certificate services. The attackers used this vulnerability to inject malware after users visited compromised websites.

They also exploited a bug in Innorix Agent, a file transfer tool. This allowed them to move from one system to another once inside a network. That tactic echoes earlier attacks from the Andariel subgroup of Lazarus, which used similar methods to spread malware like Volgmer and Andardoor.

The initial infection began with a watering hole attack. Visitors to certain South Korean news sites were silently redirected to a hacker-controlled page. There, a hidden script likely exploited a Cross EX flaw and launched malware. The attack loaded a fake version of SyncHost.exe and injected a backdoor into it—triggering the installation of ThreatNeedle.

This campaign ran in two clear phases. First, ThreatNeedle and wAgent were used to break in. Then, malware like SIGNBT and COPPERHEDGE helped the hackers stay hidden, explore internal systems, and steal credentials.
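The infection chain above hinges on a look-alike SyncHost.exe being loaded and injected into. One practical defensive check is to scan process-creation telemetry for a binary with that name running from anywhere other than the directory where the legitimate Cross EX component is installed. The Python below is an added example written for this article, not code from Kaspersky or from the Cross EX vendor: the log lines are constructed, the key=value log format is assumed, and the allowlisted directory is a placeholder that an organisation would replace with the path recorded in its own software inventory.

```python
import re
from pathlib import PureWindowsPath

# Assumed placeholder: the directory where the legitimate Cross EX SyncHost.exe is
# expected on managed hosts. This is NOT the vendor's documented path; take the
# real value from your software inventory.
EXPECTED_DIRS = {r"C:\Program Files\CrossEX"}

# Constructed process-creation events in a simple key=value format (assumed, not a
# specific vendor's schema). Quoted values allow paths containing spaces.
SAMPLE_LOG = r"""
2024-11-12T09:14:02Z host=WS-017 event=ProcessCreate image="C:\Program Files\CrossEX\SyncHost.exe" parent="C:\Windows\explorer.exe"
2024-11-12T09:15:47Z host=WS-017 event=ProcessCreate image="C:\Users\kim\AppData\Local\Temp\SyncHost.exe" parent="C:\Windows\explorer.exe"
2024-11-12T09:16:01Z host=WS-022 event=ProcessCreate image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"
"""

# key=value pairs; a value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one log line into a dict of fields, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_suspicious_synchost(event: dict, expected_dirs=EXPECTED_DIRS) -> bool:
    """True when the created image is named SyncHost.exe but lives outside the
    allowlisted directory. Comparison is case-insensitive because Windows paths are."""
    path = PureWindowsPath(event.get("image", ""))
    if path.name.lower() != "synchost.exe":
        return False
    allowed = {d.lower() for d in expected_dirs}
    return str(path.parent).lower() not in allowed


def scan(log_text: str, expected_dirs=EXPECTED_DIRS) -> list:
    """Return (host, image, parent) for every event that trips the rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_suspicious_synchost(event, expected_dirs):
            findings.append((event.get("host"), event.get("image"), event.get("parent")))
    return findings


if __name__ == "__main__":
    for host, image, parent in scan(SAMPLE_LOG):
        print(f"[ALERT] {host}: SyncHost.exe outside expected directory: {image} (parent: {parent})")
```

Only the second constructed event, where SyncHost.exe starts from a user's Temp directory, is reported; the copy in the expected directory and the unrelated notepad.exe launch are ignored. In a real deployment the allowlist check would be paired with a signature check on the image, since a dropped copy can be placed anywhere but cannot carry the vendor's valid signature.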

Lazarus also used other tools to carry out the attack. One called LPEClient helped profile victims and prepare payloads. Another, Agamemnon, downloaded extra files from hacker-controlled servers. It used a stealth technique called Hell’s Gate to bypass antivirus tools during the download.

Among those downloads was another file that exploited the Innorix Agent. Kaspersky later found it was a zero-day bug that allowed files to be pulled from a system without permission. Innorix has since fixed the issue.

Kaspersky warned that these types of attacks are likely to continue. Lazarus is constantly upgrading its malware, and it is also improving how its tools communicate with command servers and avoid detection.

The group’s deep knowledge of South Korean systems gives it an edge. Its ability to target widely used local software makes it hard to stop.
