Lazarus Hits South Korean Firms with Zero-Day Malware in Operation SyncHole


North Korean-linked threat group Lazarus is once again in the spotlight after launching a new campaign targeting multiple South Korean companies across critical industries.

This time it is part of what Kaspersky calls Operation SyncHole, a campaign that combines watering-hole tactics with zero-day exploitation to deliver advanced malware.

Who Was Targeted and How

Kaspersky reports that at least six organizations have been hit so far, spanning sectors like:

  • Financial services
  • Information technology
  • Semiconductors
  • Software development
  • Telecommunications

While Lazarus has historically focused on South Korea, this campaign stands out for how it leverages the country’s unique software ecosystem.

South Korean companies are required by law to run certain security software in browser environments. Tools such as Cross EX and Innorix Agent handle certificate-based logins, anti-keylogging, and secure file transfers, which means they are installed and running on a large number of corporate endpoints.

Lazarus took full advantage of this.

The Exploits and Infection Chain

The attackers:

  • Exploited a vulnerability in Cross EX to gain an initial foothold on the victim's endpoint.
  • Used a zero-day in Innorix Agent to move laterally to other hosts inside the network.

The chain started when victims visited compromised South Korean media websites. A server-side script filtered visitors and redirected only likely targets to an attacker-controlled domain. From there, malicious scripts ran in the victim's browser, exploited Cross EX, and triggered:

  • The launch of SyncHost.exe (a legitimate Windows process) as an injection host
  • Injection of the ThreatNeedle and wAgent malware into that process

At later stages, Lazarus deployed:

  • SignBT and CopperHedge for broader payload delivery
  • LPEClient for profiling victims
  • Agamemnon for downloading additional malware
  • A credential dumping tool to extract sensitive access data

Why This Campaign Matters

There are a few key takeaways I want to highlight:

1. Lazarus is evolving. Their ability to understand and exploit country-specific security tools shows a high level of sophistication. They aren't relying on generic exploits; they're targeting software that is used almost exclusively in South Korea.

2. This wasn't opportunistic. The sites used in the watering-hole attacks were handpicked to lure users from the targeted industries. This is a tailored campaign, not spray-and-pray.

3. The malware is getting stealthier. Kaspersky's analysis showed that Lazarus is refining its malware to evade detection, running Windows commands by hand for reconnaissance and staging the attack carefully inside internal systems. The upside for defenders is that both the injection into a legitimate process and the reconnaissance commands leave parent-child process relationships in endpoint telemetry, which is where hunting for this campaign should start.
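As a worked illustration of the two detection points in this write-up, the SyncHost.exe injection host from the infection chain and the hand-typed reconnaissance commands mentioned above, here is a small Python hunt over process-creation telemetry. It is an added example, not code from the original post, from Kaspersky, or from Lazarus's tooling. The sample log records are constructed in a Sysmon Event ID 1 style, the Cross EX executable name CrossEXPlugin.exe is an assumed placeholder, and the allowlist of normal SyncHost.exe parents (svchost.exe, services.exe) is an assumption to tune against your own baseline.

```python
"""Hunt for SyncHole-style injection hosts in process-creation telemetry.

Added example for this post; not code from the original page, from
Kaspersky, or from Lazarus's tooling. Sample records below are
constructed in a Sysmon Event ID 1 style. The Cross EX executable name
and the allowlist of normal SyncHost.exe parents are assumptions.
"""
import ntpath
from collections import defaultdict

# Assumption: on a healthy host SyncHost.exe is started by a Windows
# service host, never by a browser-plugin process. Tune per environment.
ALLOWED_SYNCHOST_PARENTS = {"svchost.exe", "services.exe"}

# Built-in commands typically run by hand for post-exploitation recon.
RECON_IMAGES = {
    "whoami.exe", "ipconfig.exe", "systeminfo.exe", "net.exe", "net1.exe",
    "tasklist.exe", "netstat.exe", "nltest.exe", "arp.exe", "hostname.exe",
}
RECON_THRESHOLD = 3  # distinct recon commands under one host before alerting

# Constructed sample events (not real telemetry): pid, parent pid,
# image path, parent image path, command line.
SAMPLE_EVENTS = [
    # Benign: Windows itself starting the setting-sync host.
    {"pid": 900, "ppid": 612, "image": r"C:\Windows\System32\SyncHost.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmd": "SyncHost.exe -Embedding"},
    # Suspicious: SyncHost.exe spawned by a browser-plugin process
    # (CrossEXPlugin.exe is an assumed placeholder name).
    {"pid": 4100, "ppid": 3120, "image": r"C:\Windows\System32\SyncHost.exe",
     "parent": r"C:\Program Files\CrossEXPlugin\CrossEXPlugin.exe", "cmd": "SyncHost.exe"},
    # Hand-typed reconnaissance through a cmd.exe child of that host.
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\SyncHost.exe", "cmd": "cmd.exe"},
    {"pid": 4201, "ppid": 4200, "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "whoami"},
    {"pid": 4202, "ppid": 4200, "image": r"C:\Windows\System32\ipconfig.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "ipconfig /all"},
    {"pid": 4203, "ppid": 4200, "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "net user"},
    {"pid": 4204, "ppid": 4200, "image": r"C:\Windows\System32\tasklist.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "tasklist /v"},
    # Benign: an administrator checking their own account from Explorer.
    {"pid": 5000, "ppid": 1500, "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "whoami /groups"},
]


def _base(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def _ancestors(pid, by_pid, max_depth=6):
    """Yield ancestor pids of `pid`, walking as far as the log allows."""
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and len(seen) < max_depth and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        yield cur["ppid"]
        cur = by_pid.get(cur["ppid"])


def hunt(events):
    """Return findings for the two SyncHole-style patterns."""
    by_pid = {e["pid"]: e for e in events}
    findings = []

    # Rule 1: SyncHost.exe whose parent is not a normal Windows parent
    # (the injection-host pattern from the infection chain).
    suspicious_hosts = set()
    for e in events:
        if _base(e["image"]) == "synchost.exe" and \
                _base(e["parent"]) not in ALLOWED_SYNCHOST_PARENTS:
            suspicious_hosts.add(e["pid"])
            findings.append({"rule": "synchost-unusual-parent",
                             "pid": e["pid"], "parent": _base(e["parent"])})

    # Rule 2: a burst of built-in recon commands whose ancestry leads back
    # to one of those hosts; recon run from elsewhere is ignored.
    recon_by_host = defaultdict(list)
    for e in events:
        if _base(e["image"]) not in RECON_IMAGES:
            continue
        for anc in _ancestors(e["pid"], by_pid):
            if anc in suspicious_hosts:
                recon_by_host[anc].append(_base(e["image"]))
                break
    for host, cmds in recon_by_host.items():
        if len(set(cmds)) >= RECON_THRESHOLD:
            findings.append({"rule": "recon-burst-from-injected-host",
                             "pid": host, "commands": sorted(set(cmds))})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 on its own is enough to surface the injection host; rule 2 walks each reconnaissance command's ancestry back to that host, so an administrator running whoami from Explorer does not trip it, while four distinct recon binaries under the suspicious SyncHost.exe do. The parent allowlist is the part most likely to need tuning, since some endpoint agents legitimately spawn system processes.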
