Operation SyncHole: Lazarus APT targets supply chains in South Korea

Pierluigi Paganini
April 25, 2025

The Lazarus Group, linked to North Korea, aimed its cyber espionage campaign, dubbed Operation SyncHole, at at least six enterprises in South Korea.

According to Kaspersky analysts, Lazarus, a group associated with North Korea, targeted a minimum of six organizations in South Korea in a cyber espionage operation named Operation SyncHole.

The campaign has been active since November 2024. The Lazarus Group combined a watering-hole strategy with the exploitation of software vulnerabilities to target organizations in South Korea, particularly in the IT, finance, semiconductor, and telecom sectors, and more organizations were likely affected.

The researchers, who notified the Korea Internet & Security Agency (KrCERT/CC), discovered that the threat actor used a one-day vulnerability in Innorix Agent for lateral movement.

The attackers used various hacking tools and malware, including ThreatNeedle, the Agamemnon downloader, wAgent, SIGNBT, and COPPERHEDGE.

“The initial infection was detected in November of the previous year, when a variation of the ThreatNeedle backdoor, one of Lazarus group’s main malicious tools, was identified in an attack on a South Korean software company. It was observed that the malware was operating within a legitimate SyncHost.exe process’ memory, operating as a sub-process of Cross EX, a legitimate South Korean software,” states the report released by Kaspersky. “This could possibly have been the entry point for compromising five other organizations in South Korea.”

In South Korea, various government and banking websites require users to install specific security software for functions such as anti-keylogging and digital signatures. These applications run continuously in the background, which makes them attractive targets. The Lazarus Group, linked to North Korea, exploited vulnerabilities in one such product, Cross EX, using it in watering hole attacks aimed at sectors specific to South Korea. The malware injection originated from Cross EX and was executed with elevated system privileges, suggesting a privilege escalation. The National Cyber Security Center of South Korea had previously released advisories [1, 2] about these risks in 2023, and had also issued joint warnings with the UK. The incidents, all showing the same execution pattern and the same version of Cross EX, occurred from November 2024 to February 2025, confirming a coordinated, targeted operation.
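One way a defender could turn the execution pattern described above (malicious code running inside a legitimate SyncHost.exe that Cross EX launched) into triage logic over process telemetry. This is an added example, not code from this article or from the Kaspersky report. The Cross EX install path, the allow-listed destination address, and the baseline assumption that the SyncHost.exe helper neither spawns child processes nor contacts arbitrary hosts are all assumptions (placeholders, since the page gives none of them), and the Sysmon-style event records are constructed for the example.

```python
"""Heuristic triage of process telemetry for the Cross EX / SyncHost.exe pattern.

Added example: not from the Kaspersky report or the article. All paths,
addresses and behavioural baselines below are assumptions or placeholders.
"""
from typing import Dict, List, Tuple

# ASSUMPTION (placeholder): install path of the Cross EX executable that is the
# only expected parent of SyncHost.exe on a host. The page does not give it.
EXPECTED_PARENT = r"C:\Program Files\CrossEX\CrossEX.exe"
# ASSUMPTION (placeholder): the only remote address the helper is expected to contact.
ALLOWED_DESTINATIONS = {"10.0.0.5"}

Alert = Tuple[str, int, str]  # (rule name, process id, detail)


def is_synchost(image: str) -> bool:
    """True if the image path names a SyncHost.exe binary (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] == "synchost.exe"


def triage(events: List[Dict]) -> List[Alert]:
    """Apply three baseline-deviation rules to Sysmon-style events.

    Rule 1: SyncHost.exe launched by anything other than the Cross EX executable.
    Rule 2: SyncHost.exe spawning a child process (assumed not to happen normally).
    Rule 3: SyncHost.exe connecting to a destination outside the allow list.
    """
    alerts: List[Alert] = []
    for ev in events:
        pid, image = ev["ProcessId"], ev["Image"]
        if ev["type"] == "ProcessCreate":
            parent = ev["ParentImage"]
            if is_synchost(image) and parent.lower() != EXPECTED_PARENT.lower():
                alerts.append(("synchost-unexpected-parent", pid, parent))
            if is_synchost(parent):
                alerts.append(("synchost-spawned-child", pid, image))
        elif ev["type"] == "NetworkConnect":
            dest = ev["DestinationIp"]
            if is_synchost(image) and dest not in ALLOWED_DESTINATIONS:
                alerts.append(("synchost-unexpected-destination", pid, dest))
    return alerts


# Constructed sample telemetry (not real logs); 203.0.113.17 is a documentation address.
SAMPLE_EVENTS = [
    # Expected: Cross EX launching its SyncHost.exe helper.
    {"type": "ProcessCreate", "ProcessId": 4100,
     "Image": r"C:\Program Files\CrossEX\SyncHost.exe",
     "ParentImage": r"C:\Program Files\CrossEX\CrossEX.exe"},
    # Expected: the helper talking to the allow-listed service.
    {"type": "NetworkConnect", "ProcessId": 4100,
     "Image": r"C:\Program Files\CrossEX\SyncHost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    # Deviation: the same helper process contacting an address off the allow list.
    {"type": "NetworkConnect", "ProcessId": 4100,
     "Image": r"C:\Program Files\CrossEX\SyncHost.exe",
     "DestinationIp": "203.0.113.17", "DestinationPort": 443},
    # Deviation: the helper spawning a command shell.
    {"type": "ProcessCreate", "ProcessId": 4188,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\CrossEX\SyncHost.exe"},
    # Deviation: a SyncHost.exe started from an unexpected location and parent.
    {"type": "ProcessCreate", "ProcessId": 5200,
     "Image": r"C:\Users\Public\SyncHost.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: pid={pid} {detail}")
```

The rules only flag deviations from an assumed baseline; the first two sample events show that the helper's normal launch and its allow-listed connection produce no alert, so the output is driven entirely by how accurately the baseline reflects the real product's behaviour on the deployment in question.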

The Lazarus group exploited weaknesses in South Korean software, particularly Innorix Agent and Cross EX, to breach systems, distribute malware, and move through victim networks. Infections started through compromised media sites, where malicious redirects and privilege escalation led to the deployment of the ThreatNeedle malware.

Operation SyncHole by the Lazarus group consists of two phases: an initial phase using ThreatNeedle and wAgent malware, followed by a transition to SIGNBT and COPPERHEDGE. Analysts revealed that after detecting and responding early to the first attack, the group altered its techniques, introducing three updated malware chains in subsequent, more frequent attacks across several targets.

“We identified a total of four different malware execution chains from at least six affected organizations based on these phases. In the first case of infection, we discovered a variant of the ThreatNeedle malware, but in the subsequent attacks, SIGNBT malware replaced it, marking the onset of the second phase. This change can be attributed to the prompt and aggressive measures taken against the first victim,” continued the report. “In the later attacks, the Lazarus group rolled out three updated infection chains incorporating SIGNBT, observing a broader target range and more frequent attacks. This indicates that the group likely realized their meticulously planned attacks had been exposed, prompting them to magnify their use of the vulnerability from then on.”

In the initial phase of the Lazarus group's campaign, the threat actor used updated versions of the ThreatNeedle, wAgent, and Agamemnon malware. ThreatNeedle was split into Loader and Core components, implementing sophisticated encryption (ChaCha20 with Curve25519) and persistence methods. wAgent featured AES-128-CBC decryption and used RSA via the GMP library. Agamemnon handled payload delivery with novel methods such as Tartarus-TpAllocInject. The group exploited South Korea-specific software, particularly Innorix Agent, for lateral movement, planting malware disguised as legitimate services. The subsequent phase introduced SIGNBT and COPPERHEDGE. SIGNBT 1.2 focused on payload delivery with encrypted C2 communication, while COPPERHEDGE was deployed for internal reconnaissance. This operation highlights the Lazarus group's shift to modular, evasive, and locally customized malware.

“The Lazarus group’s targeted attacks on South Korean supply chains are anticipated to persist in the future. Our study in recent years has uncovered evidence that numerous software development vendors in Korea have already faced attacks, and if a product’s source code has been compromised, additional zero-day vulnerabilities may continue to emerge,” concluded the report, which includes Indicators of Compromise (IoCs) for this operation. “The attackers are also striving to reduce detection by developing new malware or enhancing existing ones. In particular, improvements have been made to C2 communication, command setup, and data transmission and reception methods.”
