{
	"id": "8944e728-d2bf-4bc6-ad7f-49bf337b66e2",
	"created_at": "2026-04-06T00:12:16.82714Z",
	"updated_at": "2026-04-10T03:38:19.821683Z",
	"deleted_at": null,
	"sha1_hash": "6f74388bf9e24ad594c4d19b7d4e14e4b255ca62",
	"title": "Operation SyncHole: Lazarus APT goes back to the well",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2064095,
	"plain_text": "Operation SyncHole: Lazarus APT goes back to the well\r\nBy Sojun Ryu\r\nPublished: 2025-04-24 · Archived: 2026-04-05 19:47:10 UTC\r\nWe have been tracking the latest attack campaign by the Lazarus group since last November, as it targeted\r\norganizations in South Korea with a sophisticated combination of a watering hole strategy and vulnerability\r\nexploitation within South Korean software. The campaign, dubbed “Operation SyncHole”, has impacted at least\r\nsix organizations in South Korea’s software, IT, financial, semiconductor manufacturing, and telecommunications\r\nindustries, and we are confident that many more companies have actually been compromised. We immediately\r\ntook action by communicating meaningful information to the Korea Internet \u0026 Security Agency (KrCERT/CC)\r\nfor rapid action upon detection, and we have now confirmed that the software exploited in this campaign has all\r\nbeen updated to patched versions.\r\nTimeline of the operation\r\nOur findings in a nutshell:\r\nAt least six South Korean organizations were compromised by a watering hole attack combined with\r\nexploitation of vulnerabilities by the Lazarus group.\r\nA one-day vulnerability in Innorix Agent was also used for lateral movement.\r\nVariants of Lazarus’ malicious tools, such as ThreatNeedle, Agamemnon downloader, wAgent, SIGNBT,\r\nand COPPERHEDGE, were discovered with new features.\r\nBackground\r\nThe initial infection was discovered in November of last year when we detected a variant of the ThreatNeedle\r\nbackdoor, one of the Lazarus group’s flagship malicious tools, used against a South Korean software company. We\r\nfound that the malware was running in the memory of a legitimate SyncHost.exe process, and was created as a\r\nsubprocess of Cross EX, legitimate software developed in South Korea. 
This potentially was the starting point for\r\nhttps://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/\r\nPage 1 of 16\n\nthe compromise of five further organizations in South Korea. Additionally, according to a recent security advisory\r\nposted on the KrCERT website, there appear to be recently patched vulnerabilities in Cross EX, which were\r\naddressed during the timeframe of our research.\r\nIn the South Korean internet environment, online banking and government websites require the installation of\r\nparticular security software to support functions such as anti-keylogging and certificate-based digital signatures.\r\nHowever, due to the nature of these software packages, they constantly run in the background to interact with the\r\nbrowser. The Lazarus group shows a strong grasp of these specifics and is using a South Korea-targeted strategy\r\nthat combines vulnerabilities in such software with watering hole attacks. The South Korean National Cyber\r\nSecurity Center published its own security advisory in 2023 against such incidents, and also published additional\r\njoint security advisories in cooperation with the UK government.\r\nCross EX is designed to enable the use of such security software in various browser environments, and is executed\r\nwith user-level privileges except immediately after installation. Although the exact method by which Cross EX\r\nwas exploited to deliver malware remains unclear, we believe that the attackers escalated their privileges during\r\nthe exploitation process, as we confirmed the process was executed with a high integrity level in most cases. 
The\r\nfacts below led us to conclude that a vulnerability in the Cross EX software was most likely leveraged in this\r\noperation.\r\nThe most recent version of Cross EX at the time of the incidents was installed on the infected PCs.\r\nExecution chains originating from the Cross EX process that we observed across the targeted organizations\r\nwere all identical.\r\nThe incidents that saw the Synchost process abused to inject malware were concentrated within a short\r\nperiod of time: between November 2024 and February 2025.\r\nIn the earliest attack of this operation, the Lazarus group also exploited another South Korean software product,\r\nInnorix Agent, leveraging a vulnerability to facilitate lateral movement, enabling the installation of additional\r\nmalware on a targeted host of their choice. They even developed malware to exploit this, avoiding repetitive tasks\r\nand streamlining processes. The exploited software, Innorix Agent (version 9.2.18.450 and earlier), was\r\npreviously abused by the Andariel group, while the malware we obtained targeted the more recent version\r\n9.2.18.496.\r\nWhile analyzing the malware’s behavior, we discovered an additional arbitrary file download zero-day\r\nvulnerability in Innorix Agent, which we managed to detect before any threat actors used it in their attacks. We\r\nreported the issues to the Korea Internet \u0026 Security Agency (KrCERT) and the vendor. The software has since\r\nbeen updated with patched versions.\r\nInstalling malware through vulnerabilities in software exclusively developed in South Korea is a key part of the\r\nLazarus group’s strategy to target South Korean entities, and we previously disclosed a similar case in 2023, as did\r\nESET and KrCERT.\r\nInitial vector\r\nThe infection began when the user of a targeted system accessed several South Korean online media sites. 
Shortly\r\nafter visiting one particular site, the machine was compromised by the ThreatNeedle malware, suggesting that the\r\nsite played a key role in the initial delivery of the backdoor. During the analysis, it was discovered that the\r\ninfected system was communicating with a suspicious IP address. Further examination revealed that this IP hosted\r\ntwo domains (T1583.001), both of which appeared to be hastily created car rental websites using publicly\r\navailable HTML templates.\r\nAppearance of www.smartmanagerex[.]com\r\nThe first domain, www.smartmanagerex[.]com, seemed to be masquerading as software provided by the same\r\nvendor that distributes Cross EX. Based on these findings, we reconstructed the following attack scenario.\r\nAttack flow during initial compromise\r\nGiven that online media sites are typically visited quite frequently by a wealth of users, the Lazarus group filters\r\nvisitors with a server-side script and redirects desired targets to an attacker-controlled website (T1608.004). We\r\nassess with medium confidence that the redirected site may have executed a malicious script (T1189), targeting a\r\npotential flaw in Cross EX (T1190) installed on the target PC, and launching malware. The script then ultimately\r\nexecuted the legitimate SyncHost.exe and injected a shellcode that loaded a variant of ThreatNeedle into that\r\nprocess. This chain, which ends with the malware being injected into SyncHost.exe, was common to all of the\r\naffected organizations we identified, meaning that the Lazarus group has conducted extensive operations against\r\nSouth Korea over the past few months with the same vulnerability and the same exploit.\r\nExecution flow\r\nWe have divided this operation into two phases based on the malware used. 
The first phase focused primarily on\r\nthe execution chain involving ThreatNeedle and wAgent. It was then followed by the second phase, which\r\ninvolved the use of SIGNBT and COPPERHEDGE.\r\nWe derived a total of four different malware execution chains based on these phases from at least six affected\r\norganizations. In the first infection case, we found a variant of the ThreatNeedle malware, but in subsequent\r\nattacks, the SIGNBT malware took its place, thus launching the second phase. We believe this is due to the quick\r\nand aggressive action we took with the first victim. In subsequent attacks, the Lazarus group introduced three\r\nupdated infection chains including SIGNBT, and we observed a wider range of targets and more frequent attacks.\r\nThis suggests that the group may have realized that their carefully prepared attacks had been exposed, and\r\nextensively leveraged the vulnerability from then on.\r\nChains of infection across the operation\r\nFirst-phase malware\r\nIn the first infection chain, many updated versions of the malware previously used by the Lazarus group were\r\nused.\r\nVariant of ThreatNeedle\r\nThe ThreatNeedle sample used in this campaign was also referred to as “ThreatNeedleTea” in a research paper\r\npublished by ESET; we believe this is an updated version of the early ThreatNeedle. However, the ThreatNeedle\r\nseen in this attack had been modified with additional features.\r\nThis version of ThreatNeedle is divided into Loader and Core samples. The Core version retrieves five\r\nconfiguration files from C_27098.NLS to C_27102.NLS, and contains a total of 37 commands. 
The Loader\r\nversion, meanwhile, references only two configuration files and implements only four commands.\r\nThe Core component receives a specific command from the C2, resulting in an additional loader file being created\r\nfor the purpose of persistence. This file can be disguised as the ServiceDLL value of a legitimate service in the\r\nnetsvcs group (T1543.003), the IKEEXT service (T1574.001), or registered as a Security Service Provider (SSP)\r\n(T1547.005). It ultimately loads the ThreatNeedle Loader component.\r\nBehavior flow to load ThreatNeedle Loader by target service\r\nThe updated ThreatNeedle generates a random key pair based on the Curve25519 algorithm (T1573.002), sends\r\nthe public key to the C2 server, and then receives the attacker’s public key. Finally, the generated private key and\r\nthe attacker’s public key are combined via scalar multiplication to create a shared key, which is then used as the key for the\r\nChaCha20 algorithm to encrypt the data (T1573.001). The data is sent and received in JSON format.\r\nLPEClient\r\nLPEClient is a tool known for victim profiling and payload delivery (T1105) that has previously been observed in\r\nattacks on defense contractors and the cryptocurrency industry. We disclosed that this tool had been loaded by\r\nSIGNBT when we first documented SIGNBT malware. However, we did not observe LPEClient being loaded by\r\nSIGNBT in this campaign. It was only loaded by the variant of ThreatNeedle.\r\nVariant of wAgent\r\nIn addition to the variant of ThreatNeedle, a variant of the wAgent malware was also discovered in the first\r\naffected organization. wAgent is a malicious tool that we documented in 2020, and a similar version was\r\nmentioned in Operation GoldGoblin by KrCERT. 
The origin of its creation is still shrouded in mystery, but we\r\ndiscovered that the wAgent loader was disguised as liblzma.dll and executed via the command line rundll32.exe c:\\Programdata\\intel\\util.dat, afunix 1W2-UUE-ZNO-B99Z (T1218.011). The export function retrieves the given\r\nfilename 1W2-UUE-ZNO-B99Z in C:\\ProgramData, which also serves as the decryption key. After converting\r\nthis filename into wide bytes, it uses the highest 16 bytes of the resulting value as the key for the AES-128-CBC\r\nalgorithm and decrypts (T1140) the contents of the file located in C:\\ProgramData (T1027.013). The upper four\r\nbytes of the decrypted data subsequently represent the size of the payload (T1027.009), which we identified as an\r\nupdated version of the wAgent malware.\r\nThe variant of wAgent has the ability to receive data in both form-data and JSON formats, depending on the C2\r\nserver it succeeds in reaching. Notably, it includes the __Host-next-auth-token key within the Cookie field in the\r\nrequest header during the communication (T1071.001), carrying the communication sequence number with\r\nrandom digits appended. The newly observed change in this version is that the open-source GNU Multiple-Precision (GMP)\r\nlibrary is employed to carry out RSA encryption computations, which is a previously unseen library in malware\r\nused by the Lazarus group. According to the wAgent configuration file, it is identified as the x64_2.1 version. This\r\nversion manages payloads using a C++ STL map, with emphasis on receiving additional payloads from the C2 and\r\nloading them directly into memory, along with creating a shared object. 
With this object, the main module is able\r\nto exchange command parameters and execution results with the delivered plugins.\r\nOperational structure of the wAgent variant\r\nVariant of the Agamemnon downloader\r\nThe Agamemnon downloader is also responsible for downloading and executing additional payloads received\r\nfrom the C2 server. Although we did not obtain the configuration file of Agamemnon, it receives commands from\r\nthe C2 and executes the payload by parsing the commands and parameters based on ;; characters, which serve as\r\ncommand and parameter delimiters. The mode value in the response passed with a 2 command determines how\r\nto execute the additional payload, which is delivered along with a 3 command. There are two methods of\r\nexecution: the first one is to load the payload reflectively (T1620), which is commonly used in malware, whereas\r\nthe second one is to utilize the open-source Tartarus-TpAllocInject technique, which we have not previously seen\r\nin malware from the Lazarus group.\r\nStructure of the commands where additional data is passed\r\nThe open-source loader is built on top of another open-source loader named Tartarus’ Gate. Tartarus’ Gate is based\r\non Halo’s Gate, which is in turn based on Hell’s Gate. All of these techniques are designed to bypass security\r\nproducts such as antivirus and EDR solutions, but they load the payload in different ways.\r\nInnorix Agent exploit for lateral movement\r\nUnlike the previously mentioned tools, the Innorix abuser is used for lateral movement. It is downloaded by the\r\nAgamemnon downloader (T1105) and exploits a specific version of a file transfer software tool developed in\r\nSouth Korea, Innorix Agent, to fetch additional malware on internal hosts (T1570). 
Innorix Agent is another\r\nsoftware product that is mandatory for some financial and administrative tasks in the South Korean internet\r\nenvironment, meaning that it is likely to be installed on many PCs of both corporations and individuals in South\r\nKorea, and any user with a vulnerable version is potentially a target. The malware embeds a license key allegedly\r\nbound to version 9.2.18.496, which allows it to perform lateral movement by generating malicious traffic\r\ndisguised as legitimate traffic against targeted network PCs.\r\nThe Innorix abuser is given parameters from the Agamemnon downloader: the target IP, URL to download a file,\r\nand file size. It then delivers a request to that target IP to check if Innorix Agent is installed and running. If a\r\nsuccessful response is returned, the malware assumes that the software is running properly on the targeted host\r\nand transmits traffic that allows the target to download the additional files from the given URL due to a lack of\r\ntraffic validation.\r\nSteps to deploy additional malware via the Innorix abuser\r\nThe actor created a legitimate AppVShNotify.exe and a malicious USERENV.dll file in the same path via the\r\nInnorix abuser, and then executed the former using a legitimate feature of the software. The USERENV.dll was\r\nsideloaded (T1574.002) as a result, which ultimately led to the execution of ThreatNeedle and LPEClient on the\r\ntargeted hosts, thus launching the infection chain on previously unaffected machines.\r\nWe reported this vulnerability to KrCERT due to the potentially dangerous impact of the Innorix abuser, but were\r\ninformed that the vulnerability has been exploited and reported in the past. 
We have confirmed that this malware\r\ndoes not work effectively in environments with Innorix Agent versions other than 9.2.18.496.\r\nIn addition, while digging into the malware’s behavior, we identified an additional arbitrary file download\r\nvulnerability that applies to versions up to 9.2.18.538. It is tracked as KVE-2025-0014 and we have not yet found\r\nany evidence of its use in the wild. KVE is a vulnerability identification number issued exclusively by KrCERT.\r\nWe successfully contacted Innorix to share our findings containing the vulnerabilities via KrCERT, and they\r\nmanaged to release a patched version in March with both vulnerabilities fixed.\r\nSecond-phase malware\r\nThe second phase of the operation also introduces newer versions of malicious tools previously seen in Lazarus\r\nattacks.\r\nSIGNBT\r\nThe SIGNBT we documented in 2023 was version 1.0, but in this attack, version 0.0.1 was used at the forefront.\r\nIn addition, we identified a more recent version, SIGNBT 1.2. Unlike versions 1.0 and 0.0.1, the 1.2 version had\r\nminimal remote control capabilities and was focused on executing additional payloads. The malware developers\r\nnamed this version “Hijacking”.\r\nIn the second phase of this operation, SIGNBT 0.0.1 was the initial implant executed in memory in SyncHost.exe\r\nto fetch additional malware. In this version, the C2 server was hardcoded without reference to any configuration\r\nfiles. During this investigation, we found a credential dumping tool that was fetched by SIGNBT 0.0.1, identical\r\nto what we have seen in previous attacks.\r\nAs for version 1.2, it fetches the path to the configuration file from its resources and retrieves the file to obtain C2\r\nserver addresses. We were able to extract two configuration file paths from each identified SIGNBT 1.2 sample,\r\nwhich are shown below. 
Another change in SIGNBT 1.2 is that the number of prefixes starting with SIGN is\r\nreduced to only three: SIGNBTLG, SIGNBTRC, and SIGNBTSR. The malware receives an RSA public key from\r\nthe C2 and encrypts a randomly generated AES key using the public key. All traffic is encrypted with the\r\ngenerated AES key.\r\nConfiguration file path 1: C:\\ProgramData\\Samsung\\SamsungSettings\\settings.dat\r\nConfiguration file path 2: C:\\ProgramData\\Microsoft\\DRM\\Server\\drm.ver\r\nContents of the configuration file:\r\n{\r\n    proxylist: [{ // C2 server list\r\n        proxy: \"https%0x3A//builsf[.]com/inc/left.php\"\r\n    },\r\n    {\r\n        proxy: \"https%0x3A//www.rsdf[.]kr/wp-content/uploads/2024/01/index.php\"\r\n    },\r\n    {\r\n        proxy: \"http%0x3A//www.shcpump[.]com/admin/form/skin/formBasic/style.php\"\r\n    },\r\n    {\r\n        proxy: \"https%0x3A//htns[.]com/eng/skin/member/basic/skin.php\"\r\n    },\r\n    {\r\n        proxy: \"https%0x3A//kadsm[.]org/skin/board/basic/write_comment_skin.php\"\r\n    },\r\n    {\r\n        proxy: \"http%0x3A//bluekostec[.]com/eng/community/write.asp\"\r\n    },\r\n    {\r\n        proxy: \"http%0x3A//dream.bluit.gethompy[.]com/mobile/skin/board/gallery/index.skin.php\"\r\n    }],\r\n    wake: 1739839071, // Timestamp of Tuesday, February 18, 2025 12:37:51 AM\r\n    status: 1 // It means the scheduled execution time is set.\r\n}\r\nCOPPERHEDGE\r\nCOPPERHEDGE is a malicious tool that was named by US-CERT in 2020. It is a Manuscrypt variant and was\r\nprimarily used in the DeathNote cluster attacks. 
Unlike the other malware used in this operation,\r\nCOPPERHEDGE has not changed dramatically, with only a few commands slightly changed compared to\r\nthe older versions. This version, however, retrieves configuration information such as the C2 server address from\r\nthe ADS %appdata%\\Microsoft\\Internet Explorer\\brndlog.txt:loginfo (T1564.004). The malware then sends HTTP\r\ntraffic to C2 with three or four parameters for each request, where the parameter name is chosen randomly out of\r\nthree names in any order.\r\nFirst HTTP parameter name: bih, aqs, org\r\nSecond HTTP parameter name: wib, rlz, uid\r\nThird HTTP parameter name: tib, hash, lang\r\nFourth HTTP parameter name: ei, ie, oq\r\nThe actor primarily used the COPPERHEDGE malware to conduct internal reconnaissance in this operation.\r\nThere are a total of 30 commands from 0x2003 to 0x2032, and 11 response codes from 0x2040 to 0x2050 inside\r\nthe COPPERHEDGE backdoor.\r\nThe evolution of Lazarus malware\r\nIn recent years, the malware used by the Lazarus group has been rapidly evolving toward lighter weight and\r\nmodularization. This applies not only to newly added tools, but also to malware that has been used in the past. We\r\nhave observed such changes for a few years, and we believe there are more on the way.\r\nMalware | Use of asymmetric encryption | Load plugins | Divided into core and loader version\r\nMISTPEN | – | O | –\r\nCookiePlus | O (RSA) | O | –\r\nThreatNeedle | O (Curve25519) | O | O\r\nwAgent (downloader) | O (RSA) | O | –\r\nAgamemnon downloader | – | – | –\r\nSIGNBT | O (RSA) | O | O\r\nCOPPERHEDGE | O (RSA) | – | O\r\n(O = feature present, – = feature absent)\r\nDiscoveries\r\nDuring our investigation into this campaign, we gained extensive insight into the Lazarus group’s post-exploitation strategy. 
After installing the COPPERHEDGE malware, the actor executed numerous Windows\r\ncommands to gather basic system information (T1082, T1083, T1057, T1049, T1016, T1087.001), create a\r\nmalicious service (T1569.002, T1007) and attempt to find valuable hosts to perform lateral movement\r\n(T1087.002, T1135).\r\nWhile analyzing the commands executed by the actor, we were able to identify a mistake the actor made when using the\r\ntaskkill command: the /im parameter of taskkill stands for imagename and expects the image\r\nname of the process, not the process ID. This shows that the actor is still performing internal reconnaissance by\r\nmanually entering commands.\r\nInfrastructure\r\nThroughout this operation, most of the C2 servers were legitimate but compromised websites in South Korea\r\n(T1584.001), further indicating that this operation was highly focused on South Korea. In the first phase, other\r\nmedia sites were utilized as C2 servers to avoid detection of media-initiated watering hole attacks. However, as\r\nthe infection chain turned to the second phase, legitimate sites in various other industries were additionally\r\nexploited.\r\nUnlike other cases, LPEClient’s C2 server was hosted by the same hosting company as\r\nwww.smartmanagerex[.]com, which was deliberately created for initial compromise. Given that LPEClient is\r\nheavily relied upon by the Lazarus group for delivering additional payloads, it is likely that the attackers\r\ndeliberately rented and configured the server (T1583.003), assigning a domain under their control to maintain full\r\noperational flexibility. 
In addition to this, we also found that two domains that were exploited as C2 servers for\r\nSIGNBT 0.0.1 resolved to the same hosting company’s IP range.\r\nWe confirmed that the domain thek-portal[.]com belonged to a South Korean ISP until 2020 and was the\r\nlegitimate domain of an insurance company that was acquired by another company. Since then, the domain had\r\nbeen parked and its status was changed in February 2025, indicating that the Lazarus group re-registered the\r\ndomain to leverage it in this operation.\r\nAttribution\r\nThroughout this campaign, several malware samples were used that we managed to attribute to the Lazarus group\r\nthrough our long-running, dedicated research. Our attribution is supported by the\r\nhistorical use of the malware strains, as well as their TTPs, all of which have been well documented by numerous\r\nsecurity solutions vendors and governments. Furthermore, we have analyzed the execution time of the Windows\r\ncommands delivered by the COPPERHEDGE malware, the build timestamps of all malicious samples we\r\ndescribed above, and the time of initial compromise per host, demonstrating that the timeframes were mostly\r\nconcentrated between GMT 00:00 and 09:00. Based on our knowledge of normal working hours in various time\r\nzones, we can infer that the actor is located in the GMT+09 time zone.\r\nTimeline of malicious activity\r\nVictims\r\nWe identified at least six software, IT, financial, semiconductor manufacturing and telecommunication\r\norganizations in South Korea that fell victim to “Operation SyncHole”. 
However, we are confident that there are\r\nmany more affected organizations across a broader range of industries, given the popularity of the software\r\nexploited by Lazarus in this campaign.\r\nConclusion\r\nThis is not the first time that the Lazarus group exploited supply chains with a full understanding of the software\r\necosystem in South Korea. We have already described similar attacks in our analysis reports on the Bookcode\r\ncluster in 2020, the DeathNote cluster in 2022, and the SIGNBT malware in 2023. All of these cases targeted\r\nsoftware developed by South Korean vendors that required installation for online banking and government\r\nservices. Both of the software products exploited in this case are in line with past cases, meaning that the Lazarus\r\ngroup is endlessly adopting an effective strategy based on cascading supply chain attacks.\r\nThe Lazarus group’s specialized attacks targeting supply chains in South Korea are expected to continue in the\r\nfuture. Our research over the past few years provided evidence that many software development vendors in Korea\r\nhave already been attacked, and if the source code of a product has been compromised, other zero-day\r\nvulnerabilities may continue to be discovered. The attackers are also making efforts to minimize detection by\r\ndeveloping new malware or enhancing existing malware. In particular, they introduce enhancements to the\r\ncommunication with the C2, command structure, and the way they send and receive data.\r\nWe have proven that accurate detection and quick response can effectively deter their tactics, and in the meantime,\r\nwe were able to remediate vulnerabilities and mitigate attacks to minimize damage. We will continue to monitor\r\nthe activity of this group and remain agile in responding to their changes. We also recommend using reliable\r\nsecurity solutions to stay alert and mitigate potential risks. 
Our product line for businesses helps identify and\r\nprevent attacks of any complexity at an early stage.\r\nKaspersky products detect the exploits and malware used in this attack with the following verdicts:\r\nTrojan.Win64.Lazarus.*, Trojan.Win32.Lazarus.*, MEM:Trojan.Win32.Cometer.gen,\r\nMEM:Trojan.Win32.SEPEH.gen, Trojan.Win32.Manuscrypt.*, Trojan.Win64.Manuscrypt.*,\r\nTrojan.Win32.Zenpak.*.\r\nIndicators of Compromise\r\nMore IoCs are available to customers of the Kaspersky Intelligence Reporting Service. Contact:\r\nintelreports@kaspersky.com.\r\nVariant of the ThreatNeedle loader\r\nf1bcb4c5aa35220757d09fc5feea193b C:\\System32\\PCAuditex.dll\r\nVariant of the wAgent loader\r\ndc0e17879d66ea9409cdf679bfea388c C:\\ProgramData\\intel\\util.dat\r\nCOPPERHEDGE dropper\r\n2d47ef0089010d9b699cd1bbbc66f10a %AppData%\\hnc\\_net.tmp\r\nC2 servers\r\nwww[.]smartmanagerex[.]com\r\nhxxps://thek-portal[.]com/eng/career/index.asp\r\nhxxps://builsf[.]com/inc/left.php\r\nhxxps://www[.]rsdf[.]kr/wp-content/uploads/2024/01/index.php\r\nhxxp://www[.]shcpump[.]com/admin/form/skin/formBasic/style.php\r\nhxxps://htns[.]com/eng/skin/member/basic/skin.php\r\nhxxps://kadsm[.]org/skin/board/basic/write_comment_skin.php\r\nhxxp://bluekostec[.]com/eng/community/write.asp\r\nhxxp://dream.bluit.gethompy[.]com/mobile/skin/board/gallery/index.skin.php\r\nSource: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/"
	],
	"report_names": [
		"116326"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f74388bf9e24ad594c4d19b7d4e14e4b255ca62.pdf",
		"text": "https://archive.orkl.eu/6f74388bf9e24ad594c4d19b7d4e14e4b255ca62.txt",
		"img": "https://archive.orkl.eu/6f74388bf9e24ad594c4d19b7d4e14e4b255ca62.jpg"
	}
}