In a recent cyber espionage operation, the notorious Lazarus hacker group, believed to be affiliated with North Korea, has targeted multiple organizations in South Korea spanning industries like software, IT, finance, semiconductor manufacturing, and telecommunications. The group utilized a watering hole attack tactic in conjunction with exploiting a vulnerability in a file transfer client that is commonly used in South Korea for financial and administrative purposes. This campaign, dubbed ‘Operation SyncHole’ by researchers at Kaspersky, resulted in the compromise of at least six organizations between November 2024 and February 2025.
While the identified victims include organizations in various sectors, Kaspersky's researchers are confident that there are likely more affected entities across a wider range of industries, given how widely the exploited software is used. The vulnerability the hackers leveraged was already known to the software vendor and had been exploited in previous attacks by malicious actors.
The attack methodology employed by Lazarus hackers began with individuals visiting legitimate South Korean media portals that had been previously compromised by the threat group. These portals were rigged with server-side scripts designed to profile visitors and redirect selected targets to malicious domains. Victims were redirected to fake websites imitating software vendors, such as the distributor of Cross EX, a tool essential for secure online interactions like banking and government transactions in South Korea.
Although the exact mechanism through which Cross EX was exploited to deliver malware remains unclear, Kaspersky’s investigation indicates that the attackers elevated their privileges during the exploitation process, often executing operations with high integrity levels. The malicious JavaScript on the fraudulent website was used to exploit the Cross EX software and facilitate malware delivery to the victims.
The exploitation chain initiated by the attackers deployed the ‘SyncHost.exe’ process and injected shellcode to load the ‘ThreatNeedle’ backdoor, which can execute multiple commands on the compromised host. Kaspersky observed several different infection chains among the confirmed victims, differing in both the initial and later stages of the attack, which highlights the attackers’ adaptability and the diversity of their tactics.
Attributing the compromises to the Lazarus hacker group, Kaspersky pointed out distinct characteristics and techniques specific to the threat actor, indicating their connection to the North Korean government. The cybersecurity firm also noted that Lazarus is transitioning towards utilizing lightweight and modular tools to enhance stealthiness and configurability, as evidenced by recent malware samples from Operation SyncHole.
Following their investigation, Kaspersky shared their findings with the Korea Internet & Security Agency (KrCERT/CC) and confirmed that patches have been released to address the vulnerabilities exploited in this campaign. Additionally, the researchers discovered a previously unknown zero-day vulnerability in Innorix Agent software, which allowed arbitrary file downloads. This security issue was responsibly disclosed to the vendor and promptly addressed in a subsequent update.
Overall, Operation SyncHole underscores the persistent and evolving cyber threats faced by organizations, highlighting the importance of proactive cybersecurity measures and swift patching of software vulnerabilities to mitigate potential risks posed by sophisticated threat actors like Lazarus.