IT Brief Asia - Technology news for CIOs & IT decision-makers
Asia
Guides
#
artificial intelligence
#
digital transformation
#
disaster recovery
#
hybrid & remote work
#
internet of things
Search
Story image
#
Network Security
#
Financial Systems
#
Cybersecurity

Lazarus Group targets South Korean supply chains via software flaws

Today
Author image
By Catherine Knowles, Journalist

Kaspersky's Global Research and Analysis Team (GReAT) has identified a new cyber campaign led by the Lazarus Group targeting supply chains in South Korea through combined watering hole attacks and exploitation of vulnerabilities in third-party software.

The campaign, dubbed "Operation SyncHole," was observed targeting at least six organisations across the software, IT, financial, semiconductor, and telecommunications sectors. According to the Kaspersky GReAT report, the actual number of victims could be higher than those identified.

Kaspersky researchers discovered that the attackers leveraged a one-day vulnerability in Innorix Agent, a browser-integrated tool widely used for secure file transfers, particularly in administrative and financial systems within South Korea. This vulnerability allowed for lateral movement within targeted networks, ensuing in the installation of additional malware, including Lazarus's signature tools ThreatNeedle and LPEClient. These attacks were facilitated through the Agamemnon downloader and specifically targeted a vulnerable version of Innorix (9.2.18.496).

During the malware analysis, the GReAT team also uncovered a previously unknown zero-day vulnerability in the Innorix Agent software, which had not yet been exploited by attackers. The issue was reported to the Korea Internet & Security Agency (KrCERT) and the software vendor. The vendor has since issued a patched version addressing the vulnerability, now catalogued as KVE-2025-0014.

Sojun Ryu, Security Researcher at Kaspersky's GReAT, commented: "A proactive approach to cybersecurity is essential, and it was thanks to this mindset that our in-depth malware analysis uncovered a previously unknown vulnerability before any signs of active exploitation appeared. Early detection of such threats is key to preventing broader compromise across systems."

Before this recent discovery related to Innorix Agent, Kaspersky had identified that variants of the ThreatNeedle and SIGNBT backdoors were used in subsequent attacks against South Korea. The malware operated within the memory of a legitimate process, SyncHost.exe, and was initiated as a subprocess of Cross EX, a South Korean software application designed to facilitate the use of security tools across various browsers.

The investigation revealed that five additional organisations were affected through the same attack vector. In all instances, the infection appeared to stem from a vulnerability in Cross EX, which served as the entry point for the larger campaign. A recent security advisory from KrCERT confirmed the existence of a vulnerability in CrossEX, which has since been patched.

Igor Kuznetsov, Director of Kaspersky's GReAT, said: "Together, these findings reinforce a broader security concern: third-party browser plugins and helper tools significantly increase the attack surface, particularly in environments that rely on region-specific or outdated software. These components often run with elevated privileges, remain in memory, and interact deeply with browser processes, making them highly attractive and often easier targets for attackers than modern browsers themselves."

The Lazarus Group initiated their operation by compromising online media websites popular with many users. Utilising the watering hole technique, the actors filtered web traffic to single out individuals of interest, then selectively redirected those targets to attacker-controlled websites where the malicious attack chain commenced. This approach underscores the targeted and strategic methods employed by the group.

Kaspersky has updated its products to detect the exploits and malware used in these attacks, with detections labelled under various names including Trojan.Win64.Lazarus.*, MEM:Trojan.Win32.Cometer.gen, and others.

In response to these findings, Kaspersky has issued several recommendations for organisations seeking to defend against Lazarus and other advanced persistent threat (APT) attacks. The company advises keeping all software updated to mitigate vulnerabilities, conducting cybersecurity audits to identify and address system weaknesses, and using technologies offering real-time protection, threat visibility, and advanced response capabilities. Organisations are also encouraged to equip their information security staff with up-to-date threat intelligence to enable timely identification and management of cyber risks.

The Lazarus Group has been recognised as a highly resourced and persistent threat actor since at least 2009, consistently targeting critical sectors with complex multi-stage cyberattacks tailored to exploit region-specific technologies and software ecosystems.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
HPE unveils all-in-one secure gateway for small businesses
IT leaders embrace hybrid AI strategies amid rising challenges
Evernet to boost managed IT services with LogicMonitor AI tools
Survey shows enterprises shift towards software-driven pentesting
Quantum AI seeing rising business interest despite high costs
Top stories
Astrikos.Ai appoints four senior leaders to drive global growth
Iktos makes Makya drug design AI accessible on AWS Marketplace
How outsourcing and automation plug the cybersecurity skills gap
How ‘Cloud Adjudication’ benefits retailers in Southeast Asia
Nutanix & Pure Storage team up for flexible virtual workloads