Lazarus APT updates its toolset in watering hole attacks

April 24, 2025, 1:41 p.m.

Description

The Lazarus group has launched a sophisticated attack campaign, dubbed 'Operation SyncHole', targeting South Korean organizations. The operation combines watering hole attacks with the exploitation of vulnerabilities in software widely deployed in South Korea. At least six organizations in the software, IT, financial, semiconductor manufacturing, and telecommunications industries were compromised. The attackers used updated versions of known Lazarus malware tools, including ThreatNeedle, wAgent, and COPPERHEDGE, and exploited vulnerabilities in the Cross EX and Innorix Agent software for initial access and lateral movement. The campaign demonstrates the group's ongoing focus on supply chain attacks against South Korean entities and its deep understanding of the local software ecosystem.

Date

  • Created: April 24, 2025, 8:13 a.m.
  • Published: April 24, 2025, 8:13 a.m.
  • Modified: April 24, 2025, 1:41 p.m.

Attack Patterns

  • Agamemnon downloader
  • wAgent
  • ThreatNeedle - S0665
  • SIGNBT
  • COPPERHEDGE
  • Lazarus

Additional Information

  • Technology
  • Finance
  • Telecommunications
  • Manufacturing