In a recent surge of cyber activity attributed to North Korea’s notorious Lazarus Group, six South Korean firms across various industries have fallen victim to a targeted supply chain cyberattack campaign known as “Operation SyncHole.” The campaign, active since November 2024, was disclosed by Kaspersky’s Global Research and Analysis Team (GReAT) in an in-depth threat intelligence report.

Industries Targeted and Entry Point

The affected organizations span key sectors including IT, finance, semiconductors, telecommunications, and software. Lazarus Group infiltrated their systems through a strategic watering hole attack, compromising South Korean online media platforms frequented by the targeted companies’ employees. The attackers used these compromised websites to redirect visitors to malicious payloads hosted on attacker-controlled infrastructure.

The initial access was gained by exploiting a vulnerability in Cross EX, a legitimate application used widely in South Korea for online banking and government services. A further layer of complexity was added with the exploitation of a one-day vulnerability in Innorix Agent—a file transfer software often deployed within enterprise environments.

Malware Deployed and Attack Chain

Once the target accessed the malicious content, Lazarus leveraged Cross EX to load a malicious DLL inside a trusted process (SyncHost.exe). This technique allowed the attackers to bypass security controls and establish a stealthy foothold. From there, they deployed a suite of custom malware, including:

  • ThreatNeedle – for data theft and remote control
  • AGAMEMNON – a downloader used for delivering additional payloads
  • wAgent – for persistence and communication with C2 servers
  • SIGNBT – for command execution and surveillance
  • COPPERHEDGE – known for credential harvesting and lateral movement

The attackers also used “Hell’s Gate” — a technique that allows direct system call invocation — to evade endpoint detection and response (EDR) systems.

Zero-Day in Innorix Agent

Further investigation revealed that the Lazarus Group exploited a zero-day vulnerability in Innorix Agent, allowing for arbitrary file downloads to infected systems. This vulnerability enabled attackers to deliver second-stage payloads post-compromise. Kaspersky responsibly disclosed the flaw to Innorix, and a patch has since been released.

Strategic Implications and Recommendations

Lazarus Group’s activities represent a significant escalation in North Korea’s cyber-espionage operations. Their deep understanding of South Korea’s software landscape and their ability to weaponize trusted applications underscore the ongoing risks of supply chain attacks.

Kaspersky warns that such attacks are likely to continue, especially given the Lazarus Group’s established history of targeting financial and critical infrastructure in South Korea. Organizations are strongly encouraged to:

  • Immediately patch known vulnerabilities in Cross EX and Innorix Agent
  • Monitor unusual DLL injections and process spawning behavior
  • Deploy behavior-based EDR systems
  • Conduct supply chain risk assessments regularly
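The second recommendation, monitoring for unusual DLL loads and process spawning, can be turned into a concrete check against the attack chain described earlier, where a malicious DLL is loaded into the trusted SyncHost.exe process. The following is an added example written for this article, not code from Kaspersky or from the Cross EX vendor; it works on dictionaries shaped loosely like Sysmon ImageLoad (Event ID 7) and ProcessCreate (Event ID 1) records, and the sample events, install path and DLL names are constructed.

```python
import ntpath
import re

TRUSTED_PROCESS = "synchost.exe"
# Directories an ordinary user can write to; a legitimate Cross EX module has no business being loaded from them.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|downloads|public)\\", re.IGNORECASE)
# Children a banking helper process should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

def _base(path):
    return ntpath.basename(path).lower()

def suspicious_image_load(ev):
    """Reason if a Sysmon EID 7-style ImageLoad looks like side-loading into SyncHost.exe."""
    if _base(ev.get("Image", "")) != TRUSTED_PROCESS:
        return None
    dll = ev.get("ImageLoaded", "")
    if ev.get("Signed", "").lower() != "true":
        return "unsigned module loaded into SyncHost.exe: " + dll
    if USER_WRITABLE.search(dll):
        return "module loaded into SyncHost.exe from user-writable path: " + dll
    return None

def suspicious_child(ev):
    """Reason if a Sysmon EID 1-style ProcessCreate shows SyncHost.exe spawning a shell/LOLBin."""
    if _base(ev.get("ParentImage", "")) != TRUSTED_PROCESS:
        return None
    child = _base(ev.get("Image", ""))
    return "SyncHost.exe spawned " + child if child in SHELLS else None

def triage(events):
    """Apply the check matching each event's ID; returns one finding string per hit."""
    checks = {7: suspicious_image_load, 1: suspicious_child}
    findings = []
    for ev in events:
        check = checks.get(ev.get("EventID"))
        if check and (reason := check(ev)):
            findings.append(reason)
    return findings

# Constructed sample telemetry; install path and DLL names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\CrossEX\SyncHost.exe",
     "ImageLoaded": r"C:\Program Files\CrossEX\service.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\CrossEX\SyncHost.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update.dll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\CrossEX\SyncHost.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` returns two findings: the unsigned DLL loaded from a Temp directory and the cmd.exe child, while the signed module from the install directory passes. In production the same logic would sit in a SIEM rule keyed on the real install path of Cross EX and the publisher's signing certificate.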

As nation-state actors refine their tactics, defending against supply chain attacks will require vigilance, threat intelligence integration, and close coordination between public and private cybersecurity efforts.
