North Korea’s Lazarus Group Launches Cyber Attack on South Korean Industries

The420.in

A stealthy espionage campaign led by North Korea’s Lazarus Group has compromised multiple organizations in South Korea across the IT, finance, and telecom sectors. Dubbed ‘Operation SyncHole’ by researchers, the cyberattack leveraged a file transfer software exploit, watering hole techniques, and multiple advanced malware strains to exfiltrate sensitive data and maintain covert access.

Silent Entry: How Lazarus Infiltrated South Korea’s Digital Backbone

In a newly exposed cyber-espionage campaign, the North Korea-linked Lazarus Group compromised at least six South Korean organizations between November 2024 and February 2025, with the actual number believed to be higher.

According to cybersecurity researchers, the threat actor used a watering hole strategy—compromising legitimate South Korean media websites to redirect visitors to fake domains mimicking trusted software vendors.

Once redirected, the targets unknowingly downloaded malware embedded in JavaScript designed to exploit vulnerabilities in a file transfer client called Cross EX.

This software is commonly used in South Korea to perform secure online banking and complete government tasks, making it a high-value attack surface.

Although the exact exploit chain remains unclear, experts note that the attackers successfully escalated privileges, often running their malware inside high-integrity processes on the host system.

The initial infection launches the legitimate ‘SyncHost.exe’ process and injects shellcode to deliver the ‘ThreatNeedle’ backdoor, capable of executing 37 remote commands.
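Because the page describes shellcode being injected into the legitimate SyncHost.exe process, a defender's first telemetry question is "who created a remote thread in SyncHost.exe?". The following is an added example, not code from the article or from any vendor: it parses constructed Sysmon Event ID 8 (CreateRemoteThread) records in an assumed `key=value|key=value` export format and flags any cross-process thread creation into SyncHost.exe. The originating process and install path are not given on the page, so both are constructed placeholders.

```python
"""Flag cross-process remote-thread creation into SyncHost.exe.

Added detection example; input format and file paths are assumptions."""
from dataclasses import dataclass

# Image names that should not normally receive threads from other processes.
WATCHED_TARGETS = {"synchost.exe"}


@dataclass(frozen=True)
class RemoteThreadEvent:
    """Subset of the Sysmon Event ID 8 fields relevant to the check."""
    source_image: str
    target_image: str
    start_address: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(evt: RemoteThreadEvent) -> bool:
    """True when another image creates a thread inside a watched process."""
    src, dst = basename(evt.source_image), basename(evt.target_image)
    if dst not in WATCHED_TARGETS:
        return False
    # A process starting a thread in itself is not cross-process injection.
    return src != dst


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one 'Key=Value|Key=Value' record (assumed export format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return RemoteThreadEvent(fields["SourceImage"], fields["TargetImage"],
                             fields["StartAddress"])


def find_injections(lines):
    """Return the events that represent injection into a watched process."""
    return [e for e in map(parse_event, lines) if is_suspicious(e)]


# Constructed sample records, not real telemetry from the campaign.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\svchost.exe|StartAddress=0x7FF6A0001000",
    r"SourceImage=C:\Users\user\AppData\Local\Temp\loader.tmp|TargetImage=C:\Program Files\Vendor\SyncHost.exe|StartAddress=0x000001F2A3B40000",
    r"SourceImage=C:\Program Files\Vendor\SyncHost.exe|TargetImage=C:\Program Files\Vendor\SyncHost.exe|StartAddress=0x7FF7B0002000",
]

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_EVENTS):
        print(f"ALERT remote thread into {hit.target_image} from {hit.source_image}")
```

Only the second constructed record is reported; the self-targeted SyncHost.exe thread and the unrelated svchost.exe event are ignored.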

Modular Mayhem: A Deep Dive into the Attack Arsenal

The Lazarus Group employed a multi-stage attack model. After establishing initial access via Cross EX, they deployed a combination of backdoors and lateral movement tools depending on the targeted environment. These included:

  • ThreatNeedle: Used for reconnaissance and further malware delivery
  • LPEClient: Conducts detailed system profiling
  • wAgent / Agamemnon: Secondary payload downloaders
  • Innorix Abuser: Exploits a vulnerability in Innorix Agent v9.2.18.496 for lateral movement inside the network
  • SIGNBT & Copperhedge: Alternate malware implants for stealth and deeper penetration

Notably, in some attacks, Lazarus bypassed ThreatNeedle entirely in favor of SIGNBT, demonstrating their increasing reliance on lightweight, modular, and stealthier payloads.

Experts also discovered a non-exploited zero-day flaw in Innorix Agent (versions 9.2.18.001 to 9.2.18.538), labeled KVE-2024-0014, which could allow attackers to download arbitrary files. This security issue was reported to the Korea Internet & Security Agency (KrCERT/CC), and the vendor patched it in a subsequent release.

Espionage Meets Exploit: Attribution and National Cybersecurity Risk

The breadth of the campaign—spanning software development, IT, financial services, semiconductor manufacturing, and telecommunications—suggests a nation-state-backed intelligence-gathering mission. The campaign is attributed to Lazarus based on:

  • Unique tactics, techniques, and procedures (TTPs)
  • Working hours aligned with North Korean time zones
  • Use of Lazarus-linked malware families previously identified in other operations


The attack exposes gaps in supply chain security and the dependence on vulnerable software widely used for administrative functions in South Korea.

Despite the scale and sophistication of the breach, patches have been released for the affected applications. Still, the incident underscores a troubling trend: North Korea’s cyber units are evolving, deploying increasingly modular, scalable, and configurable malware capable of evading detection for months.
