
The North Korea-linked Lazarus Group has launched a sophisticated campaign targeting at least six South Korean organizations across the software, IT, financial, semiconductor manufacturing, and telecommunications sectors. Dubbed Operation SyncHole, the attack leverages zero-day vulnerabilities in Cross EX and Innorix Agent software, deploying malware such as ThreatNeedle, AGAMEMNON, and SIGNBT [1]. Kaspersky’s report confirms the earliest compromises date back to November 2024, with infrastructure and tactics aligning with previous Lazarus operations [2].
TL;DR: Key Findings
- Targets: South Korean IT, finance, semiconductor, and telecom firms
- Exploits: Zero-days in Cross EX (unpatched) and Innorix Agent (KVE-2025-0014, patched)
- Malware: ThreatNeedle, AGAMEMNON, wAgent, SIGNBT, COPPERHEDGE
- Tactics: Watering-hole attacks, lateral movement via Innorix flaw, credential dumping
- Infrastructure: C2 domains (e.g., naveicoip[.]tech) linked to IP 23.81.246[.]131
Technical Analysis of Operation SyncHole
The campaign exploits two critical vulnerabilities: an unpatched flaw in Cross EX and CVE-2025-0014 in Innorix Agent, which allows arbitrary file downloads. Attackers used these to deploy LPEClient for victim profiling before executing Agamemnon malware with Tartarus’ Gate evasion techniques [2]. Kaspersky observed GMT+09 timestamps in C2 communications, reinforcing North Korean attribution.
Zscaler’s historical analysis reveals infrastructure reuse from 2021-2022 campaigns, including spoofed domains mimicking Naver and AhnLab. CHM files delivered malware like IntelRST.exe with anti-analysis checks, while exfiltration occurred via attacker-controlled Dropbox accounts (e.g., peterstewart0326@gmail[.]com) [3].
| Indicator Type | Value |
|---|---|
| Malware hash (document) | d7f6b09775b8d90d79404eda715461b7 |
| Malware hash (CHM) | 210db61d1b11c1d233fd8a0645946074 |
| C2 domain | naveicoip[.]tech |
| C2 domain | navercorpservice[.]com |
| Attacker-controlled Dropbox account | peterstewart0326@gmail[.]com |
Mitigation and Detection Strategies
Organizations should prioritize patching Innorix Agent and implement workarounds for Cross EX until official updates are available. Kaspersky recommends endpoint detection for Trojan.Win64.Lazarus, while network monitoring should focus on:
“C2 traffic to naveicoip[.]tech and memory processes containing ThreatNeedle/SIGNBT payloads. Blocking Dropbox API connections from unauthorized accounts is also advised.” [2]
Zscaler emphasizes checking for IntelRST.exe persistence mechanisms and anomalous CHM file executions, particularly those terminating AhnLab processes [3].
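The detection points listed above (C2 domain and IP lookups, unexpected Dropbox API connections, IntelRST.exe execution, and CHM-launched commands that terminate AhnLab processes) can be turned into a single triage pass over endpoint telemetry. The following is an added example, not code from Kaspersky, Zscaler or the report; the event dictionary shape, the sample events, the Dropbox allow-list, and the AhnLab process-name pattern are assumptions.

```python
import re
from os.path import basename

# Indicators quoted in the report above (defanged "[.]" restored for matching).
IOC_DOMAINS = {"naveicoip.tech", "navercorpservice.com", "devguardmap.org"}
IOC_IPS = {"23.81.246.131"}
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
DROPBOX_ALLOWED_IMAGES = {"dropbox.exe"}       # assumed allow-list; tune per environment
CHM_HANDLER = "hh.exe"                          # Windows HTML Help viewer, parent of CHM-launched commands
AV_PATTERN = re.compile(r"ahnlab|\bv3", re.I)   # assumed pattern for AhnLab process names


def _img(path):
    """Lower-cased file name of a Windows path ('C:\\Windows\\hh.exe' -> 'hh.exe')."""
    return basename(path.replace("\\", "/")).lower()


def detect(events):
    """Return (rule, detail) tuples; events are dicts with 'type' in dns/net/proc (assumed schema)."""
    hits = []
    for ev in events:
        t = ev["type"]
        if t == "dns" and ev["query"].lower() in IOC_DOMAINS:
            hits.append(("c2_domain", ev["query"]))
        elif t == "net":
            img = _img(ev.get("image", ""))
            if ev["dst_ip"] in IOC_IPS:
                hits.append(("c2_ip", ev["dst_ip"]))
            if ev.get("host", "").lower() in DROPBOX_API_HOSTS and img not in DROPBOX_ALLOWED_IMAGES:
                hits.append(("dropbox_api_unexpected", img))   # exfil channel from a non-client binary
        elif t == "proc":
            img, parent, cmd = _img(ev["image"]), _img(ev.get("parent", "")), ev.get("cmdline", "")
            if img == "intelrst.exe":
                hits.append(("intelrst_exec", ev["image"]))
            kills_av = img == "taskkill.exe" and AV_PATTERN.search(cmd) is not None
            if parent == CHM_HANDLER:                          # anything spawned by a CHM is worth a look
                hits.append(("chm_kills_av" if kills_av else "chm_child_process", cmd))
            elif kills_av:
                hits.append(("av_termination", cmd))
    return hits


# Constructed sample telemetry (not from the report); includes benign lines that must not alert.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "naveicoip.tech"},
    {"type": "dns", "query": "www.naver.com"},
    {"type": "net", "dst_ip": "23.81.246.131", "image": r"C:\Users\u\AppData\Local\Temp\svc.exe"},
    {"type": "net", "dst_ip": "203.0.113.10", "host": "content.dropboxapi.com", "image": r"C:\Program Files\Dropbox\Client\Dropbox.exe"},
    {"type": "net", "dst_ip": "203.0.113.10", "host": "content.dropboxapi.com", "image": r"C:\Users\u\AppData\Roaming\IntelRST.exe"},
    {"type": "proc", "image": r"C:\Users\u\AppData\Roaming\IntelRST.exe", "parent": r"C:\Windows\hh.exe", "cmdline": "IntelRST.exe"},
    {"type": "proc", "image": r"C:\Windows\System32\taskkill.exe", "parent": r"C:\Windows\hh.exe", "cmdline": "taskkill /F /IM V3Lite.exe"},
    {"type": "proc", "image": r"C:\Windows\System32\taskkill.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
```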
Historical Context and Evolution
Lazarus has consistently targeted South Korean supply chains since 2020, with 2023’s SIGNBT attacks showing similar TTPs. The group’s malware has grown increasingly modular, with ThreatNeedle demonstrating advanced process injection and DNS-over-HTTPS C2 capabilities [1]. CHOSUNBIZ confirmed breaches in Daesang Group’s supply chain through compromised CAS Corporation systems [4].
This campaign reflects Lazarus’ shift toward exploiting regional software vulnerabilities, contrasting with the broader phishing themes observed in 2021-2022 operations. The reuse of infrastructure (e.g., devguardmap[.]org) suggests long-term planning and resource allocation [3].
Conclusion
Operation SyncHole demonstrates Lazarus Group’s continued focus on South Korean critical industries, with technical innovations in evasion and exploitation. The combination of zero-day exploits and multi-stage malware deployment poses significant challenges for defensive teams. Organizations should review IoCs, update detection rules, and monitor for related phishing campaigns spoofing Naver and cryptocurrency services.
References
- [1] “Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Flaws and ThreatNeedle Malware,” The Hacker News, 2025-04-23.
- [2] “Operation SyncHole: Watering Hole Attacks by Lazarus,” Kaspersky Securelist, 2025-04-23.
- [3] “The Never-Ending Game: Tracking Lazarus APT Infrastructure,” Zscaler ThreatLabz, 2022-04-26.
- [4] “Daesang Group Confirms Supply Chain Breach via CAS Corporation Systems,” CHOSUNBIZ, 2025-04-23.