Convergence India
Kaspersky Exposes Chilling Lazarus Cyberattack on South Korea — Here’s Why It Matters
The Lazarus Group exploited Innorix, the South Korean file transfer software, to target at least 5-6 companies across sectors like software, IT, financial, semiconductor, and telecommunications.

By Kumar Harshit

on May 8, 2025

Kaspersky has exposed new, highly sophisticated attacks targeting South Korean companies, led by Lazarus, the hacking group allegedly run by the government of North Korea. Kaspersky’s Global Research and Analysis Team (GReAT) found the group exploiting vulnerabilities in third-party software in combination with a watering hole attack. The multi-stage campaign has been named “SyncHole.”

The team has also found a zero-day vulnerability in the widely used South Korean file-transfer software Innorix Agent, which was quickly patched. As per the report by ET, the attackers targeted at least six organizations across the software, IT, financial, semiconductor, and telecommunications sectors in South Korea. However, the actual number of victims cannot be ascertained.

SyncHole: What has the group done? 

In this attack, the Lazarus Group exploited a one-day vulnerability in Innorix Agent — a third-party, browser-integrated tool commonly used for secure file transfers in administrative and financial systems. This allowed the attackers to move laterally within the network, paving the way for the installation of additional malware. Ultimately, signature Lazarus tools like ThreatNeedle and LPEClient were deployed, expanding the group’s foothold across internal systems.

SyncHole: How did they manage to do this? 

The Lazarus Group employed compromised online media websites—frequented by large numbers of users—as lures in a classic watering hole attack. They filtered incoming traffic to identify high-value targets, selectively redirecting them to attacker-controlled sites where a tailored attack chain was triggered. This approach underscores the group’s highly targeted and strategic tactics.

SyncHole: A Uniform Approach 

Before uncovering the issues related to Innorix, Kaspersky researchers had already identified the use of modified variants of the ThreatNeedle and SIGNBT backdoors in follow-up attacks targeting South Korea.

A thorough analysis of the campaign revealed a consistent attack vector across five additional South Korean organizations. In each case, the infection chain appeared to originate from a suspected vulnerability in Cross EX, indicating it may have served as the initial entry point for the broader operation.