Kaspersky Uncovers Sophisticated Lazarus Cyberattack Campaign Targeting South Korea


Cybersecurity experts from Kaspersky’s Global Research and Analysis Team (GReAT) have uncovered a new and highly sophisticated cyberattack campaign by the Lazarus Group, targeting multiple organizations in South Korea. The campaign, named “Operation SyncHole,” was revealed during the GITEX Asia conference.

The Lazarus Group, a well-known state-sponsored threat actor active since 2009, used a combination of watering hole attacks and software vulnerabilities to breach targeted systems. At least six organizations in the software, IT, finance, semiconductor, and telecom sectors were affected, though the actual number may be higher.

Kaspersky researchers found that attackers exploited a one-day vulnerability in the South Korean file transfer software Innorix Agent (version 9.2.18.496). This allowed them to move laterally within networks and deploy malware such as ThreatNeedle and LPEClient. The attack chain was delivered through a downloader tool named Agamemnon.

During their analysis, Kaspersky experts also discovered a zero-day vulnerability in Innorix Agent that had not yet been used in attacks. The flaw allowed arbitrary file downloads and was reported to the Korea Internet & Security Agency (KrCERT) and the software vendor. It has been patched and assigned the identifier KVE-2025-0014.

In addition, the team found that Lazarus exploited another vulnerability in the South Korean browser plugin Cross EX. Malware was detected running in the memory of a legitimate process, SyncHost.exe, which had been launched by Cross EX. KrCERT later confirmed the vulnerability and issued a patch.

According to Kaspersky, all six cases involved a similar infection chain, pointing to Cross EX as a common entry point.

The campaign began with watering hole attacks, where compromised media websites redirected selected visitors to attacker-controlled pages. These pages initiated the infection process in a highly targeted manner.

Igor Kuznetsov, Director at Kaspersky’s GReAT, warned that third-party browser plugins and helper tools increase cybersecurity risks, especially when outdated or region-specific software is involved. “These components often have deep access to systems and are attractive targets for attackers,” he said.

Kaspersky emphasized the importance of proactive cybersecurity practices, noting that early discovery of vulnerabilities helps prevent larger-scale attacks.

