A newly uncovered cyber campaign, attributed to the infamous Lazarus advanced persistent threat (APT) group, has targeted at least six major South Korean organizations through an attack chain leveraging watering hole techniques and the exploitation of recently patched (“one-day”) vulnerabilities in local security and file transfer software.
Security researchers monitoring the campaign since November 2024 have designated the operation as “SyncHole,” highlighting the attackers’ strategic understanding of South Korea’s software ecosystem and their ability to rapidly weaponize vulnerabilities in widely deployed native applications.

Operation “SyncHole” Exposes South Korea’s Software Supply Chain Weaknesses
The campaign’s infection vector relied on the compromise of legitimate South Korean media websites, which surreptitiously redirected a subset of visitors, selected by server-side filtering, to attacker-controlled infrastructure.
Once a visitor was selected, their system was exploited through vulnerabilities in software such as Cross EX, a critical component that provides digital signatures and anti-keylogging features for online banking and government portals, and Innorix Agent, a file transfer solution widely used in financial and administrative workflows.
The Lazarus operators exploited a vulnerability in Cross EX, delivering a payload via a malicious script to launch the ThreatNeedle backdoor within the SyncHost.exe process.
In parallel, a flaw in Innorix Agent facilitated lateral movement, enabling the deployment of additional malware across internal hosts.
Malware analysis revealed evolving variants of known Lazarus toolsets, including updated ThreatNeedle (with enhanced loader and core modules), wAgent, SIGNBT, Agamemnon downloader, and COPPERHEDGE implants.

Notably, the ThreatNeedle variant employed Curve25519-based asymmetric encryption and ChaCha20 to secure command and control (C2) communications, while the new wAgent leveraged the open-source GMP library for RSA computations and used novel payload delivery mechanisms, including plugin loading and reflective injection via open-source tools such as Tartarus-TpAllocInject.
SIGNBT appeared in two versions (0.0.1 and 1.2), with the latter streamlined for remote payload execution and improved C2 configuration management through encrypted channels.
Advanced Malware Shows Rapid Adaptation and Modular Design
The operation was split into two phases: the first delivered ThreatNeedle and wAgent, often through supply chain attacks seeded via compromised software update channels; the second introduced SIGNBT and COPPERHEDGE, focusing on advanced post-exploitation with credential dumping, internal reconnaissance, and data exfiltration.
COPPERHEDGE, a longstanding Lazarus backdoor, enabled extensive host enumeration through a diversified command set and the use of alternate data streams (ADS) for configuration management.
Throughout, attackers leveraged legitimate but compromised South Korean websites for C2 communications, with evidence suggesting the re-registration of abandoned domains to evade detection.
Rapid response by security vendors led to prompt notification of the Korea Internet & Security Agency (KrCERT/CC) and the release of critical patches for all discovered vulnerabilities.
Still, researchers emphasize the continuing risks, warning that repeated compromises of South Korean software vendors mean that similar supply chain attacks remain likely.
According to the report, the Lazarus group’s demonstrated ability to modularize, update, and integrate open-source evasion techniques with custom malware highlights a trend towards lighter, more agile attack tooling designed to circumvent detection and facilitate staged intrusions.
“Operation SyncHole” underscores both the technical sophistication and the persistence of the Lazarus APT, which continues to exploit systemic weaknesses in software supply chains for strategic espionage and potentially destructive operations.
Organizations are urged to employ robust endpoint security solutions, monitor for indicators of compromise, and prioritize timely patch management, particularly for domestic software and digital authentication tools critical to their operational environment.
Indicators of Compromise (IoCs)
| Type | Value (MD5 hash or C2 address) | Location |
|---|---|---|
| ThreatNeedle Loader | f1bcb4c5aa35220757d09fc5feea193b | C:\System32\PCAuditex.dll |
| wAgent Loader | dc0e17879d66ea9409cdf679bfea388c | C:\ProgramData\intel\util.dat |
| COPPERHEDGE Dropper | 2d47ef0089010d9b699cd1bbbc66f10a | %AppData%\hnc_net.tmp |
| C2 Server | www.smartmanagerex[.]com | – |
| C2 Server | hxxps://thek-portal[.]com/eng/career/index.asp | – |
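The recommendation above to monitor for indicators of compromise is easy to state and easy to get wrong: published IoCs are defanged (`[.]`, `hxxps`), paths use environment variables, and a loader rebuilt by the attacker will not share the published hash. The following script is an added example, not code from the report or from any vendor; it takes the three hashes, three paths and two C2 entries from the table above, refangs the network indicators, normalises `%AppData%`, and then matches a small set of constructed file observations and DNS log lines against them. A hash match is reported as confirmed; a path match with a different hash is reported separately so an analyst can triage a possible variant. The log line format, the sample file contents and the hostnames in the sample log are constructed for the example.

```python
"""Match host and DNS observations against the Operation SyncHole IoCs.

Added example. The IoC values are copied from the table in the article;
the observations below are constructed sample data, not real telemetry.
"""
import hashlib
import re

# IoCs copied from the table: MD5 -> (family, dropped path).
FILE_IOCS = {
    "f1bcb4c5aa35220757d09fc5feea193b": ("ThreatNeedle Loader", r"C:\System32\PCAuditex.dll"),
    "dc0e17879d66ea9409cdf679bfea388c": ("wAgent Loader", r"C:\ProgramData\intel\util.dat"),
    "2d47ef0089010d9b699cd1bbbc66f10a": ("COPPERHEDGE Dropper", r"%AppData%\hnc_net.tmp"),
}

# C2 indicators copied from the table, still defanged as published.
NETWORK_IOCS = [
    "www.smartmanagerex[.]com",
    "hxxps://thek-portal[.]com/eng/career/index.asp",
]


def refang(indicator: str) -> str:
    """Reverse the usual defanging ([.] and hxxp) so the value can be compared."""
    value = indicator.replace("[.]", ".").replace("[:]", ":")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.lower()


def host_of(indicator: str) -> str:
    """Hostname of a refanged URL or bare host, without scheme, path or port."""
    value = re.sub(r"^https?://", "", refang(indicator))
    return value.split("/", 1)[0].split(":", 1)[0]


def normalize_path(path: str) -> str:
    """Lower-case the path and fold a user's roaming profile back into %AppData%."""
    p = path.lower().replace("/", "\\")
    return re.sub(r"^c:\\users\\[^\\]+\\appdata\\roaming", "%appdata%", p)


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the bytes, the digest type used in the published table."""
    return hashlib.md5(data).hexdigest()


def match_files(observations, iocs=FILE_IOCS):
    """observations: iterable of (path, content_bytes).

    Returns (path, verdict, family) tuples. 'hash-match' is a confirmed hit;
    'path-only' means the published drop location is in use but the content
    differs (rebuilt variant or benign collision), so it needs analyst review.
    """
    by_path = {normalize_path(p): (h, fam) for h, (fam, p) in iocs.items()}
    hits = []
    for path, content in observations:
        digest = md5_hex(content)
        if digest in iocs:
            hits.append((path, "hash-match", iocs[digest][0]))
        elif normalize_path(path) in by_path:
            hits.append((path, "path-only", by_path[normalize_path(path)][1]))
    return hits


def match_dns(log_lines, iocs=NETWORK_IOCS):
    """Flag queries for a C2 hostname.

    Expects constructed lines of the form '<timestamp> <client> query <host>';
    adapt the split for a real resolver log schema. Returns (client, host).
    """
    bad_hosts = {host_of(i) for i in iocs}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            host = parts[3].lower().rstrip(".")
            if host in bad_hosts:
                hits.append((parts[1], host))
    return hits


# Constructed sample observations (not real files or logs).
SAMPLE_FILES = [
    (r"C:\Users\alice\AppData\Roaming\hnc_net.tmp", b"constructed sample, not the real dropper"),
    (r"C:\Windows\notepad.exe", b"constructed benign content"),
]
SAMPLE_DNS = [
    "2024-11-20T09:14:02Z 10.0.0.12 query www.smartmanagerex.com",
    "2024-11-20T09:14:05Z 10.0.0.12 query www.example.com",
    "2024-11-20T09:15:11Z 10.0.0.31 query thek-portal.com",
]

if __name__ == "__main__":
    for hit in match_files(SAMPLE_FILES):
        print("file:", *hit)
    for client, host in match_dns(SAMPLE_DNS):
        print("dns:", client, "->", host)
```

Run against the sample data it reports the `%AppData%\hnc_net.tmp` file as a path-only hit (the constructed content does not carry the published hash) and the two C2 hostnames from the DNS lines. Because `match_files` and `match_dns` take the IoC set as a parameter, the same functions can be fed a feed of hashes and hosts from KrCERT/CC or a vendor without editing the matching logic.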