Kaspersky’s GReAT team has uncovered a sophisticated new Lazarus campaign, combining a watering hole attack with the exploitation of vulnerabilities in third-party software to target organizations in South Korea. During the research, company experts have also discovered a zero-day vulnerability in the widely used South Korean software Innorix Agent, which was promptly patched. Revealed during GITEX Asia, the findings highlight how Lazarus, leveraging its deep understanding of South Korea’s software ecosystem, is capable of executing highly sophisticated, multi-stage cyberattacks.
According to a new report from Kaspersky GReAT (Global Research and Analysis Team), the attackers targeted at least six organizations across the software, IT, financial, semiconductor, and telecommunications sectors in South Korea. However, the actual number of victims may be higher. Kaspersky researchers have dubbed this campaign “Operation SyncHole”.
The Lazarus Group, active since at least 2009, is a well-resourced and notorious threat actor. In a recent campaign, the group was observed exploiting a one-day vulnerability in Innorix Agent, a third-party browser-integrated tool used for secure file transfers in administrative and financial systems. By exploiting this vulnerability, the attackers were able to facilitate lateral movement, enabling the installation of additional malware on a targeted host. This ultimately led to deployment of Lazarus signature malware, such as ThreatNeedle and LPEClient, which expanded their foothold within internal networks. This exploit was part of a larger attack chain, delivered via the Agamemnon downloader, and specifically targeted a vulnerable version of Innorix (9.2.18.496).
While analyzing the malware’s behavior, Kaspersky’s GReAT experts discovered another additional arbitrary file download zero-day vulnerability, which they managed to find before any threat actors used it in their attacks. Kaspersky has reported issues in Innorix Agent to the Korea Internet & Security Agency (KrCERT) and the vendor. The software has since been updated with patched versions, while the vulnerability was assigned with the KVE-2025-0014 identifier.
“A proactive approach to cybersecurity is essential, and it was thanks to this mindset that our in-depth malware analysis uncovered a previously unknown vulnerability before any signs of active exploitation appeared. Early detection of such threats is key to preventing broader compromise across systems,” comments Sojun Ryu, security researcher at Kaspersky’s GReAT (Global Research and Analysis Team).
Prior to findings related to INNORIX, Kaspersky experts had previously discovered the use of a variant of the ThreatNeedle and SIGNBT backdoor in subsequent attacks against South Korea. The malware was running in the memory of a legitimate SyncHost.exe process, and was created as a subprocess of Cross EX, legitimate South Korean software designed to support the use of security tools across various browser environments.
The detailed analysis of the campaign confirmed that the same attack vector was consistently identified in five more organizations in South Korea. The infection chain in each case appeared to originate from a potential vulnerability in Cross EX, suggesting it was the starting point of the infection within the entire operation. Notably, a recent security advisory published by KrCERT confirmed the existence of a vulnerability in CrossEX, which has since been patched during the timeframe of this research.
“Together, these findings reinforce a broader security concern: third-party browser plugins and helper tools significantly increase the attack surface, particularly in environments that rely on region-specific or outdated software. These components often run with elevated privileges, remain in memory, and interact deeply with browser processes, making them highly attractive and often easier targets for attackers than modern browsers themselves,” comments Igor Kuznetsov, Director of Kaspersky’s GReAT (Global Research and Analysis Team).
