Operation SyncHole: Lazarus cyber-attack on South Korean companies
The Lazarus hacking group from North Korea targeted several companies in South Korea through a campaign called “Operation SyncHole”, which took place between November 2024 and February 2025. The threat actor combined a watering hole attack strategy with an exploit for a vulnerability in a file transfer client that is required in South Korea to complete certain financial and administrative tasks.
This campaign has been reported by the Kaspersky threat intelligence team. The report explains that victims were redirected from compromised media sites to fake software vendor sites, where malware was delivered in an executable file via malicious JavaScript. Kaspersky observed multiple infection chains across six confirmed victims; the earlier and later phases of the attack differed in several ways, and only the initial infection step was common to all of them. Based on these tactics and the malware samples detected in Operation SyncHole, the analysis shows that Lazarus is moving towards lightweight and modular tools that are both stealthier and more configurable.
During the attack analysis, researchers also found a non-exploited zero-day flaw (KVE-2024-0014) in specific versions of a file-sharing platform called “Innorix Agent”, which allowed arbitrary file downloads. The security issue was reported through the Korea Internet & Security Agency (KrCERT), and the vendor released patches for the exploited software.
- 26/04/2025 ciberninjas.com
- 24/04/2025 kaspersky.com
- 24/04/2025 thehackernews.com