“Operation SyncHole” Exploits Vulnerabilities in Domestic Software to Breach Semiconductor and Software Companies

In a brazen display of cyber warfare, the North Korean Lazarus Group has launched a targeted campaign against at least six South Korean organizations, compromising companies in the semiconductor, software, IT, finance, and telecommunications sectors.
Dubbed Operation SyncHole, the campaign employed a combination of watering hole tactics and software exploits to breach the security of its targets between November 2024 and February 2025. According to Kaspersky, a leading cybersecurity firm, the attackers used a methodical two-phase attack that began with the deployment of the ThreatNeedle malware and transitioned to more advanced tools like SIGNBT and COPPERHEDGE.
The infection chain was initiated through compromised South Korean media websites, which selectively redirected visitors to attacker-controlled domains posing as legitimate services. One such domain, http://www.smartmanagerex[.]com, impersonated software linked to Cross EX, a component often mandated for secure online transactions in Korea.
A suspected vulnerability in Cross EX was exploited to execute malicious scripts and inject the ThreatNeedle malware into SyncHost.exe, a legitimate process used to facilitate compatibility between security software and various web browsers in Korea. The attackers also exploited a one-day vulnerability in Innorix Agent, a file transfer tool commonly installed on corporate and government machines, to deliver malware across internal hosts without validation checks.
Lazarus’s Arsenal of Malware
The Lazarus Group deployed several well-known malware strains, each updated with new capabilities. The Agamemnon downloader introduced Tartarus-TpAllocInject-based reflective loading, a method derived from a lineage of open-source evasion tools, highlighting the attackers’ deep understanding of anti-EDR tactics.
South Korea’s reliance on proprietary security software for government and financial services has created an ecosystem vulnerable to local software exploitation. This dependency, combined with legacy software requirements, has been repeatedly exploited by Lazarus. Both Cross EX and Innorix Agent are commonly mandated in sectors that value high-assurance security features, making them ideal vectors for nation-state attackers seeking to blend in with legitimate software behavior.
A Long-Term Plan
Infrastructure analysis revealed that most C2 servers were either legitimate South Korean websites that had been compromised or purpose-built domains mimicking local services. Hosting arrangements and domain reuse patterns further suggest deliberate, long-term planning by the threat actor.
As the cybersecurity landscape continues to evolve, it is clear that nation-state attackers like Lazarus will stop at nothing to achieve their goals. It is imperative that organizations prioritize their security and take proactive measures to protect themselves against these sophisticated threats.