Lazarus Hacker Group Evolves Means In DeathNote Campaign

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Apr 13, 2023 03:56 am PST

DeathNote’s Lazarus Hacker Squad Evolves Its Strategies, Tools, and Targets as part of a long-running operation known as DeathNote. The Lazarus hacker Group, a North Korean threat actor, has been observed swiftly developing its tools and methods and shifting its focus.

In what is viewed as a “major” move, the nation-state adversary, well-known for its relentless attacks on the cryptocurrency sector, has also targeted the automotive, academic, and defense industries in Eastern Europe and other areas.

Seongsu Park, a researcher at Kaspersky, noted in a study released on Wednesday that “at this time, the actor altered all the decoy papersto job descriptions for diplomatic services and defense contractors.”

According to reports, the targeted divergence and the deployment of modernized infection vectors happened in April 2020. It’s important to note that the DeathNote cluster is also monitored as NukeSped or Operation Dream Job. Google-owned Mandiant linked a portion of the activity to a group called UNC2970.

To install the Manuscrypt (also known as NukeSped) backdoor on the compromised machine, attackers often use email communications with lures with Bitcoin mining themes to tempt potential targets into opening the documents.

According to information provided by the Russian cybersecurity company in October 2021, the Lazarus hacker Group’s attacks against the defense sector as a whole are linked to the targeting of the automotive and academic sectors and resulted in the use of the implants BLINDINGCAN (also known as AIRDRY or ZetaNile) and COPPERHEDGE.

In a different attack chain, the threat actor started its harmful routine by using a trojanized version of the genuine PDF reader program SumatraPDF Reader. Microsoft previously disclosed The Lazarus hacker Group’s use of malicious PDF reader software.

These attacks were aimed against a South Korean think tank and a Latvian distributor of IT asset monitoring solutions, the latter involving the misuse of genuine security software that is extensively used in that nation.

At the time, Kaspersky stated that the twin attacks “suggest to Lazarus strengthening supply chain attack capabilities.” Since then, the supply chain attack on enterprise VoIP service provider 3CX that was discovered last month has been attributed to the hostile team.

According to Kaspersky, the same security software was used in a second attack in March 2022 that targeted several victims in South Korea and sent downloader malware with the ability to provide a backdoor and an information thief for gathering keyboard and clipboard data.

The newly implanted backdoor, according to Park, is “responsible for gathering and reporting the victim’s information” and “capable of executing a retrieved payload with named-pipe communication.”

The same backdoor is alleged to have been used at around the same time to compromise a South American defense contractor utilizing DLL side-loading methods upon reading a specially-crafted PDF file using a trojanized PDF reader.

The Lazarus hacker Group was also implicated in a successful hack of a different defense contractor in Africa that occurred in July. In that incident, a “suspicious PDF application” was distributed through Skype before dropping the ThreatNeedle backdoor version and the ForestTiger data exfiltration implant.

According to Park, the Lazarus organization is a well-known and expert threat actor. Organizations must be vigilant and take preventive action to guard against the Lazarus hacker group’s nefarious actions as it continues to hone its tactics.


As part of a ” DeathNote ” campaign by Kaspersky, the North Korean threat actor known as Lazarus hacker Group has been detected switching targets and honing their tactics. Seongsu Park, a senior security researcher at Kaspersky, described the discovery in an earlier advisory. He claimed the team has been monitoring the effort, also known as Operation DreamJob or NukeSped, since 2019. According to Park, “the malware creator used decoy papers relevant to the cryptocurrency business, like a questionnaire about purchasing particular cryptocurrencies, an introduction to a particular cryptocurrency, and an introduction to a bitcoin mining company.” However, in April 2020, Kaspersky discovered a substantial change in the attack’s targets and fresh infection channels.

The warning claims that “our analysis revealed that the DeathNote cluster targets the automobile and academic sectors in Eastern Europe, both of which are tied to the defense industry.” At this point, the actor changed the job descriptions on all the bogus documents to those for defense contractors and diplomatic services. The infection chain was also improved, relying on trojanized open-source PDF viewer software in addition to the remote template injection method used in weaponized documents. The DeathNote campaign then began focusing on numerous targets in South Korea and an IT company in Europe that supplied solutions for monitoring network devices and servers in May 2021.

One factor that attracted their interest was the fact that legitimate security software that is widely used in South Korea was utilized to run the malware’s initial stage, according to Park. We found that the same security program had been hacked to spread similar downloader malware to many victims in South Korea almost a year later, in March 2022. Find out more about related attacks here: Using a zero-day bug, Lazarus hacker Group targets a South Korean financial institution. The identical backdoor was utilized to hack a South American defense contractor, which Kaspersky detected at about the same time. “We discovered that the Lazarus hacker organization had successfully compromised a defense contractor in Africa in July 2022,” Park continued. The identical DLL side-loading method we saw in the last scenario was prominently utilized in this attack. The information about the victim was collected and reported by the payload that was initially installed and run by the PDF reader.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x