Lazarus Group’s Undercover Operations: Large-Scale Infection Campaigns 2022 – 2023


August 24, 2023




Track 2

The Lazarus Group is one of the major threat actors targeting South Korea. In this talk, we will cover the activities of Lazarus Group’s threat campaigns in South Korea from at least 2022 to the present in 2023.

KrCert/CC has detected the Lazarus group’s undercover information gathering activities targeting major companies in Korea. This campaign was carried out through a large-scale infection method using vulnerabilities in financial security solutions and watering hole techniques. We investigated the campaign by examining over 60 companies and more than 200 hosts to identify the threat actors’ TTPs. In this talk, we will cover:


The Lazarus Group hacked into websites visited by a large number of people and set up watering hole pages. After the target accessed the watering hole pages, the group infected their target with malware by exploiting vulnerabilities in financial security software (the misused financial security software was the security software used by most Koreans and companies).

Lateral movement

The group carried out internal propagation using various methods depending on the target’s situation. They performed internal spread by scanning networks, exploiting SMB services, and taking advantage of vulnerabilities in financial security software.


Threat actors compromised the company’s key servers for information leakage. The compromised servers have been abuse as a major hub for information leakage.

We will also provide detailed information and TTPs to trace and respond to the threat actors involved in the “large-scale infection campaign using vulnerabilities in financial security solutions and watering hole techniques” campaign conducted by Lazarus Group, which has been confirmed through our investigation process.

Malicious Code Analyst

Korea Internet Security Center (KISC)

Lee Tae-woo is in charge of analysis malicious code and IR at the Korea Internet Security Center (KISC) of that Korea Internet & Security Agency (KISA). Before worked in the KISA, he was a malware analyst at an anti-virus company in Korea(ROK).

Currently, He is conducting a research groups who are carry out the attacks, like Ransomware, Supply Chain Attack and Information Leakage, which is threatening cyber security in Korea. Especially he is interested in the research related preventing cyberattacks occured by groups composed attackers who speak Korean.

Malware Analyst

Korea Internet & Security Agency (KISA)

Seulgi Lee is currently a malware analyst at Korea Internet & Security Agency. He carried out research into cyber security such as cyber threat intelligence, SIEM for 7 years from 2012 in the R&D department. After moving to KrCERT/CC position, He has been analyzing threats targeting Korea and sharing insights based on the results to prevent the infringement cases and minimize the damage in Korea.

Cyber Incident Response

Korea Internet & Security Agency (KISA/KrCert)

Dongwook has been working for Korea Internet Security Agency since 2013 as a Computer Incident Analyst. His team has a lot of experiences related to internet security incident response (Supply Chain Attacks, cryptocurrency exchange hacking and so on). Recently, has has been working on tracking and analyzing specific hacking group targeting Korea.