lazarusholic

IoC Update of Lazarus Group’s Recent Attack Campaign Targeting South Korea

2025-10-28, S2W
https://s2w.inc/en/resource/detail/941
#Lazarus

✅ Report Title: IoC Update of Lazarus Group’s Recent Attack Campaign Targeting South Korea


✅ Executive Summary:

- S2W Threat Intelligence Center (TALON) recently analyzed malware samples distributed by the North Korea-linked APT group Lazarus that targeted entities in South Korea.

- The acquired samples were identified as three types of loader malware and one copy of the FastCopy file-copy utility.

- The loaders executed, in memory, a privilege-escalation component and a payload capable of capturing screenshots and recording logs.


📌 How Does the Malware Operate?

- The loaders carry their payload in encrypted or encoded form, decode or decrypt it with AES or XOR at run time, and load the result directly into memory.
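The decrypt-and-load step described above, together with the argument-supplied keys noted in the correlation section further down, can be emulated for triage. The Go program below is an added example written for this page, not code from S2W or from the analyzed samples: it decrypts a constructed stand-in payload with a repeating-key XOR or with AES-CBC (CBC mode and PKCS#7 padding are assumptions; the report does not name the AES mode), takes the algorithm, key and IV from the command line the way the loaders take theirs, and checks the result for an MZ stub and PE signature. The tool name loadersim, the demo keys and the sample bytes are invented for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"os"
)

// fakePE is a constructed 94-byte stand-in for a decrypted payload: an MZ stub whose
// e_lfanew (offset 0x3c) points at a "PE\0\0" signature at 0x40. It is not real code.
var fakePE = append(append(append([]byte("MZ"), make([]byte, 0x3a)...), 0x40, 0, 0, 0), []byte("PE\x00\x00constructed sample payload")...)

// xorDecrypt applies a repeating-key XOR; the operation is its own inverse.
func xorDecrypt(blob, key []byte) []byte {
	out := make([]byte, len(blob))
	for i, b := range blob {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// aesDecryptCBC decrypts AES-CBC and strips PKCS#7 padding. CBC is an assumption
// made for this example; the report does not name the AES mode the loaders use.
func aesDecryptCBC(blob, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("IV or ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, blob)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding (wrong key or IV?)")
	}
	return pt[:len(pt)-pad], nil
}

// aesEncryptCBC is the inverse, used only to build the constructed blob from a key and IV known to be valid.
func aesEncryptCBC(pt, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// looksLikePE checks for "MZ" plus "PE\0\0" at e_lfanew: the quickest sign that decryption produced an executable, not noise.
func looksLikePE(b []byte) bool {
	if len(b) < 0x40 || b[0] != 'M' || b[1] != 'Z' {
		return false
	}
	off := uint64(binary.LittleEndian.Uint32(b[0x3c:0x40]))
	return off+4 <= uint64(len(b)) && bytes.Equal(b[off:off+4], []byte("PE\x00\x00"))
}

// decryptPayload mirrors the contract the report describes for the loaders: algorithm and
// key (plus IV for AES) arrive as run-time arguments, so the file on disk alone cannot recover the payload.
func decryptPayload(mode, keyHex, ivHex string, blob []byte) ([]byte, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) == 0 {
		return nil, fmt.Errorf("key must be non-empty hex")
	}
	switch mode {
	case "xor":
		return xorDecrypt(blob, key), nil
	case "aes":
		iv, err := hex.DecodeString(ivHex)
		if err != nil {
			return nil, fmt.Errorf("IV must be hex: %w", err)
		}
		return aesDecryptCBC(blob, key, iv)
	}
	return nil, fmt.Errorf("unknown mode %q (want xor or aes)", mode)
}

// main encrypts fakePE with fixed demo keys (xor 5a; AES key "0123456789abcdef", IV "fedcba9876543210",
// passed on the command line as hex) and decrypts it with the supplied arguments, so a wrong key shows up as a padding error or a non-PE result.
func main() {
	args := append(os.Args[1:], "", "", "") // missing arguments read as ""
	blob := xorDecrypt(fakePE, []byte{0x5a})
	if args[0] == "aes" {
		blob = aesEncryptCBC(fakePE, []byte("0123456789abcdef"), []byte("fedcba9876543210"))
	}
	pt, err := decryptPayload(args[0], args[1], args[2], blob)
	if err != nil {
		fmt.Fprintln(os.Stderr, "usage: loadersim <xor|aes> <hexkey> [hexiv];", err)
		os.Exit(1)
	}
	fmt.Printf("decrypted %d bytes, PE header present: %v\n", len(pt), looksLikePE(pt))
}
```

Saved as loadersim.go, it runs as `go run loadersim.go xor 5a` or `go run loadersim.go aes 30313233343536373839616263646566 66656463626139383736353433323130`; any other key produces a padding error or a result with no PE header, which is the same signal an analyst uses when replaying a key recovered from a captured command line, scheduled task or parent-process argument list. In a real case the blob would be carved from the sample and read from a file rather than generated in main, and the key is only as available as the process-creation telemetry that recorded the arguments.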


📌 Correlation With Previous Cases

- The AES and XOR keys used for decryption are supplied as command-line arguments at execution rather than stored in the binary, and it was confirmed that the XOR key used by the Lazarus group in the 2023 LazarLoader campaign …