Cybersecurity solutions provider Kaspersky has discovered a cyberattack campaign targeting key industries in South Korea. The attackers combined a watering hole attack with both known and previously unknown software vulnerabilities to gain a foothold inside several companies' networks.

Revealed during GITEX Asia, the findings point to a detailed operation by the Lazarus Group, a well-known threat actor active since at least 2009. Kaspersky researchers have named the campaign Operation SyncHole and say it affected at least six organizations in South Korea, including companies in software, IT, finance, semiconductor, and telecommunications.

The attack chain involved Innorix Agent, a browser-integrated file transfer tool that is widely used in South Korea. The attackers exploited a one-day vulnerability (a flaw that had already been patched by the vendor but not yet applied on the victim systems) in the tool to install additional malware on targeted hosts. This allowed them to move laterally within internal networks and deploy Lazarus-linked malware such as ThreatNeedle and LPEClient.

Uncovering unknown vulnerabilities

“A proactive approach to cybersecurity is essential, and it was thanks to this mindset that our in-depth malware analysis uncovered a previously unknown vulnerability before any signs of active exploitation appeared. Early detection of such threats is key to preventing broader compromise across systems,” said Sojun Ryu, security researcher at Kaspersky’s GReAT.

As the researchers continued to study the malware's behavior, they also found a separate zero-day vulnerability in Innorix Agent that allowed arbitrary file downloads. Kaspersky promptly reported both issues to the Korea Internet & Security Agency (KrCERT) and to the software vendor. Patches have since been issued, and the arbitrary file download vulnerability is tracked under the identifier KVE-2025-0014.

Software loopholes in CrossEX

Beyond Innorix Agent, the attackers also abused CrossEX, a piece of software used in South Korea to let browser-based security tools run across different browsers. In several cases, malware was found executing inside a legitimate process belonging to this software. The infection chain most likely started from a vulnerability in CrossEX, which KrCERT later confirmed and which has since been patched.

“Together, these findings reinforce a broader security concern: third-party browser plugins and helper tools significantly increase the attack surface, particularly in environments that rely on region-specific or outdated software,” said Igor Kuznetsov, director of Kaspersky’s Global Research and Analysis Team (GReAT). “These components often run with elevated privileges, remain in memory, and interact deeply with browser processes, making them highly attractive and often easier targets for attackers than modern browsers themselves.”

How the attack worked

Lazarus Group relied on watering hole attacks: it compromised legitimate online news websites that are popular with employees of the target organizations. The attackers then filtered visitors on the compromised sites to identify those of interest and redirected only them to attacker-controlled websites, where the infection chain began.

These latest discoveries show how threat actors like Lazarus combine complex techniques with detailed knowledge of local software ecosystems to carry out targeted attacks. Kaspersky recommends keeping software up to date, in particular region-specific tools that integrate with the browser, and exercising greater caution before deploying such third-party components.
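A practical first step that follows from the recommendation above is simply knowing where these browser helper tools are installed and whether they are still resident. The PowerShell script below is an added example, not code from Kaspersky or from the article; it inventories a Windows host for installed products whose display name matches the tools named in the report and lists any running processes launched from their install directories. It assumes the products register under the standard Windows Uninstall keys with "Innorix" or "Cross EX"/"CrossEX" in their DisplayName (an assumption; adjust the patterns to match your vendor's actual naming), and it does not know which versions are patched, so the reported DisplayVersion must be compared against the vendor's own advisory.

```powershell
# Added example (not from the original article or the vendors): inventory a
# Windows host for browser helper tools named in the SyncHole report.
# Assumption: the products appear in the standard Uninstall registry keys with
# one of these substrings in DisplayName. Adjust to match your environment.
$patterns = @('Innorix', 'CrossEX', 'Cross EX')

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every registered product whose DisplayName contains one of the patterns.
$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($patterns | Where-Object { $name -like "*$_*" })
    } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, InstallDate

if (-not $found) {
    Write-Output 'No matching browser helper tools are registered on this host.'
    return
}

Write-Output 'Installed browser helper tools (compare DisplayVersion with the vendor advisory):'
$found | Format-Table -AutoSize

# These tools tend to stay resident; list processes running from each install
# directory so that long-lived helper processes can be reviewed or restarted
# after patching. Processes whose image path is unreadable are skipped.
foreach ($product in $found) {
    if (-not $product.InstallLocation) { continue }
    $root = $product.InstallLocation.TrimEnd('\')
    $procs = Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -and $_.Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
    }
    if ($procs) {
        Write-Output "Running processes under $root ($($product.DisplayName)):"
        $procs | Select-Object Name, Id, Path, StartTime | Format-Table -AutoSize
    }
}
```

Run it in an elevated PowerShell session so that both the 64-bit and 32-bit Uninstall hives and all process image paths are readable. On a fleet, the same logic can be wrapped in a configuration management or EDR query; the point is that a product with no visible version is just as much a finding as one with an old version, because it cannot be proven patched.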
