Lazarus and Kimsuky Behind 86 North Korean APT Attacks... IT and Finance Sectors Under Broad Targeting
Advanced Malicious Document Disguises and Overwhelming Activity from China and Russia
Upbit Hacking Case Reveals Similarities to Lazarus Tactics
It has been revealed that half of the advanced persistent threat (APT) attacks that occurred over the past year were carried out by North Korean hacking groups. The Lazarus group, a hacking organization under North Korea’s Reconnaissance General Bureau, is also strongly suspected to be behind the Upbit cryptocurrency exchange hacking incident, which involved assets worth 44.5 billion won.
According to AhnLab’s report, “2025 Cyber Threat Trends & 2026 Security Outlook,” released on November 30, the Lazarus group was the most frequently mentioned APT group, with 31 recorded activities, in an analysis of APT group operations disclosed between October of last year and September of this year. This was followed by Kimsuky, another hacking group under North Korea’s Reconnaissance General Bureau, with 27 cases. APT refers to sophisticated, long-term hacking methods conducted at the national level.
During the same period, North Korea accounted for the highest number of activities by country, with 86 cases. This was followed by China with 27 cases, Russia and India with 18 cases each, and Pakistan with 17 cases.
According to AhnLab, Lazarus and Kimsuky have been targeting financial gain and intelligence gathering using advanced attack techniques such as spear phishing, supply chain attacks, multi-platform malware, privilege escalation, and multi-factor authentication (MFA) bypass. In particular, Lazarus has recently expanded its targets to include cryptocurrencies, finance, information technology (IT), and defense sectors. The group has developed numerous multi-platform malware strains that support both Mac operating systems (OS) and Linux, which include features such as clipboard monitoring and cryptocurrency wallet information theft.
Lazarus was found to have compromised at least six organizations in South Korea, including those in the IT and financial sectors, through an “Operation Sinkhole” attack that exploited software vulnerabilities. The attack combined the watering hole technique, in which users are infected when they visit legitimate websites that have been compromised to serve malware, with the exploitation of vulnerabilities in software widely used in South Korea.
Recent investigations into the Upbit hacking case have also uncovered multiple similarities with Lazarus’s previous tactics. In attacks on overseas cryptocurrency exchanges, Lazarus has used a combination of wallet signature process tampering, address-swapping malware, MFA bypass, and supply chain infiltration. The Upbit incident is similar to previous Lazarus attacks in that abnormal manipulation occurred during the signing process, large-scale assets were transferred, the transfer routes were discreetly dispersed, and there is a possibility of wallet address tampering.
Kimsuky is characterized by its use of disguise and social engineering spear phishing. The group has launched attacks by distributing malicious files disguised as lecture requests or interview invitations. It has also used Russian email domains and Hangul-based free domains such as “naedomain.kr” to conceal the origin of its attacks. Attacks using ISO files or Hangul documents were also frequent.
Kimsuky has employed multi-stage attack techniques across various social platforms such as Facebook and Telegram, and there have been recent indications of the use of AI-generated fake IDs. The subgroup “Larva-24005” was found to have capabilities for stealing user keystrokes, while “Larva-24009” reportedly conducted link-based attacks targeting South Korean users.
In addition, other North Korean APT groups such as Andariel, Konni, and TA-RedAnt have continued to attack various industries in South Korea.
The AhnLab report stated, “If the advanced infiltration techniques of hacking groups are combined with ransomware-as-a-service (RaaS) mechanisms, both the success rate of attacks and the scale of damage could increase further.” “As North Korean APT groups continue to develop malware specialized in cryptocurrency theft, South Korea, with its high level of digital dependency, is highly likely to remain a primary target for concentrated attacks,” the report added.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.