IoC Update of Lazarus Group’s Recent Attack Campaign Targeting South Korea
2025.10.28

✅ Report Title: IoC Update of Lazarus Group’s Recent Attack Campaign Targeting South Korea



✅ Executive Summary:


- S2W Threat Intelligence Center (TALON) has recently analyzed malware samples distributed by the North Korea-linked APT group Lazarus, which targeted entities in South Korea.


- The acquired samples were identified as three types of Loader malware and one FastCopy tool.


- The Loader malware executed, in memory, a privilege escalation tool and a payload capable of capturing screenshots and writing logs.



📌 How Does the Malware Operate?


- The Loader-type malware carries its payload in encrypted or encoded form, recovers it with AES or XOR operations, and loads it into memory.



📌 Correlation With Previous Cases


- The AES and XOR key values used for decryption are delivered through execution arguments, and it was confirmed that the XOR key used by the Lazarus group in the 2023 LazarLoader campaign was reused in this attack.


- In addition, the FastCopy tool used for file and directory duplication was identified as the same version (v.3.6.1) that has been used by the Lazarus group since at least 2022.



📌 Malware Functionalities


- Loader (1): A VMProtect-packed DLL-type Loader malware known as LazarLoader. It uses execution arguments as keys to recover embedded payloads through XOR SUB operations and loads them into memory for execution.
  - 8d2efe5dba73e84f308fb0b954dbec12 (sub.tmp)


- Loader (2): A DLL-type Loader malware that performs byte-level XOR operations on the execution argument and executable filename with a hardcoded seed string to construct the final key. It then generates an AES key schedule, decrypts the payload, and executes it in memory.
  - d9b7a2bdda52e08fb1cbd018aafb9f1a (mscoree.dll)
  - ffc693542abc34331e967da85fc2221e (mscoree_1.dll)


- Loader (3): Recovers the payload by XOR operations with a hardcoded key string embedded in the binary and executes it in memory.
  - bdadbf4af5b65131b081323417c36c82 (netuser.ini)


- FastCopy (v.3.6.1): A legitimate file-copying and backup utility identified as being used by the Lazarus group.
  - 66165f3705d558235cd1dbe5f41c2866 (sub.obj)


- Privilege Escalation Malware: A privilege escalation tool referencing publicly available UACMe source code.
  - c58cd3b53f535f0388deefe77b918d8b


- Screenshot Malware: Detects user input (keyboard/mouse) activity to trigger operations, captures the screen, and records the output to log files.
  - 7f5e0edaf3fbf38a5635d4cd0b84b57a
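The following Go model illustrates the Loader (2) key handling described above, from an analyst's side: derive the key by XORing the execution argument and executable filename with a seed string, then AES-decrypt the embedded blob statically, without running the loader. It is an added example, not code from the report or from the samples; how the three inputs are cycled, the 16-byte AES-128 key, CBC mode with a prepended IV, and all names and values are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// DeriveKey models the Loader (2) key construction: argument and filename are
// XORed byte-by-byte with a hardcoded seed. The cycling of the three inputs and
// the key length are assumptions, not details taken from the report.
func DeriveKey(arg, filename, seed string, keyLen int) []byte {
	if arg == "" || filename == "" || seed == "" {
		return nil
	}
	key := make([]byte, keyLen)
	for i := range key {
		key[i] = arg[i%len(arg)] ^ filename[i%len(filename)] ^ seed[i%len(seed)]
	}
	return key
}

// DecryptPayload assumes AES-CBC with the IV stored in the first block of the
// blob (assumed layout). A missing PE "MZ" magic in the output is a quick sign
// that the argument, filename or seed used for derivation was wrong.
func DecryptPayload(blob, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("blob length %d is not a whole number of blocks", len(blob))
	}
	iv, body := blob[:aes.BlockSize], blob[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	if !bytes.HasPrefix(out, []byte("MZ")) {
		return nil, fmt.Errorf("decrypted data lacks MZ header; wrong key inputs?")
	}
	return out, nil
}

// BuildSample constructs a stand-in blob (constructed here, not a real sample):
// a fake 32-byte "PE" encrypted under the derived key, IV prepended.
func BuildSample(key []byte) []byte {
	plain := make([]byte, 32)
	copy(plain, "MZ constructed payload stand-in")
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)
	block, _ := aes.NewCipher(key)
	enc := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(enc, plain)
	return append(iv, enc...)
}

func main() {
	key := DeriveKey("runtime-arg", "mscoree.dll", "seed-string", 16)
	payload, err := DecryptPayload(BuildSample(key), key)
	fmt.Printf("key=%x payload=%q err=%v\n", key, payload, err)
}
```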



✅ Recommended Threat Detection and Mitigation Actions:


- The initial infection vector of the malware has not been clearly identified at this time. However, based on recent reports of Lazarus conducting initial intrusions through watering hole attacks or known vulnerabilities, such infection routes are considered plausible.


- The Lazarus group continues to reuse previously employed malware to distribute additional malicious payloads.


- It is recommended to review compromise indicators, update detection rules, and monitor systems accordingly.




🧑‍💻 Author: S2W TALON


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request or with a subscription to the S2W platform. 

