North Korean Lazarus Group Hacked Energy Providers Worldwide
A malicious campaign conducted by the North Korean threat actor Lazarus Group targeted energy providers around the world between February and July 2022.
The campaign was previously partially disclosed by Symantec and AhnLab in April and May, respectively, but Cisco Talos is now providing more details about it.
Writing in an advisory on Thursday, the security researchers said the Lazarus campaign involved the exploitation of vulnerabilities in VMware Horizon to gain initial access to targeted organizations.
“The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers,” the team wrote.
“In most instances, the attackers instrumented the reverse shell to create their own user accounts on the endpoints they had initial access to.”
In terms of the tools used in these attacks, Cisco Talos said they discovered the use of two known malware families, VSingle and YamaBot, alongside the deployment of a recently disclosed implant they called ‘MagicRAT.’
“Once the backdoors and implants were persisted and activated on the endpoint, the reverse shell used to perform cleanup […], this included deleting all files in the infection folder along with the termination of the PowerShell tasks,” explained Cisco Talos.
“The attacker-created accounts were removed and finally, the Windows Event logs […] would be purged.”
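The clean-up sequence Talos describes (an operator-created local account that is later removed, followed by purging of the Windows Event logs) leaves a recognisable trail in the Security log as long as the records were forwarded off the host before the purge. The script below is an added example, not code from Cisco Talos or from the article; it runs over a small set of constructed Security-log records and flags the chain "account created, same account deleted, audit log cleared" on one host within a time window. It relies on the standard Windows Security event IDs 4720 (user account created), 4726 (user account deleted) and 1102 (audit log cleared), and assumes those events are being audited and collected centrally; the host and account names are invented.

```python
"""Flag the anti-forensic clean-up chain described in the Talos write-up:
a user account created, then deleted, then the audit log cleared, all on
one host inside a time window. Added example with constructed records."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard Windows Security log event IDs (assumes audit policy enabled).
USER_CREATED = 4720        # "A user account was created"
USER_DELETED = 4726        # "A user account was deleted"
AUDIT_LOG_CLEARED = 1102   # "The audit log was cleared"


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    host: str
    subject: str        # account that performed the action
    target: str = ""    # account acted upon (4720/4726); empty otherwise


def _t(stamp):
    return datetime.fromisoformat(stamp)


# Constructed sample records, not real telemetry. hz-web-01 shows the
# clean-up chain; fs-02 is a normal helpdesk account creation; dc-01 is a
# log clear with no preceding account churn.
SAMPLE_EVENTS = [
    Event(_t("2022-05-03T09:02:11"), USER_CREATED, "hz-web-01", "SYSTEM", "svcmgmt"),
    Event(_t("2022-05-03T09:05:40"), USER_CREATED, "fs-02", "helpdesk", "jsmith"),
    Event(_t("2022-05-03T11:48:02"), USER_DELETED, "hz-web-01", "SYSTEM", "svcmgmt"),
    Event(_t("2022-05-03T11:48:09"), AUDIT_LOG_CLEARED, "hz-web-01", "SYSTEM"),
    Event(_t("2022-05-04T02:00:00"), AUDIT_LOG_CLEARED, "dc-01", "backupadm"),
]


def find_cleanup_chains(events, window=timedelta(hours=48)):
    """Return one finding per (host, account) where the account was created,
    deleted within `window`, and the audit log was cleared after the deletion
    but still inside `window` measured from the creation."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev.host].append(ev)

    findings = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, created in enumerate(evs):
            if created.event_id != USER_CREATED:
                continue
            deadline = created.ts + window
            # First deletion of the same account after its creation.
            deleted = next(
                (e for e in evs[i + 1:]
                 if e.event_id == USER_DELETED
                 and e.target == created.target
                 and e.ts <= deadline),
                None,
            )
            if deleted is None:
                continue
            # Log clear that follows the deletion, still inside the window.
            cleared = next(
                (e for e in evs
                 if e.event_id == AUDIT_LOG_CLEARED
                 and deleted.ts <= e.ts <= deadline),
                None,
            )
            if cleared is None:
                continue
            findings.append({
                "host": host,
                "account": created.target,
                "created": created.ts,
                "deleted": deleted.ts,
                "log_cleared": cleared.ts,
                "cleared_by": cleared.subject,
            })
    return findings


if __name__ == "__main__":
    for f in find_cleanup_chains(SAMPLE_EVENTS):
        print(f"{f['host']}: account {f['account']} created {f['created']}, "
              f"deleted {f['deleted']}, audit log cleared {f['log_cleared']} "
              f"by {f['cleared_by']}")
```

The window is deliberately generous: the write-up describes clean-up happening once the implants were already persisted, which may be hours after the account was created. The check only works on a copy of the log held off the endpoint (a SIEM or event-forwarding collector), since the 1102 record itself is the last thing left on the host after the purge.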
According to Cisco Talos, organizations targeted in the recent Lazarus attacks included energy providers from different countries, including the US, Canada and Japan.
“The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary’s nation-state,” reads the technical write-up.
The new Cisco Talos advisory is only the latest in a long list describing the Lazarus Group’s hacking operations over the summer.
In June, blockchain analytics company Elliptic suggested the threat actor may be behind the $100m theft from cryptocurrency firm Harmony. More recently, The Block connected the group to Axie Infinity’s $600m hack.