Analysis of the latest zero-day vulnerabilities and related malware of North Korea's Lazarus Group used in attacks on domestic and foreign researchers
2021-03-11 • S2W • Analysis of the latest zero-day vulnerabilities and related malware of the North Korean Lazarus Group used in attacks on domestic and foreign researchers
Attachments
K-8.pdf (3 MB)
ENKI and S2W describe Lazarus operations against domestic and foreign security researchers that combined social-media contact with zero-day browser exploit delivery. The actors posed as vulnerability researchers on Twitter, LinkedIn, Telegram, Discord, and related channels, then sent tailored Visual Studio projects, MHT technical documents, or links to attacker-controlled exploit blogs. The report highlights the use of IE and Chrome zero-days, the ThreatNeedle malware, registry-based encrypted configuration, and the targeting of offensive security researchers and Korean security firms before the public Google and Microsoft disclosures.