Lazarus Group's Operation Dream Magic

2023-10-13 Ahnlab Lazarus Group Operation Dream Magic

https://asec.ahnlab.com/ko/57666/

Attachments

20231013_Lazarus_OP.Dream_Magic.pdf (2 MB)

AhnLab attributes Operation Dream Magic to Lazarus activity that abused a MagicLine software vulnerability in a watering hole campaign. The group reused a pattern seen in earlier INISAFE exploitation: malicious links placed in selected news articles, vulnerable Korean websites repurposed as C2 infrastructure, and IP filtering to limit who received the payload. AhnLab says its teams coordinated detection logic, customer log and sample collection, and analysis with national agencies, then named the operation after MagicLine and the vendor. The source frames the report around malware analysis, detection status, victim log review, and the evidence behind the Lazarus attribution.
