Lazarus targeted at least six South Korean organizations in software, IT, finance, semiconductor manufacturing, and telecommunications through Operation SyncHole, combining watering-hole delivery with exploitation of South Korea-specific security software. The initial chain involved visits to South Korean online media sites, redirection to attacker-controlled infrastructure, suspected Cross EX exploitation, execution of legitimate SyncHost.exe, and injection of a ThreatNeedle variant. The campaign also used an Innorix Agent vulnerability for lateral movement and introduced updated Lazarus tooling including ThreatNeedle, wAgent, SIGNBT, COPPERHEDGE, and Agamemnon downloader variants. The activity matters because it shows Lazarus adapting its toolset and exploiting locally deployed Korean software to reach high-value South Korean sectors.