LAZARUS CAMPAIGNS AND BACKDOORS IN 2022-23

2023-10-04 ESET

https://www.virusbulletin.com/conference/vb2023/abstracts/lazarus-campaigns-and-backdoors-2022-2023/

Attachments

Lazarus-campaigns-and-backdoors-in-2022-2023.pdf (4 MB)


ESET's Virus Bulletin paper details Lazarus campaigns and backdoors observed in 2022 and 2023, attributing the activity to a North Korea-aligned threat actor on the basis of toolset similarities, shared infrastructure, telemetry, and related clustering. The excerpt describes decoy programming challenges used against a Spanish aerospace company; Coinbase-themed lures carrying Windows and macOS payloads that targeted individuals in South America; fake Signature Bank and MUFG job offers aimed at banking entities in the United States and Tanzania; an OpenSSL-based backdoor found at a South Korean agriculture-related entity; and a Linux lure linked to the 3CX supply-chain case. Lazarus operators are described as relying mostly on social engineering, delivering bogus job offers, cryptocurrency news, or investment themes as malicious documents, ZIP files, ISO images, and VHDs, although exploitation of an unknown vulnerability is also noted. The malware chain commonly uses droppers, loaders, and downloaders to establish a foothold before deploying full-featured RATs and more complex downloaders that speak encrypted HTTP(S) client-server protocols with multi-step network authentication. The activity matters because the campaigns span Windows, Linux, and macOS and align with espionage, sabotage, financial theft, and cryptocurrency-focused objectives.

Indicators of Compromise

Type    Value                       First Seen   Last Seen
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
EMAIL   [email protected]           2023-10-04   2023-10-04
DOMAIN  designlabshop.com           2023-10-04   2023-10-04
DOMAIN  freewaremail.com            2023-10-04   2023-10-04
DOMAIN  topnewsagent.com            2023-10-04   2023-10-04
DOMAIN  webhosttech.org             2023-10-04   2023-10-04
DOMAIN  cloudfly.org                2023-10-04   2023-10-04
DOMAIN  timecashlive.com            2023-10-04   2023-10-04
DOMAIN  designautocad.org           2023-10-04   2023-10-04
DOMAIN  dailynewsagent.com          2023-10-04   2023-10-04
DOMAIN  shopwebstudio.com           2023-10-04   2023-10-04
DOMAIN  cryptyk.ddns.net            2023-10-04   2023-10-04
DOMAIN  shopapppro.com              2023-10-04   2023-10-04
DOMAIN  techdesignshop.com          2023-10-04   2023-10-04
DOMAIN  docs.azurehosting.co        2023-02-16   2023-10-04
IPv4    1.0.0.17                    2022-10-24   2023-10-04
DOMAIN  concrecapital.com           2022-09-26   2023-10-04
DOMAIN  dps.shconstmarket.com       2022-08-17   2023-10-04
DOMAIN  markettrendingcenter.com    2022-01-27   2023-10-04
DOMAIN  lm-career.com               2022-01-27   2023-10-04
