Lazarus Group’s Large-scale Threats via Watering Hole and Financial Software

2024-01-25 KRCERT

https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf

Attachments

JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf (3 MB)


KISA and JPCERT/CC JSAC slides describe Lazarus operations against South Korea in 2023 that combined watering-hole activity with attacks involving financial security software. The excerpt links the activity to zero-day exploit code, targeted initial access, fake-license installation, spear-phishing and article-viewing lures, and web-based command and control. It also names service-based malware execution and persistence artifacts under C:\Windows\System32, with representative files including asap.dll, cgproc.sys, thproc.sys, WndmPmSps.dll, gmasvc.dll, srcsvc.dat, and Ntmssvc.dll.
