Lazarus Group’s Undercover Operations: Large-Scale Infection Campaigns 2022-2023
2023-08-28 • KRCERT
The HITB/KrCERT slide deck describes Lazarus Group’s large-scale infection operations in 2022-2023, which abused Korean financial-security software and compromised media infrastructure for drive-by compromise and malware propagation. The excerpt links initial access to file-download functionality and malware distribution servers, to a stack-buffer overflow in a Windows EventLog application, and to persistence through LSA SecurityPackages and service execution. The malware cases covered include ScskAppLink.dll, lrmons.dll, *proc.sys, and the mi.dll/wsmprovhost.exe loaders, which rely on registry-stored data, RC5 or AES decryption, in-memory injection, and C2 paths hosted on Korean web services. The presentation ties these techniques to the BookCodes, GoldGoblin, and DreamJob/DeathNote campaigns and to targets in the cryptocurrency, defense, press, marine, hosting, and financial-software development sectors.