North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign
2022-01-27 • Malwarebytes
Malwarebytes analyzed a Lazarus job-themed spear-phishing campaign that used Lockheed Martin decoy documents, observed in late 2021 and early 2022. The document macro used KernelCallbackTable control-flow hijacking to execute shellcode, which decrypted and manually mapped DLL stages before injecting into explorer.exe and other processes. Later stages abused the Windows Update client by dropping a malicious DLL under a deceptive wuaueng.dll path, and used GitHub as command-and-control infrastructure, a tactic Malwarebytes noted as unusual for Lazarus and difficult for defenders to distinguish from legitimate traffic. The report attributes the activity to North Korea's Lazarus APT and emphasizes the group's continued use of defense-sector recruitment lures and stealthy living-off-the-land execution.
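The wuaueng.dll abuse described above leaves a simple telemetry signal: the Windows Update engine DLL being mapped from somewhere other than the system directories. The following is an added detection example, not code from the Malwarebytes report; it assumes Sysmon-style image-load records (Image, ImageLoaded) and a default C:\Windows system root, and runs on constructed sample events.

```python
"""Flag Windows Update client DLL loads from outside the system directories.
Added example; input is constructed, Sysmon-style image-load (Event ID 7) records."""
from pathlib import PureWindowsPath

# Directories where wuaueng.dll legitimately lives. Assumption: a default
# %SystemRoot% of C:\Windows; adjust if hosts use a different root.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}
WATCHED_DLL = "wuaueng.dll"
WU_CLIENT = "wuauclt.exe"


def is_suspicious_load(event: dict) -> bool:
    """True when wuaueng.dll, or any DLL loaded by wuauclt.exe, is mapped
    from a directory other than System32/SysWOW64."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    loader = PureWindowsPath(event["Image"])
    in_trusted = str(loaded.parent).lower() in TRUSTED_DIRS
    names_dll = loaded.name.lower() == WATCHED_DLL
    by_wu_client = loader.name.lower() == WU_CLIENT
    return (names_dll or by_wu_client) and not in_trusted


def find_suspicious(events):
    """Return the subset of image-load events that trip the rule."""
    return [e for e in events if is_suspicious_load(e)]


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wuaueng.dll"},        # benign
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\wuaueng.dll"},   # suspicious
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ImageLoaded": r"C:\Windows\System32\wuapi.dll"},           # benign
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},         # benign
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("SUSPICIOUS:", hit["Image"], "->", hit["ImageLoaded"])
```

Extend TRUSTED_DIRS with any non-default system roots in your fleet before deploying the rule, or the check will fire on every legitimate load.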
Indicators of Compromise