TTPs #10: Operation GoldGoblin - Analysis of attack strategies that selectively infiltrate using zero-day vulnerabilities
2023-06-28 • KRCERT • TTPs #10: Operation GoldGoblin - Analysis of attack strategies that selectively infiltrate using zero-day vulnerabilities
https://thorcert.notion.site/TTPs-10-Operation-GoldGoblin-bab695345e984edbb8fe5e16e36face6?pvs=4
The Operation GoldGoblin analysis describes a Lazarus campaign that abused security software and media websites for initial access into South Korean targets. Attackers inserted malicious scripts into news-article pages to create watering-hole sites and used vulnerabilities in security software to install malware on visitors' systems. The report says Lazarus stole source code from a security-solution developer to build exploit code and also abused domestic infrastructure, including media sites, groupware, and hosting providers, to expand command-and-control operations.