Kimsuky and Lazarus Join Forces in Coordinated Attacks

North Korean hacking groups Kimsuky and Lazarus have combined efforts in a coordinated attack campaign targeting critical sectors worldwide. This collaboration signifies a major shift in state-sponsored threat operations, evolving from isolated attacks to integrated campaigns focused on stealing sensitive intelligence and cryptocurrencies.

The campaign begins with Kimsuky conducting reconnaissance. The group crafts phishing emails disguised as academic conference invitations or research collaboration requests. These messages deliver malicious attachments in HWP or MSC formats. When recipients open these attachments, the FPSpy backdoor deploys. Once installed, FPSpy activates KLogEXE, a keylogger that captures passwords, email content, and system information. This initial phase maps the target’s network architecture and identifies valuable assets.
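The delivery stage above hinges on the attachment formats (HWP, MSC) and the conference or collaboration lure. The following is an added example of a mail-gateway triage check, written for this page and not taken from the article or the researchers it cites; it uses Python's standard `email` module, and the message it builds is constructed for the demonstration (the addresses, subject and attachment contents are invented).

```python
"""Mail-gateway triage for the attachment formats described in the article.

Added illustration, not the article's or any vendor's tooling. Flags messages
carrying HWP or MSC attachments so they can be quarantined or detonated before
delivery. The sample EML is constructed here for the demo.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the article names as the delivery vehicle.
SUSPECT_EXTENSIONS = {".hwp", ".msc"}
# Lure themes the article describes; used only to enrich the alert.
LURE_KEYWORDS = ("conference", "collaboration", "research", "invitation")


def build_sample_eml():
    """Construct a sample message (not a real phishing email) for the demo."""
    msg = EmailMessage()
    msg["From"] = "organizer@conference.example"      # constructed
    msg["To"] = "researcher@target.example"           # constructed
    msg["Subject"] = "Invitation: International Security Conference 2024"
    msg.set_content("Please find the attached invitation and agenda.")
    msg.add_attachment(b"HWP Document File", maintype="application",
                       subtype="octet-stream", filename="Invitation.HWP")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_string()


def attachment_names(raw_eml):
    """Parse an RFC 5322 message and return (attachment filenames, subject)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names, str(msg["Subject"] or "")


def suspect_attachments(names):
    """Return attachment names whose final extension is in SUSPECT_EXTENSIONS.

    Comparison is case-insensitive and looks only at the last extension, so
    'report.pdf.hwp' is caught while 'notes.hwp.txt' is not.
    """
    hits = []
    for name in names:
        base = name.strip().lower()
        ext = base[base.rfind("."):] if "." in base else ""
        if ext in SUSPECT_EXTENSIONS:
            hits.append(name)
    return hits


def triage(raw_eml):
    """Return (verdict, details) for one message: 'deliver' or 'quarantine'."""
    names, subject = attachment_names(raw_eml)
    hits = suspect_attachments(names)
    if not hits:
        return "deliver", {}
    lure = [k for k in LURE_KEYWORDS if k in subject.lower()]
    return "quarantine", {"attachments": hits, "lure_themes": lure}


if __name__ == "__main__":
    verdict, details = triage(build_sample_eml())
    print(verdict, details)
```

Extension matching alone is a coarse filter; in production the quarantined file would go on to content inspection or sandbox detonation, and the lure keywords serve only to give the analyst context, not to decide the verdict.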

Kimsuky then hands control to the Lazarus group. Lazarus exploits zero-day vulnerabilities to gain deeper access into the compromised systems. The group weaponizes CVE-2024-38193, a Windows privilege escalation flaw, to deploy malicious Node.js packages that appear legitimate. When executed, these packages give the attackers SYSTEM-level privileges. Lazarus then installs the InvisibleFerret backdoor, which uses the FudModule malware component to bypass endpoint detection tools. CN-SEC security researchers noted Lazarus's use of these sophisticated tactics.

Technical Breakdown of the InvisibleFerret Backdoor

The InvisibleFerret backdoor exhibits advanced evasion capabilities. It disguises its network traffic as normal HTTPS web requests, making detection via traffic analysis challenging for security teams. The malware specifically targets blockchain wallets, scanning system memory for private keys and transaction data stored in browser extensions and desktop applications. Attackers, in one documented instance, transferred $32 million in cryptocurrency within 48 hours without triggering security alerts.

The backdoor communicates with command and control (C2) servers through encrypted channels. These channels rotate daily, employing a domain polling strategy. Each C2 domain is disguised as a legitimate e-commerce or news website to evade suspicion.
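The two traffic traits described above, C2 that blends in with ordinary HTTPS and a domain that changes every day, are exactly what makes a single-connection signature useless and a behavioural hunt worthwhile. The following is an added example, not code from the article or the researchers it cites, that hunts proxy logs for a host which beacons at a regular interval to a domain that is seen on one day only, and does so on several consecutive days. It assumes a simplified whitespace-separated log of `timestamp src_ip dst_host bytes_out`; the sample lines and the lookalike domains are constructed for the demonstration.

```python
"""Hunt for daily-rotating beacon domains in outbound proxy logs.

Added illustration for this article, not the article's own code. Assumes a
simple log format "ISO-timestamp src_ip dst_host bytes_out"; real proxy
formats differ and would need their own parser.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). 10.0.0.5 beacons every 10 minutes
# to a different shop/news lookalike domain each day; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2024-09-01T09:00:00 10.0.0.5 shop-bargains-daily.example 512
2024-09-01T09:10:00 10.0.0.5 shop-bargains-daily.example 498
2024-09-01T09:20:00 10.0.0.5 shop-bargains-daily.example 505
2024-09-01T09:30:00 10.0.0.5 shop-bargains-daily.example 511
2024-09-01T11:12:00 10.0.0.5 www.example.org 20480
2024-09-02T09:00:00 10.0.0.5 worldnews-update.example 507
2024-09-02T09:10:00 10.0.0.5 worldnews-update.example 503
2024-09-02T09:20:00 10.0.0.5 worldnews-update.example 509
2024-09-02T14:45:00 10.0.0.5 www.example.org 8192
2024-09-03T09:00:00 10.0.0.5 outlet-deals-now.example 500
2024-09-03T09:10:00 10.0.0.5 outlet-deals-now.example 504
2024-09-03T09:20:00 10.0.0.5 outlet-deals-now.example 499
2024-09-01T08:00:00 10.0.0.7 www.example.org 30000
2024-09-01T13:37:00 10.0.0.7 www.example.org 1200
2024-09-02T08:05:00 10.0.0.7 www.example.org 2500
2024-09-02T17:20:00 10.0.0.7 news.example.net 4100
2024-09-03T08:01:00 10.0.0.7 www.example.org 2700
"""


def parse_log(text):
    """Return a list of (datetime, src, dst) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2]))
    return records


def interval_regularity(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for the timestamps.

    Near-constant spacing (low coefficient of variation) is the signature of an
    automated beacon rather than a person browsing. Needs at least three hits.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    m = mean(gaps)
    if m == 0:
        return 0.0, None
    return m, pstdev(gaps) / m


def find_rotating_beacons(records, min_hits=3, max_cv=0.2, min_days=2):
    """Flag sources that beacon to a different single-day domain on >= min_days days.

    Returns {src: [(day, domain, mean_interval_s), ...]} ordered by day.
    """
    per_pair = defaultdict(list)
    for ts, src, dst in records:
        per_pair[(src, dst)].append(ts)

    per_src = defaultdict(list)
    for (src, dst), times in per_pair.items():
        days = {t.date() for t in times}
        # A rotating C2 domain is used on one day only; long-lived sites are skipped.
        if len(days) != 1 or len(times) < min_hits:
            continue
        interval, cv = interval_regularity(times)
        if cv is None or cv > max_cv:
            continue
        per_src[src].append((days.pop().isoformat(), dst, interval))

    flagged = {}
    for src, hits in per_src.items():
        if len({day for day, _, _ in hits}) >= min_days:
            flagged[src] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for src, chain in find_rotating_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: rotating beacon on {len(chain)} days")
        for day, domain, interval in chain:
            print(f"  {day}  {domain}  every {interval:.0f}s")
```

Because the check keys on timing and on per-domain lifetime rather than on any domain name, it is unaffected by the C2 domain looking like a shop or news site. The thresholds are starting points: `max_cv` should be loosened for implants that add jitter, and `min_hits` tightened on busy networks to keep the alert volume manageable.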

After completing their objectives, both Kimsuky and Lazarus coordinate to erase all traces of their activity. They overwrite malicious files with legitimate system processes and thoroughly clear their digital footprints through shared infrastructure. Organizations across the defense, finance, energy, and blockchain sectors face the highest risk from this coordinated threat.