North Korean state-sponsored hacking group Lazarus has launched sophisticated cyber attacks against employees of a nuclear organization, according to cybersecurity researchers at Kaspersky.
The attacks, discovered earlier this year, showcase an evolution in the group's tactics, particularly in their approach to targeting workers in sensitive industries through deceptive job opportunities.
While the specific nuclear organization and its location remain undisclosed, investigators found that hackers deployed an intricate infection chain involving multiple malware types, including downloaders, loaders, and backdoors.
The initial compromise occurred when targets received a trojanized virtual network computing (VNC) utility disguised as a skills assessment test. Once installed, the malware called "CookieTime" served as a gateway to download additional malicious code, including a newly identified modular malware dubbed "CookiePlus."
Security experts warn that CookiePlus poses unique challenges for defenders due to its ability to function as a downloader while masking whether it's deploying minor plugins or major payloads. The malware appears to be in active development, suggesting potential expansion of its capabilities.
In a parallel development, South Korean cybersecurity firm ASEC reported that another North Korean hacking group, Andariel, is actively exploiting domestic asset management software and document centralization solutions using SmallTiger malware.
These developments highlight the persistent threat posed by North Korean cyber operations, which typically pursue financial gain while showing increasingly sophisticated technical capabilities aimed at critical infrastructure sectors.