Lazarus APT Resurfaces to Exploit Windows Update and GitHub

One month into 2022, there is no foreseeable slump in attacks; on the contrary, the cybersecurity field is bustling. The landscape is familiar: lurking hackers and security practitioners working doggedly to ensure no rest for the former.

Late January, a new attack campaign, launched by a North Korea-linked APT, was discovered by the Malwarebytes Threat Intelligence team. This time, the state-sponsored actor utilizes Windows Update service to distribute malware and leverages GitHub as a command-and-control server.


The Lazarus Group is a notorious hacking organization sponsored by the North Korean government. This gang has been on the radar since at least 2009 and is suspected of being behind a number of high-profile campaigns, including cyberwarfare, cyberespionage, and ransomware attacks.

North Korea’s cyber program poses a persistent espionage, theft, and attack threat, by providing substantial support to numerous malicious cyber clusters. To remove any misnamings in the vast field of criminal cyber activities sponsored by the North Korean government, it is in place to indicate that Lazarus Group is known under many monikers, some of which, like Andariel, Kimsuky, APT37, APT38, relate to subgroups, and an umbrella name HIDDEN COBRA used to refer to malicious cyber activity run by North Korean state in general.

The gang’s most used methods are malware dissemination, zero-days, spear phishing, disinformation, and backdoors.

The Latest Attack Kill Chain

The most recent Lazarus attack instances were reported on January 18, 2022. Yet there is data that suggest the campaign was in operation since late 2021. This time, Lazarus Group aims at exploiting Windows Update and Github to bypass detections.To Infect PCs with malware, the attack begins with implementing malicious macros implanted in the Word document. More precisely, current data suggest threat actors’ use of two macro-embedded documents, enticing users with new job opportunities at Lockheed Martin global corporation:



When the victim opens a weaponized file, the malware executes a series of injections in order to gain startup persistence on the target device: an embedded macro drops a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in Windows/System32 folder.

Malicious DDL is then run using Windows Update Client to avoid detection. Another technique aimed at remaining under the security radar is the adoption of GitHub for C2 communication.

Detecting the Latest Lazarus Attack

To identify possible attacks and remediate the novel Lazarus spear phishing compromise, opt for downloading a batch of free Sigma rules. The content was released by our keen Threat Bounty developers Nattatorn Chuensangarun and Onur Atali.

Lazarus APT Execute the Malicious Macros via process creation

North Korea’s Lazarus APT GitHub Campaign via file event

Lazarus APT leverages Windows Update Client, GitHub via file event

The complete list of detections related to the Lazarus APT in the Threat Detection Marketplace repository of the SOC Prime platform is available here.

Sign up for free at SOC Prime’s Detection as Code platform to detect the latest threats within your security environment, improve log source and MITRE ATT&CK coverage, and overall boost the organization’s cyber defense capabilities. Eager to craft your own Sigma rules? Join our Threat Bounty program and get rewarded for your valuable contribution.

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts