North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

Oscar Minks
January 28, 2022

Share This Post

The APT known as Lazarus conducted spear phishing attacks with weaponized documents masquerading as Lockheed Martin. These weaponized documents perform a series of injections to achieve startup persistence on the victims system. As part of this killchain the Windows Update service is abused for payload execution and Github is utilzed as a C2 to deliver remote commands.

Malwarebytes researches have shared a full synopsis here:

https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

MITRE ATT&CK Lazarus profile:

https://attack.mitre.org/groups/G0032/

Reach out to our incident response team for help

More To Explore

Bleeding Edge or Just Bleeding? CitrixBleed is Back

Citrix is back with vulnerability news no one wanted. CitrixBleed2 is affecting Citrix NetScaler ADC and Gateway devices between versions 14.1 and 47.46. Exploitation of

Brad Nigh July 7, 2025

Information Security News – 7/7/2025

The Top Red Teamer in the US Is an AI Bot Article Link: https://www.csoonline.com/article/4012801/the-top-red-teamer-in-the-us-is-an-ai-bot.html FDA Expands Premarket Medical Device Cyber Guidance Article Link: https://www.govinfosecurity.com/fda-expands-premarket-medical-device-cyber-guidance-a-28850 Malicious

Marcus Cylar July 7, 2025

North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

Share This Post

More To Explore

Bleeding Edge or Just Bleeding? CitrixBleed is Back

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.

Follow Us:

Privacy Policy

© 2025 FRSecure LLC