North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

Share This Post

The APT known as Lazarus conducted spear phishing attacks with weaponized documents masquerading as Lockheed Martin. These weaponized documents perform a series of injections to achieve startup persistence on the victims system. As part of this killchain the Windows Update service is abused for payload execution and Github is utilzed as a C2 to deliver remote commands.

Malwarebytes researches have shared a full synopsis here:

https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

MITRE ATT&CK Lazarus profile:

https://attack.mitre.org/groups/G0032/



Reach out to our incident response team for help

More To Explore

Information Security News – 6/30/2025

Ransomware Disruptions Contributed to a Patient Death, NHS Finds Article Link: https://www.techradar.com/pro/security/ransomware-disruptions-contributed-to-a-patient-death-nhs-finds Scans Probing for MOVEit Systems May Be Precursor to Attacks Article Link: https://www.databreachtoday.com/scans-probing-for-moveit-systems-may-be-precursor-to-attacks-a-28832

Information Security News – 6/23/2025

Law Enforcement Takedowns Disrupt Cybercrimes Across the Globe Article Link: https://cyberscoop.com/cybercrime-crackdown-operation-endgame-operation-secure/   Microsoft 365 to Block File Access Via Legacy Auth by Default Article link:

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.