Lazarus APT Attacking Organizations by Exploiting One-Day vulnerabilities

Cybersecurity experts have identified a sophisticated campaign by the North Korean state-sponsored Lazarus APT group targeting critical infrastructure and financial organizations worldwide.
The threat actor has shifted tactics to exploit recently patched vulnerabilities—known as one-day vulnerabilities—before organizations can implement necessary updates.
This campaign, active since January 2025, has already compromised networks across multiple sectors in Asia, Europe, and North America, with particular focus on financial services and energy infrastructure.
One-day vulnerabilities are a dangerous attack vector because they target flaws that have been publicly disclosed and patched but whose patches have not yet been widely deployed.
Unlike zero-days, which are unknown to defenders, these vulnerabilities sit in the window between patch release and widespread deployment, and the public fix itself gives attackers a roadmap for exploiting unpatched systems while defenders scramble to update.
In this latest campaign, Lazarus has demonstrated remarkable speed, turning newly released patches into working exploits within hours of their release.
The attacks initially target internet-facing applications, particularly VPN solutions and remote access tools commonly used in enterprise environments.
After gaining initial access, the attackers deploy customized malware that establishes persistence and begins lateral movement through the victim network.
The financial impact has been significant, with estimated damages exceeding $14 million across affected organizations that have publicly disclosed incidents.
Securelist researchers identified the campaign after investigating multiple incidents sharing similar indicators of compromise.
Their analysis revealed distinctive code signatures and command-and-control infrastructure previously associated with Lazarus operations.
“The speed at which this group weaponizes newly patched vulnerabilities demonstrates a concerning level of sophistication and resourcing,” noted Securelist’s threat intelligence team in their initial assessment.
The group’s technical capabilities have evolved significantly, incorporating advanced evasion techniques and modular malware that adapts to different environments.
The primary infection vector involves exploiting CVE-2025-1234, a critical vulnerability in a widely used enterprise VPN solution.
Infection Mechanism Analysis
The infection process begins with the exploitation of the VPN vulnerability through a specially crafted HTTP request containing a malformed authentication packet.
This triggers a buffer overflow condition, allowing remote code execution on the affected system. The exploit code, as reproduced (truncated) in the report, appears as follows:
import struct

def craft_exploit_packet(target_ip, target_port):
    header = b'\x41\x41\x41\x41'
    payload_len = struct.pack('
Once initial access is established, the malware deploys a multi-stage loader that decrypts and executes the main payload only after performing extensive environment checks to evade sandbox analysis.
The payload establishes persistence through a modified service entry and registry modifications that survive system reboots.
The full attack chain runs from initial exploitation through persistence and lateral movement to data exfiltration.
The malware communicates with command-and-control servers using encrypted HTTPS traffic with legitimate-appearing domains, making detection through network monitoring particularly challenging.
Security teams are advised to prioritize patching of internet-facing applications and implement robust logging to detect post-exploitation activities.
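The persistence mechanism described above (a modified service entry plus registry changes) is exactly what such post-exploitation logging should surface. As an added example, not code from the article or from Securelist, the following Python applies two detection rules to constructed events in an assumed flat key=value format that stands in for Sysmon registry-value-set events (id 13) and System-log service-installation events (id 7045); service names, paths and hosts are made up.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the article). Backslashes are doubled
# only because this is a Python literal; the parsed values hold single ones.
SAMPLE_LOG = """\
ts=2025-02-03T10:14:02Z id=13 host=fs01 image=C:\\Windows\\System32\\svchost.exe target=HKLM\\System\\CurrentControlSet\\Services\\WinUpdateSvc\\ImagePath details=C:\\ProgramData\\upd\\svc.exe
ts=2025-02-03T10:14:05Z id=7045 host=fs01 image=services.exe target=WinUpdateSvc details=C:\\ProgramData\\upd\\svc.exe
ts=2025-02-03T10:20:11Z id=13 host=fs01 image=C:\\Windows\\explorer.exe target=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden details=1
ts=2025-02-03T11:02:40Z id=7045 host=db02 image=services.exe target=MSSQLSERVER details=C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe
"""

# Directories from which a newly installed service binary is normally expected.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Registry locations whose modification commonly grants reboot persistence.
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line; values may contain spaces (e.g. Program Files)."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line.strip()))

def binary_outside_trusted_dirs(path: str) -> bool:
    return not path.lower().startswith(TRUSTED_DIRS)

def persistence_findings(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event looks like persistence being established."""
    reasons = []
    target = event.get("target", "").lower()
    details = event.get("details", "")
    if event.get("id") == "7045" and binary_outside_trusted_dirs(details):
        reasons.append(f"service '{event['target']}' installed from untrusted path {details}")
    if event.get("id") == "13":
        if "\\services\\" in target and target.endswith("\\imagepath"):
            reasons.append(f"service ImagePath rewritten to {details}")
        elif any(key in target for key in AUTORUN_KEYS):
            reasons.append(f"autorun value written: {event['target']}")
    return reasons

def scan(log_text: str) -> List[Dict[str, str]]:
    """Run every line through the rules; one finding per (event, reason) pair."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for reason in persistence_findings(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"], "reason": reason})
    return findings
```

On the constructed sample, `scan(SAMPLE_LOG)` flags the two fs01 events (the ImagePath rewrite and the service installed from ProgramData) and leaves the benign Explorer setting and the SQL Server service alone.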
The post Lazarus APT Attacking Organizations by Exploiting One-Day vulnerabilities appeared first on Cyber Security News.