
North Korean Hacking Groups Target Critical Sectors Worldwide with Zero-Day Exploits

Two of North Korea’s most active state-sponsored Advanced Persistent Threat (APT) groups, Kimsuky and Lazarus, have joined forces to conduct a wave of cyberattacks targeting governments, blockchain firms, and critical infrastructure.

According to Trend Micro’s latest report, the partnership marks a dangerous shift, combining Kimsuky’s intelligence-gathering capabilities with Lazarus’s focus on financial theft and zero-day exploitation.

Coordinated Espionage and Financial Theft

The groups’ cooperation forms a “spy and thief” partnership. Kimsuky acts as North Korea’s digital reconnaissance arm, launching phishing campaigns disguised as academic conference invitations to gather intelligence on high-value targets.

In one major 2024 operation, the group used a fake email about a “Blockchain Security Symposium” to deliver a malicious HWP file embedded with the FPSpy backdoor. Once opened, the malware activated a keylogger named KLogEXE, allowing credential theft and internal network mapping.

This data was then shared with Lazarus, which exploited a Windows zero-day vulnerability (CVE-2024-38193) to gain system-level privileges. The group sent infected Node.js project files posing as open-source tools to compromise enterprise servers.

Using the InvisibleFerret backdoor, Lazarus exfiltrated cryptocurrency wallet and transaction data while employing anti-detection modules such as Fudmodule to evade endpoint defenses. In less than two days, over $30 million in digital assets were stolen without triggering security alerts.

Further investigation revealed that both APT groups used overlapping command-and-control (C2) infrastructure to issue cleanup commands and erase evidence.

The same IP clusters had previously been observed in North Korea-linked operations, such as the 2014 South Korean nuclear facility attack.

Expanding Threat to Global Sectors

Kimsuky and Lazarus operate under the North Korea Reconnaissance General Bureau, coordinating through shared servers, intelligence, and exploit tools.

While Kimsuky focuses on espionage, using advanced remote access tools such as MoonPeak for surveillance and file theft, Lazarus prioritizes large-scale financial gain through zero-day vulnerabilities and supply-chain infiltration.

Recent activity indicates a widening scope of attacks beyond defense and finance. In early 2025, European energy firms received phishing emails aimed at stealing power grid data, signalling an expansion into critical infrastructure and energy sectors.

Experts warn that such operations may aim not only to fund North Korea’s sanctions-hit economy but also to disrupt strategic global systems.

Security researchers urge organizations to strengthen their defenses through timely patching, strict email verification, and hardening blockchain wallets.

Key indicators of compromise include processes spawning winlogon.exe after opening HWP files, unexplained access to wallet directories, and signs of privilege escalation linked to unpatched systems.
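The two behavioural indicators above can be turned into a correlation rule over endpoint telemetry. The following is an added example, not code from the report or from any vendor; the event field names, the 10-minute window, and the `ExampleWallet` path and client name are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)            # assumed correlation window
WALLET_MARKERS = ("\\examplewallet\\",)   # hypothetical wallet directory marker
WALLET_ALLOWED = {"examplewallet.exe"}    # hypothetical legitimate wallet client

# Constructed sample telemetry (process-creation and file-access events).
EVENTS = [
    {"ts": "2025-01-10T08:00:00", "host": "ws2", "type": "proc",
     "image": "winlogon.exe", "parent": "smss.exe", "cmd": "winlogon.exe"},
    {"ts": "2025-01-10T09:00:00", "host": "ws1", "type": "proc",
     "image": "Hwp.exe", "parent": "explorer.exe",
     "cmd": r'Hwp.exe "C:\Users\a\Downloads\invite.hwp"'},
    {"ts": "2025-01-10T09:00:40", "host": "ws1", "type": "proc",
     "image": "winlogon.exe", "parent": "Hwp.exe", "cmd": "winlogon.exe"},
    {"ts": "2025-01-10T09:03:00", "host": "ws1", "type": "file",
     "image": "node.exe",
     "path": r"C:\Users\a\AppData\Roaming\ExampleWallet\keystore.json"},
    {"ts": "2025-01-10T09:05:00", "host": "ws1", "type": "file",
     "image": "ExampleWallet.exe",
     "path": r"C:\Users\a\AppData\Roaming\ExampleWallet\keystore.json"},
]

def detect(events):
    """Return (rule, host, timestamp) alerts for the two indicators."""
    alerts, last_hwp = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host, image = ev["host"], ev["image"].lower()
        if ev["type"] == "proc":
            if ev["cmd"].lower().rstrip('"').endswith(".hwp"):
                last_hwp[host] = ts           # an HWP document was opened
            elif image == "winlogon.exe" and ev["parent"].lower() != "smss.exe":
                # Legitimate winlogon.exe is started by smss.exe at session setup.
                opened = last_hwp.get(host)
                if opened and ts - opened <= WINDOW:
                    alerts.append(("winlogon-after-hwp", host, ev["ts"]))
        elif ev["type"] == "file":
            path = ev["path"].lower()
            if any(m in path for m in WALLET_MARKERS) and image not in WALLET_ALLOWED:
                alerts.append(("wallet-access", host, ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In production the same logic would normally be expressed in the SIEM or EDR query language, with the wallet allowlist maintained per environment.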

The evolving collaboration between Kimsuky and Lazarus highlights North Korea’s growing capacity for coordinated cyberwarfare, combining espionage precision with financial aggression.


The post North Korean Hacking Groups Target Critical Sectors Worldwide with Zero-Day Exploits appeared first on Cyber Security News.

rssfeeds-admin
