Lazarus hackers develop new malware based on Log4j bug
12 Dec 2023
North Korea’s Lazarus hacking group has been implicated in a new cyber campaign, Operation Blacksmith, which uses previously unknown remote access trojans (RATs) and a malware downloader, with initial access gained by exploiting the Log4Shell vulnerability (CVE-2021-44228). The campaign was uncovered by Cisco Talos researchers.
The malware, which includes two RATs named NineRAT and DLRAT and a downloader known as BottomLoader, is notable for being written in DLang, a programming language rarely seen in cyber attacks. This choice may have helped Lazarus evade detection. NineRAT also uses Telegram bots and channels for its command-and-control communications.
Operation Blacksmith, active since around March 2023, initially targeted a South American agricultural organization and later a European manufacturing company in September 2023. Lazarus, active since about 2010, has engaged in diverse cyber operations against sectors like government, defense, finance, media, healthcare, and critical infrastructure. Their motives range from espionage and data theft to financial gains aiding state objectives.
This operation targets organizations with vulnerable infrastructure, specifically systems still affected by the Log4j vulnerability (CVE-2021-44228), which was first reported by a member of the Alibaba Cloud Security Team and has long since been patched.
This attack by Lazarus underscores the importance of promptly applying security updates to all internet-connected devices in order to mitigate such threats.