Kaspersky researchers saw the North Korean state APT use a new variant of the BlindingCan RAT to breach a Latvian IT vendor and then a South Korean think tank.
The MATA malware framework can target three operating systems: Windows, Linux and macOS. MATA has historically been used to steal customer databases and to spread ransomware in various industries, but in June, Kaspersky researchers tracked Lazarus using MATA for cyber-espionage.
“The actor delivered a Trojanized version of an application known to be used by their victim of choice – a well-known Lazarus characteristic,” they wrote in Kaspersky’s latest quarterly threat intelligence report, released on Tuesday.
This is hardly the first time that Lazarus has attacked the defense industry, Kaspersky noted, pointing to the similar, mid-2020 ThreatNeedle campaign.
Lazarus Ramps Up Supply-Chain Attacks
Researchers have also seen Lazarus building supply-chain attack capabilities with an updated DeathNote (aka Operation Dream Job) malware cluster that consists of a slightly updated variant of the North Korean remote-access trojan (RAT) known as BlindingCan.
The U.S. Cybersecurity