
Lazarus Group Intensifies Attacks on South Korean Web Servers


Researchers have uncovered a series of highly sophisticated cyberattacks by the notorious Lazarus group, targeting web servers in South Korea.

The attackers have been infiltrating IIS servers to deploy ASP-based web shells, which serve as the first-stage Command and Control (C2) servers. These initial C2 servers act as intermediaries, relaying communications to secondary C2 infrastructure, allowing deeper penetration into compromised systems.

First identified in January 2025, these latest attacks build on similar methods observed in May 2024, highlighting the persistent and evolving strategies employed by this state-sponsored group. The Lazarus group has consistently exploited legitimate web servers to establish attack infrastructure, refining its approach over time.

According to the AhnLab Security Intelligence Center (ASEC), the latest campaign involved the installation of multiple ASP-based web shells on vulnerable IIS servers. One notable addition is a modified version of the "RedHat Hacker" web shell, stored under the filename "function2.asp." Whereas previous versions authenticated with the password "1234qwer," the latest variant requires "2345rdx," showing that the operators update the shell's access credential between campaigns.

Other deployed web shells, such as "file_uploader_ok.asp" and "find_pwd.asp," grant the attackers extensive control over compromised servers. These tools enable file manipulation, process execution, and even SQL query operations.

To evade detection, these web shells employ advanced obfuscation techniques, remaining encoded in VBE format even after initial decoding. This complexity makes security analysis and detection significantly more challenging.

The structure of the malicious code further demonstrates the sophistication of these attacks. Initialization packets are verified by checking whether the second and third bytes contain the string "OK," while the first byte serves as an encryption key.

C2 Script Enhancements

The C2 script utilized in the January 2025 campaign acts as an intermediary between compromised servers and the attackers' infrastructure. Unlike previous versions, the updated script supports both form data and cookie-based communication, demonstrating ongoing refinements in Lazarus’ toolset.

Depending on the "code" field in the form data, the script executes different commands, including:
  • "MidRequest" – Data redirection
  • "ProxyCheck" – Mid Info storage
  • "ReadFile" and "WriteFile" – File manipulation
  • "ClientHello" – Response handling with Mid Info

These commands enable attackers to exert comprehensive control over infiltrated systems.

Beyond web shells, the attackers deployed the LazarLoader malware to download additional payloads. This advanced loader decrypts and executes payloads directly in memory, utilizing a 16-byte key identified as "Node.Js_NpmStart."

The attack sequence typically begins with web shell installation, followed by LazarLoader deployment via the w3wp.exe IIS web server process. To escalate privileges, the attackers use a malware component named "sup.etl," which functions as a packer for bypassing User Account Control (UAC).

Security experts strongly advise administrators to inspect web servers for vulnerabilities that could permit unauthorized file uploads, and to look specifically for ASP-based web shells.

To minimize risks, organizations should implement:
  • Strict access controls to prevent lateral movement post-compromise.
  • Regular password rotation for enhanced security.
  • Continuous monitoring for unusual process activity, especially instances where w3wp.exe spawns unexpected processes.
  • Timely security updates to detect and mitigate known 

As Lazarus continues to refine its attack methodologies, proactive security measures are essential in defending against this persistent and highly sophisticated threat actor targeting critical infrastructure worldwide.
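The monitoring recommendation above (w3wp.exe spawning unexpected children) can be turned into a concrete hunt. The script below is an added example, not code from the original post or from ASEC; it assumes Sysmon is installed and logging process creation (Event ID 1) to the Microsoft-Windows-Sysmon/Operational channel, and the allow-list of "normal" IIS child processes is an assumption to be tuned per server.

```powershell
# Added example (not from the original post): list processes spawned by the IIS worker
# w3wp.exe that are not on a small allow-list, using Sysmon Event ID 1 (process creation).
# Assumes Sysmon is installed and writing to Microsoft-Windows-Sysmon/Operational.
param(
    [int]$Hours = 24   # how far back to search
)

# Children that are normal for an IIS worker on most servers (ASP.NET dynamic compilation,
# console host, crash reporting). This list is an assumption: tune it to your own workloads.
$Allowed = @('conhost.exe', 'csc.exe', 'cvtres.exe', 'vbc.exe', 'werfault.exe')

$Filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop | ForEach-Object {
    # Sysmon events carry named <Data> elements; index them by their Name attribute.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $parent = [System.IO.Path]::GetFileName($data['ParentImage'])
    $child  = [System.IO.Path]::GetFileName($data['Image'])

    # Flag only children of the IIS worker that are outside the allow-list
    # (-contains / -notcontains compare case-insensitively in PowerShell).
    if ($parent -ieq 'w3wp.exe' -and $Allowed -notcontains $child) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Child       = $child
            CommandLine = $data['CommandLine']
            User        = $data['User']
            ParentCmd   = $data['ParentCommandLine']
        }
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Any hit whose CommandLine launches cmd.exe, powershell.exe, or an executable written under the web root deserves a look at the application pool's content directory for recently modified .asp files.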

Attackers Exploit 2018 ThinkPHP Vulnerabilities to Install ‘Dama’ Web Shells


Chinese threat actors are exploiting CVE-2018-20062 and CVE-2019-9082 vulnerabilities in ThinkPHP applications to install Dama, a persistent web shell.

The web shell allows for further exploitation of the compromised endpoints, such as enlisting them as part of the perpetrators' infrastructure to avoid detection in future operations. 

The first indications of this activity date back to October 2023, but according to Akamai analysts tracking it, the malicious behaviour has lately expanded and intensified.

Targeting old flaws

ThinkPHP is a popular open-source framework for developing web applications, particularly in China.

CVE-2018-20062, which was resolved in December 2018, is a vulnerability identified in NoneCMS 1.3 that allows remote attackers to execute arbitrary PHP code by manipulating the filter parameter. 

CVE-2019-9082 affects ThinkPHP 3.2.4 and older, which is used in Open Source BMS 1.1.1. It is a remote command execution issue that was addressed in February 2019.

The two weaknesses are exploited in this campaign to let attackers execute malware remotely, impacting the underlying content management systems (CMS) on the target endpoints.

Specifically, the attackers exploit the vulnerabilities to download a text file called "public.txt," which is actually the obfuscated Dama web shell, saved on the victim as "roeter.php."

The payload is downloaded from hacked servers in Hong Kong, and the attackers gain remote server control after a simple authentication step with the password "admin." 

According to Akamai, the servers delivering the payloads are infected with the same web shell, implying that compromised systems are being used as nodes in the attacker's infrastructure. 

Mitigation 

Exploiting 6-year-old flaws serves as another reminder of the ongoing issue of inadequate vulnerability management, as attackers in this case use security vulnerabilities that were patched a long time ago. 

The recommended course of action for potentially impacted organisations is to upgrade to the most recent ThinkPHP version, 8.0, which is safe against known remote code execution flaws. 

Akamai further adds that the campaign's targeting reach is vast, including systems that do not use ThinkPHP, implying opportunistic goals.