Evolution of Lazarus’ DeathNote cluste

Kaspersky recently investigated the DeathNote, one of clusters that belong to the infamous Lazarus group. DeathNote has transformed drastically over the years, beginning in 2019 with attacks on cryptocurrency-related businesses worldwide. By the end of 2022, it was responsible for targeted campaigns that affected IT companies and defense companies in Europe, Latin America, South Korea, and Africa. The latest report by Kaspersky tracks a shift in DeathNote’s targets as well as the development and refinement of their tools, techniques, and procedures during the last four years.

The infamous threat actor, Lazarus, has persistently targeted cryptocurrency-related businesses for a long time. While monitoring the actor’s activities, Kaspersky noticed that they employed a significantly changed malware in one case. In mid-October 2019, we came across a suspicious document uploaded to VirusTotal. The malware author used decoy documents that were related to the cryptocurrency business. These include a questionnaire on specific cryptocurrency purchasing, an introduction to a particular cryptocurrency, and an introduction to a bitcoin mining company. This was the first time the DeathNote campaign came into play, targeting individuals and companies involved in cryptocurrency in Cyprus, the United States, Taiwan and Hong Kong.


However, in April 2020 Kaspersky saw a significant shift in the DeathNote’s infection vectors. Research revealed that the DeathNote cluster was employed in the targeting of the automotive and academic organizations in Eastern Europe linked to the defense industry. At this time, the actor switched all decoy documents related to job descriptions from defense contractors and diplomatic-related ones. Besides that, the actor elaborated its infection chain, using the remote template injection technique in their weaponized documents, and utilized Trojanized open-source PDF viewer software. Both of these methods of infection result in the same malware (DeathNote downloader), which is responsible for uploading the victim’s information.

In May 2021, Kaspersky observed that an IT company in Europe, which provides solutions for network device and server monitoring, was compromised by the DeathNote cluster. Moreover, in early June 2021, this Lazarus subgroup began utilizing a new mechanism to infect targets in South Korea. What caught the researchers’ attention was that the initial stage of the malware was executed by legitimate software, which is widely used for security in South Korea.

While monitoring DeathNote during 2022, Kaspersky researchers discovered that the cluster has been responsible for attacks on a defense contractor in Latin America. The initial infection vector was similar to what we’ve seen with other defense industry targets, involving the use of a Trojanized PDF reader with a crafted PDF file. However, in this particular case, the actor adopted a side-loading technique to execute the final payload.

In the ongoing campaign that was first discovered in July 2022, it was revealed that the Lazarus group had successfully breached a defense contractor in Africa. The initial infection was a suspicious PDF application, which had been sent via Skype messenger. Upon executing the PDF reader, it created both a legitimate file (CameraSettingsUIHost.exe) and malicious file (DUI70.dll) in the same directory.
“The Lazarus group is an infamous and highly skilled threat actor. Our analysis of the DeathNote cluster reveals a rapid evolution in its tactics, techniques, and procedures over the years. In this campaign, Lazarus isn’t confined to crypto-related business but has gone much further. It deploys both legitimate software and malicious files to compromise defense enterprises. As the Lazarus group continues to refine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend against its malicious activities,” comments Seongsu Park, lead security researcher, GReAT at Kaspersky.

To find out more about Lazarus’ DeathNote cluster, different stages of campaign and its TTPs, check the full report on Securelist.

To avoid falling victim to targeted attacks by known or unknown threat actors, Kaspersky researchers recommend implementing the following measures:

  • Carry out a cybersecurity audit and monitor your networks constantly to rectify any weaknesses or malicious elements discovered in the perimeter or inside the network.
  • Provide your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
  • Educate your employees to download software and mobile apps only from trusted sources and official app stores.
  • Use EDR product to enable timely incident detection and response to advanced threats. A service such as Kaspersky Managed Detection and Response provides threat hunting capabilities against targeted attacks.
  • Adopt an anti-fraud solution that can protect cryptocurrency transactions by detecting and preventing account theft, unverified transactions and money laundering.