The Lazarus Group, a threat actor linked to the North Korean regime, carried out a series of cyberattacks in which a new modular backdoor, CookiePlus, was introduced.
The attacks, observed in January 2024, were aimed at employees of a nuclear-sector organization. The main delivery method was to send trojanized utilities, such as VNC tools, under the pretext of assessing the victim's technical skills. One of the attacks, attributed to the "DeathNote" campaign, used the "AmazonVNC.exe" malware to deploy the MISTPEN backdoor and the new CookiePlus module. CookiePlus takes its name from being disguised as a Notepad++ plugin. The module was capable of collecting system information, executing malicious commands and running in the background. It was loaded via DLL sideloading and retrieved encrypted data from the command-and-control (C2) server. The CookiePlus module shows similarities to the earlier MISTPEN malware, confirming that the Lazarus arsenal is evolving.
Lazarus is known for its sophisticated espionage operations, such as NukeSped and DeathNote, which target key sectors including the nuclear, defense and cryptocurrency industries. The group uses both technological innovation and social engineering to gain access to its targets' systems. In 2024, particular attention was paid to the development of modular malware that can be adapted for different purposes. The use of CookiePlus has become an important step in bypassing the latest protection systems.
The Lazarus Group's cyberattacks using CookiePlus confirm the growing threat to key sectors of the economy. This highlights the need to strengthen cybersecurity, especially against modular malware.