Lazarus APT Uses Windows Update to Spew Malware (Security News, January 2022)

Lazarus Group is using Windows Update to spray malware in a campaign powered by a GitHub command-and-control server, researchers have found.
Lazarus did the same thing last July: At that time, the APT was identified as being behind a campaign that was spreading malicious documents to job-seeking engineers, impersonating defense contractors who were purportedly seeking job candidates at Airbus, General Motors and Rheinmetall.
LNK files are Windows shortcut files, i.e. small pointer files that reference another file on the system and launch it when opened.
"With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL," the researchers explained.
"This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms," the threat-intelligence team noted.
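The technique quoted above turns a signed Microsoft binary into a DLL loader, so the detection opportunity is in process-creation telemetry rather than in the DLL itself. The following is an added example for defenders, not code from the article or from the researchers' report: it scans constructed Sysmon-style process-creation records for wuauclt.exe invocations whose /UpdateDeploymentProvider argument points at a DLL outside System32 or that are spawned by an unexpected parent. The sample events, the allowlist of parent images and the System32 path are all assumptions to be replaced with a local baseline.

```python
"""Flag Lazarus-style abuse of wuauclt.exe /UpdateDeploymentProvider in process logs.

Added example, not from the Threatpost article or the researchers' report.
Assumptions (not from the page): events are constructed Sysmon-style
Event ID 1 records with image / cmdline / parent fields, and the parent
allowlist is something the defender tunes from their own baseline telemetry.
"""
import shlex
from pathlib import PureWindowsPath

# The legitimate Windows Update client and its handler DLLs live here (assumed system root).
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Hypothetical allowlist of parents that normally launch wuauclt.exe; tune from baseline.
ALLOWED_PARENTS = {"svchost.exe", "services.exe"}

# Constructed sample events (not real telemetry). Index 1 mimics the reported pattern.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                r"C:\Windows\System32\UpdateHandler.dll /RunHandlerComServer",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                r"C:\Users\Public\wuaueng.dll /RunHandlerComServer",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r"wuauclt.exe /detectnow",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Public\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def _under(path: PureWindowsPath, base: PureWindowsPath) -> bool:
    """Case-insensitive check that `path` is located beneath `base`."""
    head = [p.lower() for p in path.parts[: len(base.parts)]]
    return head == [p.lower() for p in base.parts]


def find_provider_dll(args):
    """Return the argument following /UpdateDeploymentProvider, or None if absent."""
    for i, arg in enumerate(args[:-1]):
        if arg.lower() == "/updatedeploymentprovider":
            return args[i + 1].strip('"')
    return None


def assess(event):
    """Return the reasons an event looks like wuauclt DLL-loading abuse (empty list = not flagged)."""
    reasons = []
    if PureWindowsPath(event["image"]).name.lower() != "wuauclt.exe":
        return reasons
    # posix=False keeps Windows backslashes and quoted tokens intact.
    args = shlex.split(event["cmdline"], posix=False)
    dll = find_provider_dll(args)
    if dll is None:
        return reasons  # ordinary /detectnow, /reportnow style invocation
    dll_path = PureWindowsPath(dll)
    if dll_path.is_absolute() and not _under(dll_path, SYSTEM32):
        reasons.append(f"handler DLL outside System32: {dll}")
    if PureWindowsPath(event["parent"]).name.lower() not in ALLOWED_PARENTS:
        reasons.append(f"unexpected parent process: {event['parent']}")
    has_runhandler = any(a.lower() == "/runhandlercomserver" for a in args)
    if has_runhandler and reasons:
        reasons.append("/RunHandlerComServer present: the Update client will load the DLL")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that was flagged."""
    return {i: r for i, ev in enumerate(events) if (r := assess(ev))}


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(why))
```

The DLL-path rule is deliberately narrow: a handler DLL under System32 launched by the service host is what an ordinary update run looks like, so only absolute paths elsewhere (user-writable directories in particular) and unusual parents are raised. In production the allowlist should come from a few weeks of baseline data, and the alert should carry the full command line so an analyst can see the DLL path without re-querying.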
News URL
https://threatpost.com/lazarus-apt-windows-update-malware-github/178096/
Related news
- WhatsApp vulnerability could be used to infect Windows users with malware (CVE-2025-30401)
- North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress
- South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware
- ⚡ Weekly Recap: APT Campaigns, Browser Hijacks, AI Malware, Cloud Breaches and Critical CVEs