Security News > 2022 > May > Lazarus hackers target VMware servers with Log4Shell exploits

The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware Horizon servers.
According to a report published by analysts at Ahnlab's ASEC, Lazarus has been targeting vulnerable VMware products via Log4Shell since April 2022.
NukeSped is a backdoor malware first associated with DPRK hackers in the summer of 2018 and then linked to a 2020 campaign orchestrated by Lazarus.
Lazarus uses NukeSped to install an additional console-based information-stealer malware, which collects information stored on web browsers.
In some attacks, Lazarus was observed deploying Jin Miner instead of NukeSped by leveraging Log4Shell.
Since Jin Miner is a cryptocurrency miner, Lazarus probably used it on less critical systems targeted for monetary gains instead of cyber-espionage.
News URL
Related news
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- Over 37,000 VMware ESXi servers vulnerable to ongoing attacks (source)
- Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners (source)
- Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication (source)
- Top 3 MS Office Exploits Hackers Use in 2025 – Stay Alert! (source)
- Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images (source)
- Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp (source)
- Hackers exploit WordPress plugin auth bypass hours after disclosure (source)
- Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices (source)