July 3, 2024, 1:33 p.m. | SC Staff

SC Magazine feed for Threats www.scmagazine.com

The Register reports that defense and manufacturing organizations across South Korea have been subjected to attacks that deploy the new Xctdoor malware through a hacked update server for South Korean enterprise resource planning (ERP) software. The technique echoes one previously leveraged by Andariel, a North Korean state-sponsored advanced persistent threat operation and Lazarus Group sub-cluster, to facilitate the delivery of the HotCroissant and Riffdoor backdoors.

