As part of the observed attacks, the group used an updated DeathNote malware cluster, which includes a slightly modified version of BLINDINGCAN, a piece of malware that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) associated with the group.
A new variant of COPPERHEDGE, which Lazarus has been using for at least two years, was also used in these attacks.
The updated malware cluster was used in attacks against a “South Korean think-tank and an IT asset monitoring solution vendor,” Kaspersky said in its quarterly APT trends report.