On 23 November 2023, the United Kingdom's National Cyber Security Centre (NCSC) and South Korea's National Intelligence Service (NIS) released a joint advisory reconstructing a series of attacks observed since March 2023. The activity was attributed to the Lazarus Group, which is linked to the Democratic People's Republic of Korea (DPRK, North Korea).
The attack employed a watering hole technique: a media outlet's website was compromised, and visitors whose systems ran vulnerable versions of MagicLine4NX (versions 1.0.0.1 through 1.0.0.26 were vulnerable) were then compromised in turn. When internet-connected, an impacted system would connect to the attacker-controlled command-and-control (C2) server and download malicious code. That code exfiltrated initial beacon data, then downloaded and executed encrypted payloads.