North Korean hackers use Windows Update and GitHub in spear phishing attack

Windows Update Insider
Windows Update Insider (Image credit: Windows Central)

What you need to know

  • A new campaign by the North Korean advanced persistent threat group Lazarus was recently discovered.
  • The campaign used malicious documents pretending to be about a job for Lockheed Martin as part of spear phishing attacks.
  • The Lazarus group also took advantage of Windows Update to bypass security detection mechanisms.

Malwarebytes recently discovered a campaign perpetrated by the advanced persistent threat group (APT) known as Lazarus. The campaign used spear phishing attacks that included malicious documents disguised as information about job opportunities with Lockheed Martin. As part of its attack methodology, the Lazarus group uses Windows Update and GitHub to bypass security software.

Malwarebytes thoroughly breaks down the attack in technical terms. One part of the campaign uses Windows Update to bypass security detection mechanisms. Malwarebytes notes that this is a "clever" use of Windows Update.

"This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms," said Malwarebytes. "With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client..."

Latest Videos From

The Lazarus group also used GitHub in its attack. Using GitHub makes it difficult for security products to tell the difference between malicious and legitimate content. This is the first time that Malwarebytes has observed the group using GitHub in this way.

"Rarely do we see malware using GitHub as C2 and this is the first time we've observed Lazarus leveraging it," explained Malwarebytes. "Using GitHub as a C2 has its own drawbacks but it is a clever choice for targeted and short term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections."

The Lazarus group previously used spear phishing tactics to obtain COVID-19 research. Lazarus was also connected to the well-known attack on Sony and the WannaCry ransomware attack.

Lazarus was also alleged to be involved in the theft of $400 million worth of cryptocurrency in 2021.

Sean Endicott
News Writer

Sean Endicott is a News Writer at Windows Central, where he covers Windows 11, Surface hardware, Microsoft 365, AI, apps, and the broader PC ecosystem. Since joining the site in 2017, he has written well over a thousand articles across the Microsoft landscape, covering breaking news, analysis, and feature reporting.

He writes Windows Wrap, a weekly column covering the biggest stories in Windows and the PC industry, and what they mean for the platform going forward.

Before joining Windows Central full-time, Sean worked in journalism and media production after earning a First Class degree in Broadcast Journalism from Nottingham Trent University. Outside of tech, he is an award-winning American football coach based in Nottingham, England, and was named BAFCA Youth Coach of the Year in 2024.