Executive Summary
In November 2025, the Lazarus Group executed a sophisticated multi-vector attack campaign targeting several high-profile Web3 and cryptocurrency organizations. Utilizing social engineering and supply-chain attacks, the threat actors exploited newly disclosed vulnerabilities in trusted hardware (including Intel and AMD TEEs) mere hours after public disclosures. Attackers employed encrypted C2 channels, lateral movement tools, and advanced ransomware, allowing them to bypass internal segmentation and traverse east-west across internal networks. The result was significant compromise of sensitive assets, encrypted backups, and leakage of confidential data, leading to operational disruption and reputational harm to victims.
This incident is especially noteworthy due to the rapid attacker adaptation to zero-day vulnerabilities, the blending of traditional and cloud-native threat techniques, and Lazarus’s evolution in targeting decentralized platforms. The attack highlights the increasing complexity and urgency of defending distributed infrastructure against agile, persistent threat actors.
Why This Matters Now
The Lazarus campaign demonstrates the rising threat of well-resourced actors leveraging freshly disclosed vulnerabilities and multi-layered tactics to infiltrate complex, hybrid-cloud environments. As organizations expand into Web3 and distributed tech, rapid exploitation windows and insufficient segmentation create urgent risks to core assets and regulatory compliance.
Attack Path Analysis
Attackers initiated the campaign through phishing and the exploitation of newly disclosed vulnerabilities to compromise cloud and Web3 environments. Once inside, they escalated privileges by leveraging weak IAM permissions and exploiting trusted-service misconfigurations. The adversaries moved laterally across segmented workloads and cloud regions, expanding their foothold through east-west internal traffic. Command and control was maintained via covert encrypted channels and abuse of outbound network paths. Sensitive data and backups were exfiltrated using disguised outbound flows to external cloud resources. Finally, attackers deployed ransomware, disrupted operations, and encrypted backups to maximize business impact.
Kill Chain Progression
Initial Compromise
Description
Attackers used phishing campaigns and newly discovered cloud vulnerabilities to gain initial access to cloud workloads and web3 systems.
Related CVEs
CVE-2024-36349
CVSS 3.8. A vulnerability in AMD processors allows for information disclosure through transient execution attacks.
Affected Products:
AMD EPYC – Various
AMD Ryzen – Various
AMD Instinct – Various
AMD Athlon – Various
Exploit Status:
no public exploit
CVE-2024-36348
CVSS 3.8. A vulnerability in AMD processors allows for information disclosure through transient execution attacks.
Affected Products:
AMD EPYC – Various
AMD Ryzen – Various
AMD Instinct – Various
AMD Athlon – Various
Exploit Status:
no public exploit
CVE-2024-36357
CVSS 5.6. A vulnerability in AMD processors allows for information disclosure through transient execution attacks.
Affected Products:
AMD EPYC – Various
AMD Ryzen – Various
AMD Instinct – Various
AMD Athlon – Various
Exploit Status:
no public exploit
CVE-2024-36350
CVSS 5.6. A vulnerability in AMD processors allows for information disclosure through transient execution attacks.
Affected Products:
AMD EPYC – Various
AMD Ryzen – Various
AMD Instinct – Various
AMD Athlon – Various
Exploit Status:
no public exploit
CVE-2025-30185
CVSS 8.3. A vulnerability in Intel UEFI Server Firmware allows privileged users to gain ring-0 access, potentially leading to full system control or denial of service.
Affected Products:
Intel UEFI Server Firmware – Various
Exploit Status:
no public exploit
CVE-2021-46750
CVSS 7.9. Failure to validate the address and size in the TEE (Trusted Execution Environment) may allow a malicious x86 attacker to send malformed messages to the graphics mailbox, resulting in an overlap of a Trusted Memory Region allocated by the ASP bootloader, leading to a potential loss of integrity.
Affected Products:
AMD Ryzen 7035 Series Processors – Various
Exploit Status:
no public exploit
CVE-2021-26383
CVSS 7.9. Insufficient bounds checking in the AMD TEE (Trusted Execution Environment) could allow an attacker with a compromised userspace to invoke a command with malformed arguments, leading to out-of-bounds memory access and a potential loss of integrity or availability.
Affected Products:
AMD Various – Various
Exploit Status:
no public exploit
References:
MITRE ATT&CK® Techniques
Phishing
Exploit Public-Facing Application
Gather Victim Identity Information
Command and Scripting Interpreter
Valid Accounts
Data Encrypted for Impact
Obfuscated Files or Information
Data from Local System
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control for System Components
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Strong Authentication and Access Management
Control ID: Identity Pillar - Discrete Authentication
NIS2 Directive – Incident Handling
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Multi-vector campaigns targeting encrypted traffic and east-west flows threaten banking systems, requiring enhanced zero trust segmentation and egress security controls.
Information Technology/IT
Web3 attacks and TEE vulnerabilities expose cloud infrastructure, demanding stronger Kubernetes security, threat detection, and cloud-native security fabric implementations.
Health Care / Life Sciences
Ransomware and lateral movement threats compromise patient data protection, necessitating HIPAA-compliant encrypted traffic monitoring and anomaly detection capabilities.
Telecommunications
Salt Typhoon-style attacks on encrypted communications infrastructure require robust multicloud visibility, secure hybrid connectivity, and inline intrusion prevention systems.
Sources
- Weekly Recap: Lazarus Hits Web3, Intel/AMD TEEs Cracked, Dark Web Leak Tool & More – https://thehackernews.com/2025/11/weekly-recap-lazarus-hits-web3-intelamd.html
- AMD warns worrying new Spectre, Meltdown-esque flaw could affect top CPUs - here's what we know – https://www.techradar.com/pro/security/amd-uncovers-new-spectre-meltdown-esque-flaw-affecting-cpus-heres-what-we-know
- Intel software fixes stamp down privilege escalation vulnerabilities, while microcode updates clean up CPU messes - chipmaker has its own Patch Tuesday as it stomps down 30 bugs – https://www.tomshardware.com/software/intel-software-fixes-stamp-down-privilege-escalation-vulnerabilities-while-microcode-updates-clean-up-cpu-messes-chipmaker-has-its-own-patch-tuesday-as-it-stomps-down-30-bugs
- CVE-2021-46750: Failure to validate the address and size in TEE (Trusted Execution Environment) – https://www.cvedetails.com/cve/CVE-2021-46750/
- CVE-2021-26383 - Exploits & Severity - Feedly – https://feedly.com/cve/CVE-2021-26383
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, workload and network microsegmentation, egress policy enforcement, and distributed threat detection would have sharply limited attacker progression, contained lateral movement, and blocked unauthorized data exfiltration at multiple stages of the kill chain.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline enforcement at ingress can detect anomalous patterns and resist initial exploit attempts.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation limits attacker movement and deters privilege misuse.
Control: East-West Traffic Security
Mitigation: Lateral traversal across networks and workloads is blocked by enforced segmentation.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound communications are tightly filtered, limiting C2 possibilities.
Control: Encrypted Traffic (HPE) & Cloud Firewall (ACF)
Mitigation: Unauthorized outbound data flows are blocked or monitored for anomalies.
Detection and rapid containment of disruptive activity minimize operational impact.
Impact at a Glance
Affected Business Functions
- Cryptocurrency Transactions
- Software Development
- Data Security
Estimated downtime: 7 days
Estimated loss: $1,500,000
Potential exposure of sensitive data, including cryptographic keys and user credentials, due to exploitation of vulnerabilities in trusted execution environments.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and microsegmentation policies to minimize attacker lateral movement.
- Enable egress policy enforcement and FQDN filtering to restrict unauthorized data exfiltration and command channels.
- Deploy continuous east-west traffic inspection and anomaly detection to rapidly spot covert attacker actions.
- Adopt cloud-native, distributed enforcement fabrics to maintain policy consistency and real-time threat visibility across all environments.
- Regularly review IAM, Kubernetes, and workload segmentation policies to eliminate unnecessary privileges and access paths.