PhiShark Logo
Back to blog
Phishing Case StudiesJune 12, 20265 min readOzan İsmail Çolhak

Why Do Million-Dollar Castles Collapse With a Single Link? (Part 2)

How Lazarus Group used a single PDF to target global banks — and why traditional security tools could not stop it.

PhishingCase StudyLazarus GroupPDF PhishingPhiSharkAI Security

A few days ago, we talked about how Google and Facebook were defrauded of 120 million dollars through fake invoice links that bypassed corporate email filters, and how PhiShark's agentic AI could have prevented it.

But on the cyber front line, attackers do not always launch a direct attack by sending an obvious link. Sometimes, they hide that poisoned link inside a file that all of us open dozens of times every day in corporate life, a file that looks completely harmless and trustworthy: a PDF.

This time, we are looking at one of the most dangerous threat groups in the world and how global financial institutions were targeted through carefully prepared phishing documents.

attachments.pdf: The Lazarus Playbook Against Global Banks

One of the most notorious cyber threat groups in modern history is Lazarus, a North Korea-linked group known for some of the most destructive and financially motivated cyber operations ever observed. The same attacker ecosystem has been associated with major incidents ranging from the Sony Pictures attack to large-scale bank heists targeting international financial systems.

When Lazarus and related North Korean threat actors targeted global banks, they did not begin by directly breaking through a hardened financial network. Once again, they started from the weakest link: the human.

Bank employees and financial-sector personnel were targeted with highly convincing spear-phishing messages. These campaigns used professional-looking documents disguised as job offers, salary scales, recruitment materials, or internal financial communications. At first glance, these files looked ordinary. They did not look like a cyber weapon. They looked like something a busy employee could easily open during a normal workday.

That is exactly what made them dangerous.

From a cybersecurity perspective, what happened here? Why was this not stopped?

Firewalls, corporate email filters, and traditional security tools scanned the incoming message and the attached file. In most cases, these systems were looking for known phishing patterns, suspicious file behavior, dangerous scripts, or previously identified attack infrastructure.

But the real danger was not visible at the first layer.

The PDF looked like a normal document. It contained text, branding, a short instruction, and a link that appeared to be part of a legitimate verification process. The employee saw a message similar to:

"This document is protected. To view the full content, please verify with your corporate account."

At that moment, the file itself was no longer the final weapon. It became the delivery mechanism.

The actual attack started when the employee clicked the embedded link.

That link redirected the victim to a fake login page designed to imitate a trusted corporate or banking system. Once the employee entered their credentials, the attackers used that access to move deeper into the network, search for sensitive financial systems, and eventually reach the infrastructure used for international money transfers.

This is how a harmless-looking document became the beginning of a financial disaster.

The result of these banking operations was enormous. North Korean-linked actors were accused of attempting to steal more than 1.2 billion dollars from banks around the world by compromising bank networks and sending fraudulent SWIFT messages. In the Bangladesh Bank heist alone, attackers attempted to move nearly 1 billion dollars and successfully stole 81 million dollars before the full operation was stopped.

From the outside, these banks looked like fortresses.

They had strict access controls, internal procedures, financial monitoring systems, and global banking infrastructure around them.

But the first crack did not appear inside the SWIFT network.

It began with a single employee opening a file that looked like attachments.pdf.

What Would Have Changed If PhiShark Had Been There?

Traditional products are static. They inspect a file while it is entering through the email server, scan it once, label it as "clean," and leave it there. What happens after the file is opened is often outside their field of vision.

This is exactly where PhiShark's protection logic shines a light on the blind spot.

The moment a user uploads this suspicious PDF directly from the "Scan File" section of our Browser Extension, PhiShark would not scan the file only on the surface. It would extract the URL hidden inside the document, pass it through our agentic AI analysis modules, and detect within seconds that the final destination was a phishing trap.

Even if the PDF itself looked clean, PhiShark would understand the real intent behind it.

Because in modern phishing, the malicious part is not always the file itself.

Sometimes, the file is only the door.

That way, the attackers' carefully prepared phishing trap would be neutralized at the very beginning, before the employee entered their credentials, before the attackers reached internal systems, and before a single fraudulent transfer instruction was sent.

A million-dollar banking disaster could be stopped inside a single PDF.

The cyber front line is now multidimensional. It is moving from traditional links to PDFs, and now from the physical world into the digital world. In the next and final part of our series, we will talk about "QR Phishing" or "Quishing" attacks that leave traditional security tools completely blind, and PhiShark's ecosystem architecture.

Stay safe. Read the original article on our blog and try PhiShark or install the PhiShark Browser Phishing Protection Extension.

Oh, and the final part is coming soon — QR codes are about to get interesting. Stay tuned. :D

Best, Ozan.