Lazarus Group: DPRK's Evolving Hybrid Threat
- Suspected Origin
- North Korea
- Motivation
- Financial Gain, Espionage, Sabotage
- Aliases
- Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet
- Target Sectors
- Financial Services, Government, Critical Infrastructure, Defense, Healthcare, Media, Technology, Cryptocurrency, Aerospace, Education, Energy, Industrial, Telecommunications, Pharmaceutical
- Associated Malware
- WannaCry, Destover, DarkSeoul, Manuscrypt, RATANKBA, AppleJeus, BLINDINGCAN, COPPERHEDGE, Dtrack, MATA, FASTCash, Appleseed, HardRain, BadCall, Hidden Cobra, Destroyer, Duuzer, OpenCarrot, KLIPO, Fallchill, Joanap, Brambul, IndiaIndia, Cryptoistic, SierraCharlie, BeaverTail, InvisibleFerret
Overview
The Lazarus Group (G0032) is a formidable North Korean state-sponsored advanced persistent threat (APT) actor, widely recognized as one of the most prolific and adaptive in the global landscape. Active since at least 2007-2009, this group is directly attributed to the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence agency. What distinguishes Lazarus from many other nation-state actors is its unique “dual mandate” – simultaneously pursuing strategic intelligence objectives, large-scale financially motivated cybercrime, and destructive sabotage operations. These diverse activities are all geared towards supporting the North Korean regime, funding its heavily sanctioned economy, and advancing its military and nuclear weapons programs.
The term “Lazarus Group” often functions as an umbrella designation for several sub-groups with specialized operational mandates, reflecting North Korea’s adaptive cyber strategy. Key subgroups include BlueNoroff (also tracked as APT38), which focuses extensively on financial theft, targeting banks, cryptocurrency exchanges, and payment systems, and Andariel, which primarily conducts cyber espionage against military and government targets, particularly in South Korea, though it has increasingly engaged in financially motivated attacks, including ransomware. This organizational structure allows Lazarus to maintain multiple, concurrent campaigns globally, continuously evolving its tradecraft to bypass international sanctions and achieve national objectives. While their operational scope is global, there has been a historical emphasis on targets in South Korea and, more recently, a pervasive focus on the cryptocurrency and financial technology sectors worldwide.
Tactics & Techniques
Lazarus Group employs an expansive arsenal of Tactics, Techniques, and Procedures (TTPs) that span nearly every stage of the cyber kill chain, blending low-cost social engineering with sophisticated exploits.
Initial access frequently relies on highly targeted spear-phishing campaigns. These often involve malicious documents (macro-laced Word files) or links embedded in fake job offers and recruitment messages, delivered via professional networking sites like LinkedIn, Twitter, and Discord, or even direct messaging services like WhatsApp. They impersonate HR personnel or legitimate software vulnerability researchers to gain trust. The group is also adept at exploiting known software vulnerabilities and, in some cases, zero-day exploits, quickly weaponizing them to establish initial footholds. Watering hole attacks are another common tactic, where they compromise websites frequented by target demographics, injecting malicious code to infect visitors’ systems. Increasingly, Lazarus has shown proficiency in supply chain compromises, targeting trusted third-party vendors, legitimate software updates, and even injecting malware into open-source repositories like NPM packages.
For persistence, Lazarus utilizes various stealthy techniques such as creating scheduled tasks (e.g., “Windows Java Vpn Interface”), modifying registry run keys, and deploying custom malware implants. In advanced cases, they employ DLL Side-Loading and have even demonstrated kernel-level persistence using weaponized Word macros that modify kernel callbacks, making detection exceptionally difficult.
Lateral movement within a compromised network often involves standard Windows tools and protocols. They leverage Remote Desktop Protocol (RDP), collect credentials via tools like Mimikatz, and use utilities such as AdFind, SMBMap, and Responder to enumerate network information and identify valuable targets. PowerShell and cmd.exe are commonly used for executing commands and malicious code.
Defense evasion is a core component of their operations. Lazarus malware often uses fileless techniques, disguises itself as legitimate software, and has been observed digitally signing malware. They employ extensive obfuscation methods including Themida protection, XOR, AES, RC4, and Base64 encoding for payloads and configuration data. Furthermore, they modify Windows firewall settings to allow connections or disable it entirely. Their command-and-control (C2) infrastructure frequently involves compromised legitimate websites or hidden services on the TOR network, communicating via custom encryption protocols that sometimes mimic TLS (e.g., FakeTLS) to evade detection.
For data exfiltration, Lazarus groups collected data, archives it (often using RAR or zip formats), and encrypts it with techniques like Zlib, XOR, or Base64 before sending it to C2 servers, minimizing volume and disguising suspicious traffic.
Notable Campaigns
Lazarus Group has been behind some of the most impactful and widely reported cyber incidents of the past decade.
Early campaigns like Operation Troy (2009-2012) and DarkSeoul (2013) demonstrated their initial focus on cyber espionage and disruptive attacks against South Korean government and financial entities, utilizing DDoS and wiper malware.
Their global notoriety surged with the 2014 Sony Pictures Entertainment hack, a destructive wiper attack involving data theft and public leaks, reportedly in retaliation for a film critical of North Korea’s leadership.
In 2016, the group orchestrated the infamous Bangladesh Bank heist, attempting to steal nearly $1 billion via the SWIFT banking network and successfully exfiltrating $81 million. This marked a significant pivot towards large-scale financial crime. This was followed by similar attacks on banks in Ecuador, Vietnam, Poland, Mexico, and Taiwan.
The WannaCry ransomware attack in May 2017 was another globally disruptive incident, infecting hundreds of thousands of computers across 150 countries, including critical infrastructure like the UK’s National Health Service, using a worm-like spread.
Since 2017, Lazarus has increasingly concentrated on cryptocurrency theft, a consistent and vital revenue stream for the regime. Major incidents include the theft of $620 million from the Ronin Network (2022), $100 million from Harmony’s Horizon bridge (2022), over $100 million from Atomic Wallet users (2023), $41 million from Stake.com (2023), $308 million from DMM Bitcoin (2024), $235 million from WazirX (2024), and the largest crypto heist in history, approximately $1.5 billion from Bybit in February 2025, achieved through a sophisticated supply chain attack targeting wallet infrastructure. The $292 million exploit of Kelp DAO in April 2026 was also attributed to them.
Other notable activities include the FASTCash campaigns (2018, 2020) involving coordinated ATM cash-outs, attacks targeting cybersecurity researchers in January 2021, and continuous supply chain attacks, such as those exploiting WIZVERA VeraPort (2020), 3CX (2023), and a zero-day in MagicLine4NX software (2023), primarily affecting South Korean organizations. The ongoing “Operation Dream Job” utilizes fake job offers to gain initial access.
Associated Malware & Tools
Lazarus Group’s operational effectiveness is underpinned by a diverse and constantly evolving malware arsenal, often custom-developed, alongside the strategic use of legitimate and publicly available tools.
Their destructive attacks have involved wipers such as Destover (used in the Sony Pictures hack), DarkSeoul-like variants, Mydoom, and Dozer. For ransomware, the infamous WannaCry worm is attributed to them.
Key backdoors and Remote Access Trojans (RATs) include Manuscrypt (also known as NukeSped), RATANKBA, BLINDINGCAN, COPPERHEDGE, Appleseed, HardRain, BadCall, Hidden Cobra, Destroyer, Duuzer, OpenCarrot, KLIPO, DESTOVER, Fallchill, Joanap, Brambul, IndiaIndia, Cryptoistic, and SierraCharlie. More recent campaigns (2024-2026) have seen the deployment of Python-based scripts like BeaverTail (a credential and crypto wallet stealer) and InvisibleFerret (a Python backdoor) delivered via malicious NPM packages.
Lazarus also employs modular frameworks and loaders such as MATA, Dtrack, Sumarta, DBLL Dropper, Torisma, and DRATzarus. The AppleJeus family of malware is specifically designed for cryptocurrency theft.
Beyond custom implants, they integrate various off-the-shelf and legitimate system tools to blend in and achieve their objectives. These include network reconnaissance tools like AdFind, SMBMap, and Responder, as well as utilities for lateral movement and credential access such as PuTTy PSCP, Mimikatz, Nmap, and ProcDump. They extensively use native Windows command-line tools like PowerShell, cmd.exe, and Windows Management Instrumentation (WMIC) for execution and environmental discovery. File archiving is often done with WinRAR. For C2 communication, custom encryption methods like FakeTLS, AES, RC4, XOR, and Caracachs are observed.
Current Status
The Lazarus Group remains highly active and continues to evolve its operational capabilities at a rapid pace. Recent reporting, extending through 2024, 2025, and into 2026, confirms their ongoing and significant threat.
Their relentless focus on financially motivated cybercrime, particularly large-scale cryptocurrency heists, persists as a primary driver, aimed at circumventing international sanctions and funding North Korea’s strategic programs. Campaigns like the $1.5 billion Bybit heist in 2025 and the $292 million Kelp DAO exploit in 2026 underscore their continued success and audacity in this domain.
Lazarus is actively incorporating AI-driven techniques into its attack strategies, enhancing the sophistication of its social engineering efforts. This includes leveraging AI-generated profiles and content on professional networking platforms to create more credible lures for fake job offers, targeting individuals in the technology, financial, and cybersecurity sectors. They are also expanding their targeting of cloud infrastructure, developer environments, and software supply chains, as demonstrated by campaigns involving malicious NPM packages and the compromise of third-party wallet infrastructure providers.
The group’s adaptability allows them to multitask effectively, conducting parallel campaigns for espionage, sabotage, and revenue generation. While their global reach is extensive, South Korea, alongside financial institutions and technology companies worldwide, remains a consistent target. The security community assesses that Lazarus Group will continue to operate with a high degree of motivation and sophistication for the foreseeable future, necessitating continuous vigilance and robust defensive measures against their constantly shifting TTPs.
Related content
APT38: North Korea's Relentless Financial Cyber Offensive
Adversary ProfileThreat Profile: Contagious Interview (G1052)
Adversary ProfileKimsuky (G0094): North Korea's Relentless Cyber Espionage Arm
Adversary ProfileAndariel (G0138): North Korea's Dual-Threat Cyber Espionage and Ransomware Group
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call