Lazarus Group

Introduction

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). US-CERT HIDDEN COBRA June 2017 Treasury North Korean Cyber Groups September 2019 Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. Novetta Blockbuster North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns. Mandiant DPRK Laz Org Breakdown 2022 Mandiant DPRK Groups 2023 JPCert Blog Laz Subgroups 2025

Activities and Tactics

Targeted Sectors: Financial, Cryptocurrency, Entertainment, Government, Private sector

Country of Origin: 🇰🇵 North Korea

Risk Level: Critical

First Seen: 2009

Last Activity: 2024

Incident Type: [“Espionage”, “Sabotage”]

Suspected Victims: South Korea, Bangladesh Bank, Sony Pictures Entertainment, United States, Thailand, France, China, Hong Kong, United Kingdom, Guatemala…

Notable Campaigns

• Operation Dream Job (C0022): Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star,

Tactics, Techniques, and Procedures (TTPs)

• T1059.003 Windows Command Shell
• T1566.001 Spearphishing Attachment
• T1202 Indirect Command Execution
• T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
• T1001.003 Protocol or Service Impersonation
• T1584.004 Server
• T1105 Ingress Tool Transfer
• T1218.005 Mshta
• T1010 Application Window Discovery
• T1587.001 Malware
• T1134.002 Create Process with Token
• T1021.004 SSH
• T1098 Account Manipulation
• T1564.001 Hidden Files and Directories
• T1485 Data Destruction
• T1591 Gather Victim Org Information
• T1106 Native API
• T1078 Valid Accounts
• T1027.009 Embedded Payloads
• T1012 Query Registry
• T1090.002 External Proxy
• T1027.013 Encrypted/Encoded File
• T1104 Multi-Stage Channels
• T1046 Network Service Discovery
• T1005 Data from Local System
• T1489 Service Stop
• T1016 System Network Configuration Discovery
• T1588.004 Digital Certificates
• T1573.001 Symmetric Cryptography
• T1082 System Information Discovery
• T1033 System Owner/User Discovery
• T1620 Reflective Code Loading
• T1041 Exfiltration Over C2 Channel
• T1102.002 Bidirectional Communication
• T1560 Archive Collected Data
• T1203 Exploitation for Client Execution
• T1059.001 PowerShell
• T1566.002 Spearphishing Link
• T1074.001 Local Data Staging
• T1036.003 Rename Legitimate Utilities
• T1047 Windows Management Instrumentation
• T1071.001 Web Protocols
• T1557.001 Name Resolution Poisoning and SMB Relay
• T1057 Process Discovery
• T1547.001 Registry Run Keys / Startup Folder
• T1685 Disable or Modify Tools
• T1589.002 Email Addresses
• T1561.001 Disk Content Wipe
• T1491.001 Internal Defacement
• T1588.002 Tool
• T1547.009 Shortcut Modification
• T1059.005 Visual Basic
• T1542.003 Bootkit
• T1218.011 Rundll32
• T1583.006 Web Services
• T1056.001 Keylogging
• T1571 Non-Standard Port
• T1132.001 Standard Encoding
• T1189 Drive-by Compromise
• T1110.003 Password Spraying
• T1204.002 Malicious File
• T1553.002 Code Signing
• T1218 System Binary Proxy Execution
• T1560.002 Archive via Library
• T1027.007 Dynamic API Resolution
• T1070.004 File Deletion
• T1090.001 Internal Proxy
• T1008 Fallback Channels
• T1140 Deobfuscate/Decode Files or Information
• T1680 Local Storage Discovery
• T1561.002 Disk Structure Wipe
• T1583.001 Domains
• T1053.005 Scheduled Task
• T1566.003 Spearphishing via Service
• T1036.005 Match Legitimate Resource Name or Location
• T1070 Indicator Removal
• T1083 File and Directory Discovery
• T1574.013 KernelCallbackTable
• T1055.001 Dynamic-link Library Injection
• T1585.001 Social Media Accounts
• T1021.001 Remote Desktop Protocol
• T1529 System Shutdown/Reboot
• T1124 System Time Discovery
• T1036.004 Masquerade Task or Service
• T1070.006 Timestomp
• T1070.003 Clear Command History
• T1574.001 DLL
• T1686.003 Windows Host Firewall
• T1543.003 Windows Service
• T1021.002 SMB/Windows Admin Shares
• T1585.002 Email Accounts
• T1049 System Network Connections Discovery
• T1560.003 Archive via Custom Method
• T0865 Spearphishing Attachment

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 18 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

• Wiper
• RemoteCMD
• Remote Utilities
• RemotePC
• Whois Wiper:

MITRE ATT&CK Software

• RawDisk (S0364) — tool
• Proxysvc (S0238) — malware
• BADCALL (S0245) — malware
• FALLCHILL (S0181) — malware
• WannaCry (S0366) — malware
• MagicRAT (S1182) — malware
• HOPLIGHT (S0376) — malware
• TYPEFRAME (S0263) — malware
• Dtrack (S0567) — malware
• HotCroissant (S0431) — malware
• HARDRAIN (S0246) — malware
• Dacls (S0497) — malware
• KEYMARBLE (S0271) — malware
• TAINTEDSCRIBE (S0586) — malware
• AuditCred (S0347) — malware
• netsh (S0108) — tool
• ECCENTRICBANDWAGON (S0593) — malware
• AppleJeus (S0584) — malware
• route (S0103) — tool
• BLINDINGCAN (S0520) — malware
• ThreatNeedle (S0665) — malware
• Volgmer (S0180) — malware
• Cryptoistic (S0498) — malware
• Responder (S0174) — tool
• RATANKBA (S0241) — malware
• Bankshot (S0239) — malware

Attribution and Evidence

Country of Origin: North Korea Additional attribution information pending cataloguing.

References

[1] MITRE ATT&CK MITRE ATT&CK entry [2] US-CERT HIDDEN COBRA June 2017 [3] Treasury North Korean Cyber Groups September 2019 [4] Novetta Blockbuster [5] Mandiant DPRK Laz Org Breakdown 2022 [6] Mandiant DPRK Groups 2023 [7] JPCert Blog Laz Subgroups 2025

Recent News

Latest articles from security news feeds mentioning this actor.

• Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms The Hacker News - 2026-05-25T