← threatfilter.dev / all groups / Lazarus Group

Lazarus Group

G0032 North Korea EspionageSabotage MITRE ATT&CK →

Also known as: Labyrinth Chollima · HIDDEN COBRA · Guardians of Peace · ZINC · NICKEL ACADEMY · Diamond Sleet

Overview

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.

Targets

Government · Private sector

Regions

Australia · Bangladesh · Bangladesh Bank · Brazil · Canada · China · Cryptocurrency exchanges in South Korea · France · Germany · Guatemala · Hong Kong · India · Japan · Sony Pictures Entertainment · South Korea · Thailand · United Kingdom · United States

Capabilities

Destructive / data-wiping operations — ATT&CK T1485, T1561.001, T1561.002
Exploitation of public-facing / client applications — ATT&CK T1203
Custom malware/implant development — ATT&CK: 22 attributed custom malware families

TTPs — 93 techniques across 14 tactics

Reconnaissance

T1589.002 Email Addresses
T1591 Gather Victim Org Information

Resource Development

T1583.001 Domains
T1583.006 Web Services
T1584.004 Server
T1585.001 Social Media Accounts
T1585.002 Email Accounts
T1587.001 Malware
T1588.002 Tool
T1588.004 Digital Certificates

Initial Access

Defense Impairment

Credential Access

T1110.003 Password Spraying
T1557.001 Name Resolution Poisoning and SMB Relay

Discovery

T1010 Application Window Discovery
T1012 Query Registry
T1016 System Network Configuration Discovery
T1033 System Owner/User Discovery
T1046 Network Service Discovery
T1049 System Network Connections Discovery
T1057 Process Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
T1124 System Time Discovery
T1680 Local Storage Discovery

Lateral Movement

T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares
T1021.004 SSH

Collection

Command and Control

T1001.003 Protocol or Service Impersonation
T1008 Fallback Channels
T1071.001 Web Protocols
T1090.001 Internal Proxy
T1090.002 External Proxy
T1102.002 Bidirectional Communication
T1104 Multi-Stage Channels
T1105 Ingress Tool Transfer
T1132.001 Standard Encoding
T1571 Non-Standard Port
T1573.001 Symmetric Cryptography

Exfiltration

T1041 Exfiltration Over C2 Channel
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol

Impact

Tools & malware (26)

RawDisk · Proxysvc · BADCALL · FALLCHILL · WannaCry · MagicRAT · HOPLIGHT · TYPEFRAME · Dtrack · HotCroissant · HARDRAIN · Dacls · KEYMARBLE · TAINTEDSCRIBE · AuditCred · netsh · ECCENTRICBANDWAGON · AppleJeus · route · BLINDINGCAN · ThreatNeedle · Volgmer · Cryptoistic · Responder · RATANKBA · Bankshot

Reporting (3)

Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup — 佐々木勇人 Hayato Sasaki
Assessed Cyber Structure and Alignments of North Korea in 2023 — Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez
How Microsoft names threat actors — Microsoft