Lazarus Group Threat Actor Intelligence Profile

Tracking started: a year ago, last updated: Thu Apr 11 2024, uuid: 38244ea1-b5ca-4a22-a2c1-f906538e9b69

Lazarus Group Description

Generated from Cybergeist context 6 days ago. This description is learned via the associations below.
The Lazarus Group, a threat actor widely attributed to North Korea, has been implicated in a series of high-profile cyberattacks worldwide. It has been notably involved in Operation DreamJob in Spain and has used tactics such as exploitation of the IKEEXT authentication service, a technique previously employed by APT41. The group is also known for deploying malware that targets databases and System Integrity Protection (SIP) functionality. Its activities extend beyond conventional cyber espionage, with a particular focus on the cryptocurrency sector: in 2023 alone, the Lazarus Group was responsible for 17% of the total $1.8 billion lost to crypto hacks and scams, according to a report by Immunefi, and over the past six years its attacks have resulted in losses exceeding $3 billion, as reported by the cybersecurity firm Recorded Future. Its operations have evolved to include complex laundering schemes, such as routing stolen cryptocurrency through Tornado Cash, a virtual currency mixer. Despite sanctions and attempts by U.S. agencies to disrupt these operations, including action against other laundering options used by the group such as the Bitcoin mixers Blender and Sinbad, the Lazarus Group remains active and successful in its illicit activities. Its return to Tornado Cash for laundering reflects the limitations of current measures in curbing its actions. This persistent threat underscores the need for continued vigilance and improved strategies to counter the group's evolving tactics.
Lazarus Group STIX 2.1 Package Preview

STIX package updated 6 days ago. The preview is a relationship graph whose edges are labelled alias (19 edges) and related-to (12 edges); the node labels it contains are listed below.

Sources and reporting: DARKReading, CERT-EU, Cybergeist
Malware and tooling: magicrat, WannaCry, Lightlesscan, Quiterat, Dtrack, AppleJeus, earlyrat, kandykorn, collectionrat, spectralblur
Vulnerabilities: cve-2023-42793, Log4Shell
Articles: "North Korean hackers are laundering millions worth of crypto through a sanctioned 'mixer'"; "DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse"; "Remilia Founder Claims Hacking Amid Ether and NFT Transfers" (National Cyber Security Consulting); "Lazarus Group taps Tornado Cash to launder Heco Bridge, HTX hack proceeds" (National Cyber Security Consulting); "Hackers like Lazarus continue to use Tornado Cash despite US sanctions" (National Cyber Security Consulting)
Group names, aliases and related entities: Lazarus Group, Lazarus, Labyrinth Chollima, tornado cash, temp.hermit, TA444, unc4736, diamond sleet, ZINC, The Lazarus Group, Tradertraitor, sapphire sleet, apt43, APT38, sinbad, Stardust Chollima, HIDDEN COBRA, Andariel, emerald sleet, Kimsuky

Lazarus Group Association List

The following associations have been automatically determined. Votes are automatically added when the same assertion is recorded from different sources, or updated by human users.

Associated Object | Votes/Source | Classification        | Association Type
Malware           | 11           | Threat Class          | unspecified
Apt               | 10           | Threat Class          | unspecified
Ransomware        | 8            | Threat Class          | unspecified
Exploit           | 8            | Threat Class          | unspecified
State Sponso...   | 6            | Threat Class          | unspecified
Vulnerability     | 6            | Threat Class          | unspecified
Reconnaissance    | 5            | Tactic                | unspecified
Backdoor          | 5            | Threat Class          | unspecified
Infiltration      | 5            | Tactic                | unspecified
Kaspersky         | 5            | Company/Organization  | unspecified
Context provided by 18 Sources
CSO Online
Kryptos Logic
Securityaffairs
Checkpoint
Checkpoint Research
BAE Systems
CERT-EU
Securelist
Recorded Future
Krebs on Security
InfoSecurity-magazine
SecurityIntelligence.com
ESET
BankInfoSecurity
MITRE
Flashpoint
Malwarebytes
Unit42
DARKReading

Recent statements about Lazarus Group

Recent statements give a quick snapshot of how this object is evolving. Each statement below is quoted from the source report it was extracted from; truncated statements end with an ellipsis.
The Mixin intrusion comes about a week after Elliptic blamed North Korea's Lazarus Group for the $54 million CoinEx heist (https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics; https://www.theregister...).
Sindbad is believed to be a successor of Blender.io (https://www.elliptic.co/blog/analysis/over-1-billion-stolen-from-bridges-so-far-in-2022-as-harmony-s-horizon-bridge-becomes-latest-victim-in-100-million-hack/hss_channeltw-1344645140), a cryptocurren...
Alongside, the Lazarus group’s exploitation of a Windows Kernel 0-day vulnerability in the wild demonstrates the increasing sophistication of cyber-attacks.
For years, the Lazarus Group has carried out some of the most brazen cryptocurrency heists the industry has seen.
“The root cause of the incident is inadequate wallet access control. Notably, the exchange had previously been alerted to potential vulnerabilities in July 2023 by Cyvers, when the Coinspaid system and Alphapo suffered a $100 million theft linked to ...
Lazarus Group’s Web3 Rampage https://www.certik.com/resources/blog/216tegKHtRmx5pOI3UgYCX-lazarus-groups-web3-rampage
Related: Cryptocurrency laundering spike driven by Lazarus Group (https://www.scmagazine.com/brief/cryptocurrency-laundering-spike-driven-by-lazarus-group), SC Staff (https://www.scmagazine.com/contributor/sc-staff), October 9, 2023. Nearly $900 million worth...
“In July 2022, we observed that the Lazarus group had successfully breached a defense contractor in Africa,” Park added.
The Lazarus Group is singularly the largest source of all illicit funds laundered through cross-chain bridges and the third largest source of all cross-chain crime overall, having laundered over $900 million through cross-chain methods.
HLOADER was identified through the use of a macOS binary code-signing technique that has been previously linked (https://objective-see.org/blog/blog_0x73.html) to the DPRK’s Lazarus Group 3CX intrusion (https://www.eset.com/int/about/newsroom/press-rele...).
This attack has a medium confidence connection to financially-motivated AppleJeus activity by Lazarus Group, while also displaying some weak infrastructure connection to APT43, both being North Korea-sponsored groups.
Read more on healthcare breaches: Lazarus Group Targets Internet Infrastructure and Healthcare with ‘QuiteRAT’ Malware (https://www.infosecurity-magazine.com/news/lazarus-internet-healthcare/)
Elliptic observed laundering techniques used in previous Lazarus Group attacks and believes the stolen assets may have been stored in wallets linked to past heists.
For example, in March 2022, Lazarus Group, a cybercrime group based out of North Korea, stole $620 million worth of USDC and ETH from Ronin Network.
The domain bitscrunnch.linkpc[.]net has been attributed (https://twitter.com/tiresearch1/status/1708141542261809360?s=20) to other Lazarus Group intrusions.
This discovery helped the team confirm “with a high level of confidence” that the Lazarus Group conducted the recent 3CX supply-chain attack.
The Lazarus group is known for the use of custom malware, and both the MagicRAT and the QuiteRAT have been linked to the group.
The Lazarus Group used phishing emails impersonating recruiters at Disney, Google, and Oracle with fake job opportunities, which included malicious links to spoofed Indeed and ZipRecruiter websites.
Origins Of The Lazarus Group
The Lazarus Group is a hacker group allegedly tied to North Korea.
Documents discussing Lazarus Group
Relevance score is determined via machine learning to identify which documents could be most valuable to read.

Created At   | Title (Open original source)
7 months ago | North Korean Threat Actors Stole $41 Million in Online Casino Heist | IT Security News
7 months ago | The “DAO Jungle” Chronicles: Federal Judge Upholds Treasury Department’s Sanction of Tornado Cash for Involvement in Laundering Hacking Proceeds | Patton Sullivan Brodehl LLP | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
7 months ago | North Korean Hackers Turning to Russian Exchanges to Launder Stolen Crypto: Chainalysis | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
5 months ago | North Korean Hackers Now Merging macOS Malware Strains
7 months ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of 3CXDesktopApp customers and crypto firms
3 months ago | North Korea’s Cyber Strategy | Recorded Future
3 months ago | Turkish APT 'Sea Turtle' Resurfaces to Spy on Kurdish Opposition
4 months ago | Hackers stole $2 billion in crypto in 2023, data shows | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
a year ago   | How the US Government is Fighting Back Against Ransomware | #ransomware | #cybercrime – National Cyber Security Consulting
a year ago   | Sophisticated 3CX Software Supply Chain Attack Affects Millions of Users
5 months ago | Crypto exchange Poloniex hacked for more than $100M
7 months ago | North Korean hackers stole $70M from Hong Kong crypto exchange, researchers say | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
a year ago   | Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware
6 months ago | A cascade of compromise: unveiling Lazarus' new campaign
a year ago   | Crypto facing cyber risks: "A bug can put millions of euros at risk"
a year ago   | North Korean APT Group Now Deploying Linux Malware Variant
8 months ago | Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT
a month ago  | South Korean chipmakers subjected to North Korean cyberattacks
2 months ago | Microsoft Zero Day Used by Lazarus in Rootkit Attack
a year ago   | Seoul Sanctions North Korea Over Crypto Theft – Bitcoin News
Associated Indicators (631)