Lazarus Group

Threat Actor updated a day ago (2024-11-20T17:37:10.106Z)
The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North Korea's nuclear program with stolen money. The group employs sophisticated methods to evade detection, such as encoding command-and-control (C2) communications on GitHub and mimicking tactics associated with other groups, which complicates attribution. In recent years, the Lazarus Group has expanded its target base to include macOS systems by using cross-platform languages. A significant development was the discovery of the RustBucket backdoor, written in Rust and first spotted on macOS in 2023. This move towards cross-platform attacks indicates a strategic shift in the group's approach and raises the question of what had previously deterred it from targeting Mac users. Most notably, the Lazarus Group exploited a zero-day vulnerability (CVE-2024-4947) in Google Chrome via a fake DeFi game website to target cryptocurrency users. This campaign stands out for the effort put into its social engineering, including a well-designed fake game website, professional LinkedIn accounts, AI-generated images, and other tricks. A second Chrome vulnerability exploited in this latest Lazarus Group campaign, as observed by Kaspersky, does not appear to have a formal identifier, further demonstrating the group's evolving sophistication.
Description last updated: 2024-11-15T16:10:58.650Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.
Possible alias (votes): description
Labyrinth Chollima (5): Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for conducting operations aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, as well as currency generation campaigns. This group, also known by var
Andariel (5): Andariel, a threat actor controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, has been actively conducting cyber espionage and ransomware operations. The group funds its activities through ransomware attacks primarily targeting U.S. healthcare entities. In som
Sinbad (4): Sinbad is a threat actor suspected to be operated by North Korean operatives, primarily for the purpose of laundering stolen cryptocurrency. According to Chainalysis, Sinbad processed $24 million in December and January, indicating its use as a new mixing service. However, its effectiveness is yet
APT38 (4): APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite
HIDDEN COBRA (3): Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s
Kimsuky (3): Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group that has been active since it was first spotted by Kaspersky researchers in 2013. The group is notorious for its cyber espionage activit
TraderTraitor (3): TraderTraitor, a threat actor attributed to the North Korean government's APT38 hacking group also known as Lazarus, has been implicated in a series of cyberattacks targeting cryptocurrency platforms. The FBI has recently linked TraderTraitor to the theft of hundreds of millions of dollars in crypto
ZINC (3): Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa
Diamond Sleet (3): Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply
Operation DreamJob (3): Operation DreamJob is a campaign attributed to the Lazarus group, a North Korea-aligned group infamous for its cyberespionage and financial theft activities. The campaign was first coined in a blog post by ClearSky in August 2020, where it described Lazarus' attempts to target defense and aerospace
Sapphire Sleet (2): Sapphire Sleet is a North Korea-linked Advanced Persistent Threat (APT) group known for its malicious activities. As a threat actor, Sapphire Sleet has been identified as the entity behind the execution of actions with harmful intent. The group's operations are sophisticated and persistent, targetin
Stardust Chollima (2): Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f
Emerald Sleet (2): Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. This group is known for its sophisticated use of artificial intelligence and machine learning models (LLMs), leveraging them to enhance spear-phishing campaigns, research public
Guardians of Peace (2): The Guardians of Peace, a threat actor with alleged ties to North Korea, came to prominence in 2014 following a massive cyberattack on Sony Pictures Entertainment. The group, also known as the Lazarus Group or the Whois Team, infiltrated Sony's systems and leaked sensitive data, including private de
Temp.Hermit (2): Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overl
APT43 (2): APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA
UNC4736 (2): UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst
TA444 (2): TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group has been continuously generating proprietary malware, distinguishing it from other
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, APT, Exploit, Ransomware, State Sponso..., Vulnerability, Exploitation, Cybercrime, Infiltration, macOS, Espionage, Backdoor, Kaspersky, Korean, Tornado Cash, Reconnaissance, Laundering, Sinbad, Payload, Bitcoin, Windows, Zero Day, Phishing, Microsoft, FBI, ESET, Treasury, Chrome, DPRK, JumpCloud, GitHub, Implant, DreamJob, Trojan, ManageEngine, CoinEx, Operation Dr..., Source, Exploits, Avast, 3CX, Talos, Flaw, Russia, IIS, Healthcare, Health, Facebook, Spyware, Scams, Operation Bl..., curl, Rootkit, Lateral Move..., Loader Malware, Downloader, PyPI, Mandiant, Tool, Encrypt, Cisco, Spearphishing, Financial, CISA, Ransom
Associated Malware
Malware (association type; votes): description
QuiteRAT (Unspecified; 4): QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack
WannaCry (Unspecified; 4): WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2
KandyKorn (Unspecified; 4): KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a
MagicRAT (Unspecified; 4): MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMware Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d
AppleJeus (Unspecified; 3): AppleJeus is a malware attributed with medium confidence to the North Korea-linked APT group "Gleaming Pisces," also known as Citrine Sleet, by researchers at Palo Alto's Unit 42. The group has been notorious for distributing versions of AppleJeus malware disguised as legitimate cryptocurrency tradi
DTrack (Unspecified; 3): DTrack is a malicious software (malware) known for its data theft capabilities. It was first associated with North Korean threat groups and has been used in numerous cyber attacks globally. The malware infiltrates systems through suspicious downloads, emails, or websites, and once inside, it collect
EarlyRat (Unspecified; 3): EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,
CollectionRAT (Unspecified; 3): CollectionRAT is a malicious software (malware) first identified in a Cisco Talos report in 2023, with samples dating as far back as 2021. This Windows-based Remote Access Trojan (RAT) is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus s
LightlessCan (Unspecified; 3): LightlessCan is a new and advanced malware, discovered by ESET, that has been added to North Korea's Lazarus group's arsenal. The malware is a successor to the group's flagship HTTP(S) Lazarus Remote Access Trojan (RAT) named BlindingCan. LightlessCan represents a significant advancement in maliciou
SpectralBlur (Unspecified; 2): SpectralBlur is a newly detected malware, identified as a macOS backdoor, that has been making headlines since the start of 2024. It was first spotted by cybersecurity experts who have tentatively attributed its creation and deployment to the BlueNoroff group. This malicious software, like others of
RustBucket (Unspecified; 2): RustBucket is a malicious software (malware) specifically targeting macOS systems, first reported in 2023 and attributed to the North Korea-linked threat actor group, BlueNoroff. This malware was initially uncovered in 2021 as part of the RustBucket campaign and has since evolved into multiple varia
Associated Threat Actors
Threat actor (association type; votes): description
BlueNoroff (is related to; 4): BlueNoroff, a threat actor group linked to North Korea, has been identified as the malicious entity behind several high-profile cyber-attacks. Since first making headlines with an attack on Sony Pictures in 2014, BlueNoroff and its parent group Lazarus have been involved in numerous notorious securi
Technical Reconnaissance Bureau (Unspecified; 4): The Technical Reconnaissance Bureau (TRB), also known as the Fourteenth Bureau, is a North Korea-based threat actor that leads the Democratic People's Republic of Korea's (DPRK) development of offensive cyber tactics and tools. The TRB conducts mail inspection, telecommunications inspection and cont
sinbad.io (Unspecified; 3): Sinbad.io, a threat actor identified as a popular money-laundering outlet for state-sponsored crypto thieves, emerged as a significant player in the cybercrime landscape over the past few years. Following U.S. sanctions on Tornado Cash, a previously favored service by North Korean hackers to obfusca
APT37 (Unspecified; 3): APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and
Onyx Sleet (Unspecified; 3): Onyx Sleet, also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This threat actor utilizes an array of malware to gather intelligence for North Korea, primarily conducting cyberespionage, but also engaging in ransomware activ
ScarCruft (Unspecified; 2): ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean state-sponsored threat actor known for targeting high-value individuals and organizations to further North Korea's geopolitical objectives. This group has shown its agility in adopting new malware delivery me
Wicked Panda (Unspecified; 2): Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a prominent threat actor in the cybersecurity landscape. This China state-sponsored group has been identified as one of the top threat actors by the Department of Health and Human Services' Health Sector Cybersecurity Coordinati
Thallium (Unspecified; 2): Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi
APT41 (Unspecified; 2): APT41, also known as Winnti, is a threat actor suspected to be originating from China, with its activities dating back to as early as 2012. It has targeted organizations in at least 14 countries and has been associated with the use of at least 46 different code families and tools. The group's activi
Reconnaissance General Bureau (Unspecified; 2): The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency known for its clandestine operations abroad. Its cyber activities, believed to be coordinated by the secretive organization, have been linked to various threat actors since at least 2014. Notable entities include the Beagl
APT28 (Unspecified; 2): APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)
Double Dragon (Unspecified; 2): Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t
APT33 (Unspecified; 2): APT33, also known as Peach Sandstorm, is an Iran-linked threat actor associated with the Iranian Islamic Revolutionary Guard Corps (IRGC). This group has targeted communication equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, primarily f
RGB (Unspecified; 2): RGB is a notorious threat actor, primarily associated with North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency. This organization falls under the General Staff Bureau of the DPRK Korean People's Army and has been linked to numerous cyber-attacks against international en
Associated Vulnerabilities
Vulnerability (association type; votes): description
Log4Shell (Unspecified; 4): Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized
CVE-2023-42793 (Unspecified; 3): CVE-2023-42793 is a critical security vulnerability identified in the JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre
Source Document References
Information about the Lazarus Group Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created)
CERT-EU (a year ago)
DARKReading (6 days ago)
BankInfoSecurity (21 days ago)
Checkpoint (23 days ago)
DARKReading (a month ago)
Flashpoint (a month ago)
Securityaffairs (a month ago)
BankInfoSecurity (a month ago)
DARKReading (2 months ago)
Checkpoint (2 months ago)
Checkpoint (2 months ago)
InfoSecurity-magazine (2 months ago)
Unit42 (2 months ago)
BankInfoSecurity (3 months ago)
BankInfoSecurity (3 months ago)
Securityaffairs (3 months ago)
DARKReading (3 months ago)
Securityaffairs (3 months ago)
CERT-EU (a year ago)
CERT-EU (10 months ago)