Lazarus Group

Threat Actor updated 7 days ago (2024-10-10T21:00:58.559Z)
The Lazarus Group, a notorious threat actor attributed to North Korea, has been implicated in a series of high-profile cyberattacks and illicit activities. The group is known for its sophisticated operations, including Operation DreamJob, which is assessed with high confidence to have targeted Spain. Over the past year, Lazarus Group has been observed exploiting unpatched Zimbra servers to steal intelligence from organizations in the healthcare and energy sectors, as reported by W Labs. In addition, the group's VMConnect campaign, which targets developers with malicious software packages on open source repositories, remains an active threat according to ReversingLabs.

The Lazarus Group has also been linked to significant financial exploits involving cryptocurrencies. The U.S. government filed forfeiture complaints seeking to recover $2.67 million linked to two major exploits: $1.7 million in Tether from the $28 million Deribit hack and $971,000 in Bitcoin from the $41 million Stake.com hack. These funds were laundered by the Lazarus Group through Tornado Cash, converted to Ethereum, and then transferred as USDT on the Tron blockchain. This activity underscores the group's ability to exploit digital platforms for financial gain. Furthermore, the Lazarus Group was suspected of being behind the $600 million Ronin sidechain exploit in 2022, one of its most high-profile thefts. Most recently, the group is suspected of having stolen funds from WazirX, leading to the cancellation of trades and ongoing attempts to recover the funds. These incidents highlight the persistent and evolving threat posed by the Lazarus Group, necessitating continued vigilance and robust cybersecurity measures.
Description last updated: 2024-10-10T20:15:39.772Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

Alias (votes) and description:

[5 votes] Labyrinth Chollima is a possible alias for Lazarus Group. Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for conducting operations aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, as well as currency generation campaigns. This group, also known by var

[5 votes] Andariel is a possible alias for Lazarus Group. Andariel, also known as Jumpy Pisces, is a threat actor group primarily associated with cyberespionage and ransomware activities. The group has been linked to North Korea's Reconnaissance General Bureau and other APT groups such as Kimsuky and Onyx Sleet. Andariel has been noted for its aggressive t

[4 votes] Sinbad is a possible alias for Lazarus Group. Sinbad is a threat actor suspected to be operated by North Korean operatives, primarily for the purpose of laundering stolen cryptocurrency. According to Chainalysis, Sinbad processed $24 million in December and January, indicating its use as a new mixing service. However, its effectiveness is yet

[4 votes] APT38 is a possible alias for Lazarus Group. APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite

[3 votes] HIDDEN COBRA is a possible alias for Lazarus Group. Hidden Cobra, also known as Lazarus Group and Guardians of Peace, is a North Korean government-linked threat actor known for its malicious cyber activities. The group has primarily conducted cyberespionage but has also been involved in ransomware activity. The U.S. Government refers to this team's s

[3 votes] Kimsuky is a possible alias for Lazarus Group. Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked Advanced Persistent Threat (APT) group first identified by Kaspersky researchers in 2013. The group has been involved in various cyber espionage activities against global targ

[3 votes] Tradertraitor is a possible alias for Lazarus Group. TraderTraitor, a threat actor attributed to the North Korean government's APT38 hacking group also known as Lazarus, has been implicated in a series of cyberattacks targeting cryptocurrency platforms. The FBI has recently linked TraderTraitor to the theft of hundreds of millions of dollars in crypto

[3 votes] ZINC is a possible alias for Lazarus Group. Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa

[3 votes] Diamond Sleet is a possible alias for Lazarus Group. Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply

[3 votes] Operation Dreamjob is a possible alias for Lazarus Group. Operation DreamJob is a campaign attributed to the Lazarus group, a North Korea-aligned group infamous for its cyberespionage and financial theft activities. The campaign was first coined in a blog post by ClearSky in August 2020, where it described Lazarus' attempts to target defense and aerospace

[2 votes] Sapphire Sleet is a possible alias for Lazarus Group. Sapphire Sleet is a North Korea-linked Advanced Persistent Threat (APT) group known for its malicious activities. As a threat actor, Sapphire Sleet has been identified as the entity behind the execution of actions with harmful intent. The group's operations are sophisticated and persistent, targetin

[2 votes] Emerald Sleet is a possible alias for Lazarus Group. Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. This group is known for its sophisticated use of artificial intelligence and machine learning models (LLMs), leveraging them to enhance spear-phishing campaigns, research public

[2 votes] Guardians of Peace is a possible alias for Lazarus Group. The Guardians of Peace, a threat actor with alleged ties to North Korea, came to prominence in 2014 following a massive cyberattack on Sony Pictures Entertainment. The group, also known as the Lazarus Group or the Whois Team, infiltrated Sony's systems and leaked sensitive data, including private de

[2 votes] Stardust Chollima is a possible alias for Lazarus Group. Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f

[2 votes] temp.hermit is a possible alias for Lazarus Group. Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overl

[2 votes] Apt43 is a possible alias for Lazarus Group. APT43, also known as Kimsuky, is a North Korean Advanced Persistent Threat (APT) group that has been active since at least 2013. The group is known for its intelligence collection activities and using cybercrime to fund espionage. It has been linked to several aliases including Springtail, ARCHIPELA

[2 votes] Unc4736 is a possible alias for Lazarus Group. UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst

[2 votes] TA444 is a possible alias for Lazarus Group. TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group has been continuously generating proprietary malware, distinguishing it from other
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
Malware, Apt, Ransomware, Exploit, State Sponso..., Vulnerability, exploitation, Cybercrime, Infiltration, Espionage, Backdoor, Kaspersky, Korean, Tornado Cash, Reconnaissance, Sinbad, Laundering, Macos, Windows, Bitcoin, Payload, Microsoft, Phishing, Fbi, Eset, Treasury, Dprk, Jumpcloud, Github, Implant, Zero Day, DreamJob, Trojan, Manageengine, Coinex, Operation Dr..., Source, Exploits, Avast, 3cx, Financial, CISA, Russia, flaw, Iis, Healthcare, Health, Facebook, Scams, Operation Bl..., Curl, Lateral Move..., Loader Malware, Downloader, Rootkit, Spyware, Tool, Encrypt, Cisco, Pypi, Spearphishing, Mandiant, Ransom, Talos
Associated Malware

Malware (votes; association type) and description:

[4 votes; association type: Unspecified] The Magicrat Malware is associated with Lazarus Group. MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMWare Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d

[4 votes; association type: Unspecified] The WannaCry Malware is associated with Lazarus Group. WannaCry, a potent malware, emerged as one of the most destructive cyberattacks in recent history when it struck in May 2017. Leveraging Windows SMBv1 Remote Code Execution vulnerabilities (CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143), WannaCry rapidly spread across systems worldwide, encrypting

[4 votes; association type: Unspecified] The Kandykorn Malware is associated with Lazarus Group. KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a

[4 votes; association type: Unspecified] The Quiterat Malware is associated with Lazarus Group. QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack

[3 votes; association type: Unspecified] The AppleJeus Malware is associated with Lazarus Group. AppleJeus is a notorious malware attributed to the North Korean hacker group, also known as Citrine Sleet. This group gained notoriety by distributing versions of AppleJeus malware primarily targeting cryptocurrency traders. The malware has evolved over time, with multiple versions being identified,

[3 votes; association type: Unspecified] The Dtrack Malware is associated with Lazarus Group. DTrack is a type of malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites and once inside, it can steal personal information, disrupt operations, or even hold data hostage for ra

[3 votes; association type: Unspecified] The Earlyrat Malware is associated with Lazarus Group. EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,

[3 votes; association type: Unspecified] The Collectionrat Malware is associated with Lazarus Group. CollectionRAT is a malicious software (malware) first identified in a Cisco Talos report in 2023, with samples dating as far back as 2021. This Windows-based Remote Access Trojan (RAT) is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus s

[3 votes; association type: Unspecified] The Lightlesscan Malware is associated with Lazarus Group. LightlessCan is a new and advanced malware, discovered by ESET, that has been added to North Korea's Lazarus group's arsenal. The malware is a successor to the group's flagship HTTP(S) Lazarus Remote Access Trojan (RAT) named BlindingCan. LightlessCan represents a significant advancement in maliciou

[2 votes; association type: Unspecified] The Spectralblur Malware is associated with Lazarus Group. SpectralBlur is a newly detected malware, identified as a macOS backdoor, that has been making headlines since the start of 2024. It was first spotted by cybersecurity experts who have tentatively attributed its creation and deployment to the Bluenoroff group. This malicious software, like others of
Associated Threat Actors

Threat actor (votes; association type) and description:

[4 votes; association type: is related to] The Bluenoroff Threat Actor is associated with Lazarus Group. BlueNoroff, a threat actor closely associated with the Lazarus hacking group, has been identified as a significant cybersecurity risk. Known for their financially motivated attacks, BlueNoroff targets banks, casinos, fintech companies, POST software and cryptocurrency businesses, and ATMs. They have

[4 votes; association type: Unspecified] The Technical Reconnaissance Bureau Threat Actor is associated with Lazarus Group. The Technical Reconnaissance Bureau (TRB), also known as the Fourteenth Bureau, is a North Korea-based threat actor that leads the Democratic People's Republic of Korea's (DPRK) development of offensive cyber tactics and tools. The TRB conducts mail inspection, telecommunications inspection and cont

[3 votes; association type: Unspecified] The sinbad.io Threat Actor is associated with Lazarus Group. Sinbad.io, a threat actor identified as a popular money-laundering outlet for state-sponsored crypto thieves, emerged as a significant player in the cybercrime landscape over the past few years. Following U.S. sanctions on Tornado Cash, a previously favored service by North Korean hackers to obfusca

[3 votes; association type: Unspecified] The APT37 Threat Actor is associated with Lazarus Group. APT37, also known as InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima, is a threat actor suspected to be backed by North Korea. It primarily targets South Korea, but its activities have extended to Japan, Vietnam, the Middle East, and recently Cambodia, across various industry ver

[3 votes; association type: Unspecified] The Onyx Sleet Threat Actor is associated with Lazarus Group. Onyx Sleet, a threat actor also known as Andariel, Silent Chollima, and Stonefly, is a North Korean state-sponsored cyber group under the RGB 3rd Bureau. This group, based in Pyongyang and Sinuiju, has been associated with various malicious activities including cyber espionage and ransomware attacks

[2 votes; association type: Unspecified] The Wicked Panda Threat Actor is associated with Lazarus Group. Wicked Panda, also known as APT41, Double Dragon, and Brass Typhoon, is a prominent threat actor in the cybersecurity landscape. This China state-sponsored group has been identified as one of the top threat actors by the Department of Health and Human Services' Health Sector Cybersecurity Coordinati

[2 votes; association type: Unspecified] The Thallium Threat Actor is associated with Lazarus Group. Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi

[2 votes; association type: Unspecified] The APT41 Threat Actor is associated with Lazarus Group. APT41, also known as Winnti, Wicked Panda, and Brass Typhoon, is a threat actor suspected to be linked to China. This group has been active since at least 2012 and has targeted organizations in over 14 countries. They have used a variety of sophisticated techniques and malware, including at least 46

[2 votes; association type: Unspecified] The Reconnaissance General Bureau Threat Actor is associated with Lazarus Group. The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency responsible for clandestine operations abroad and is considered a significant threat actor in the cybersecurity landscape. The RGB has been linked to various Advanced Persistent Threat (APT) groups, including the BeagleBoy

[2 votes; association type: Unspecified] The ScarCruft Threat Actor is associated with Lazarus Group. ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int

[2 votes; association type: Unspecified] The APT28 Threat Actor is associated with Lazarus Group. APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a Russia-linked threat actor that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide with a particular focus on th

[2 votes; association type: Unspecified] The Double Dragon Threat Actor is associated with Lazarus Group. Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t

[2 votes; association type: Unspecified] The APT33 Threat Actor is associated with Lazarus Group. APT33, also known as Peach Sandstorm, is an Iran-linked threat actor associated with the Iranian Islamic Revolutionary Guard Corps (IRGC). This group has targeted communication equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, primarily f

[2 votes; association type: Unspecified] The Rgb Threat Actor is associated with Lazarus Group. RGB is a threat actor group, part of North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency under the General Staff Bureau of the Korean People's Army. Over the years, the RGB has revealed at least six threat groups, including Andariel, also known as Onyx Sleet, formerly P
Associated Vulnerabilities

Vulnerability (votes; association type) and description:

[4 votes; association type: Unspecified] The Log4Shell Vulnerability is associated with Lazarus Group. Log4Shell is a critical software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) in the Apache Log4j library. This flaw in software design or implementation allows for remote code execution, providing attackers with potential access to victims' systems. Notably, LockBit affiliates

[3 votes; association type: Unspecified] The CVE-2023-42793 Vulnerability is associated with Lazarus Group. CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre
Source Document References
Information about the Lazarus Group Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source (created):
Securityaffairs (2 days ago)
BankInfoSecurity (7 days ago)
DARKReading (16 days ago)
Checkpoint (17 days ago)
Checkpoint (23 days ago)
InfoSecurity-magazine (a month ago)
Unit42 (a month ago)
BankInfoSecurity (a month ago)
BankInfoSecurity (2 months ago)
Securityaffairs (2 months ago)
DARKReading (2 months ago)
Securityaffairs (2 months ago)
CERT-EU (10 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (8 months ago)
BankInfoSecurity (3 months ago)
DARKReading (3 months ago)
BankInfoSecurity (4 months ago)
BankInfoSecurity (4 months ago)