Lazarus Group

Threat Actor updated a day ago (2024-09-10T04:17:49.343Z)
The Lazarus Group, also known as APT38, is a notorious threat actor believed to be backed by the North Korean regime. The group has been associated with several high-profile cyber attacks and thefts, including the infamous $600 million Ronin sidechain exploit in 2022. Known for sophisticated techniques such as compromising the cryptographic keys of multi-signature wallets through social engineering attacks, they have reportedly stolen over $2 billion in cryptoassets from exchanges and DeFi services. The US Department of Justice and various cybersecurity firms have consistently attributed these malicious activities to the Lazarus Group.

In Spain, the Lazarus Group was linked to Operation DreamJob, an attack that we can attribute with a high level of confidence. One of their significant exploits is the attack on the Harmony blockchain, which resulted in the theft of $100 million in virtual currency from Harmony's Horizon bridge in June 2022. This incident was later confirmed by the FBI to be the work of the Lazarus Group. Their exploitation activity often aims to establish kernel read/write primitives, enabling them to gain kernel-level access and disable security software, as evidenced in their exploitation of a zero-day Windows AppLocker driver.

The Lazarus Group's activities extend beyond cyber theft. They have been implicated in money laundering operations, with a Russian national arrested in Argentina for laundering proceeds from illicit actors, including the Lazarus Group. In another instance, cybersecurity firm Mandiant attributed an attack on enterprise directory-as-a-service provider JumpCloud to the Lazarus Group after a security oversight exposed the actor's actual IP address in North Korea. These incidents underscore the global reach and persistent threat posed by the Lazarus Group.
Description last updated: 2024-09-10T03:18:46.757Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Labyrinth Chollima | 5 | Labyrinth Chollima, a threat actor linked to North Korea, has been active since 2009 and is known for conducting operations aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, as well as currency generation campaigns. This group, also known by var
Andariel | 5 | Andariel, also known as Jumpy Pisces and Onyx Sleet, is a threat actor primarily involved in cyberespionage and ransomware activities. Originating from North Korea, this group has been linked to several malicious cyber activities alongside other groups like Lazarus Group and Bluenoroff. The group's
Sinbad | 4 | Sinbad is a threat actor suspected to be operated by North Korean operatives, primarily for the purpose of laundering stolen cryptocurrency. According to Chainalysis, Sinbad processed $24 million in December and January, indicating its use as a new mixing service. However, its effectiveness is yet
APT38 | 4 | APT38, a threat actor suspected to be backed by the North Korean regime, has been responsible for some of the largest cyber heists observed to date. The group has conducted operations in over 16 organizations across at least 11 countries, primarily targeting financial institutions worldwide. Despite
Kimsuky | 3 | Kimsuky, also known as Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, and APT43, is a North Korea-linked threat actor first identified by a Kaspersky researcher in 2013. This cyberespionage group has been associated with various malicious activities, including spear-phishing camp
TraderTraitor | 3 | TraderTraitor, a threat actor attributed to the North Korean government's APT38 hacking group also known as Lazarus, has been implicated in a series of cyberattacks targeting cryptocurrency platforms. The FBI has recently linked TraderTraitor to the theft of hundreds of millions of dollars in crypto
ZINC | 3 | Zinc, also known as Diamond Sleet, is a North Korea-based threat actor group that has been active since 2009. This group is notorious for its cyber-attacks aimed at collecting political, military, and economic intelligence on North Korea's foreign adversaries, and executing currency generation campa
Diamond Sleet | 3 | Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply
Operation DreamJob | 3 | Operation DreamJob is a campaign attributed to the Lazarus group, a North Korea-aligned group infamous for its cyberespionage and financial theft activities. The campaign was first coined in a blog post by ClearSky in August 2020, where it described Lazarus' attempts to target defense and aerospace
Sapphire Sleet | 2 | Sapphire Sleet is a North Korea-linked Advanced Persistent Threat (APT) group known for its malicious activities. As a threat actor, Sapphire Sleet has been identified as the entity behind the execution of actions with harmful intent. The group's operations are sophisticated and persistent, targetin
HIDDEN COBRA | 2 | Hidden Cobra, also known as Lazarus Group, TEMP.Hermit, and several other names, is a threat actor attributed to the North Korean government by the U.S. Government. The group has been involved in various malicious cyber activities, including cyberespionage, ransomware attacks, and destructive operat
Stardust Chollima | 2 | Stardust Chollima is a recognized threat actor in the cybersecurity industry, primarily known for its malicious activities aimed at acquiring funds. This group has been linked to various high-profile cyber-attacks and fraudulent activities since 2015. Stardust Chollima has been associated with the f
Emerald Sleet | 2 | Emerald Sleet, a threat actor associated with North Korea, has been identified as a significant player in cyber espionage. This group is known for its sophisticated use of artificial intelligence and machine learning models (LLMs), leveraging them to enhance spear-phishing campaigns, research public
Temp.Hermit | 2 | Temp.Hermit, also known as Selective Pisces or Diamond Sleet, is a cyber threat actor linked to North Korea. This group has been active since 2013 and targets governments, defense, telecommunications, and financial services sectors with cyberespionage operations. Temp.Hermit's activities often overl
APT43 | 2 | APT43, also known as Kimsuky, Sparkling Pisces, Emerald Sleet, and Velvet Chollima among other names, is a North Korean state-sponsored advanced persistent threat (APT) group involved in cybercrime and espionage. This threat actor conducts intelligence collection and uses cybercrime to fund its espi
UNC4736 | 2 | UNC4736, a threat actor suspected to have North Korean connections, has been implicated in a series of cybersecurity breaches. The group gained initial access to the 3CX environment when an employee downloaded a financial trading package named X_TRADER from Trading Technologies' website. Unbeknownst
TA444 | 2 | TA444, also known as BlueNoroff, APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and other monikers, is a prolific North Korean state-backed threat actor known for its malicious cyber activities. The group has been continuously generating proprietary malware, distinguishing it from other
Miscellaneous Associations
Other elements of context that could aid in identifying relevance:

Malware, APT, Ransomware, Exploit, State Sponso..., Vulnerability, exploitation, Tornado Cash, Infiltration, Espionage, Backdoor, Kaspersky, Korean, Reconnaissance, Payload, Sinbad, Bitcoin, Windows, macOS, Phishing, Microsoft, Laundering, Cybercrime, 3CX, FBI, ESET, Treasury, DPRK, State Sponso..., JumpCloud, GitHub, Implant, Zero Day, DreamJob, ManageEngine, CoinEx, Operation Dr..., Operation Dr..., Avast, Financial, Trojan, Ransom, Talos, flaw, Russia, IIS, Healthcare, Health, Facebook, Operation Bl..., Spyware, Scams, Source, curl, Rootkit, PyPI, Mandiant, Lateral Move..., Loader Malware, Exploits, Downloader, Tool, Encrypt, CISA, Cisco, Spearphishing
Associated Malware
ID | Type | Votes | Profile Description
QuiteRAT | Unspecified | 4 | QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack
MagicRAT | Unspecified | 4 | MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMWare Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d
WannaCry | Unspecified | 4 | WannaCry is a type of malware, specifically ransomware, that emerged as one of the most significant cybersecurity threats in 2017. It exploited Windows' SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), allowing it to spread across networks and encrypt files,
KandyKorn | Unspecified | 4 | KandyKorn is a type of malware, first discovered in 2023, that targets macOS systems. Developed by the Lazarus hacking group, this malicious software specifically aims at blockchain engineers. The known infection process begins with social engineering tactics, tricking the victim into downloading a
AppleJeus | Unspecified | 3 | AppleJeus is a potent malware designed to infiltrate systems and steal cryptocurrency-related assets. It was first identified by the Cybersecurity and Infrastructure Security Agency (CISA) in 2021 as part of a cryptocurrency-themed Kupay Wallet macOS malware package during an AppleJeus campaign. The
Dtrack | Unspecified | 3 | Dtrack is a type of malware, or malicious software, that infiltrates systems to steal personal information, disrupt operations, and potentially hold data for ransom. The Andariel group, a subset of the Lazarus Group, is known for its utilization of Dtrack malware and Maui ransomware. In mid-2022, An
EarlyRat | Unspecified | 3 | EarlyRat is a previously undocumented malware discovered by Kaspersky researchers in June. The North Korea-linked Advanced Persistent Threat (APT) group Andariel used EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The malware was first noticed in one of the Log4j cases,
CollectionRAT | Unspecified | 3 | CollectionRAT is a malicious software (malware) first identified in a Cisco Talos report in 2023, with samples dating as far back as 2021. This Windows-based Remote Access Trojan (RAT) is believed to be connected to the Jupiter/EarlyRAT malware family, which has previously been linked to a Lazarus s
LightlessCan | Unspecified | 3 | LightlessCan is a new and advanced malware, discovered by ESET, that has been added to North Korea's Lazarus group's arsenal. The malware is a successor to the group's flagship HTTP(S) Lazarus Remote Access Trojan (RAT) named BlindingCan. LightlessCan represents a significant advancement in maliciou
SpectralBlur | Unspecified | 2 | SpectralBlur is a newly detected malware, identified as a macOS backdoor, that has been making headlines since the start of 2024. It was first spotted by cybersecurity experts who have tentatively attributed its creation and deployment to the Bluenoroff group. This malicious software, like others of
Associated Threat Actors
ID | Type | Votes | Profile Description
Technical Reconnaissance Bureau | Unspecified | 4 | The Technical Reconnaissance Bureau (TRB), also known as the Fourteenth Bureau, is a North Korea-based threat actor that leads the Democratic People's Republic of Korea's (DPRK) development of offensive cyber tactics and tools. The TRB conducts mail inspection, telecommunications inspection and cont
BlueNoroff | is related to | 4 | BlueNoroff, a threat actor closely associated with the Lazarus hacking group, has been identified as a significant cybersecurity risk. Known for their financially motivated attacks, BlueNoroff targets banks, casinos, fintech companies, POST software and cryptocurrency businesses, and ATMs. They have
APT37 | Unspecified | 3 | APT37, also known as ScarCruft, Reaper, or Group123, is a threat actor suspected to be linked to North Korea. It primarily targets South Korea but has also extended its activities to Japan, Vietnam, and the Middle East, focusing on various industry verticals such as chemicals, electronics, manufactu
Onyx Sleet | Unspecified | 3 | Onyx Sleet, also known as Andariel, DarkSeoul, Silent Chollima, and Stonefly/Clasiopa, is a North Korean state-sponsored cyber group associated with the Democratic People's Republic of Korea (DPRK)'s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. This threat actor pri
sinbad.io | Unspecified | 3 | Sinbad.io, a threat actor identified as a popular money-laundering outlet for state-sponsored crypto thieves, emerged as a significant player in the cybercrime landscape over the past few years. Following U.S. sanctions on Tornado Cash, a previously favored service by North Korean hackers to obfusca
Reconnaissance General Bureau | Unspecified | 2 | The Reconnaissance General Bureau (RGB) is a North Korean intelligence agency responsible for clandestine operations abroad, and it is believed to coordinate the nation's cyber activities. The RGB has been linked to several advanced persistent threat (APT) groups, including BeagleBoyz, Kimsuky, Anda
Wicked Panda | Unspecified | 2 | Wicked Panda, also known as APT41, Double Dragon, and Bronze Atlas, is a state-sponsored threat actor originating from China. The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center has identified it as one of the top cyber threats. Over the years, security resea
Thallium | Unspecified | 2 | Thallium, also known as Kimsuky, APT43, Velvet Chollima, and Black Banshee, is a significant threat actor that has been active since at least 2012. This group, believed to be operating on behalf of the North Korean regime, conducts intelligence collection and uses cybercrime to fund espionage activi
APT41 | Unspecified | 2 | APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various
ScarCruft | Unspecified | 2 | ScarCruft, also known as APT37, Inky Squid, RedEyes, Reaper, or Group123, is a North Korean threat actor group associated with malicious cyber activities. Their actions have been linked to the execution of targeted attacks against individual Android devices, as outlined in a VB2023 paper titled "Int
APT28 | Unspecified | 2 | APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party
Double Dragon | Unspecified | 2 | Double Dragon, also known as APT41, Winnti, or Barium, is a prominent Advanced Persistent Threat (APT) group believed to have originated from China. As a threat actor, Double Dragon represents a human entity with the intent to execute actions of a malicious nature. The group has been identified by t
APT33 | Unspecified | 2 | APT33, an Iran-linked threat actor also known as Peach Sandstorm, Holmium, Elfin, Refined Kitten, and Magic Hound, has been involved in a series of cyber espionage activities targeting various sectors. The group's primary targets include the government, defense, satellite, oil, and gas sectors in th
RGB | Unspecified | 2 | RGB is a threat actor group, part of North Korea's Reconnaissance General Bureau (RGB), a military intelligence agency under the General Staff Bureau of the Korean People's Army. Over the years, the RGB has revealed at least six threat groups, including Andariel, also known as Onyx Sleet, formerly P
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Log4Shell | Unspecified | 4 | Log4Shell is a significant software vulnerability, specifically a flaw in the design or implementation of Log4j, a popular Java-based logging utility. This vulnerability, officially known as CVE-2021-44228, allows malicious actors to execute arbitrary code on affected systems, providing an avenue fo
CVE-2023-42793 | Unspecified | 3 | CVE-2023-42793 is a critical security vulnerability identified in JetBrains TeamCity build management and continuous integration server. This flaw, characterized by an authentication bypass, was exploited by multiple threat actors throughout 2023 and into 2024. The first notable exploitation occurre
Source Document References
Information about the Lazarus Group threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created | Title
Unit42 | a day ago | Threat Assessment: North Korean Threat Groups
BankInfoSecurity | 6 days ago | Cryptohack Roundup: Focus on Pig Butchering
BankInfoSecurity | 13 days ago | Cryptohack Roundup: SEC Sends Wells Notice to OpenSea
Securityaffairs | 18 days ago | Russian national arrested in Argentina for laundering money of crooks and Lazarus APT
DARKReading | 20 days ago | 'Styx Stealer' Blows Its Own Cover With Sloppy OpSec Mistake
Securityaffairs | 23 days ago | Microsoft Zero-Day CVE-2024-38193 was exploited by North Korea-linked Lazarus APT
CERT-EU | 9 months ago | Specialist lawyers lead cyber counterattack
CERT-EU | 8 months ago | North Korean Hacking Group Lazarus Withdraws $1.2M of Bitcoin From Coin Mixer
CERT-EU | 8 months ago | North Korean hackers, criminals share money laundering networks
CERT-EU | 6 months ago | Beware of Typos that May lead to malicious PyPI Package Installation
BankInfoSecurity | 2 months ago | Cryptohack Roundup: $230M WazirX Exploit in India
DARKReading | 2 months ago | Euro 2024 Becomes Latest Sporting Event to Attract Cyberattacks
BankInfoSecurity | 2 months ago | Cryptohack Roundup: Conviction in Home Invasions Case
BankInfoSecurity | 3 months ago | Cryptohack Roundup: Norway Freezes Hacked Ronin Funds
DARKReading | 3 months ago | Russia Aims Cyber Operations at Summer Olympics
DARKReading | 3 months ago | LilacSquid APT Employs Open Source Tools, QuasarRAT
BankInfoSecurity | 3 months ago | RedTail Cryptomining Malware Exploits PAN-OS Vulnerability
BankInfoSecurity | 3 months ago | Microsoft Warns of North Korea's 'Moonstone Sleet'
Fortinet | 4 months ago | Key Findings from the 2H 2023 FortiGuard Labs Threat Report | FortiGuard Labs
BankInfoSecurity | 4 months ago | Cryptohack Roundup: Geosyn Fraud Lawsuit