Threat Actor Profile

Lazarus Group

The Lazarus Group, also tracked as HIDDEN COBRA, ZINC, Labyrinth Chollima, and Guardians of Peace, is a North Korean state-sponsored cyber threat organization. Operating since at least 2009, Lazarus encompasses a cluster of North Korean cyber operations specializing in financial theft, cyber espionage, and destructive cyberattacks. The group has targeted industries such as finance, government, and critical infrastructure, using sophisticated tactics and custom malware.

Country of Origin

Lazarus Group is linked to North Korea and is believed to operate under the Reconnaissance General Bureau, the primary intelligence agency of the Democratic People’s Republic of Korea (DPRK). The group’s activities align with state objectives, including financial gain for an economy burdened by international sanctions and furthering the regime’s political goals.

Members

The Lazarus Group is structured into specialized subgroups with distinct operational mandates. Bluenoroff (also tracked as APT38, Stardust Chollima, Sapphire Sleet) targets large-scale financial heists, cryptocurrency exchanges, and SWIFT banking systems — responsible for the Bangladesh Bank heist and billions in subsequent crypto theft. Andariel focuses on espionage operations primarily targeting South Korean defense, government, and critical infrastructure entities, and has increasingly conducted ransomware operations against healthcare organizations globally.

Leadership

The leadership of the Lazarus Group remains largely unidentified. However, it is reportedly governed by North Korea’s Reconnaissance General Bureau. Notably, Park Jin Hyok, a member of the Chosun Expo Joint Venture, was charged in 2018 by the U.S. Department of Justice for his involvement in Lazarus-associated operations.

Lazarus Group TTPs

Tactics

  • Financial theft and fund transfer manipulation, such as SWIFT attacks.

  • Espionage campaigns for collecting confidential data.

  • Disruption through ransomware and wiper malware.

Techniques

  1. Initial Access: Spear-phishing emails and watering hole attacks.

  2. Execution: Use of PowerShell scripts and malicious macros in documents.

  3. Persistence: Scheduled tasks, registry run keys, or custom malware implants.

  4. Privilege Escalation: Exploitation of software vulnerabilities.

  5. Defense Evasion: Fileless malware and disguise as legitimate software.

  6. Credential Access: Keylogging and credential dumping via Mimikatz.

  7. Discovery: Network and system enumeration using tools like Nmap.

  8. Lateral Movement: Pass-the-hash and PsExec for network traversal.

  9. Collection: Data staging and exfiltration tools like RAR archives.

  10. C2 (Command & Control): Use of compromised servers and encrypted channels.

  11. Exfiltration: HTTP/HTTPS protocols for data theft.

  12. Impact: Deploying ransomware like WannaCry to disrupt critical services.

Procedures

Lazarus continuously develops custom tools and evolves methods. Key malware includes:

  • WannaCry ransomware.

  • AppleJeus cryptocurrency malware.

  • RATANKBA (remote access tool).

Indicators of Compromise (IoCs)

Lazarus Group IoCs rotate frequently across campaigns. The file paths and domains below represent documented indicators from published research. For maintained, live feeds consult CISA advisories (AA22-108A, AA21-048A) and MITRE ATT&CK G0032.

Malware file paths (documented across campaigns)

  • /Users/shared/.log — AppleJeus macOS implant staging path
  • /Library/Caches/com.apple.safari.ck — AppleJeus persistence artifact
  • %TEMP%\[random].dll — BLINDINGCAN/HOPLIGHT staging (Windows)
  • %APPDATA%\Microsoft\[random].exe — common Lazarus implant persistence path

Known C2 infrastructure (historical — may be sinkholed)

  • msstorageazure[.]com — documented Lazarus C2 domain
  • rgedist[.]com — documented Lazarus C2 domain
  • 23.254.226[.]90 — documented C2 IP (verify current status before blocking)
  • 198.244.135[.]250 — documented C2 IP (verify current status before blocking)

Behavioural indicators

  • Spear-phishing emails via Social Engineering: Job offer lures (Operation Dream Job) targeting defense, aerospace, cryptocurrency sector employees via professional networking platforms (MITRE T1566.002)
  • Supply Chain / Trojanized Software: Delivery of cryptocurrency trading applications or browser extensions from unknown vendors (AppleJeus delivery method) (MITRE T1195.002)
  • Living off the Land: PowerShell executing encoded commands from unusual parent processes. (MITRE T1059.001)
  • Anomalous Network Activity: Outbound connections to blockchain, crypto-mining, or cryptocurrency exchange domains from non-finance or unauthorized workstations. (MITRE T1071.001)
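An added detection sketch, not code from the original page or from Huntress, that applies the behavioural indicators and the documented IoCs above to constructed sample telemetry. It refangs the published `[.]` indicators before matching, flags PowerShell launched with an encoded command, and escalates when the parent is an Office or mail client; the parent-process set and the event field names are assumptions.

```python
import re

# Documented indicators quoted from the profile above, defanged as published.
C2_DOMAINS = ["msstorageazure[.]com", "rgedist[.]com"]
C2_IPS = ["23.254.226[.]90", "198.244.135[.]250"]
# Assumed "unusual parent" set: Office and mail clients launching PowerShell,
# matching the macro execution and living-off-the-land behaviours above.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; this pattern
# deliberately covers only the common short forms (assumption, tune as needed).
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b", re.I)

def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable value."""
    return ioc.replace("[.]", ".")

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_process(event: dict[str, str]) -> list[str]:
    """Reasons a process-creation event matches the T1059.001 behaviour above."""
    reasons: list[str] = []
    image, parent = basename(event["image"]), basename(event["parent_image"])
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_FLAG.search(event["command_line"]):
        reasons.append("T1059.001 encoded PowerShell")
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"spawned by {parent}")
    return reasons

def flag_network(event: dict[str, str]) -> list[str]:
    """Reasons a connection event touches the documented (refanged) C2 set."""
    watch = {refang(x) for x in C2_DOMAINS + C2_IPS}
    seen = (event.get("dest_host", ""), event.get("dest_ip", ""))
    return [f"T1071.001 contact with documented C2 {v}" for v in seen if v in watch]

# Constructed sample telemetry (not real captures) so the block runs stand-alone.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]
SAMPLE_NETWORK_EVENTS = [
    {"dest_host": "msstorageazure.com", "dest_ip": "203.0.113.10"},
    {"dest_host": "update.example.net", "dest_ip": "198.244.135.250"},
    {"dest_host": "intranet.example.net", "dest_ip": "10.0.0.5"},
]
```

Because the C2 entries are historical and may be sinkholed, treat a network hit as a triage lead to verify against a current feed rather than an automatic block.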

Key Victims

  1. Sony Pictures Entertainment (2014): Significant data breach and system destruction.

  2. Bangladesh Bank Heist (2016): Attempted $1 billion theft via SWIFT, $81 million stolen.

  3. WannaCry Ransomware Attack (2017): Global ransomware operation impacting over 200,000 systems in 150 countries.

  4. Cryptocurrency Heists (2019-present): Targeted exchanges, including the KuCoin breach ($275 million stolen).

Notable Cyberattacks

Law Enforcement & Arrests

The U.S. Department of Justice indicted Park Jin Hyok in 2018 for his alleged role in Lazarus operations. Sanctions have been imposed on North Korean entities accused of supporting cyber campaigns, including Lazarus.

How to Defend Against Lazarus Group

  1. Endpoint Detection and Response (EDR): Solutions like Huntress can detect threats at multiple stages of an attack, preventing compromise from escalating.

  2. Network Segmentation: Restrict lateral movement by isolating sensitive systems.

  3. Threat Intelligence Monitoring: Track Lazarus-specific IOCs to block malicious infrastructure.

  4. User Awareness Training: Reduce phishing susceptibility through training initiatives.

  5. Secure Configurations: Harden systems by patching known vulnerabilities and disabling unnecessary services.

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating threats like Lazarus Group with enterprise-grade technology.
