July 14, 2026
Updated: July 14, 2026
Who Is Lazarus Group? Attacks, Tactics and Defense
Mohammed Khalil

Last updated: July 14, 2026 · Research verified through: July 14, 2026
Lazarus Group is a public threat-intelligence label for North Korean state-linked cyber activity. Governments and security researchers have attributed operations under this name to the country’s Reconnaissance General Bureau, while reported objectives span espionage, financial theft, disruption, and strategic access. The label is imprecise: sources divide North Korean operators differently, and not every DPRK-linked intrusion is Lazarus Group activity. This guide explains the evidence, major campaigns, recurring behaviors, and defensive priorities without treating overlapping names as interchangeable.
Important attribution note. Threat-actor names are analytical labels, and different sources may split or combine the same activity. An alias can represent a government label, vendor cluster, subgroup, campaign, or public persona. The article therefore retains each source’s wording, date, and material caveats.
Lazarus Group is a widely used name for North Korean state-linked cyber operations associated in public reporting with espionage, destructive activity, strategic access, bank theft, and cryptocurrency theft. The current MITRE ATT&CK profile attributes the group to North Korea’s Reconnaissance General Bureau and notes that “Lazarus Group” is often used as an umbrella for several operators that may share personnel, infrastructure, malware, and tradecraft. That matters because public labels do not map cleanly: a government advisory may use a broad DPRK label, while a vendor tracks a narrower cluster or campaign. Responsible analysis therefore separates incident facts, technical clustering, and sponsor attribution and does not assume every North Korean operation belongs to Lazarus.
| Field | Verified summary | Source / caveat |
|---|---|---|
| Common name | Lazarus Group | Broad public label; scope varies by source |
| First publicly reported activity range | Active since at least 2009 | MITRE ATT&CK G0032, modified May 12, 2026; no precise “founded” date asserted — https://attack.mitre.org/groups/G0032/ |
| Commonly attributed sponsor | North Korea’s Reconnaissance General Bureau | MITRE; U.S. Treasury designation, September 13, 2019 — https://home.treasury.gov/news/press-releases/sm774 |
| Primary objectives | Espionage, strategic access, financial theft, disruption, and intelligence collection | Objective varies by operation and tracked cluster |
| Common targets | Finance, cryptocurrency, defense, aerospace, technology, software, media, government, research, and selected critical sectors | Do not generalize one cluster’s victimology to the entire umbrella |
| Geographic reach | Global | Public cases include targets in the United States, United Kingdom, Bangladesh, Japan, and multinational cryptocurrency ecosystems |
| Common operational themes | Tailored social engineering, fake-job approaches, malware delivery, credential and identity access, legitimate-tool abuse, supply-chain access, collection, theft, and destructive impact | No single fixed sequence or toolset |
| MITRE ATT&CK reference | Group G0032, version 5.0 | Last modified May 12, 2026 |
| Important naming caveat | Related labels can describe a government category, vendor cluster, subgroup, campaign, or persona | Exact equivalence should never be assumed without the source and date |
| Last verified | July 14, 2026 | Public attribution and naming may change |
In public threat intelligence, “Lazarus Group” is best understood as an attribution container rather than a precise corporate-style organization. MITRE’s May 2026 update says the name is often used as an umbrella for multiple North Korean operators conducting espionage, destructive attacks, and financially motivated campaigns. It also notes that units can share personnel, infrastructure, malware, and tradecraft as national priorities change. Those overlaps help analysts connect campaigns, but they also make a clean organizational boundary difficult to defend.
Government and vendor reports can differ without contradicting one another. A government may use a broad DPRK label, while a vendor tracks a narrower cluster or campaign. Those labels reflect different evidence, thresholds, and collection periods.
The public record spans destructive impact at Sony Pictures, attempted financial-transfer abuse at Bangladesh Bank, WannaCry disruption, cryptocurrency theft, and recruitment or supply-chain campaigns targeting technology and defense communities.
Reducing Lazarus to a malware family would therefore be misleading. Tooling changes, malware names can be vendor-specific, and legitimate utilities may appear alongside custom implants. Reducing it to cryptocurrency theft is also incomplete: the umbrella’s public history includes intelligence collection, destructive activity, and access to strategically valuable organizations. Readers who need broader context on state-sponsored hacking groups should treat the Lazarus label as one example of a wider attribution problem not as a benchmark for ranking actors.
Multiple governments have publicly linked Lazarus-related activity to North Korea. MITRE attributes G0032 to the Reconnaissance General Bureau. On September 13, 2019, the U.S. Treasury sanctioned Lazarus Group, Bluenoroff, and Andariel, describing them as North Korean state-sponsored malicious cyber groups controlled by the RGB. The U.S. Department of Justice’s 2018 complaint alleged that a North Korean programmer participated in a Lazarus-linked conspiracy involving Sony Pictures, Bangladesh Bank, WannaCry, and other targets. A 2021 superseding case expanded the allegations against three RGB-linked programmers.
The United Kingdom has also issued actor-level assessments. In December 2017, the UK government said the National Cyber Security Centre assessed it was highly likely Lazarus was behind WannaCry. That wording is important: “highly likely” communicates an assessment, not direct courtroom proof.
Official attribution may combine technical evidence, intelligence, infrastructure analysis, victimology, and policy judgment. Technical clustering is narrower. Sanctions are executive actions, while complaints and indictments contain allegations that should remain described as allegations unless adjudicated.
Accordingly, the article separates incident facts, technical clustering, and sponsor attribution. Defenders still need to contain the intrusion even when actor attribution remains incomplete.
The following table is a crosswalk, not a declaration that every row is an exact synonym.
| Name | Used by | Actor, subgroup, campaign, or label | Relationship | Confidence / caveat |
|---|---|---|---|---|
| Lazarus Group | MITRE, governments, vendors, media | Broad actor or umbrella label | Publicly associated with DPRK/RGB activity | Scope differs substantially between sources |
| HIDDEN COBRA | U.S. government | Government label | Refers broadly to malicious cyber activity by the North Korean government | Broader than a precise Lazarus cluster; MITRE records it as an associated name — https://attack.mitre.org/groups/G0032/ |
| Labyrinth Chollima | CrowdStrike and industry reporting | Vendor cluster / associated label | Long associated with Lazarus-related activity | Current Microsoft mapping places “LABYRINTH CHOLLIMA” across more than one North Korean cluster, showing that equivalence is not universal |
| ZINC / Diamond Sleet | Microsoft | Vendor cluster; Diamond Sleet is Microsoft’s current name for former ZINC tracking | Microsoft connects the cluster with Lazarus-related reporting and espionage, theft, and disruptive activity | A Microsoft activity set, not a universal name for every Lazarus operation; see Microsoft’s naming taxonomy — https://learn.microsoft.com/en-us/unified-secops/microsoft-threat-actor-naming |
| Guardians of Peace | Public persona in the Sony attack; government and industry reporting | Campaign-specific public persona | Claimed responsibility for the Sony Pictures incident | Do not treat a self-claimed persona as a durable organizational synonym; FBI attribution was to the North Korean government — https://www.fbi.gov/news/press-releases/update-on-sony-investigation |
| TraderTraitor | U.S. government, FBI, CISA | Activity or campaign label | CISA said the activity is commonly tracked as Lazarus Group; later FBI statements use it for specific DPRK cryptocurrency thefts — https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a | Campaign scope is narrower than the full Lazarus umbrella; vendor mappings vary |
| APT38 / BlueNoroff | Mandiant, MITRE, Treasury, Microsoft and others | Financially focused cluster; Treasury-described subgroup | Treasury described BlueNoroff as a Lazarus subgroup; MITRE tracks APT38 separately with Bluenoroff among associated names — https://attack.mitre.org/groups/G0082/ | Closely associated, but not a substitute for every Lazarus operation |
| Andariel / APT45 / Onyx Sleet | Treasury, Mandiant, Microsoft, MITRE and others | Reported subgroup or distinct vendor cluster | Treasury described Andariel as a Lazarus subgroup; MITRE tracks Andariel as G0138 — https://attack.mitre.org/groups/G0138/ | Mandiant’s APT45 analysis emphasizes a distinct cluster and malware lineage; relationship depends on taxonomy — https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine |

Figure 1. Public reporting uses overlapping but non-identical names for Lazarus-related activity. Relationships should be interpreted according to the source and date. Sources: MITRE ATT&CK G0032/G0082/G0138, U.S. Treasury (2019), Microsoft threat-actor naming (2026), and Mandiant (2023–2024).
Kimsuky is a separately tracked DPRK espionage actor. MITRE G0094 lists names including APT43 and Emerald Sleet, but it does not make Kimsuky an alias for Lazarus Group. Similarly, MITRE G0067 tracks APT37 with ScarCruft among its associated names. Shared sponsorship, geography, target interest, or even technique overlap does not collapse these clusters into one actor.
North Korean remote IT-worker fraud is another important boundary. The scheme can involve people obtaining employment under false identities to generate revenue and, in some cases, gain access or steal data. It is a serious enterprise and supply-chain risk, but it should not be labeled Lazarus without incident-specific evidence. DeepStrike’s separate guide to North Korean remote IT-worker schemes covers that intent without conflating it with this actor profile.
For newly named DPRK clusters, retain the source’s original label, date, and confidence instead of normalizing every operation into “Lazarus.”
The public record supports several coexisting objectives:
Espionage and strategic intelligence. Campaigns linked to defense, aerospace, technology, researchers, and governments can seek sensitive technical or policy information. Access to developers and source repositories can reveal intellectual property, product roadmaps, credentials, and downstream trust relationships.
Financial theft and revenue generation. Public cases include bank-transfer fraud and cryptocurrency theft. Treasury’s 2019 designation described BlueNoroff as focused on overseas financial institutions to generate revenue for the North Korean government. An operation aimed at funds can still include lengthy reconnaissance, credential access, and lateral movement.
Disruption and coercion. Sony Pictures and WannaCry illustrate destructive or disruptive effects attributed to North Korean activity. The operational objective may include reputational pressure, denial of service, data destruction, or broad impact rather than quiet collection.
Long-term access. A foothold in a technology company, cloud tenant, software provider, or developer environment can provide intelligence today and optional access later. Supply-chain compromise is strategically valuable because one trusted delivery path may reach multiple organizations.
Cryptocurrency acquisition. Digital assets offer speed, global reach, and targets whose business processes include direct asset custody. But “crypto theft” is an outcome, not one technique. Reported cases have involved social engineering, employee access, software trust, cloud or identity compromise, and transaction manipulation.
Objectives can overlap and change. Defenders should model the outcome relevant to their assets rather than assume one fixed, financially motivated playbook.
| Sector | Why it may be targeted | Reported operational themes | Defensive priority |
|---|---|---|---|
| Cryptocurrency exchanges, DeFi, bridges, and wallet providers | Direct access to digital assets and transaction systems | Tailored employee approaches, credential or session theft, developer compromise, transaction-workflow abuse | Isolate critical roles, harden identity, segregate wallets, and require multi-person approvals |
| Financial institutions | Access to payment systems and transferable funds | Long dwell time, credential access, payment-message manipulation, operational reconnaissance | Segment payment environments, monitor privileged access, and validate transfer controls |
| Defense and aerospace | Strategic and technical intelligence | Recruitment themes, spearphishing, malware, long-term collection | Protect developer and researcher endpoints, repositories, and sensitive project identities |
| Technology and software companies | Intellectual property and trusted distribution paths | Developer targeting, source-control access, signed or trojanized software, supply-chain compromise | Enforce protected branches, artifact provenance, isolated builds, and code-signing controls |
| Media and entertainment | Strategic messaging, coercion, or disruptive impact | Account compromise, data theft, public disclosure, destructive malware | Segment critical systems, protect backups, and rehearse crisis communications |
| Government and research | Policy, national-security, scientific, or technical intelligence | Tailored social engineering, credential theft, malware-assisted collection | Phishing-resistant MFA, information segmentation, and high-value user monitoring |
| Security researchers | Insight into defensive research, vulnerabilities, and detection capability | False personas, professional trust-building, links or project material | Verify contacts out of band and review untrusted material in isolated environments |
| Selected healthcare, pharmaceutical, and critical sectors | Research value or strategic access reported for specific DPRK clusters | Spearphishing, exploitation, collection, and occasionally disruptive activity | Apply cluster-specific intelligence; do not assume every case is Lazarus |
Victimology supports an assessment but does not prove it. Analysts still need the technical timeline, infrastructure, malware, identity activity, and source reporting.
The timeline separates official attribution, legal allegations, and multi-source technical assessments. Each row preserves the source-level caveat.
| Incident or campaign | Incident date | Target / sector | What happened | Public attribution source | Confidence / caveat |
|---|---|---|---|---|---|
| Sony Pictures Entertainment | November 2014 | Media and entertainment | Data theft, public release, and destructive impact disrupted the company | FBI, December 19, 2014; DOJ, September 6, 2018 — https://www.fbi.gov/news/press-releases/update-on-sony-investigation ; https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and | Official attribution to North Korea; DOJ later alleged a Lazarus-linked conspiracy |
| Bangladesh Bank theft | February 2016 | Banking and SWIFT-related financial operations | Fraudulent transfer messages led to the theft of $81 million; other attempted transfers were blocked | DOJ complaint, September 6, 2018; Treasury, September 13, 2019 — https://home.treasury.gov/news/press-releases/sm774 | Official legal allegation and sanctions narrative; often associated with APT38/BlueNoroff |
| WannaCry | May 2017 | Global, cross-sector | Ransomware with worm-like propagation caused widespread operational disruption | UK government/NCSC, December 19, 2017; DOJ, September 6, 2018 — https://www.gov.uk/government/news/foreign-office-minister-condemns-north-korean-actor-for-wannacry-attacks | UK assessed “highly likely” Lazarus; DOJ alleged DPRK involvement |
| Operation Dream Job | September 2019–August 2020 in MITRE’s campaign record | Defense, aerospace, and other professionals | Recruitment-themed social engineering supported malware delivery and intelligence collection | MITRE ATT&CK C0022 based on multiple original research sources — https://attack.mitre.org/campaigns/C0022/ | Multi-source technical assessment; campaign dates describe observed reporting, not all later fake-job activity |
| Ronin Network | March 2022 | Blockchain bridge | Compromise led to a major virtual-asset theft | FBI statement, April 2022; Treasury, May 6, 2022 — https://www.fbi.gov/news/press-releases/fbi-statement-on-attribution-of-malicious-cyber-activity-posed-by-the-democratic-peoples-republic-of-korea ; https://home.treasury.gov/news/press-releases/jy0768 | Official attribution to Lazarus Group and APT38 |
| Horizon Bridge | June 2022 | Blockchain bridge | Virtual assets were stolen; later tracing and cooperation froze a portion of the funds | FBI, January 23, 2023 — https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft | Official attribution to Lazarus Group and APT38 |
| Atomic Wallet and related 2023 thefts | June–July 2023 | Wallet and cryptocurrency services | FBI linked stolen funds from several incidents to TraderTraitor-affiliated actors | FBI, August 22, 2023 — https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprk | Official DPRK/TraderTraitor attribution; FBI also used Lazarus Group/APT38 associations |
| DMM Bitcoin | May 2024 | Cryptocurrency exchange | A social-engineering and identity-compromise chain preceded manipulation of a transaction request | FBI and Japan NPA, December 23, 2024 — https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom | Official attribution to TraderTraitor; mapped by the statement to several vendor labels, not solely “Lazarus” |
| Bybit | February 21, 2025 | Cryptocurrency exchange | North Korean actors stole approximately $1.5 billion in virtual assets, according to the FBI | FBI, February 26, 2025 — https://www.fbi.gov/investigate/cyber/alerts/2025/north-korea-responsible-for-1-5-billion-bybit-hack | Official attribution to North Korea; FBI identified the specific activity as TraderTraitor |

Figure 2. Selected Lazarus-related incidents based on publicly available attribution, with confidence and source type shown separately. Amounts are omitted from the visual. Sources: FBI, DOJ, UK NCSC, U.S. Treasury, CISA, and MITRE ATT&CK.
The incidents illustrate different risks: destructive impact, payment-process compromise, widespread disruption, abuse of professional trust, and attacks on asset custody and approval workflows.
The timeline is not a claim that one team, one intrusion chain, or one malware family executed every operation. It is a selection of cases with direct public attribution. DeepStrike’s analysis of North Korean cryptocurrency operations owns the detailed loss and tracing intent; this article retains only the context needed to understand the Lazarus entity.
Lazarus-related operations do not follow one sequence. The lifecycle below is a set of defensive possibilities, not a universal intrusion playbook:
Use the lifecycle to frame questions: what executed, which identities were used, what resources were reached, and whether the evidence matches a known campaign.
The Lazarus Attribution-to-Defense Model is a DeepStrike framework for converting public reporting into testable defensive questions. It is not an industry standard or an attribution score.
Its five layers record the attribution source, likely objective, exposed attack surface, observed behavior, and defensive evidence needed to validate or reject the working hypothesis.
| Scenario | Attribution | Objective | Attack surface | Observed behavior | Defensive evidence |
|---|---|---|---|---|---|
| Fake recruiter | Official or vendor report | Espionage or strategic access | Developer endpoint and identity | Impersonation followed by credential access | IdP, EDR, collaboration, and source-control logs |
| Cloud identity | Multi-source assessment | Long-term or privileged access | Cloud identity, roles, and tokens | Session reuse or privileged-role change | IdP and protected cloud audit trails |
| Crypto employee | Official incident attribution | Financial theft | Employee identity and approval workflow | Identity use followed by transaction change | Wallet, signer, API, and approval telemetry |
| Supply chain | Vendor technical assessment | Strategic access or downstream reach | Source, build, and software delivery | Artifact or release tampering | Repository, CI/CD, signing, and release evidence |

Figure 3. The DeepStrike Lazarus Attribution-to-Defense Model links public reporting to the telemetry and controls defenders can validate. Example paths are defensive hypotheses, not fixed campaign sequences.
A fake-recruiter report should trigger review of the developer endpoint, identity sessions, collaboration history, and source-control events. Cloud, cryptocurrency, and supply-chain cases should similarly connect the suspected behavior to protected audit, approval, build, signing, and release evidence.
A government statement can support sponsor attribution, while EDR or identity logs establish behavior in the incident. Record those conclusions separately.
The MITRE ATT&CK Lazarus Group entry contains a broad set of mappings accumulated across campaigns and years. The following selection emphasizes recurring behaviors with practical defensive value; it is not a checklist that every intrusion will exhibit.
| ATT&CK tactic | Verified technique | High-level behavior | Defender telemetry | Source |
|---|---|---|---|---|
| Reconnaissance | T1593.001 Search Open Websites/Domains: Social Media — https://attack.mitre.org/techniques/T1593/001/ | Researches people, roles, relationships, and target context | Reports of impersonation, brand-monitoring findings, exposed staff-role data, suspicious profile contacts | MITRE G0032 / Operation Dream Job references |
| Reconnaissance | T1684.001 Social Engineering: Impersonation — https://attack.mitre.org/techniques/T1684/001/ | Uses a person or organization identity to establish trust | Email, messaging, recruiter-verification, collaboration, and identity-provider records | MITRE G0032; FBI crypto social-engineering advisory |
| Initial access | T1566.003 Phishing: Spearphishing via Service — https://attack.mitre.org/techniques/T1566/003/ | Delivers links or material through social, messaging, or collaboration services | Secure email gateway, collaboration audit, URL detonation, browser, and EDR telemetry | MITRE G0032/C0022 |
| Execution | T1204.002 User Execution: Malicious File — https://attack.mitre.org/techniques/T1204/002/ | Relies on a user opening or running content presented as legitimate | File origin, Mark-of-the-Web, application-control, process ancestry, and sandbox evidence | MITRE G0032/C0022 |
| Persistence / privilege / defense evasion | T1078 Valid Accounts — https://attack.mitre.org/techniques/T1078/ | Uses compromised legitimate identities or sessions | Sign-in risk, device posture, token use, new locations, impossible sequences, and privilege changes | MITRE G0032 and FBI DMM case context |
| Execution | T1059.001 PowerShell and T1059.003 Windows Command Shell — https://attack.mitre.org/techniques/T1059/001/ ; https://attack.mitre.org/techniques/T1059/003/ | Uses native interpreters in reported Windows campaigns | Script-block logging, command-line lineage, EDR events, constrained-language and application-control outcomes | MITRE G0032 |
| Defense evasion | T1218 System Binary Proxy Execution — https://attack.mitre.org/techniques/T1218/ | Abuses signed system binaries to run unexpected content | Parent-child process relationships, signed-binary network activity, file provenance, and application control | MITRE G0032/C0022 |
| Persistence / execution | T1053.005 Scheduled Task — https://attack.mitre.org/techniques/T1053/005/ | Creates or changes scheduled execution in some campaigns | Task creation and modification, creator identity, target binary, and EDR correlation | MITRE G0032/C0022 |
| Discovery | T1087.002 Domain Account — https://attack.mitre.org/techniques/T1087/002/ | Enumerates identities and privileged roles after access | Directory queries, unusual account enumeration, endpoint process and identity context | MITRE G0032/C0022 |
| Collection | T1005 Data from Local System — https://attack.mitre.org/techniques/T1005/ | Collects files and other data from compromised systems | File-access telemetry, sensitive-data labels, staging behavior, EDR and DLP events | MITRE G0032 |
| Collection | T1560.001 Archive via Utility — https://attack.mitre.org/techniques/T1560/001/ | Packages data before transfer in reported campaigns | Unexpected archive creation, process ancestry, file volume, destination, and DLP evidence | MITRE G0032/C0022 |
| Impact | T1485 Data Destruction — https://attack.mitre.org/techniques/T1485/ | Deletes or overwrites data in destructive operations | Mass file changes, storage and endpoint events, backup alerts, administrative activity | MITRE G0032; campaign-specific evidence required |
ATT&CK describes behavior; it does not prove attribution. Technique matches become useful only when they align with the incident’s timing, victimology, infrastructure, and technical evidence.
Recruiter and employer impersonation borrows a legitimate workflow. Public reporting describes tailored roles, professional-network contact, interview tasks, and movement to messaging or collaboration services often aimed at developers and cryptocurrency personnel with privileged access.
The FBI’s September 2024 advisory warned that DPRK actors conduct highly tailored social engineering against employees in decentralized-finance and cryptocurrency businesses. The DMM Bitcoin attribution later described a recruiter-themed approach that ultimately enabled impersonation and manipulation of a transaction request. These cases show why awareness training alone is insufficient: the workflow can span weeks and use channels outside the corporate email gateway.
Verify unusual recruiters and professional requests through an independently obtained channel. Review unfamiliar projects in isolated, non-privileged environments; keep production secrets and signing access off test systems; use phishing-resistant MFA; protect source control; and provide a low-friction reporting path.
Cryptocurrency organizations combine high-value assets, globally connected infrastructure, software-heavy workflows, and employees with direct or indirect custody privileges. Relevant surfaces include identities, cloud accounts, source code, build systems, signing, transaction creation, and wallet approval.
Keep three evidence types separate: intrusion evidence explains access, attribution evidence links activity to a cluster or sponsor, and blockchain tracing follows assets. A transaction path alone does not prove the intrusion method or operator.
Loss figures also change meaning over time. An attempted transfer is not necessarily a completed theft; stolen assets may later be frozen or recovered; valuations change; and annual estimates can overlap. This article therefore includes only incident amounts stated directly by authoritative sources where they materially identify the event. It does not aggregate them. Readers seeking totals and methodology should use the dedicated DeepStrike coverage of crypto crime trends and North Korean cryptocurrency operations.
Do not assign every DPRK-linked cryptocurrency theft to Lazarus. Public sources use labels such as TraderTraitor, APT38, BlueNoroff, Slow Pisces, and Jade Sleet with different boundaries; preserve the attributing source’s label.
| Malware or tool family | Platform | Reported purpose | Source | Naming caveat |
|---|---|---|---|---|
| AppleJeus | Windows and macOS | Umbrella name for malware delivered through apparently legitimate cryptocurrency applications | MITRE S0584; CISA TraderTraitor advisory — https://attack.mitre.org/software/S0584/ | Describes related malware/app campaigns, not every cryptocurrency operation |
| BLINDINGCAN | Windows | Remote-access capability reported against defense, engineering, and government targets | MITRE S0520 — https://attack.mitre.org/software/S0520/ | Associated with Lazarus reporting; sample-level attribution still requires evidence |
| Dacls | Windows, Linux, and macOS | Modular remote-access capability | MITRE S0497 — https://attack.mitre.org/software/S0497/ | Cross-platform family; vendor naming and version scope can differ |
| ThreatNeedle | Windows | Backdoor used in reported defense and other targeted operations | MITRE S0665 — https://attack.mitre.org/software/S0665/ | Campaign-specific reporting should anchor any detection claim |
| DRATzarus | Windows | Remote-access tool linked to Operation Dream Job reporting | MITRE S0694 — https://attack.mitre.org/software/S0694/ | Tool name is not an actor synonym |
| Dtrack | Windows | Reconnaissance, collection, and destructive capability reported in several sectors | MITRE S0567 — https://attack.mitre.org/software/S0567/ | Public reporting connects versions to multiple operations; do not generalize one sample |
| WannaCry | Windows | Ransomware with worm-like spread used in the May 2017 outbreak | MITRE S0366; UK and DOJ attribution — https://attack.mitre.org/software/S0366/ | A historical campaign-linked family, not a current all-purpose Lazarus signature |
This is a selected set, not a malware catalogue. Tools and infrastructure change, and some names describe delivery applications or campaign-specific families. A hash or domain may identify only one sample or infrastructure period.
Prefer behavior-based detection that correlates provenance, process ancestry, identity context, persistence, and network activity. Use static indicators only with dates and source context.
For Windows endpoints, collect process creation, script and command-line telemetry, file origin, service or task changes, security-control events, and identity context. Baselining and process lineage help distinguish legitimate administration from abuse.
Treat developer Macs as managed enterprise assets. Enforce supported versions, EDR, application trust, browser and identity controls, secrets hygiene, and restricted production access.
Cloud identities can outlive the first affected endpoint. Review authentication, token use, role assignments, applications, storage access, and conditional-access decisions before closing the incident.
Developer ecosystems expand the evidence surface. Source-control events, package registry access, CI/CD worker logs, artifact provenance, secret scanning, code-signing systems, branch protection, release approvals, and dependency changes all matter. Microsoft’s 2023 Diamond Sleet report described a compromised software supply chain that distributed a modified installer, underscoring the need to monitor both producer and delivery paths.
Remote work can connect personal social accounts, messaging services, corporate endpoints, SSO, repositories, and cloud systems. Incident plans should support lawful evidence collection across those transitions.
Living off the land means abusing capabilities already present in the environment or otherwise legitimate software. Native interpreters, system binaries, remote services, and cloud services are not suspicious by presence alone.
Detection should therefore combine context. Ask who launched the process, from which parent, under what device and identity state, with which file origin, toward what destination, and after which earlier event. An unusual signed binary reaching the network after a recruiter-delivered file has different significance from the same binary launched by approved management software. DeepStrike’s guide to living-off-the-land techniques explains the concept in depth; this page focuses on its relevance to Lazarus-related defense.
Detection is an evidence-integration problem. No single alert, domain, wallet, malware name, or ATT&CK technique confirms Lazarus attribution.
| Telemetry source | Behaviors to investigate | Why it matters | Limitation |
|---|---|---|---|
| Identity-provider logs | New devices, unusual token use, risky sign-ins, MFA changes, session reuse, privilege assignment | Valid identities can bridge endpoint, cloud, repository, and financial systems | Travel, VPNs, and automation create legitimate anomalies |
| Email security | Impersonation, newly registered lookalike domains, external reply-chain shifts, link and attachment verdicts | Captures part of the trust-building and delivery path | Many approaches begin on social or messaging services |
| Endpoint detection and response | File origin, process ancestry, interpreter use, persistence changes, credential-store access, unusual outbound connections | Establishes what executed and what the endpoint touched | One host may be only the entry point; coverage gaps matter |
| DNS, network, and proxy logs | First-seen domains, rare destinations, unexpected web-service use, beacon-like patterns, data-volume changes | Helps reconstruct infrastructure and cross-host activity | Encryption and legitimate cloud services reduce specificity |
| Cloud audit logs | Token and API activity, role changes, mailbox/storage access, new applications, logging changes | Finds access that persists beyond the initial endpoint | Logging must be enabled, retained, and centrally protected |
| Source-control logs | New tokens or keys, repository cloning, branch and workflow changes, suspicious release activity | Developer access can expose code, secrets, and downstream trust | Normal development produces high-volume activity |
| CI/CD logs | Runner registration, secret access, pipeline edits, artifact changes, signing or deployment anomalies | Shows whether compromise reached software delivery | Ephemeral workers require centralized log export |
| Package and dependency telemetry | New maintainers, package-source changes, lockfile drift, unreviewed dependency additions | Supports supply-chain investigation and prevention | A new dependency is not inherently malicious |
| Collaboration-platform logs | External invitations, file sharing, unusual direct messages, new integrations | May capture a path that bypasses email controls | Personal accounts and encrypted services may be outside visibility |
| Wallet and financial systems | New destinations, altered transaction construction, approval bypass, unusual signer or API activity | Connects identity compromise to attempted asset movement | Blockchain activity alone may not reveal the intrusion path |
| Privileged access management | Emergency access, unusual checkout, off-hours elevation, new privileged sessions | Validates whether high-impact rights were used | Unmanaged privilege will not appear in PAM |
| DLP and data-access logs | Bulk access, unusual archives, sensitive repository or document reads, external upload | Supports collection and exfiltration analysis | Classification and tuning quality determine value |
| Threat-intelligence matches | Dated infrastructure, malware, certificates, wallet alerts, campaign context | Accelerates triage and scope when provenance is clear | Indicators expire, can be shared, or can produce false positives |
High-confidence detection combines behavior, context, infrastructure, malware analysis, victimology, and time. Preserve negative evidence too: expected automation may refute an alert, while a routine valid-account event can become high priority after a tailored approach and sensitive access.
| Observed risk | Preventive control | Detective control | Response preparation |
|---|---|---|---|
| Recruiter or employer impersonation | Out-of-band verification; isolated review environment; block production credentials on test devices | Brand and domain monitoring; collaboration and endpoint telemetry | Reporting path for suspicious approaches; preserve messages and files |
| Stolen credentials or sessions | Phishing-resistant MFA; device-bound access; conditional access; short-lived tokens | Sign-in risk, token reuse, device and location correlation | Rapid session revocation and credential/key rotation playbook |
| Developer workstation compromise | Managed endpoints; application control; least privilege; secrets isolation | EDR, file provenance, process lineage, repository-access correlation | Clean-room rebuild and developer-identity recovery process |
| Malicious dependencies or packages | Approved registries; lockfiles; dependency review; provenance and signing | Package-source changes, maintainer events, SBOM and artifact comparison | Dependency quarantine, release rollback, and customer notification plan |
| Cloud identity abuse | Workload identity hygiene; least privilege; separate administration; conditional access | Central cloud audit, privilege and application-consent alerts | Break-glass governance and tested tenant containment |
| Privileged access | PAM, just-in-time elevation, separate admin identities | Privilege checkout, anomalous elevation, session recording where lawful | Predefined privilege revocation and owner contacts |
| Cryptocurrency transfer risk | Wallet segregation, withdrawal limits, allowlists, multi-person approvals, independent transaction display | Destination, signer, API, approval-chain, and velocity monitoring | Freeze/escalation contacts, asset-tracing and law-enforcement procedures |
| Endpoint malware | Supported platforms, application control, EDR, restricted scripting | Behavior analytics, process and network correlation | Isolation, forensic capture, and rebuild criteria |
| Data exfiltration | Segmentation, least privilege, data classification, egress controls | DLP, archive and upload anomalies, storage access | Evidence preservation and disclosure decision process |
| Supply-chain compromise | Isolated builds, protected signing, reproducible artifacts, release separation | Pipeline, runner, signing, package, and release auditing | Revoke signing trust, halt releases, identify downstream exposure |
| Remote access | Approved tools, MFA, access brokers, device posture | New tool, geography, account, and session alerts | Disable access paths without losing needed evidence |
| Third-party access | Time-bounded accounts, least privilege, contractual logging and notification | Vendor-account and integration monitoring | Contact tree, token revocation, and coordinated containment exercise |
Controls reduce probability and impact; they do not guarantee prevention. Prioritize independent approval for high-impact actions, protected telemetry, and rehearsed access revocation.
Adapt containment to the organization and preserve evidence. Do not delay urgent action merely to prove the actor name; business impact and access scope come first.
| Public label | Commonly reported focus | Naming source | Important caveat |
|---|---|---|---|
| Lazarus Group / G0032 | Broad mix of espionage, destructive, and financially motivated operations | MITRE and wide public reporting | Often an umbrella; boundaries vary |
| APT38 / BlueNoroff | Financial institutions and cryptocurrency-related theft | Mandiant, MITRE G0082, Treasury | Treasury calls BlueNoroff a Lazarus subgroup; MITRE tracks a separate group entry |
| Andariel / APT45 / Onyx Sleet | Military, government, defense, technology, and selected revenue operations | Treasury, Mandiant, Microsoft, MITRE G0138 | Subgroup in some official reporting; distinct vendor cluster in other taxonomies |
| Kimsuky / APT43 / Emerald Sleet | Espionage and intelligence collection | MITRE G0094 and vendor reporting | Separate actor; do not merge into Lazarus |
| APT37 / ScarCruft | Espionage, historically focused on South Korea with broader targeting over time | MITRE G0067 and vendor reporting | Separate actor; technique or sponsor overlap is not identity proof |
| DPRK remote IT-worker schemes | Revenue generation through fraudulent employment; possible access or data risk | FBI/DOJ and multi-government advisories | A scheme and workforce threat, not automatically Lazarus activity |
This is not an actor ranking. The practical question is which source-defined cluster and objective best fit the evidence.
Every North Korean cyberattack is Lazarus Group. Public reporting tracks multiple DPRK clusters and schemes. Preserve the source’s label and scope.
Every alias is interchangeable. HIDDEN COBRA, Diamond Sleet, TraderTraitor, Guardians of Peace, BlueNoroff, and Andariel represent different taxonomies or scopes.
Lazarus only steals cryptocurrency. Public attribution also covers espionage, bank theft, strategic access, destructive attacks, and disruption.
Lazarus uses one fixed malware toolkit. Tools, platforms, delivery paths, and infrastructure change across operations.
Static indicators provide permanent detection. Hashes, domains, accounts, certificates, and wallets are time-bounded evidence.
A famous attribution proves later allegations. Every incident needs its own evidence, source, date, and confidence.
One security product can stop a state-sponsored actor. Prevention, detection, approvals, segmentation, logging, and response readiness must work together.
Penetration testing can certify an organization as Lazarus-proof. Testing validates a defined scope and time; it cannot guarantee resistance to a changing actor.
ATT&CK technique overlap proves actor identity. Common techniques are shared by many actors and legitimate administrators.
Every developer-targeting campaign is Lazarus. A lure theme is an investigative lead, not an attribution conclusion.
Cryptocurrency organizations: isolate high-value roles, protect employee and developer identity, segregate wallets, require independent transaction verification, centralize approval evidence, and rehearse a rapid freeze process.
Financial institutions: segment payment environments, constrain privilege, monitor message creation and approval separately, and test response decisions for attempted, blocked, completed, and recovered transfers.
Software and developer teams: manage endpoints; keep production secrets out of interview or test environments; protect repositories, CI/CD, signing, registries, dependencies, and release approvals.
Cloud-first organizations: treat identity as the control plane with phishing-resistant MFA, device posture, least privilege, protected logging, service-principal governance, and tested token revocation.
Defense and research organizations: map sensitive programs to people, repositories, suppliers, and endpoints; support safe reporting of unusual professional approaches; monitor high-value identities.
General enterprises: identify paths that combine external trust, privilege, sensitive data, software delivery, and financial authority. Reduce, instrument, and test those paths.
Lazarus Group is a public label for North Korean state-linked cyber activity associated with the Reconnaissance General Bureau. Reported operations include espionage, financial theft, strategic access, disruption, and destructive activity. MITRE notes that the name is often used as an umbrella, not one fixed team.
U.S. Treasury and MITRE attribute Lazarus Group to North Korea’s Reconnaissance General Bureau, and U.S. and UK agencies have made public attributions in major cases. Open reporting does not provide a complete organizational chart, so sanctions, legal allegations, and technical assessments should remain distinct.
Associated names include Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, and Diamond Sleet. Reporting also connects BlueNoroff/APT38, Andariel, and TraderTraitor to parts of the activity. These labels may represent different government, vendor, subgroup, campaign, or persona scopes.
Not exactly. U.S. Treasury described BlueNoroff and Andariel as Lazarus subgroups in 2019, while MITRE and vendors also track them as distinguishable clusters. Retain the original source’s taxonomy rather than replacing every label with “Lazarus Group.”
Public sources link Lazarus-related activity to Sony Pictures, Bangladesh Bank, WannaCry, Operation Dream Job, Ronin, Horizon Bridge, and other cryptocurrency incidents. Later DMM Bitcoin and Bybit statements used the narrower TraderTraitor label, so each case needs its own source and caveat.
The UK government said the NCSC assessed it was highly likely Lazarus was behind WannaCry. A 2018 U.S. Department of Justice complaint also alleged North Korean involvement. Those qualified terms should not be rewritten as proof of every operational detail.
Cryptocurrency businesses combine transferable assets with cloud, software, signing, wallet, and approval systems. Public reporting connects several DPRK clusters to this objective; blockchain tracing alone does not explain the original intrusion or prove that every case is Lazarus.
MITRE and government reporting associate Lazarus-related activity with tools such as AppleJeus, BLINDINGCAN, Dacls, ThreatNeedle, DRATzarus, Dtrack, and the historical WannaCry outbreak. Tooling changes across campaigns, so behavior, provenance, and context matter more than a static family list.
Reported access paths include tailored phishing, fake employment themes, social or collaboration services, trojanized applications, compromised software delivery, and exploitation in some campaigns. There is no single entry method; defenders should focus on trust, identity, file origin, endpoint behavior, and software provenance.
Correlate identity, collaboration, endpoint, network, cloud, source-control, CI/CD, package, and financial telemetry. Look for a coherent sequence rather than one IOC or ATT&CK technique; attribution also requires infrastructure, malware, victimology, timing, and source context.
Prioritize phishing-resistant MFA, least privilege, managed developer endpoints, application control, EDR, protected cloud and repository logs, secure build controls, segmentation, independent financial approvals, wallet segregation, and rehearsed incident response. These controls reduce likelihood and impact but do not guarantee prevention.
No. Public reporting separately tracks Kimsuky/APT43, APT37/ScarCruft, Andariel/APT45, BlueNoroff/APT38, other clusters, and remote IT-worker schemes. Sponsorship, target similarity, or shared techniques do not establish exact actor identity.
Lazarus Group remains important because public attribution connects the label with espionage, disruption, financial theft, and access to valuable technology ecosystems. Because taxonomies overlap, defensible analysis must preserve the source, date, evidence, and confidence.
Security leaders should protect identity, developer endpoints, cloud control planes, source and build systems, third-party trust, and financial approvals and rehearse access revocation, transaction pauses, containment validation, and re-entry monitoring.
No single security assessment can guarantee protection from Lazarus Group or any other state-sponsored actor. Where it fits an organization’s risk model, DeepStrike’s verified penetration testing services can help test scoped web, API, cloud, network, mobile, and internal attack paths and support remediation validation. The result should be treated as evidence about the tested scope and time not as certification against a named adversary.
Author: Mohammed Khalil, CISSP, OSCP, OSWE
Last reviewed: July 14, 2026
Research verified through: July 14, 2026
Actor naming and attribution can change as new evidence appears. Recheck primary sources before future material updates.

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today
Contact Us