logo svg
logo

July 14, 2026

Updated: July 14, 2026

Lazarus Group: North Korea’s Cyber Operations, Attacks, and Tactics

Who Is Lazarus Group? Attacks, Tactics and Defense

Mohammed Khalil

Mohammed Khalil

Featured Image

Last updated: July 14, 2026 · Research verified through: July 14, 2026

Lazarus Group is a public threat-intelligence label for North Korean state-linked cyber activity. Governments and security researchers have attributed operations under this name to the country’s Reconnaissance General Bureau, while reported objectives span espionage, financial theft, disruption, and strategic access. The label is imprecise: sources divide North Korean operators differently, and not every DPRK-linked intrusion is Lazarus Group activity. This guide explains the evidence, major campaigns, recurring behaviors, and defensive priorities without treating overlapping names as interchangeable.

Important attribution note. Threat-actor names are analytical labels, and different sources may split or combine the same activity. An alias can represent a government label, vendor cluster, subgroup, campaign, or public persona. The article therefore retains each source’s wording, date, and material caveats.

Executive summary

Quick answer: What is the Lazarus Group?

Lazarus Group is a widely used name for North Korean state-linked cyber operations associated in public reporting with espionage, destructive activity, strategic access, bank theft, and cryptocurrency theft. The current MITRE ATT&CK profile attributes the group to North Korea’s Reconnaissance General Bureau and notes that “Lazarus Group” is often used as an umbrella for several operators that may share personnel, infrastructure, malware, and tradecraft. That matters because public labels do not map cleanly: a government advisory may use a broad DPRK label, while a vendor tracks a narrower cluster or campaign. Responsible analysis therefore separates incident facts, technical clustering, and sponsor attribution and does not assume every North Korean operation belongs to Lazarus.

Key defensive priorities

Lazarus Group at a glance

FieldVerified summarySource / caveat
Common nameLazarus GroupBroad public label; scope varies by source
First publicly reported activity rangeActive since at least 2009MITRE ATT&CK G0032, modified May 12, 2026; no precise “founded” date asserted — https://attack.mitre.org/groups/G0032/
Commonly attributed sponsorNorth Korea’s Reconnaissance General BureauMITRE; U.S. Treasury designation, September 13, 2019 — https://home.treasury.gov/news/press-releases/sm774
Primary objectivesEspionage, strategic access, financial theft, disruption, and intelligence collectionObjective varies by operation and tracked cluster
Common targetsFinance, cryptocurrency, defense, aerospace, technology, software, media, government, research, and selected critical sectorsDo not generalize one cluster’s victimology to the entire umbrella
Geographic reachGlobalPublic cases include targets in the United States, United Kingdom, Bangladesh, Japan, and multinational cryptocurrency ecosystems
Common operational themesTailored social engineering, fake-job approaches, malware delivery, credential and identity access, legitimate-tool abuse, supply-chain access, collection, theft, and destructive impactNo single fixed sequence or toolset
MITRE ATT&CK referenceGroup G0032, version 5.0Last modified May 12, 2026
Important naming caveatRelated labels can describe a government category, vendor cluster, subgroup, campaign, or personaExact equivalence should never be assumed without the source and date
Last verifiedJuly 14, 2026Public attribution and naming may change

Who is the Lazarus Group?

In public threat intelligence, “Lazarus Group” is best understood as an attribution container rather than a precise corporate-style organization. MITRE’s May 2026 update says the name is often used as an umbrella for multiple North Korean operators conducting espionage, destructive attacks, and financially motivated campaigns. It also notes that units can share personnel, infrastructure, malware, and tradecraft as national priorities change. Those overlaps help analysts connect campaigns, but they also make a clean organizational boundary difficult to defend.

Government and vendor reports can differ without contradicting one another. A government may use a broad DPRK label, while a vendor tracks a narrower cluster or campaign. Those labels reflect different evidence, thresholds, and collection periods.

The public record spans destructive impact at Sony Pictures, attempted financial-transfer abuse at Bangladesh Bank, WannaCry disruption, cryptocurrency theft, and recruitment or supply-chain campaigns targeting technology and defense communities.

Reducing Lazarus to a malware family would therefore be misleading. Tooling changes, malware names can be vendor-specific, and legitimate utilities may appear alongside custom implants. Reducing it to cryptocurrency theft is also incomplete: the umbrella’s public history includes intelligence collection, destructive activity, and access to strategically valuable organizations. Readers who need broader context on state-sponsored hacking groups should treat the Lazarus label as one example of a wider attribution problem not as a benchmark for ranking actors.

Is Lazarus Group connected to North Korea?

Multiple governments have publicly linked Lazarus-related activity to North Korea. MITRE attributes G0032 to the Reconnaissance General Bureau. On September 13, 2019, the U.S. Treasury sanctioned Lazarus Group, Bluenoroff, and Andariel, describing them as North Korean state-sponsored malicious cyber groups controlled by the RGB. The U.S. Department of Justice’s 2018 complaint alleged that a North Korean programmer participated in a Lazarus-linked conspiracy involving Sony Pictures, Bangladesh Bank, WannaCry, and other targets. A 2021 superseding case expanded the allegations against three RGB-linked programmers.

The United Kingdom has also issued actor-level assessments. In December 2017, the UK government said the National Cyber Security Centre assessed it was highly likely Lazarus was behind WannaCry. That wording is important: “highly likely” communicates an assessment, not direct courtroom proof.

Official attribution may combine technical evidence, intelligence, infrastructure analysis, victimology, and policy judgment. Technical clustering is narrower. Sanctions are executive actions, while complaints and indictments contain allegations that should remain described as allegations unless adjudicated.

Accordingly, the article separates incident facts, technical clustering, and sponsor attribution. Defenders still need to contain the intrusion even when actor attribution remains incomplete.

Lazarus Group names, aliases, and related clusters

The following table is a crosswalk, not a declaration that every row is an exact synonym.

NameUsed byActor, subgroup, campaign, or labelRelationshipConfidence / caveat
Lazarus GroupMITRE, governments, vendors, mediaBroad actor or umbrella labelPublicly associated with DPRK/RGB activityScope differs substantially between sources
HIDDEN COBRAU.S. governmentGovernment labelRefers broadly to malicious cyber activity by the North Korean governmentBroader than a precise Lazarus cluster; MITRE records it as an associated name — https://attack.mitre.org/groups/G0032/
Labyrinth ChollimaCrowdStrike and industry reportingVendor cluster / associated labelLong associated with Lazarus-related activityCurrent Microsoft mapping places “LABYRINTH CHOLLIMA” across more than one North Korean cluster, showing that equivalence is not universal
ZINC / Diamond SleetMicrosoftVendor cluster; Diamond Sleet is Microsoft’s current name for former ZINC trackingMicrosoft connects the cluster with Lazarus-related reporting and espionage, theft, and disruptive activityA Microsoft activity set, not a universal name for every Lazarus operation; see Microsoft’s naming taxonomy — https://learn.microsoft.com/en-us/unified-secops/microsoft-threat-actor-naming
Guardians of PeacePublic persona in the Sony attack; government and industry reportingCampaign-specific public personaClaimed responsibility for the Sony Pictures incidentDo not treat a self-claimed persona as a durable organizational synonym; FBI attribution was to the North Korean government — https://www.fbi.gov/news/press-releases/update-on-sony-investigation
TraderTraitorU.S. government, FBI, CISAActivity or campaign labelCISA said the activity is commonly tracked as Lazarus Group; later FBI statements use it for specific DPRK cryptocurrency thefts — https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108aCampaign scope is narrower than the full Lazarus umbrella; vendor mappings vary
APT38 / BlueNoroffMandiant, MITRE, Treasury, Microsoft and othersFinancially focused cluster; Treasury-described subgroupTreasury described BlueNoroff as a Lazarus subgroup; MITRE tracks APT38 separately with Bluenoroff among associated names — https://attack.mitre.org/groups/G0082/Closely associated, but not a substitute for every Lazarus operation
Andariel / APT45 / Onyx SleetTreasury, Mandiant, Microsoft, MITRE and othersReported subgroup or distinct vendor clusterTreasury described Andariel as a Lazarus subgroup; MITRE tracks Andariel as G0138 — https://attack.mitre.org/groups/G0138/Mandiant’s APT45 analysis emphasizes a distinct cluster and malware lineage; relationship depends on taxonomy — https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine
Figure 1. Public reporting uses overlapping but non-identical names for Lazarus-related activity. Relationships should be interpreted according to the source and date. Sources: MITRE ATT&CK G0032/G0082/G0138, U.S. Treasury (2019), Microsoft threat-actor naming (2026), and Mandiant (2023–2024).

Figure 1. Public reporting uses overlapping but non-identical names for Lazarus-related activity. Relationships should be interpreted according to the source and date. Sources: MITRE ATT&CK G0032/G0082/G0138, U.S. Treasury (2019), Microsoft threat-actor naming (2026), and Mandiant (2023–2024).

Groups that should not automatically be treated as Lazarus

Kimsuky is a separately tracked DPRK espionage actor. MITRE G0094 lists names including APT43 and Emerald Sleet, but it does not make Kimsuky an alias for Lazarus Group. Similarly, MITRE G0067 tracks APT37 with ScarCruft among its associated names. Shared sponsorship, geography, target interest, or even technique overlap does not collapse these clusters into one actor.

North Korean remote IT-worker fraud is another important boundary. The scheme can involve people obtaining employment under false identities to generate revenue and, in some cases, gain access or steal data. It is a serious enterprise and supply-chain risk, but it should not be labeled Lazarus without incident-specific evidence. DeepStrike’s separate guide to North Korean remote IT-worker schemes covers that intent without conflating it with this actor profile.

For newly named DPRK clusters, retain the source’s original label, date, and confidence instead of normalizing every operation into “Lazarus.”

What are Lazarus Group’s objectives?

The public record supports several coexisting objectives:

Espionage and strategic intelligence. Campaigns linked to defense, aerospace, technology, researchers, and governments can seek sensitive technical or policy information. Access to developers and source repositories can reveal intellectual property, product roadmaps, credentials, and downstream trust relationships.

Financial theft and revenue generation. Public cases include bank-transfer fraud and cryptocurrency theft. Treasury’s 2019 designation described BlueNoroff as focused on overseas financial institutions to generate revenue for the North Korean government. An operation aimed at funds can still include lengthy reconnaissance, credential access, and lateral movement.

Disruption and coercion. Sony Pictures and WannaCry illustrate destructive or disruptive effects attributed to North Korean activity. The operational objective may include reputational pressure, denial of service, data destruction, or broad impact rather than quiet collection.

Long-term access. A foothold in a technology company, cloud tenant, software provider, or developer environment can provide intelligence today and optional access later. Supply-chain compromise is strategically valuable because one trusted delivery path may reach multiple organizations.

Cryptocurrency acquisition. Digital assets offer speed, global reach, and targets whose business processes include direct asset custody. But “crypto theft” is an outcome, not one technique. Reported cases have involved social engineering, employee access, software trust, cloud or identity compromise, and transaction manipulation.

Objectives can overlap and change. Defenders should model the outcome relevant to their assets rather than assume one fixed, financially motivated playbook.

Who does Lazarus Group target?

SectorWhy it may be targetedReported operational themesDefensive priority
Cryptocurrency exchanges, DeFi, bridges, and wallet providersDirect access to digital assets and transaction systemsTailored employee approaches, credential or session theft, developer compromise, transaction-workflow abuseIsolate critical roles, harden identity, segregate wallets, and require multi-person approvals
Financial institutionsAccess to payment systems and transferable fundsLong dwell time, credential access, payment-message manipulation, operational reconnaissanceSegment payment environments, monitor privileged access, and validate transfer controls
Defense and aerospaceStrategic and technical intelligenceRecruitment themes, spearphishing, malware, long-term collectionProtect developer and researcher endpoints, repositories, and sensitive project identities
Technology and software companiesIntellectual property and trusted distribution pathsDeveloper targeting, source-control access, signed or trojanized software, supply-chain compromiseEnforce protected branches, artifact provenance, isolated builds, and code-signing controls
Media and entertainmentStrategic messaging, coercion, or disruptive impactAccount compromise, data theft, public disclosure, destructive malwareSegment critical systems, protect backups, and rehearse crisis communications
Government and researchPolicy, national-security, scientific, or technical intelligenceTailored social engineering, credential theft, malware-assisted collectionPhishing-resistant MFA, information segmentation, and high-value user monitoring
Security researchersInsight into defensive research, vulnerabilities, and detection capabilityFalse personas, professional trust-building, links or project materialVerify contacts out of band and review untrusted material in isolated environments
Selected healthcare, pharmaceutical, and critical sectorsResearch value or strategic access reported for specific DPRK clustersSpearphishing, exploitation, collection, and occasionally disruptive activityApply cluster-specific intelligence; do not assume every case is Lazarus

Victimology supports an assessment but does not prove it. Analysts still need the technical timeline, infrastructure, malware, identity activity, and source reporting.

Major Lazarus Group attacks and campaigns

The timeline separates official attribution, legal allegations, and multi-source technical assessments. Each row preserves the source-level caveat.

Incident or campaignIncident dateTarget / sectorWhat happenedPublic attribution sourceConfidence / caveat
Sony Pictures EntertainmentNovember 2014Media and entertainmentData theft, public release, and destructive impact disrupted the companyFBI, December 19, 2014; DOJ, September 6, 2018 — https://www.fbi.gov/news/press-releases/update-on-sony-investigation ; https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-andOfficial attribution to North Korea; DOJ later alleged a Lazarus-linked conspiracy
Bangladesh Bank theftFebruary 2016Banking and SWIFT-related financial operationsFraudulent transfer messages led to the theft of $81 million; other attempted transfers were blockedDOJ complaint, September 6, 2018; Treasury, September 13, 2019 — https://home.treasury.gov/news/press-releases/sm774Official legal allegation and sanctions narrative; often associated with APT38/BlueNoroff
WannaCryMay 2017Global, cross-sectorRansomware with worm-like propagation caused widespread operational disruptionUK government/NCSC, December 19, 2017; DOJ, September 6, 2018 — https://www.gov.uk/government/news/foreign-office-minister-condemns-north-korean-actor-for-wannacry-attacksUK assessed “highly likely” Lazarus; DOJ alleged DPRK involvement
Operation Dream JobSeptember 2019–August 2020 in MITRE’s campaign recordDefense, aerospace, and other professionalsRecruitment-themed social engineering supported malware delivery and intelligence collectionMITRE ATT&CK C0022 based on multiple original research sources — https://attack.mitre.org/campaigns/C0022/Multi-source technical assessment; campaign dates describe observed reporting, not all later fake-job activity
Ronin NetworkMarch 2022Blockchain bridgeCompromise led to a major virtual-asset theftFBI statement, April 2022; Treasury, May 6, 2022 — https://www.fbi.gov/news/press-releases/fbi-statement-on-attribution-of-malicious-cyber-activity-posed-by-the-democratic-peoples-republic-of-korea ; https://home.treasury.gov/news/press-releases/jy0768Official attribution to Lazarus Group and APT38
Horizon BridgeJune 2022Blockchain bridgeVirtual assets were stolen; later tracing and cooperation froze a portion of the fundsFBI, January 23, 2023 — https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theftOfficial attribution to Lazarus Group and APT38
Atomic Wallet and related 2023 theftsJune–July 2023Wallet and cryptocurrency servicesFBI linked stolen funds from several incidents to TraderTraitor-affiliated actorsFBI, August 22, 2023 — https://www.fbi.gov/news/press-releases/fbi-identifies-cryptocurrency-funds-stolen-by-dprkOfficial DPRK/TraderTraitor attribution; FBI also used Lazarus Group/APT38 associations
DMM BitcoinMay 2024Cryptocurrency exchangeA social-engineering and identity-compromise chain preceded manipulation of a transaction requestFBI and Japan NPA, December 23, 2024 — https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcomOfficial attribution to TraderTraitor; mapped by the statement to several vendor labels, not solely “Lazarus”
BybitFebruary 21, 2025Cryptocurrency exchangeNorth Korean actors stole approximately $1.5 billion in virtual assets, according to the FBIFBI, February 26, 2025 — https://www.fbi.gov/investigate/cyber/alerts/2025/north-korea-responsible-for-1-5-billion-bybit-hackOfficial attribution to North Korea; FBI identified the specific activity as TraderTraitor
Figure 2. Selected Lazarus-related incidents based on publicly available attribution, with confidence and source type shown separately. Amounts are omitted from the visual. Sources: FBI, DOJ, UK NCSC, U.S. Treasury, CISA, and MITRE ATT&CK.

Figure 2. Selected Lazarus-related incidents based on publicly available attribution, with confidence and source type shown separately. Amounts are omitted from the visual. Sources: FBI, DOJ, UK NCSC, U.S. Treasury, CISA, and MITRE ATT&CK.

The incidents illustrate different risks: destructive impact, payment-process compromise, widespread disruption, abuse of professional trust, and attacks on asset custody and approval workflows.

The timeline is not a claim that one team, one intrusion chain, or one malware family executed every operation. It is a selection of cases with direct public attribution. DeepStrike’s analysis of North Korean cryptocurrency operations owns the detailed loss and tracing intent; this article retains only the context needed to understand the Lazarus entity.

How Lazarus Group operations typically develop

Lazarus-related operations do not follow one sequence. The lifecycle below is a set of defensive possibilities, not a universal intrusion playbook:

  1. Target research. Operators may study an organization, employee roles, professional networks, suppliers, software, or financial processes.
  2. Trust building or social engineering. A persona, recruiter approach, business conversation, or compromised relationship may make later content appear credible.
  3. Initial access. Reported paths include phishing, links or files delivered through services, trojanized applications, exposed software, or trusted third-party distribution.
  4. Execution or malware delivery. User action or a compromised software path can start an implant or script. Defenders should focus on the process chain and origin rather than reproduce the execution method.
  5. Credential and identity access. Sessions, tokens, passwords, browser data, or application credentials may become more valuable than the first endpoint.
  6. Persistence or continued access. Campaigns may seek recurring endpoint, cloud, application, or account access. The mechanism varies by platform and operation.
  7. Discovery and lateral movement. The actor may identify users, hosts, repositories, cloud services, payment systems, or other high-value resources.
  8. Collection or financial access. Espionage operations collect data; theft operations position access around approvals, keys, transaction systems, or asset custody.
  9. Exfiltration, theft, or disruption. Outcomes can include data removal, unauthorized transfer, public release, service disruption, or destructive impact.
  10. Infrastructure change or attempted re-entry. External infrastructure and access methods can rotate. Containment that addresses only the first malware sample may leave identity or third-party access intact.

Use the lifecycle to frame questions: what executed, which identities were used, what resources were reached, and whether the evidence matches a known campaign.

The Lazarus Attribution-to-Defense Model

The Lazarus Attribution-to-Defense Model is a DeepStrike framework for converting public reporting into testable defensive questions. It is not an industry standard or an attribution score.

Its five layers record the attribution source, likely objective, exposed attack surface, observed behavior, and defensive evidence needed to validate or reject the working hypothesis.

ScenarioAttributionObjectiveAttack surfaceObserved behaviorDefensive evidence
Fake recruiterOfficial or vendor reportEspionage or strategic accessDeveloper endpoint and identityImpersonation followed by credential accessIdP, EDR, collaboration, and source-control logs
Cloud identityMulti-source assessmentLong-term or privileged accessCloud identity, roles, and tokensSession reuse or privileged-role changeIdP and protected cloud audit trails
Crypto employeeOfficial incident attributionFinancial theftEmployee identity and approval workflowIdentity use followed by transaction changeWallet, signer, API, and approval telemetry
Supply chainVendor technical assessmentStrategic access or downstream reachSource, build, and software deliveryArtifact or release tamperingRepository, CI/CD, signing, and release evidence
Figure 3. The DeepStrike Lazarus Attribution-to-Defense Model links public reporting to the telemetry and controls defenders can validate. Example paths are defensive hypotheses, not fixed campaign sequences.

Figure 3. The DeepStrike Lazarus Attribution-to-Defense Model links public reporting to the telemetry and controls defenders can validate. Example paths are defensive hypotheses, not fixed campaign sequences.

A fake-recruiter report should trigger review of the developer endpoint, identity sessions, collaboration history, and source-control events. Cloud, cryptocurrency, and supply-chain cases should similarly connect the suspected behavior to protected audit, approval, build, signing, and release evidence.

A government statement can support sponsor attribution, while EDR or identity logs establish behavior in the incident. Record those conclusions separately.

Lazarus Group tactics and MITRE ATT&CK techniques

The MITRE ATT&CK Lazarus Group entry contains a broad set of mappings accumulated across campaigns and years. The following selection emphasizes recurring behaviors with practical defensive value; it is not a checklist that every intrusion will exhibit.

ATT&CK tacticVerified techniqueHigh-level behaviorDefender telemetrySource
ReconnaissanceT1593.001 Search Open Websites/Domains: Social Media — https://attack.mitre.org/techniques/T1593/001/Researches people, roles, relationships, and target contextReports of impersonation, brand-monitoring findings, exposed staff-role data, suspicious profile contactsMITRE G0032 / Operation Dream Job references
ReconnaissanceT1684.001 Social Engineering: Impersonation — https://attack.mitre.org/techniques/T1684/001/Uses a person or organization identity to establish trustEmail, messaging, recruiter-verification, collaboration, and identity-provider recordsMITRE G0032; FBI crypto social-engineering advisory
Initial accessT1566.003 Phishing: Spearphishing via Service — https://attack.mitre.org/techniques/T1566/003/Delivers links or material through social, messaging, or collaboration servicesSecure email gateway, collaboration audit, URL detonation, browser, and EDR telemetryMITRE G0032/C0022
ExecutionT1204.002 User Execution: Malicious File — https://attack.mitre.org/techniques/T1204/002/Relies on a user opening or running content presented as legitimateFile origin, Mark-of-the-Web, application-control, process ancestry, and sandbox evidenceMITRE G0032/C0022
Persistence / privilege / defense evasionT1078 Valid Accounts — https://attack.mitre.org/techniques/T1078/Uses compromised legitimate identities or sessionsSign-in risk, device posture, token use, new locations, impossible sequences, and privilege changesMITRE G0032 and FBI DMM case context
ExecutionT1059.001 PowerShell and T1059.003 Windows Command Shell — https://attack.mitre.org/techniques/T1059/001/ ; https://attack.mitre.org/techniques/T1059/003/Uses native interpreters in reported Windows campaignsScript-block logging, command-line lineage, EDR events, constrained-language and application-control outcomesMITRE G0032
Defense evasionT1218 System Binary Proxy Execution — https://attack.mitre.org/techniques/T1218/Abuses signed system binaries to run unexpected contentParent-child process relationships, signed-binary network activity, file provenance, and application controlMITRE G0032/C0022
Persistence / executionT1053.005 Scheduled Task — https://attack.mitre.org/techniques/T1053/005/Creates or changes scheduled execution in some campaignsTask creation and modification, creator identity, target binary, and EDR correlationMITRE G0032/C0022
DiscoveryT1087.002 Domain Account — https://attack.mitre.org/techniques/T1087/002/Enumerates identities and privileged roles after accessDirectory queries, unusual account enumeration, endpoint process and identity contextMITRE G0032/C0022
CollectionT1005 Data from Local System — https://attack.mitre.org/techniques/T1005/Collects files and other data from compromised systemsFile-access telemetry, sensitive-data labels, staging behavior, EDR and DLP eventsMITRE G0032
CollectionT1560.001 Archive via Utility — https://attack.mitre.org/techniques/T1560/001/Packages data before transfer in reported campaignsUnexpected archive creation, process ancestry, file volume, destination, and DLP evidenceMITRE G0032/C0022
ImpactT1485 Data Destruction — https://attack.mitre.org/techniques/T1485/Deletes or overwrites data in destructive operationsMass file changes, storage and endpoint events, backup alerts, administrative activityMITRE G0032; campaign-specific evidence required

ATT&CK describes behavior; it does not prove attribution. Technique matches become useful only when they align with the incident’s timing, victimology, infrastructure, and technical evidence.

Social engineering and fake job campaigns

Recruiter and employer impersonation borrows a legitimate workflow. Public reporting describes tailored roles, professional-network contact, interview tasks, and movement to messaging or collaboration services often aimed at developers and cryptocurrency personnel with privileged access.

The FBI’s September 2024 advisory warned that DPRK actors conduct highly tailored social engineering against employees in decentralized-finance and cryptocurrency businesses. The DMM Bitcoin attribution later described a recruiter-themed approach that ultimately enabled impersonation and manipulation of a transaction request. These cases show why awareness training alone is insufficient: the workflow can span weeks and use channels outside the corporate email gateway.

Verify unusual recruiters and professional requests through an independently obtained channel. Review unfamiliar projects in isolated, non-privileged environments; keep production secrets and signing access off test systems; use phishing-resistant MFA; protect source control; and provide a low-friction reporting path.

Cryptocurrency and blockchain operations

Cryptocurrency organizations combine high-value assets, globally connected infrastructure, software-heavy workflows, and employees with direct or indirect custody privileges. Relevant surfaces include identities, cloud accounts, source code, build systems, signing, transaction creation, and wallet approval.

Keep three evidence types separate: intrusion evidence explains access, attribution evidence links activity to a cluster or sponsor, and blockchain tracing follows assets. A transaction path alone does not prove the intrusion method or operator.

Loss figures also change meaning over time. An attempted transfer is not necessarily a completed theft; stolen assets may later be frozen or recovered; valuations change; and annual estimates can overlap. This article therefore includes only incident amounts stated directly by authoritative sources where they materially identify the event. It does not aggregate them. Readers seeking totals and methodology should use the dedicated DeepStrike coverage of crypto crime trends and North Korean cryptocurrency operations.

Do not assign every DPRK-linked cryptocurrency theft to Lazarus. Public sources use labels such as TraderTraitor, APT38, BlueNoroff, Slow Pisces, and Jade Sleet with different boundaries; preserve the attributing source’s label.

Malware and tooling associated with Lazarus Group

Malware or tool familyPlatformReported purposeSourceNaming caveat
AppleJeusWindows and macOSUmbrella name for malware delivered through apparently legitimate cryptocurrency applicationsMITRE S0584; CISA TraderTraitor advisory — https://attack.mitre.org/software/S0584/Describes related malware/app campaigns, not every cryptocurrency operation
BLINDINGCANWindowsRemote-access capability reported against defense, engineering, and government targetsMITRE S0520 — https://attack.mitre.org/software/S0520/Associated with Lazarus reporting; sample-level attribution still requires evidence
DaclsWindows, Linux, and macOSModular remote-access capabilityMITRE S0497 — https://attack.mitre.org/software/S0497/Cross-platform family; vendor naming and version scope can differ
ThreatNeedleWindowsBackdoor used in reported defense and other targeted operationsMITRE S0665 — https://attack.mitre.org/software/S0665/Campaign-specific reporting should anchor any detection claim
DRATzarusWindowsRemote-access tool linked to Operation Dream Job reportingMITRE S0694 — https://attack.mitre.org/software/S0694/Tool name is not an actor synonym
DtrackWindowsReconnaissance, collection, and destructive capability reported in several sectorsMITRE S0567 — https://attack.mitre.org/software/S0567/Public reporting connects versions to multiple operations; do not generalize one sample
WannaCryWindowsRansomware with worm-like spread used in the May 2017 outbreakMITRE S0366; UK and DOJ attribution — https://attack.mitre.org/software/S0366/A historical campaign-linked family, not a current all-purpose Lazarus signature

This is a selected set, not a malware catalogue. Tools and infrastructure change, and some names describe delivery applications or campaign-specific families. A hash or domain may identify only one sample or infrastructure period.

Prefer behavior-based detection that correlates provenance, process ancestry, identity context, persistence, and network activity. Use static indicators only with dates and source context.

Windows, macOS, cloud, and developer ecosystem risk

For Windows endpoints, collect process creation, script and command-line telemetry, file origin, service or task changes, security-control events, and identity context. Baselining and process lineage help distinguish legitimate administration from abuse.

Treat developer Macs as managed enterprise assets. Enforce supported versions, EDR, application trust, browser and identity controls, secrets hygiene, and restricted production access.

Cloud identities can outlive the first affected endpoint. Review authentication, token use, role assignments, applications, storage access, and conditional-access decisions before closing the incident.

Developer ecosystems expand the evidence surface. Source-control events, package registry access, CI/CD worker logs, artifact provenance, secret scanning, code-signing systems, branch protection, release approvals, and dependency changes all matter. Microsoft’s 2023 Diamond Sleet report described a compromised software supply chain that distributed a modified installer, underscoring the need to monitor both producer and delivery paths.

Remote work can connect personal social accounts, messaging services, corporate endpoints, SSO, repositories, and cloud systems. Incident plans should support lawful evidence collection across those transitions.

Living-off-the-land and legitimate tool abuse

Living off the land means abusing capabilities already present in the environment or otherwise legitimate software. Native interpreters, system binaries, remote services, and cloud services are not suspicious by presence alone.

Detection should therefore combine context. Ask who launched the process, from which parent, under what device and identity state, with which file origin, toward what destination, and after which earlier event. An unusual signed binary reaching the network after a recruiter-delivered file has different significance from the same binary launched by approved management software. DeepStrike’s guide to living-off-the-land techniques explains the concept in depth; this page focuses on its relevance to Lazarus-related defense.

How to detect Lazarus Group activity

Detection is an evidence-integration problem. No single alert, domain, wallet, malware name, or ATT&CK technique confirms Lazarus attribution.

Telemetry sourceBehaviors to investigateWhy it mattersLimitation
Identity-provider logsNew devices, unusual token use, risky sign-ins, MFA changes, session reuse, privilege assignmentValid identities can bridge endpoint, cloud, repository, and financial systemsTravel, VPNs, and automation create legitimate anomalies
Email securityImpersonation, newly registered lookalike domains, external reply-chain shifts, link and attachment verdictsCaptures part of the trust-building and delivery pathMany approaches begin on social or messaging services
Endpoint detection and responseFile origin, process ancestry, interpreter use, persistence changes, credential-store access, unusual outbound connectionsEstablishes what executed and what the endpoint touchedOne host may be only the entry point; coverage gaps matter
DNS, network, and proxy logsFirst-seen domains, rare destinations, unexpected web-service use, beacon-like patterns, data-volume changesHelps reconstruct infrastructure and cross-host activityEncryption and legitimate cloud services reduce specificity
Cloud audit logsToken and API activity, role changes, mailbox/storage access, new applications, logging changesFinds access that persists beyond the initial endpointLogging must be enabled, retained, and centrally protected
Source-control logsNew tokens or keys, repository cloning, branch and workflow changes, suspicious release activityDeveloper access can expose code, secrets, and downstream trustNormal development produces high-volume activity
CI/CD logsRunner registration, secret access, pipeline edits, artifact changes, signing or deployment anomaliesShows whether compromise reached software deliveryEphemeral workers require centralized log export
Package and dependency telemetryNew maintainers, package-source changes, lockfile drift, unreviewed dependency additionsSupports supply-chain investigation and preventionA new dependency is not inherently malicious
Collaboration-platform logsExternal invitations, file sharing, unusual direct messages, new integrationsMay capture a path that bypasses email controlsPersonal accounts and encrypted services may be outside visibility
Wallet and financial systemsNew destinations, altered transaction construction, approval bypass, unusual signer or API activityConnects identity compromise to attempted asset movementBlockchain activity alone may not reveal the intrusion path
Privileged access managementEmergency access, unusual checkout, off-hours elevation, new privileged sessionsValidates whether high-impact rights were usedUnmanaged privilege will not appear in PAM
DLP and data-access logsBulk access, unusual archives, sensitive repository or document reads, external uploadSupports collection and exfiltration analysisClassification and tuning quality determine value
Threat-intelligence matchesDated infrastructure, malware, certificates, wallet alerts, campaign contextAccelerates triage and scope when provenance is clearIndicators expire, can be shared, or can produce false positives

High-confidence detection combines behavior, context, infrastructure, malware analysis, victimology, and time. Preserve negative evidence too: expected automation may refute an alert, while a routine valid-account event can become high priority after a tailored approach and sensitive access.

Defensive controls mapped to observed behavior

Observed riskPreventive controlDetective controlResponse preparation
Recruiter or employer impersonationOut-of-band verification; isolated review environment; block production credentials on test devicesBrand and domain monitoring; collaboration and endpoint telemetryReporting path for suspicious approaches; preserve messages and files
Stolen credentials or sessionsPhishing-resistant MFA; device-bound access; conditional access; short-lived tokensSign-in risk, token reuse, device and location correlationRapid session revocation and credential/key rotation playbook
Developer workstation compromiseManaged endpoints; application control; least privilege; secrets isolationEDR, file provenance, process lineage, repository-access correlationClean-room rebuild and developer-identity recovery process
Malicious dependencies or packagesApproved registries; lockfiles; dependency review; provenance and signingPackage-source changes, maintainer events, SBOM and artifact comparisonDependency quarantine, release rollback, and customer notification plan
Cloud identity abuseWorkload identity hygiene; least privilege; separate administration; conditional accessCentral cloud audit, privilege and application-consent alertsBreak-glass governance and tested tenant containment
Privileged accessPAM, just-in-time elevation, separate admin identitiesPrivilege checkout, anomalous elevation, session recording where lawfulPredefined privilege revocation and owner contacts
Cryptocurrency transfer riskWallet segregation, withdrawal limits, allowlists, multi-person approvals, independent transaction displayDestination, signer, API, approval-chain, and velocity monitoringFreeze/escalation contacts, asset-tracing and law-enforcement procedures
Endpoint malwareSupported platforms, application control, EDR, restricted scriptingBehavior analytics, process and network correlationIsolation, forensic capture, and rebuild criteria
Data exfiltrationSegmentation, least privilege, data classification, egress controlsDLP, archive and upload anomalies, storage accessEvidence preservation and disclosure decision process
Supply-chain compromiseIsolated builds, protected signing, reproducible artifacts, release separationPipeline, runner, signing, package, and release auditingRevoke signing trust, halt releases, identify downstream exposure
Remote accessApproved tools, MFA, access brokers, device postureNew tool, geography, account, and session alertsDisable access paths without losing needed evidence
Third-party accessTime-bounded accounts, least privilege, contractual logging and notificationVendor-account and integration monitoringContact tree, token revocation, and coordinated containment exercise

Controls reduce probability and impact; they do not guarantee prevention. Prioritize independent approval for high-impact actions, protected telemetry, and rehearsed access revocation.

Incident response: what to do when Lazarus-related activity is suspected

  1. Preserve volatile and identity evidence. Capture the relevant endpoint, memory, active sessions, identity-provider records, cloud audit trails, collaboration history, repository events, and financial logs according to the organization’s legal and forensic procedures.
  2. Activate the incident-response plan. Assign an incident lead, establish a secure communications channel, and separate confirmed facts from working attribution.
  3. Isolate affected systems carefully. Contain confirmed or high-risk endpoints and access paths while considering business continuity and evidence preservation.
  4. Revoke compromised sessions and credentials. Rotate passwords, tokens, keys, application secrets, and signing access based on the established scope not just the first user account.
  5. Review cloud and source-control access. Examine role changes, tokens, clones, workflow edits, releases, integrations, and secrets exposure.
  6. Protect financial and cryptocurrency workflows. Pause or add independent review to high-risk transfers; secure transaction creation, approval, signing, and wallet operations.
  7. Investigate related accounts and devices. Look for shared personas, messages, infrastructure, process patterns, identity sessions, and access to the same sensitive resources.
  8. Engage external obligations and contacts. Coordinate legal, privacy, regulatory, insurance, specialist response, and law-enforcement contacts where appropriate to the jurisdiction and impact.
  9. Validate containment. Confirm that endpoint, identity, cloud, third-party, repository, and financial access paths are closed and that clean systems do not inherit compromised secrets.
  10. Monitor for re-entry. Heighten monitoring around the affected users, suppliers, domains, repositories, cloud resources, and financial controls.
  11. Record attribution confidence separately. Maintain a timeline of incident facts, technical cluster assessment, and sponsor attribution with source dates and confidence.

Adapt containment to the organization and preserve evidence. Do not delay urgent action merely to prove the actor name; business impact and access scope come first.

Lazarus Group versus other DPRK-linked actors

Public labelCommonly reported focusNaming sourceImportant caveat
Lazarus Group / G0032Broad mix of espionage, destructive, and financially motivated operationsMITRE and wide public reportingOften an umbrella; boundaries vary
APT38 / BlueNoroffFinancial institutions and cryptocurrency-related theftMandiant, MITRE G0082, TreasuryTreasury calls BlueNoroff a Lazarus subgroup; MITRE tracks a separate group entry
Andariel / APT45 / Onyx SleetMilitary, government, defense, technology, and selected revenue operationsTreasury, Mandiant, Microsoft, MITRE G0138Subgroup in some official reporting; distinct vendor cluster in other taxonomies
Kimsuky / APT43 / Emerald SleetEspionage and intelligence collectionMITRE G0094 and vendor reportingSeparate actor; do not merge into Lazarus
APT37 / ScarCruftEspionage, historically focused on South Korea with broader targeting over timeMITRE G0067 and vendor reportingSeparate actor; technique or sponsor overlap is not identity proof
DPRK remote IT-worker schemesRevenue generation through fraudulent employment; possible access or data riskFBI/DOJ and multi-government advisoriesA scheme and workforce threat, not automatically Lazarus activity

This is not an actor ranking. The practical question is which source-defined cluster and objective best fit the evidence.

Common misconceptions

Every North Korean cyberattack is Lazarus Group. Public reporting tracks multiple DPRK clusters and schemes. Preserve the source’s label and scope.

Every alias is interchangeable. HIDDEN COBRA, Diamond Sleet, TraderTraitor, Guardians of Peace, BlueNoroff, and Andariel represent different taxonomies or scopes.

Lazarus only steals cryptocurrency. Public attribution also covers espionage, bank theft, strategic access, destructive attacks, and disruption.

Lazarus uses one fixed malware toolkit. Tools, platforms, delivery paths, and infrastructure change across operations.

Static indicators provide permanent detection. Hashes, domains, accounts, certificates, and wallets are time-bounded evidence.

A famous attribution proves later allegations. Every incident needs its own evidence, source, date, and confidence.

One security product can stop a state-sponsored actor. Prevention, detection, approvals, segmentation, logging, and response readiness must work together.

Penetration testing can certify an organization as Lazarus-proof. Testing validates a defined scope and time; it cannot guarantee resistance to a changing actor.

ATT&CK technique overlap proves actor identity. Common techniques are shared by many actors and legitimate administrators.

Every developer-targeting campaign is Lazarus. A lure theme is an investigative lead, not an attribution conclusion.

What security leaders should prioritize

Cryptocurrency organizations: isolate high-value roles, protect employee and developer identity, segregate wallets, require independent transaction verification, centralize approval evidence, and rehearse a rapid freeze process.

Financial institutions: segment payment environments, constrain privilege, monitor message creation and approval separately, and test response decisions for attempted, blocked, completed, and recovered transfers.

Software and developer teams: manage endpoints; keep production secrets out of interview or test environments; protect repositories, CI/CD, signing, registries, dependencies, and release approvals.

Cloud-first organizations: treat identity as the control plane with phishing-resistant MFA, device posture, least privilege, protected logging, service-principal governance, and tested token revocation.

Defense and research organizations: map sensitive programs to people, repositories, suppliers, and endpoints; support safe reporting of unusual professional approaches; monitor high-value identities.

General enterprises: identify paths that combine external trust, privilege, sensitive data, software delivery, and financial authority. Reduce, instrument, and test those paths.

Frequently asked questions

What is the Lazarus Group?

Lazarus Group is a public label for North Korean state-linked cyber activity associated with the Reconnaissance General Bureau. Reported operations include espionage, financial theft, strategic access, disruption, and destructive activity. MITRE notes that the name is often used as an umbrella, not one fixed team.

Is Lazarus Group part of the North Korean government?

U.S. Treasury and MITRE attribute Lazarus Group to North Korea’s Reconnaissance General Bureau, and U.S. and UK agencies have made public attributions in major cases. Open reporting does not provide a complete organizational chart, so sanctions, legal allegations, and technical assessments should remain distinct.

What other names are used for Lazarus Group?

Associated names include Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, and Diamond Sleet. Reporting also connects BlueNoroff/APT38, Andariel, and TraderTraitor to parts of the activity. These labels may represent different government, vendor, subgroup, campaign, or persona scopes.

Are BlueNoroff and Andariel the same as Lazarus Group?

Not exactly. U.S. Treasury described BlueNoroff and Andariel as Lazarus subgroups in 2019, while MITRE and vendors also track them as distinguishable clusters. Retain the original source’s taxonomy rather than replacing every label with “Lazarus Group.”

What attacks has Lazarus Group been linked to?

Public sources link Lazarus-related activity to Sony Pictures, Bangladesh Bank, WannaCry, Operation Dream Job, Ronin, Horizon Bridge, and other cryptocurrency incidents. Later DMM Bitcoin and Bybit statements used the narrower TraderTraitor label, so each case needs its own source and caveat.

Was Lazarus Group responsible for WannaCry?

The UK government said the NCSC assessed it was highly likely Lazarus was behind WannaCry. A 2018 U.S. Department of Justice complaint also alleged North Korean involvement. Those qualified terms should not be rewritten as proof of every operational detail.

Why does Lazarus Group target cryptocurrency companies?

Cryptocurrency businesses combine transferable assets with cloud, software, signing, wallet, and approval systems. Public reporting connects several DPRK clusters to this objective; blockchain tracing alone does not explain the original intrusion or prove that every case is Lazarus.

What malware does Lazarus Group use?

MITRE and government reporting associate Lazarus-related activity with tools such as AppleJeus, BLINDINGCAN, Dacls, ThreatNeedle, DRATzarus, Dtrack, and the historical WannaCry outbreak. Tooling changes across campaigns, so behavior, provenance, and context matter more than a static family list.

How does Lazarus Group gain initial access?

Reported access paths include tailored phishing, fake employment themes, social or collaboration services, trojanized applications, compromised software delivery, and exploitation in some campaigns. There is no single entry method; defenders should focus on trust, identity, file origin, endpoint behavior, and software provenance.

How can organizations detect Lazarus Group activity?

Correlate identity, collaboration, endpoint, network, cloud, source-control, CI/CD, package, and financial telemetry. Look for a coherent sequence rather than one IOC or ATT&CK technique; attribution also requires infrastructure, malware, victimology, timing, and source context.

How can companies reduce their exposure?

Prioritize phishing-resistant MFA, least privilege, managed developer endpoints, application control, EDR, protected cloud and repository logs, secure build controls, segmentation, independent financial approvals, wallet segregation, and rehearsed incident response. These controls reduce likelihood and impact but do not guarantee prevention.

Is every North Korean cyberattack carried out by Lazarus Group?

No. Public reporting separately tracks Kimsuky/APT43, APT37/ScarCruft, Andariel/APT45, BlueNoroff/APT38, other clusters, and remote IT-worker schemes. Sponsorship, target similarity, or shared techniques do not establish exact actor identity.

Conclusion

Lazarus Group remains important because public attribution connects the label with espionage, disruption, financial theft, and access to valuable technology ecosystems. Because taxonomies overlap, defensible analysis must preserve the source, date, evidence, and confidence.

Security leaders should protect identity, developer endpoints, cloud control planes, source and build systems, third-party trust, and financial approvals and rehearse access revocation, transaction pauses, containment validation, and re-entry monitoring.

No single security assessment can guarantee protection from Lazarus Group or any other state-sponsored actor. Where it fits an organization’s risk model, DeepStrike’s verified penetration testing services can help test scoped web, API, cloud, network, mobile, and internal attack paths and support remediation validation. The result should be treated as evidence about the tested scope and time not as certification against a named adversary.

Author and review information

Author: Mohammed Khalil, CISSP, OSCP, OSWE
Last reviewed: July 14, 2026
Research verified through: July 14, 2026

Actor naming and attribution can change as new evidence appears. Recheck primary sources before future material updates.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us