Description

Lazarus, also widely referred to as HIDDEN COBRA, is a North Korean Advanced Persistent Threat group that has been active since at least 2009. The group is notorious for its destructive cyber operations, financial heists, and espionage campaigns targeting multiple industries worldwide. It first gained significant attention for attacks on South Korea’s financial and broadcasting sectors in 2013, where it deployed the DarkSeoul malware. In 2014, it carried out the high-profile attack on Sony Pictures using the Destover wiper malware, allegedly in response to The Interview, a film that portrayed North Korea’s leader in an unfavorable light.

Beyond disruptive attacks, Lazarus has been heavily involved in financial cybercrime, orchestrating large-scale heists against cryptocurrency exchanges and financial institutions worldwide. These operations have resulted in the theft of hundreds of millions of dollars, with the proceeds reportedly used to evade international sanctions and finance North Korea’s regime. The group’s targets span many industries, including aerospace, defense, education, energy, financial services, government agencies, industrial sectors, media, technology, and telecommunications. It is also believed to operate through multiple sub-groups, such as Andariel and Bluenoroff, each specializing in a different aspect of cyber operations, from espionage to financial fraud.

Since at least October 2024, Lazarus has been integrating AI-driven techniques into its cyberattack strategies, significantly increasing the sophistication and effectiveness of its operations. In one of its latest campaigns, reported in February 2025, the group exploited a zero-day vulnerability in Google Chrome to distribute malware through a legitimate-looking gaming website. AI-generated content and images were used to enhance the credibility of the fake site, making it appear authentic and luring victims into downloading malicious software.

The group has also employed AI in social engineering attacks, leveraging AI-generated profiles on professional networking platforms such as LinkedIn. This campaign specifically targeted employees in the technology and cybersecurity sectors, with fake recruiters sending highly personalized job offers containing malicious attachments or phishing links. These attacks were designed to establish initial access to corporate networks for espionage and data theft.

In late February 2025, a subgroup of Lazarus carried out a sophisticated attack, executing one of the biggest heists in crypto history. They stole approximately $1.5 billion in Ethereum by creating a counterfeit wallet management interface, deceiving Bybit executives into authorizing the transfer of over 400,000 ETH from the exchange's cold wallet to an unknown hot wallet.

Lazarus continues to evolve its tactics, incorporating AI-driven automation and deception techniques to expand its reach and refine the effectiveness of its cyber operations.

Aliases

  • DARK SEOUL
  • Diamond Sleet
  • APT38
  • Lazarus Group
  • Fancy Lazarus
  • HIDDEN COBRA
  • Labyrinth Chollima

Common Vulnerabilities and Exposures

Targeted Industries

  • Aerospace & Defense
  • Civil Society
  • Education
  • Financial Services
  • Government
  • Health Care
  • Manufacturing
  • Media
  • Technology

Objectives

  • Espionage: Engages in cyber espionage to steal sensitive political, military, and technological data from foreign governments and industries.

  • Financial Theft: Involved in cyber crime, targeting financial institutions and cryptocurrency platforms to generate funds for North Korea.

  • Sabotage: Conducts destructive cyberattacks, such as the Sony Pictures hack, to disrupt operations and create economic or political instability.

  • Political and Strategic Influence: Carries out cyberattacks to undermine rival nations and advance North Korea's political and diplomatic interests.

  • Cyber Warfare Capabilities: Develops cyber warfare tools to enhance North Korea’s defense strategies and engage in digital combat.

Known Tools Used

  • AppleJeus
  • Appleseed
  • AuditCred
  • BadCall
  • BadPotato
  • Bankshot
  • BlackRAT
  • BLINDINGCAN
  • BlindToad
  • BootWreck
  • Brambul
  • CheeseTray
  • CleanToad
  • CloseShave
  • CollectionRAT
  • Cryptoistic
  • Dacls
  • DarkComet
  • Destroyer
  • DRATzarus
  • Dtrack
  • Duuzer
  • DyePack
  • DyePack.fox
  • ECCENTRICBANDWAGON
  • EfsPotato
  • Fallchill
  • FudModule
  • GoatRAT
  • HardRain
  • Hermes
  • Hidden Cobra
  • HOPLIGHT
  • HotCroissant
  • Hotwax
  • Joanap
  • JspSpy
  • JuicyPotato
  • KandyKorn
  • Keylime
  • KEYMARBLE
  • KillDisk
  • Ladon
  • LPEClient
  • MagicRAT
  • MapMaker
  • Mimikatz
  • NachoCheese
  • NestEgg
  • NetCat
  • netsh
  • NukeSped
  • PetitPotato
  • PrintSpoofer
  • Proxysvc
  • QuickCafe
  • QuickRide
  • QuickRide.power
  • QuietRAT
  • RATANKBA
  • Ratankbapos
  • RawDisk
  • RawHide
  • RedShawl
  • Responder
  • Rifdoor
  • route
  • RustBucket
  • Scout
  • ScruBrush
  • ShadyCat
  • SIGNBT
  • SlimDown
  • SmoothRide
  • SorryBrute
  • TAINTEDSCRIBE
  • ThreatNeedle
  • TigerRAT
  • Torisma
  • Troy
  • TYPEFRAME
  • Volgmer
  • Wannacry
  • WhiteOut
  • WormHole

Known Infection Vectors

  • Phishing and Social Engineering
  • Trojanized Software
  • Supply Chain Attacks
  • Exploiting Vulnerabilities
  • Watering Hole Attacks

References

FortiGuard Outbreak Alert
Lazarus RAT Attack | Outbreak Alert | FortiGuard Labs
Apache Log4j2 Vulnerability | Outbreak Alert | FortiGuard Labs
Synacor Zimbra Collaboration MBoxImport Vulnerabilities | Outbreak Alert | FortiGuard Labs

Lazarus Group (Wikipedia)
https://en.wikipedia.org/wiki/Lazarus_Group

Lazarus Group (MITRE)
https://attack.mitre.org/groups/G0032/

North Korean Regime-Backed Programmer Charged with Conspiracy to Conduct Multiple Cyber Attacks and Intrusions (U.S. Department of Justice)
https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups (U.S. Department of the Treasury)
https://home.treasury.gov/news/press-releases/sm774

Active CVEs