Lazarus Group

Also known as: HIDDEN COBRA, Zinc, Labyrinth Chollima
Affiliation: North Korea (Reconnaissance General Bureau)
Motivation: Financial / Espionage
Status: Active
Country: North Korea
First Seen: 2009
Last Seen: 2025
Target Geographies: Global, United States, South Korea, Japan

Executive Summary

The Lazarus Group, also tracked as HIDDEN COBRA by the U.S. government, is a North Korean state-sponsored threat actor attributed to the Reconnaissance General Bureau (RGB), Pyongyang’s primary intelligence agency. Active since at least 2009, Lazarus conducts both espionage and financially motivated operations. Public reporting treats Lazarus as an umbrella label covering multiple sub-clusters, so sub-groups such as APT38/Bluenoroff and campaigns such as AppleJeus or Dream Job are best understood as parts of the Lazarus ecosystem rather than as evidence that every DPRK intrusion belongs to one monolithic unit.

Lazarus is responsible for the 2014 Sony Pictures breach, the 2017 WannaCry ransomware outbreak, and a long-running stream of cryptocurrency theft and sanctions-evasion operations. Major financial operations such as the Bangladesh Bank heist are usually attributed to Lazarus-associated sub-groups, in particular APT38/Bluenoroff, which is why the broader Lazarus label is best used as an umbrella attribution rather than a substitute for the sub-group identities.

Notable Campaigns

2014 — Sony Pictures Entertainment Breach

Lazarus conducted a destructive attack against Sony Pictures, deploying disk-wiping malware and exfiltrating and leaking terabytes of internal data, including unreleased films, executive emails, and employee personal information. The attack was conducted in retaliation for the film “The Interview.”

2016 — Bangladesh Bank SWIFT Heist

Lazarus compromised Bangladesh Bank’s SWIFT terminal and attempted to transfer $951 million, successfully stealing $81 million through accounts in the Philippines. This operation (attributed to the APT38/Bluenoroff sub-group) demonstrated the group’s deep understanding of interbank payment systems.

2017 — WannaCry Ransomware

Lazarus deployed the WannaCry ransomware worm, which infected over 200,000 systems in 150 countries using the EternalBlue exploit (CVE-2017-0144). The UK’s NHS was among the most affected organizations. Despite its global impact, the ransomware generated relatively modest ransom payments.

2022 — Ronin Network Bridge Theft

Lazarus stole approximately $620 million in Ethereum and USDC from the Ronin Network blockchain bridge used by the Axie Infinity game. The FBI attributed the theft to Lazarus Group and the U.S. Treasury sanctioned the wallet addresses involved.

Technical Capabilities

Lazarus maintains a broad and evolving toolkit. The group develops cross-platform malware targeting Windows, macOS, and Linux. AppleJeus delivers trojanized cryptocurrency trading applications used to target financial institutions and individual cryptocurrency holders. The MATA framework provides modular, multi-platform backdoor capabilities.

The group conducts sophisticated social engineering campaigns, including fake job recruitment (“Operation Dream Job”) targeting defense and technology sector employees through LinkedIn and other platforms. Lazarus has demonstrated supply chain compromise capabilities and zero-day exploitation.

For financial theft, the group combines deep SWIFT system knowledge with cryptocurrency expertise, using chain-hopping, mixing services, and DeFi protocols to launder stolen funds.

Attribution

The U.S. government has issued multiple attributions and indictments. In February 2021, the DOJ indicted three North Korean military hackers (Jon Chang Hyok, Kim Il, and Park Jin Hyok) for a range of operations including the Sony breach, the Bangladesh Bank heist, and WannaCry. In 2019 the U.S. Treasury sanctioned Lazarus Group and its sub-groups Bluenoroff and Andariel. CISA, the FBI, and international partners have published numerous joint advisories on Lazarus operations.

MITRE ATT&CK Profile

Initial Access: Spearphishing (T1566.001) with job recruitment themes, supply chain compromise (T1195.002) via trojanized applications, and watering hole attacks (T1189).

Persistence: Registry modifications (T1547.001), scheduled tasks (T1053), and custom backdoors installed as services.

Impact: Financial theft (T1657), data destruction (T1485), ransomware (T1486), and disk wiping (T1561).

Command and Control: Custom C2 protocols (T1071.001), multi-stage proxy chains, and use of legitimate cloud services.
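As an added, defender-side illustration of the Persistence techniques listed in the profile above (this is example code written for this page, not code from the original page, from MITRE, or from any vendor), the following script runs simple heuristics over a handful of constructed Windows telemetry lines: Run-key writes (T1547.001), scheduled-task creation (T1053), and service installation. The flat `key=value` line format, the sample paths and names, and the "binary launched from a user-writable directory" heuristic are all assumptions made for the example; only the event IDs and field names correspond to real Sysmon and Windows event schemas.

```python
"""Toy detection logic for the persistence techniques in the ATT&CK profile.

Added example; not code from the page or from any vendor. The event lines are
constructed here in a flat key=value form that approximates three real Windows
telemetry sources: Sysmon Event ID 13 (registry value set), Security Event ID
4698 (scheduled task created) and System Event ID 7045 (new service installed).
The field names follow those events; the flat line format, the sample values
and the detection heuristic are assumptions made for this example.
"""
import re

# Constructed sample events (not real incident data). Values containing spaces
# are double-quoted so the simple parser below can handle them.
SAMPLE_EVENTS = [
    # Benign: an installer registers a Run key pointing into Program Files.
    r'EventID=13 Image="C:\Program Files\Vendor\setup.exe" '
    r'TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent '
    r'Details="C:\Program Files\Vendor\agent.exe"',
    # Suspicious: a Run key that launches a binary from a user-writable folder.
    r'EventID=13 Image="C:\Users\alice\AppData\Roaming\update.exe" '
    r'TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater '
    r'Details="C:\Users\alice\AppData\Roaming\update.exe"',
    # Benign: a built-in maintenance task under the Windows task tree.
    r'EventID=4698 SubjectUserName=SYSTEM TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag '
    r'TaskContent="<Command>%windir%\system32\defrag.exe</Command>"',
    # Suspicious: a task named like a system component, launching from C:\Users\Public.
    r'EventID=4698 SubjectUserName=alice TaskName=\SysHelper '
    r'TaskContent="<Command>C:\Users\Public\svchost.exe</Command>"',
    # Suspicious: a new service whose binary lives in ProgramData.
    r'EventID=7045 ServiceName=WinDefendHelper ImagePath="C:\ProgramData\helper.exe"',
]

# key=value pairs; the value is either a double-quoted string or a run of non-spaces.
KEY_VALUE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Registry autostart locations covered by T1547.001.
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\', re.IGNORECASE)
# Directories an unprivileged user can normally write to (heuristic, not exhaustive).
USER_WRITABLE = re.compile(r'\\(?:AppData|Temp|Users\\Public|ProgramData)\\', re.IGNORECASE)
# The executable inside a scheduled task's XML definition.
TASK_COMMAND = re.compile(r'<Command>(.*?)</Command>', re.IGNORECASE)


def parse_event(line):
    """Turn one flat key=value event line into a dict of string fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KEY_VALUE.finditer(line)}


def analyze_event(fields):
    """Return (technique_id, reason) if the event matches a persistence heuristic, else None."""
    event_id = fields.get('EventID')
    if event_id == '13':
        target = fields.get('TargetObject', '')
        launched = fields.get('Details', '')
        if RUN_KEY.search(target) and USER_WRITABLE.search(launched):
            return 'T1547.001', f'Run key {target} launches {launched}'
    elif event_id == '4698':
        match = TASK_COMMAND.search(fields.get('TaskContent', ''))
        command = match.group(1) if match else ''
        if USER_WRITABLE.search(command):
            return 'T1053', f'Scheduled task {fields.get("TaskName")} runs {command}'
    elif event_id == '7045':
        image = fields.get('ImagePath', '')
        if USER_WRITABLE.search(image):
            # T1543.003 (Create or Modify System Process: Windows Service) is the
            # ATT&CK ID for service-based persistence; the profile above names the
            # behaviour ("custom backdoors installed as services") but not the ID.
            return 'T1543.003', f'Service {fields.get("ServiceName")} runs {image}'
    return None


def detect(lines):
    """Run every line through the heuristics and collect the hits in order."""
    findings = []
    for index, line in enumerate(lines):
        hit = analyze_event(parse_event(line))
        if hit:
            technique, reason = hit
            findings.append({'line': index, 'technique': technique, 'reason': reason})
    return findings


if __name__ == '__main__':
    for finding in detect(SAMPLE_EVENTS):
        print(f"line {finding['line']}: {finding['technique']}: {finding['reason']}")
```

Running the script flags lines 1, 3 and 4 and leaves the two benign events alone. The "user-writable directory" heuristic is deliberately narrow: in production it would sit beside an allowlist of known installers and be fed from a SIEM rather than from literal strings, but the shape of the logic (parse the event, locate the launched binary, decide whether its location is consistent with a legitimate install) is the same.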

Sources & References