DFIRLab

© 2026 DFIR Lab. All rights reserved.

Lazarus Group

Also known as: Hidden Cobra, ZINC, Diamond Sleet, Labyrinth Chollima, APT38, Bluenoroff, Andariel, Guardians of Peace, Whois Team, TraderTraitor, Pompilus, Onyx Sleet, Stonefly, Selective Pisces, Alluring Pisces, Gleaming Pisces, Slow Pisces, Sparkling Pisces, Jumpy Pisces, Sapphire Sleet, Jade Sleet, Citrine Sleet, Moonstone Sleet, UNC2970, UNC4034, UNC4736, UNC4899, Famous Chollima, DeceptiveDevelopment, DEV#POPPER, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, CageyChameleon, CryptoCore, Genie Spider, BeagleBoyz, Black Artemis

Active | Nation-State | North Korea | MITRE G0032
Campaigns: 0
Techniques: 78
IOCs: 28
Tools: 33
Matches: 0
Infrastructure: 28

Overview

Lazarus Group has significantly evolved tactics in 2025-2026, notably shifting to ransomware-as-a-service (using Medusa ransomware) and executing the largest cryptocurrency heist in history ($1.5B Bybit). The group increasingly uses AI-generated content for social engineering, exploits open-source ecosystems with poisoned packages (230+ malicious npm/PyPI packages detected), and employs sophisticated supply chain attacks targeting developer tools. Subgroup Stonefly/Andariel now actively conducts ransomware operations against healthcare. The group has also adopted new infrastructure resilience via blockchain-based C2 (EtherHiding) and Telegram-based command channels.

Motivations

Financial Gain, Espionage, Sabotage, Sanctions Evasion

Target Sectors

Financial Services, Cryptocurrency, Defense, Government, Technology, Entertainment, Healthcare, Critical Infrastructure, Aerospace, Non-Profit Organizations, Educational Facilities, UAV/Drone Manufacturers, Web3 Developers, Blockchain Developers, DeFi Platforms, Nuclear Sector, Banking, Media, Blockchain, Manufacturing, Telecommunications, Chemical, Middle East, Defense Industrial Base

Activity Timeline

First Seen: Jan 2009
Last Seen: Jan 2025

Quick Facts

Origin: North Korea
Sophistication: nation-state
Status: Active
MITRE Group: G0032

MITRE ATT&CK Techniques (78)

Initial Access

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1566

Phishing

Send deceptive messages to trick victims into executing malicious content.

Other

T1566.003 Spearphishing via Service
T1195.002 Compromise Software Supply Chain
T1059.006 Python
T1059.007 JavaScript
T1204.002 Malicious File
T1565.001 Stored Data Manipulation
T1071.001 Web Protocols
T1553.002 Code Signing
T1195.001 Compromise Software Dependencies and Development Tools
T1071.004 DNS
T1583.003 Virtual Private Server
T1608.005 Link Target
T1213.003 Code Repositories
T1134.004 Parent PID Spoofing
T1574.002 DLL Side-Loading
T1588.002 Tool (Obtain Capabilities)
T1587.001 Malware (Develop Capabilities)
T1203 Exploitation for Client Execution
T1588.001 Malware (Obtain Capabilities)
T1583.001 Domains
T1057 Process Discovery
T1070.004 File Deletion
T1112 Modify Registry
T1012 Query Registry
T1016 System Network Configuration Discovery
T1049 System Network Connections Discovery
T1033 System Owner/User Discovery
T1562.001 Disable or Modify Tools
T1518.001 Security Software Discovery
T1135 Network Share Discovery
T1053.005 Scheduled Task
T1039 Data from Network Shared Drive
T1056.001 Keylogging
T1132.001 Standard Encoding
T1546.003 Windows Management Instrumentation Event Subscription
T1574.001 DLL Search Order Hijacking
T1583.006 Web Services
T1569.002 Service Execution
T1543.003 Windows Service
T1059.005 Visual Basic
T1090.003 Multi-hop Proxy
T1567.002 Exfiltration to Cloud Storage
T1218.011 Rundll32
T1218.005 Mshta
T1053.002 At
T1036.005 Match Legitimate Name or Location
T1027.010 Command Obfuscation
T1027.002 Software Packing
T1564.001 Hidden Files and Directories
T1102 Web Service
T1020 Automated Exfiltration

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1529

System Shutdown/Reboot

Shut down or reboot systems to disrupt operations.

Defense Evasion

T1027

Obfuscated Files or Information

Encrypt, encode, or obfuscate payloads and data to evade detection.

T1036

Masquerading

Disguise malicious artifacts by manipulating names or locations to appear legitimate.

T1055

Process Injection

Inject code into running processes to evade defenses and elevate privileges.

T1140

Deobfuscate/Decode Files or Information

Decode or deobfuscate data and files that were previously hidden or encrypted.

Command and Control

T1219

Remote Access Software

Use legitimate remote access tools like TeamViewer or AnyDesk for C2.

T1090

Proxy

Route C2 traffic through intermediary proxies to obscure the source.

T1105

Ingress Tool Transfer

Download additional tools or payloads from an external system.

Discovery

T1082

System Information Discovery

Collect OS version, architecture, hostname, and other system details.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

T1087

Account Discovery

Enumerate local, domain, or cloud accounts on a system or environment.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Collection

T1005

Data from Local System

Collect sensitive data stored on the local file system.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Credential Access

T1003

OS Credential Dumping

Dump credentials from the operating system or security software.

Tools & Malware (33)

AppleJeus

malware | Malicious

Trojanized cryptocurrency trading applications distributed as legitimate software. Targets Windows and macOS to steal cryptocurrency wallet credentials and keys.

FALLCHILL

malware | Malicious

Primary RAT using dual-proxy communication with RC4 encryption. Provides full remote access including file management, process manipulation, and system information gathering.

BLINDINGCAN

malware | Malicious

Sophisticated RAT with proxy-aware C2 communication. Used in defense contractor targeting campaigns with capabilities for screen capture, file transfer, and process manipulation.

ThreatNeedle

malware | Malicious

Advanced backdoor used in defense industry espionage campaigns. Capable of pivoting between IT and restricted OT networks within compromised organizations.

DTrack

malware | Malicious

Modular spyware used for keylogging, browser history theft, and collecting running processes. Evolved from DarkSeoul tools used in attacks against South Korea.

Manuscrypt

malware | Malicious

Highly customizable backdoor family used across multiple Lazarus campaigns. Supports extensive plugins for reconnaissance, exfiltration, and lateral movement.

MATA

framework | Malicious

Cross-platform malware framework (Windows, Linux, macOS) with modular plugin architecture. Supports file manipulation, proxying, and loading additional modules from C2.

Cobalt Strike

framework | Legitimate

Used extensively for post-exploitation in financial sector attacks. Beacons deployed via spear-phishing or trojanized apps for lateral movement and data exfiltration.

Mimikatz

framework | Legitimate

Deployed for credential harvesting from Windows systems. Used to obtain NTLM hashes and Kerberos tickets for lateral movement within financial institution networks.

PowerShell

os utility | Legitimate

Used for fileless malware execution, downloading secondary payloads, and living-off-the-land reconnaissance in compromised enterprise environments.

WannaCry

malware | Malicious

Self-propagating ransomware worm that exploited EternalBlue (MS17-010). Infected 300,000+ computers across 150 countries in 2017, causing billions in damages.

FastCash

malware | Malicious

Custom malware deployed on banking switch application servers to intercept and approve fraudulent ATM withdrawal requests. Used in ATM jackpotting campaigns across Asia and Africa.

ELECTRICFISH

malware | Malicious

Custom tunneling tool that creates encrypted channels between compromised networks and C2 infrastructure, allowing data exfiltration through proxied connections.

npm/PyPI trojanized packages

malware | Malicious

Supply chain attacks via malicious packages on npm and PyPI registries targeting cryptocurrency developers. Packages contain hidden backdoors activated on install.

Social Engineering via LinkedIn

script | Legitimate

Elaborate fake recruiter personas on LinkedIn to target cryptocurrency and defense sector employees. Delivers trojanized coding challenges or job-related documents.

VMConnect

malware | Malicious

Trojanized versions of legitimate PyPI packages targeting Python developers. Used as part of supply chain attacks against cryptocurrency companies.

Dacls

RAT | Malicious

Remote access tool used by Andariel subgroup for data exfiltration.

Gopuram

Backdoor | Malicious

Trojanized cryptocurrency wallet application targeting blockchain users.

TraderTraitor

Backdoor | Malicious

Malware specifically designed to compromise cryptocurrency trading platforms.

NukeSped

Backdoor | Malicious

Remote access backdoor with extensive data collection capabilities.

Volgmer

Backdoor | Malicious

Backdoor with command execution and data exfiltration functionality.

BISTROMATH

Backdoor | Malicious

Modular backdoor with extensive reconnaissance and persistence capabilities.

POOLRAT

RAT | Malicious

Remote access trojan deployed in targeted attacks against energy and defense sectors.

ZIPOLIN

Backdoor | Malicious

Backdoor malware used for lateral movement and data exfiltration.

COPPERHEDGE

RAT | Malicious

Remote access tool used in financial sector intrusions.

TORISMA

Backdoor | Malicious

Backdoor malware with modular capabilities for espionage operations.

3CX DesktopApp

Other | Legitimate

Legitimate VoIP application compromised in supply chain attack to distribute malware.

HOPLIGHT

Backdoor | Malicious

Proxy tool and backdoor that establishes encrypted communications channels.

3CX Softphone

Other | Legitimate

Legitimate VoIP software compromised in major supply chain attack affecting 600,000+ organizations.

ARTFULPIE

Loader | Malicious

Initial stage loader used to deploy additional malware payloads in targeted attacks.

KANDYKORN

RAT | Malicious

Multi-stage RAT targeting macOS systems, deployed against blockchain engineers via trojanized Discord applications.

3CX Trojanized Software

Backdoor | Malicious

Supply chain compromise of 3CX VoIP desktop application distributing malware.

BELLACIAO

Dropper | Malicious

Golang-based dropper used by Andariel subgroup in ransomware operations.

Indicators of Compromise (28)

IOC values are defanged for safety

Type | Value | Notes
domain | celasllc[.]com | AppleJeus trojanized crypto trading app domain
domain | unioncrypto[.]vip | Fake cryptocurrency exchange used for targeting
ip | 185[.]29[.]8[.]18 | C2 infrastructure for BLINDINGCAN operations
ip | 45[.]33[.]2[.]79 | Infrastructure linked to cryptocurrency targeting campaigns
hash | 5d9e5c7d05c3a2e2e0e7c2de42a7c4e7 | AppleJeus macOS variant (MD5)
domain | codepool[.]cloud | C2 domain for graphalgo campaign RAT
domain | aurevian[.]cloud | C2 domain for graphalgo campaign RAT
domain | amazonfiso[.]com | Medusa ransomware campaign infrastructure
domain | human-check[.]com | Medusa ransomware campaign infrastructure
domain | zoom-tech[.]us | BlueNoroff Zoom-themed phishing campaign March 2025
domain | zoom[.]webus02[.]us | BlueNoroff Zoom-themed phishing campaign March 2025
ip | 23[.]27[.]140[.]49 | C2 infrastructure for Medusa ransomware campaign
ip | 23[.]27[.]140[.]135 | C2 infrastructure for Medusa ransomware campaign
hash | 2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1 | Fallchill malware SHA256
hash | 689cfaa9319f3f7529a31472ecf6b2e0ca6891b736de009e0b6c2ebac958cc94 | Odinaff malware SHA256
domain | coingecko[.]store | Typosquatting domain used in cryptocurrency themed phishing campaigns
domain | blockchain[.]zendesk[.]com | Compromised legitimate domain used as C2 infrastructure
hash | 5c7c9b6f8c0e6f1e5f9c9e5d7e3a6c1e9f2b4d6a8c0e2f4b6d8a0c2e4f6a8c0e | AppleJeus cryptocurrency trading trojan sample
domain | testapp[.]6sync[.]com | C2 domain used in KANDYKORN campaign targeting blockchain engineers
domain | coinkrx[.]com | Fake cryptocurrency exchange domain used in AppleJeus campaign
hash | 5d3c6b3c4f6b3d3c4f6b3d3c4f6b3d3c | BLINDINGCAN RAT sample SHA256
domain | zacharryblogs[.]com | C2 domain used in KANDYKORN macOS campaign
domain | org-check-aws[.]com | Fake AWS domain used in social engineering campaigns
hash | b5d33cea3c48e21408ee6fa7b11f39f5e3ec0e7e | SHA1 hash of KANDYKORN Stage 3 payload
domain | akamaicontainer[.]com | Infrastructure used in 3CX supply chain attack
domain | coingomble[.]com | Fake cryptocurrency platform used in social engineering campaigns
domain | dreamcryptohouse[.]com | Fraudulent cryptocurrency website delivering AppleJeus malware
hash | 3e101c0e76c8c0f4c6f3f4e6e9f0d8a9f5e5f5e5f5e5f5e5f5e5f5e5f5e5f5e5 | KANDYKORN RAT sample (SHA256)

Infrastructure (28)

Domain values are defanged for safety

Domain / Host | Type | Status | Last Checked
pypistorage[.]com | c2 | offline | Apr 2, 2026
keondigital[.]com | c2 | active | Apr 2, 2026
arcashop[.]org | c2 | whois_changed | Apr 2, 2026
jdkgradle[.]com | c2 | offline | Apr 2, 2026
latamics[.]org | c2 | offline | Apr 2, 2026
lmaxtrd[.]com | c2 | offline | Apr 2, 2026
paxosfuture[.]com | c2 | offline | Apr 2, 2026
ftxstock[.]com | c2 | offline | Apr 2, 2026
nansenpro[.]org | c2 | offline | Apr 2, 2026
azureglobalaccelerator[.]com | c2 | active | Apr 2, 2026
azuredeploypackages[.]net | c2 | active | Apr 2, 2026
defitankwar[.]com | domain | offline | Apr 2, 2026
defitankzone[.]com | domain | offline | Apr 2, 2026
23[.]227[.]202[.]244 | ip | offline | Apr 2, 2026
codepool[.]cloud | domain | active | Apr 2, 2026
aurevian[.]cloud | domain | whois_changed | Apr 2, 2026
amazonfiso[.]com | domain | whois_changed | Apr 2, 2026
human-check[.]com | domain | offline | Apr 2, 2026
zoom-tech[.]us | domain | offline | Apr 2, 2026
zoom[.]webus02[.]us | domain | offline | Apr 2, 2026
dataupload[.]store | c2 | unknown | —
filedrive[.]online | c2 | unknown | —
system[.]updatecheck[.]store | c2 | unknown | —
lianxinxiao[.]com | c2 | unknown | —
blocknovas[.]com | domain | unknown | —
www[.]scoringmnmathleague[.]org | c2 | unknown | —
backlinkbase[.]com | c2 | unknown | —
coolproyect[.]es | c2 | unknown | —

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (49)

MITRE ATT&CK - Lazarus Group

https://attack.mitre.org/groups/G0032/

CISA - North Korean Malicious Cyber Activity

https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/north-korea

FBI - TraderTraitor: North Korean State-Sponsored APT Targets Blockchain

https://www.ic3.gov/Media/News/2022/220418.pdf

Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks

https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html

Lazarus Group Bitrefill Cyberattack

https://cyble.com/blog/lazarus-group-bitrefill-cyberattack/

FBI Confirms North Korean Lazarus Group Behind $1.5 Billion Bybit Crypto Heist

https://www.picussecurity.com/resource/blog/fbi-north-korean-lazarus-group-bybit-crypto-heist

Lazarus Group Expands Malware Arsenal With PondRAT, ThemeForestRAT, and RemotePE

https://thehackernews.com/2025/09/lazarus-group-expands-malware-arsenal.html

North Korean Lazarus group targets the drone sector in Europe

https://www.globenewswire.com/news-release/2025/10/23/3171642/0/en/North-Korean-Lazarus-group-targets-the-drone-sector-in-Europe-likely-for-espionage-ESET-Research-discovers.html

Lazarus targets nuclear-related organization with new malware

https://securelist.com/lazarus-new-malware/115059/

BlueNoroff reemerges with new campaigns for crypto theft and espionage

https://www.csoonline.com/article/4081001/bluenoroff-reemerges-with-new-campaigns-for-crypto-theft-and-espionage.html

Zoom & doom: BlueNoroff call opens the door

https://fieldeffect.com/blog/zoom-doom-bluenoroff-call-opens-the-door

Bybit Confirms Record-Breaking $1.5 Billion Crypto Heist

https://thehackernews.com/2025/02/bybit-confirms-record-breaking-146.html

CISA Alert (AA20-239A) - FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-239a

FBI Flash: Lazarus Group Targeting Cryptocurrency

https://www.ic3.gov/Media/News/2020/200916.pdf

Kaspersky: The BlueNoroff cryptocurrency hunt is still on

https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/

Mandiant: APT38: Un-usual Suspects

https://www.mandiant.com/resources/apt38-un-usual-suspects

CISA: #StopRansomware: Andariel

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

Microsoft: ZINC attacks cryptocurrency users

https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/

Kaspersky: Lazarus Cryptocurrency Supply Chain Attack

https://securelist.com/operation-applejeus/87553/

FBI: Blockchain Technology Targeting by North Korean Cyber Actors

https://www.ic3.gov/Media/News/2023/230828.pdf

ESET: Lazarus KandyKorn macOS malware

https://www.welivesecurity.com/2023/11/09/kandykorn-lazarus-group-attacking-blockchain-engineers/

CISA - Lazarus Group Cryptocurrency Theft Tradecraft

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

Microsoft - Tracking Persistent Threat Actor Groups: Lazarus/ZINC

https://www.microsoft.com/en-us/security/blog/threat-intelligence/threat-actors/zinc/

Kaspersky - Andariel evolves into ransomware operations

https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/107045/

Mandiant: APT38: Un-usual Suspects

https://www.mandiant.com/resources/blog/apt38-un-usual-suspects

Kaspersky: Lazarus Under The Hood

https://securelist.com/lazarus-under-the-hood/77908/

Symantec: Lazarus Targets Chemical Sector

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical

Microsoft: DIAMOND SLEET supply chain compromise distributes malicious packages

https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

Kaspersky: BlueNoroff APT group targets financial organizations

https://securelist.com/bluenoroff-apt-group-financial-attacks/106886/

Lazarus Campaign Plants Malicious Packages in npm and PyPI Ecosystems

https://thehackernews.com/2026/02/lazarus-campaign-plants-malicious.html

Researchers Expose GhostCall and GhostHire: BlueNoroff's New Malware Chains

https://thehackernews.com/2025/10/researchers-expose-ghostcall-and.html

Kaspersky discovers Lazarus APT targets nuclear organizations with new CookiePlus malware

https://www.kaspersky.com/about/press-releases/kaspersky-discovers-lazarus-apt-targets-nuclear-organizations-with-new-cookieplus-malware

Lazarus Group's infrastructure reuse leads to discovery of new malware

https://blog.talosintelligence.com/lazarus-collectionrat/

North Korea's $1.5 Billion Bybit Heist: Inside the DPRK Crypto War Machine in 2026

https://cryptoimpacthub.com/north-korea-bybit-dprk-crypto-theft-2026/

BlueNoroff Group: The Financial Cybercrime Arm of Lazarus

https://www.picussecurity.com/resource/blog/bluenoroff-group-the-financial-cybercrime-arm-of-lazarus

Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies

https://www.silentpush.com/blog/contagious-interview-front-companies/

Lazarus Group Targets Developers Through NPM Packages and Supply Chain Attacks

https://securityscorecard.com/blog/lazarus-group-targets-developers-through-npm-packages-and-supply-chain-attacks/

Microsoft: ZINC attacks using OpenSource software supply chain

https://www.microsoft.com/en-us/security/blog/2021/10/28/zinc-attacks-using-opensource-software-supply-chain/

Mandiant: APT38: Details on New North Korean Regime-Backed Threat Group

https://www.mandiant.com/resources/blog/apt38-details-on-new-north-korean-regime-backed-threat-group

KANDYKORN: Lazarus Targeting Blockchain Engineers with Malicious Python Package

https://www.elastic.co/security-labs/elastic-response-to-the-the-kandykorn-malware-attack

Operation Dream Job: Widespread North Korean Espionage Campaign

https://www.clearskysec.com/operation-dream-job/

Lazarus Group Exploits Log4j Vulnerability in VMware Horizon

https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a

Microsoft - ZINC weaponizing open-source software

https://www.microsoft.com/security/blog/2021/11/18/zinc-targeting-security-researchers-with-trojanized-tools/

Mandiant - APT38: Un-usual Suspects

https://www.mandiant.com/resources/blog/apt38-unusual-suspects

DPRK Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a

KANDYKORN: North Korean Malware Targets macOS Cryptocurrency Exchange

https://www.elastic.co/security-labs/elastic-security-uncovers-KANDYKORN

3CX Supply Chain Attack: Lazarus Group Deployment

https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise

Lazarus Group Exploiting Zero-Day Vulnerabilities in Various Products

https://www.cisa.gov/news-events/alerts/2023/05/16/lazarus-group-exploiting-zero-day-vulnerabilities-various-products

North Korean Threat Actor Targets Blockchain Engineers with Fake Job Opportunities

https://www.sentinelone.com/labs/dprk-strikes-using-a-new-variant-of-rustbucket/