Lazarus Group
North Korean Reconnaissance General Bureau (RGB)
North Korea | Nation-State | Active | G0032
Key Intelligence
MITRE ID
G0032
Country
North Korea
Motivation
Financial Gain, Espionage, Disruption
Active Since
2009
Last Seen
2025
Techniques
33 across 12 tactics
Attribution
North Korean Reconnaissance General Bureau (RGB)
Also Known As
HIDDEN COBRA, Zinc, Diamond Sleet, Labyrinth Chollima, APT38, BlueNoroff, Andariel, Bureau 121, Guardians of Peace, Whois Hacking Team
Target Profile
Targeted Industries
Cryptocurrency, Financial Services, Banking, Defense, Technology, Gaming, Media
Targeted Countries
United States, South Korea, Japan, Global, Bangladesh

Overview

Lazarus Group is North Korea's most prolific cyber threat actor, operating under the Reconnaissance General Bureau. It is unique among nation-state groups in combining espionage with large-scale financial theft to fund the DPRK regime. It is responsible for the 2014 Sony Pictures attack, the $81M Bangladesh Bank heist, the WannaCry ransomware pandemic, and billions of dollars in cryptocurrency theft. Sub-groups include BlueNoroff (financial) and Andariel (espionage).

Tools & Malware

Manuscrypt, FALLCHILL, HOPLIGHT, Bankshot, Brambul, DTrack, BLINDINGCAN, AppleJeus, TraderTraitor, KANDYKORN, ELECTRICFISH, RustBucket

Malware & Tool Details

Arsenal attributed to Lazarus Group.

Attack Path: Ronin Bridge / Cryptocurrency Heists (2022-2025)

Following MITRE ATT&CK Flow methodology.


Diamond Model

Caltagirone, Pendergast & Betz (2013)
ADVERSARY
RGB (Reconnaissance General Bureau), Bureau 121, sub-groups BlueNoroff, Andariel
CAPABILITY
AppleJeus, TraderTraitor, KANDYKORN, Manuscrypt, BLINDINGCAN, custom SWIFT tools
INFRASTRUCTURE
Fake company websites, trojanized npm packages, compromised DeFi protocols, Tornado Cash
VICTIM
Cryptocurrency exchanges (Bybit, Ronin/Axie), banks (Bangladesh Bank), tech companies

ATT&CK Navigator

Interactive MITRE ATT&CK Navigator layer for Lazarus Group (G0032).


Known CVEs Exploited

CVE | Year | Description
CVE-2021-44228 | 2021 | Log4Shell, rapidly adopted for initial access
CVE-2022-0609 | 2022 | Chrome zero-day used in watering-hole attacks on cryptocurrency companies
CVE-2023-42793 | 2023 | JetBrains TeamCity RCE used for supply-chain access
CVE-2021-21148 | 2021 | Chrome V8 heap buffer overflow zero-day
CVE-2020-9395 | 2020 | Adobe Reader RCE used in targeted attacks

Notable Campaigns

2025
Bybit Hack
Theft of approximately $1.5B in cryptocurrency from Bybit exchange.
2022
Ronin Bridge Hack
Theft of $620M from Axie Infinity's Ronin blockchain bridge.
2017
WannaCry Ransomware
Global ransomware pandemic affecting 200,000+ systems across 150 countries.
2016
Bangladesh Bank Heist
Attempted theft of $1B from Bangladesh Bank via SWIFT; $81M successfully stolen.
2014
Sony Pictures Hack
Destructive attack against Sony Pictures in retaliation for 'The Interview' film.

Detection Engineering

Fake Job Application Detection
Monitor for downloads from unfamiliar coding challenge platforms (e.g., GitHub repos with low star counts, recently created domains). Flag .dmg, .pkg, or .exe files received via LinkedIn messages or Discord. Implement application allowlisting on developer machines.
macOS LaunchAgent Persistence
Monitor ~/Library/LaunchAgents/ and /Library/LaunchDaemons/ for new plist files. Alert on launchctl load commands from non-standard paths. Check for unsigned or ad-hoc signed binaries in application bundles. Use ESF (Endpoint Security Framework) for real-time monitoring.
Cryptocurrency Transaction Anomaly
Implement multi-signature requirements and monitor for unauthorized API key usage on exchange platforms. Deploy real-time blockchain analytics to detect transfers to known DPRK-linked mixer addresses. Alert on large transfers outside business hours.
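As an added example (not part of this profile or of any cited advisory), a Python triage script that applies the LaunchAgent persistence heuristics above: it parses LaunchAgent/LaunchDaemon plists for programs outside vendor-controlled directories, hidden-directory paths and Apple-label masquerading, and flags launchctl load/bootstrap commands that reference plists outside standard locations. The trusted-directory lists and the two sample plists are constructed assumptions; code-signature checks and ESF telemetry are outside its scope.

```python
import plistlib
import re

# Directories where legitimately installed launch items keep their executables;
# program paths elsewhere (temp dirs, user Library, hidden dirs) stand out. Assumed list.
TRUSTED_PROGRAM_DIRS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Plist locations launchctl normally loads from; anything else is a non-standard path.
STANDARD_PLIST_DIRS = ("/Library/LaunchAgents/", "/Library/LaunchDaemons/",
                       "/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
USER_AGENT_RE = re.compile(r"^/Users/[^/]+/Library/LaunchAgents/[^/]+\.plist$")


def triage_plist(raw: bytes) -> list[str]:
    """Parse a LaunchAgent/LaunchDaemon plist and return reasons it deserves analyst attention."""
    job = plistlib.loads(raw)
    # Program takes precedence over ProgramArguments[0] when both are present.
    path = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    reasons = []
    if not path.startswith(TRUSTED_PROGRAM_DIRS):
        reasons.append(f"program outside trusted dirs: {path or '<none>'}")
    if "/." in path:  # hidden directory component such as ~/.cache/
        reasons.append("program stored in hidden directory")
    if str(job.get("Label", "")).startswith("com.apple.") and not path.startswith(("/System/", "/usr/")):
        reasons.append("label masquerades as Apple but program is not an Apple binary")
    if reasons and job.get("RunAtLoad"):
        reasons.append("RunAtLoad set: executes at every login")
    return reasons


def flag_launchctl(cmdline: str) -> bool:
    """True when a launchctl load/bootstrap command references a plist outside standard dirs."""
    m = re.search(r"launchctl\s+(?:load|bootstrap)\b.*?(\S+\.plist)", cmdline)
    if not m:
        return False
    plist = m.group(1)
    return not (plist.startswith(STANDARD_PLIST_DIRS) or USER_AGENT_RE.match(plist))


# Constructed samples (not real indicators): a benign vendor agent and a suspicious one.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>Program</key><string>/Applications/Example.app/Contents/MacOS/updater</string>
<key>RunAtLoad</key><true/></dict></plist>"""
SUSPICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>Label</key><string>com.apple.softwareupdate.helper</string>
<key>ProgramArguments</key><array><string>/Users/dev/.cache/helper</string><string>-d</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""

if __name__ == "__main__":
    print(triage_plist(BENIGN), triage_plist(SUSPICIOUS), flag_launchctl("launchctl load /tmp/x.plist"))
```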

Related Threat Actors

Documented in MITRE ATT&CK, vendor intelligence, and government advisories.

Defense Recommendations

Mitigations with MITRE ATT&CK IDs.

Implement hardware wallet multi-sig (3-of-5) for crypto holdings above threshold. Lazarus targets single-signer hot wallets.
FBI IC3 Crypto Advisory
Enforce application allowlisting on developer workstations. Block unsigned .dmg/.exe from social media.
CISA AA22-108A
Conduct mandatory social engineering training focused on fake recruiter scenarios via LinkedIn and Telegram.
Google TAG Advisory
Air-gap cold wallet infrastructure. Use HSMs for key management. Never sign transactions on internet-connected systems.
NIST SP 800-57
Deploy real-time blockchain transaction monitoring with automated alerts for transfers above defined thresholds.
FinCEN Advisory

Attribution Confidence

High
Evidence Supporting Attribution
FBI public attribution for $620M Ronin Bridge theft
https://www.fbi.gov/news/press-releases/fbi-identifies-lazar
DOJ indicts 3 DPRK military hackers (Feb 2021)
https://www.justice.gov/opa/pr/three-north-korean-military-h
Multiple joint advisories (US, UK, ROK, Japan)
https://www.cisa.gov/news-events/analysis-reports/ar21-048a

Threat Assessment

Capability: 8/10
Intent: 10/10
Targeting: 7/10
Critical
Overall Threat Level
Primary DPRK revenue generation actor. Estimated $3B+ stolen in cryptocurrency since 2017. Highly motivated by regime survival funding and sanctions evasion.

Legal Actions & Sanctions

2023-09
OFAC sanctions DPRK-linked crypto mixers used by Lazarus
Sanctions
https://home.treasury.gov/news/press-releases/jy1768

Recent Reporting

2024-11
Microsoft: DPRK threat actors targeting cryptocurrency sector
https://www.microsoft.com/en-us/security/blog/2024/11/

Emulation Plans & Guidance

Plan | Source | Type | Description
CISA AppleJeus Malware Analysis | CISA | Guide | Technical analysis of AppleJeus with IOCs and detection guidance
Elastic KANDYKORN Analysis | Elastic Security Labs | Guide | macOS KANDYKORN backdoor analysis with detection rules
Lazarus/BlueNoroff Research Collection | GitHub / tayvano | Open Source | Comprehensive collection of DPRK APT articles, analysis, heists, and IOCs with 200+ entries
ATT&CK Evaluations - DPRK (Lazarus) | MITRE Engenuity | Framework | Official ATT&CK Evaluation with Lazarus macOS and Windows emulation scenarios
CISA Alert: TraderTraitor DPRK | CISA | Guide | Advisory covering Lazarus cryptocurrency targeting with TraderTraitor malware TTPs
Lazarus Group: Criminal Syndicate with a Flag | Barracuda Networks | Blog Post | Deep dive into Lazarus hierarchy, subgroups, cryptocurrency targeting, and operational structure
Emulating the North Korean Adversary Lazarus Group | AttackIQ | Blog Post | Six attack graphs emulating Lazarus campaigns: Operation Sharpshooter, Rising Sun implant, cryptocurrency targeting

References & Intelligence Sources

Page Contributors

Adversary Village
MITRE ATT&CK Team
BreachSimRange