Lazarus Group, Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet, Group G0032 | MITRE ATT&CK®

  • What: The Lazarus Group, a North Korean state-sponsored cyber threat group, has been active since at least 2009.
  • Impact: The group is reportedly responsible for the 2014 destructive wiper attack on Sony Pictures Entertainment and other campaigns.

Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. [3]

North Korea's cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses "Lazarus Group" as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns. [4] [5] [6]

ID: G0032
Associated Groups: Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet; Dragos Threat Intelligence; MyungUk Han, ASEC; Jun Hirata, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 5.0
Created: 31 May 2017
Last Modified: 24 October 2025

Associated Group Descriptions

  • Labyrinth Chollima [7]
  • HIDDEN COBRA: The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. [1] [8]
  • Guardians of Peace [1]
  • ZINC [9]
  • NICKEL ACADEMY [10]
  • Diamond Sleet [11]

Campaigns

  • C0022 Operation Dream Job. First Seen: September 2019 [12]. Last Seen: August 2020 [13]. References: [13] [14] [15] [12].
    Techniques: Account Discovery: Domain Account; Acquire Infrastructure: Server; Acquire Infrastructure: Domains; Acquire Infrastructure: Web Services; Application Layer Protocol: Web Protocols; Archive Collected Data: Archive via Utility; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Brute Force; Command and Scripting Interpreter: Visual Basic; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Windows Command Shell; Compromise Infrastructure: Domains; Compromise Infrastructure: Server; Data from Local System; Debugger Evasion; Develop Capabilities: Code Signing Certificates; Develop Capabilities: Malware; Encrypted Channel: Symmetric Cryptography; Establish Accounts: Social Media Accounts; Establish Accounts: Email Accounts; Exfiltration Over C2 Channel; Exfiltration Over Web Service: Exfiltration to Cloud Storage; File and Directory Discovery; Gather Victim Identity Information; Gather Victim Org Information; Gather Victim Org Information: Identify Roles; Impersonation; Indicator Removal: File Deletion; Ingress Tool Transfer; Internal Spearphishing; Masquerading: Masquerade File Type; Native API; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information: Encrypted/Encoded File; Obtain Capabilities: Code Signing Certificates; Obtain Capabilities: Tool; Phishing: Spearphishing via Service; Phishing: Spearphishing Attachment; Phishing: Spearphishing Link; Scheduled Task/Job: Scheduled Task; Search Open Websites/Domains: Social Media; Server Software Component: IIS Components; Stage Capabilities: Upload Malware; Stage Capabilities: Upload Tool; Subvert Trust Controls: Code Signing; System Binary Proxy Execution: Rundll32; System Binary Proxy Execution: Regsvr32; System Location Discovery: System Language Discovery; Template Injection; User Execution: Malicious Link; User Execution: Malicious File; Virtualization/Sandbox Evasion: System Checks; Virtualization/Sandbox Evasion: Time Based Checks; Windows Management Instrumentation; XSL Script Processing

Techniques Used (Domain, ID, Name, Use)

  • Enterprise, T1134.002, Access Token Manipulation: Create Process with Token. The Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself, via the API call CreateProcessAsUserA, under that user's context. [3] [16]
  • Enterprise, T1087.002, Account Discovery: Domain Account. During Operation Dream Job, Lazarus Group queried the compromised victim's Active Directory servers to obtain the list of employees, including administrator accounts. [12]
  • Enterprise, T1098, Account Manipulation. The Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator's account. [3] [17]
  • Enterprise, T1583.001, Acquire Infrastructure: Domains. Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels. [18] [19] During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC
