Lazarus Group: A criminal syndicate with a flag

  • What: The Lazarus Group, a North Korean state-sponsored cybercrime organization, has been active since at least 2009.
  • Impact: The group operates within North Korea's Reconnaissance General Bureau (RGB) and conducts cyber operations from Pyongyang and abroad.
Sep. 23, 2025 | Christine Barry

The Lazarus Group is a notorious state-sponsored cybercrime organization linked to the Democratic People's Republic of Korea (DPRK, North Korea). The group operates within the nation's primary intelligence agency, the Reconnaissance General Bureau (RGB). Analysts believe most Lazarus Group members operate from Pyongyang, North Korea, with some operating abroad via foreign outposts or cover companies. One example of a foreign operation is detailed in this 2018 statement by the U.S. Department of Justice:

"Park Jin Hyok was a computer programmer who worked for over a decade for Chosun Expo Joint Venture … and is affiliated with Lab 110, a component of DPRK military intelligence. … Security researchers that have independently investigated these activities referred to this hacking team as the 'Lazarus Group.'"

The Lazarus Group has been active since at least 2009 and has become one of the most prolific and versatile threat actors in the world.

What is the Lazarus Group?

The name "Lazarus Group" originally referred to a single threat actor or "small set of coordinated actors" linked to North Korea. Today, it is an umbrella term describing the many subgroups, or threat clusters, assigned to cyber operations within DPRK military intelligence. Mandiant researchers created this diagram in 2024 to illustrate their best assessment of the DPRK hierarchy:

Figure: Overview of DPRK agencies as of 2024, via Mandiant

Before we dig into the Lazarus Group clusters, let's quickly look at the Ministry of State Security (MSS) and APT37. The MSS is a civilian secret police and counterintelligence agency that conducts domestic surveillance and political security activities. The MSS controls the flow of information inside the country and monitors the North Korean population for loyalty. APT37 performs cyber operations supporting the mission of the MSS. In 2020-2021, the group targeted COVID-19 researchers as part of the DPRK's pandemic response. The group also continues to target South Korean organizations that assist North Korean defectors. APT37 isn't commonly considered part of the Lazarus Group.

Lazarus Group threat clusters reside within the RGB. Researchers originally traced the clusters to the 5th Bureau and 3rd Bureau within the RGB, as you see in this diagram from 2020:

Figure: 2020 assessment of DPRK cyber operations (cropped), via Mandiant

The distinction here is based on mission focus. Mandiant researchers concluded the 5th Bureau was focused on South Korea and other regional targets, while the 3rd Bureau was assigned to foreign intelligence. The financially motivated Lazarus Group clusters were linked to Lab 110, while Bureau 325 conducted information warfare and influence operations against South Korea.

The COVID-19 pandemic disrupted DPRK cyber operations and severed the foreign operators from their leadership in Pyongyang. Threat actors abroad began collaborating in different ways and started running ransomware campaigns to fund their groups without support from the RGB. As a result, the DPRK cyber operations coming out of the pandemic were much different than before. The Bureau alignment became less relevant as the geopolitical interests of North Korea evolved, so the 2024 assessment eliminates the bureau distinctions and puts Lazarus Group clusters directly below the RGB.

Lazarus Group clusters

There are multiple active clusters in the RGB, and most of them are tracked by more than one name. These clusters collaborate, share infrastructure and tools, and sometimes splinter into additional groups for specific projects. Lazarus Group actors benefit from the protection and support of the regime, and they are provided information from multiple sources throughout the DPRK intelligence system. This allows the group leadership and operators to identify and adapt quickly to new opportunities. Researchers are commonly tracking five to eight clusters at a time, including the project-based clusters that come and go. The following four clusters are the primary groups:

  • TEMP.Hermit, aka Diamond Sleet, Labyrinth Chollima, Selective Pisces, TA404: This cluster targets government, defense, telecommunications and financial institutions worldwide. The term "Lazarus Group" refers most often to this cluster of activities.
  • APT43, aka Kimsuky, Velvet Chollima, Black Banshee, Emerald Sleet, Sparkling Pisces, Thallium: North Korea's premier intelligence collection unit. This group conducts sophisticated espionage targeting South Korea, Japan, and U.S. government, defense and academic sectors.
  • APT38, aka Bluenoroff, Stardust Chollima, BeagleBoyz, CageyChameleon: This threat is the top financially motivated operation in the DPRK. These operations target banks, cryptocurrency exchanges and DeFi platforms. APT38 circumvents sanctions through massive cryptocurrency theft operations.
  • Andariel, aka APT45, Silent Chollima, Onyx Sleet, DarkSeoul,