Lazarus Group is a North Korean state-sponsored cyber threat organization attributed to the Reconnaissance General Bureau (RGB), the country’s primary military intelligence division. Active since at least 2009, Lazarus is considered one of the world’s most prolific and destructive hacking collectives, operating both as an agent of state espionage and as a tool for generating illicit revenue to support North Korea’s sanctioned regime.

Lazarus uses a wide array of custom malware (e.g., Appleseed, HardRain, Fallchill, Joanap), ransomware (WannaCry), and advanced social engineering tactics. They are adept at quickly repackaging malware, switching encryption keys, deleting logs, and employing disk-wiping malware for maximum disruption. Money laundering is conducted through decentralized platforms and mixers like Tornado Cash to obfuscate the origins of stolen cryptocurrency.

Key Motivations and Activities

• Financial Theft: Lazarus is infamous for massive financial heists, targeting banks, cryptocurrency exchanges, and fintech firms to generate revenue for the North Korean regime and fund its missile and nuclear programs.
• Espionage: The group targets governments, defense contractors, critical infrastructure, and research organizations for intelligence collection.
• Sabotage and Disruption: Lazarus has conducted destructive attacks, including the Sony Pictures hack (2014) and the global WannaCry ransomware outbreak (2017).

Structure and Subgroups

• Bluenoroff (APT38): Specializes in financial heists, including SWIFT and cryptocurrency attacks.
• Andariel: Focuses on espionage against businesses, government agencies, and critical infrastructure.
• TEMP.Hermit: Conducts strategic intelligence gathering, especially against government and defense targets.

Tactics, Techniques, and Procedures (TTPs)

• Initial Access: Spear-phishing, supply chain compromise, exploitation of zero-day vulnerabilities, and watering hole attacks.
• Malware Arsenal: Custom malware families such as MagicRAT, QuiteRAT, ThreatNeedle, LPEClient, and ransomware variants.
• Lateral Movement: Use of RDP, PsExec, SMB, and exploitation of vulnerabilities such as Log4Shell (CVE-2021-44228).
• Data Exfiltration: Exfiltration via C2 channels, cloud storage (Dropbox), and encrypted protocols.
• Obfuscation: Use of VPNs (notably Astrill VPN), proxies, and anti-forensic techniques to evade detection and attribution.
• Social Engineering: Fake job offers (Operation Dream Job, ClickFake Interview) to lure victims in the cryptocurrency sector.

Indicators of Compromise (IOCs)

• Recent IP Addresses: Lazarus regularly rotates infrastructure, but recent campaigns have used Astrill VPN IPs such as 104.223.97.2 and 91.239.130.102. Other IOCs include domains registered for specific attacks (e.g., bybit-assessment.com) and wallet addresses for laundering stolen crypto assets.
• Malware: MagicRAT, QuiteRAT, ThreatNeedle, LPEClient, GolangGhost, and others.
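A small detection example, added here and not part of the original profile, that sweeps log lines for the IP and domain indicators quoted above. It handles the "[.]" defanging common in threat reports and matches subdomains of the listed domain; the log lines and their formats are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators quoted in the profile above: Astrill VPN exit IPs and a campaign domain.
IOC_IPS = {"104.223.97.2", "91.239.130.102"}
IOC_DOMAINS = {"bybit-assessment.com"}

# Constructed sample log lines (not real telemetry); the formats are assumed.
SAMPLE_LOGS = [
    "2025-03-01T10:00:01Z sshd Accepted password for admin from 104.223.97.2 port 51122",
    "2025-03-01T10:02:17Z dns query A bybit-assessment.com from 10.0.5.23",
    "2025-03-01T10:03:44Z dns query A www.bybit-assessment.com from 10.0.5.23",
    "2025-03-01T10:05:00Z sshd Accepted publickey for ops from 10.0.0.7 port 40000",
    "2025-03-01T10:06:30Z proxy CONNECT 91[.]239[.]130[.]102:443 user=jdoe",
]

# Dotted quads and dotted hostnames, with or without "[.]" defanging.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\[?\.\]?){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\[?\.\]?)+[a-z]{2,}\b", re.I)


def refang(value: str) -> str:
    """Undo '[.]' defanging so defanged and plain forms compare equal."""
    return value.replace("[.]", ".")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str


def scan(lines):
    """Return one Hit per indicator occurrence, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for raw in IPV4_RE.findall(line):
            ip = refang(raw)
            try:
                ipaddress.ip_address(ip)  # drop octet-like junk such as 999.1.1.1
            except ValueError:
                continue
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip))
        for raw in DOMAIN_RE.findall(line):
            dom = refang(raw).lower()
            for ioc in IOC_DOMAINS:
                if dom == ioc or dom.endswith("." + ioc):  # exact or subdomain
                    hits.append(Hit(n, "domain", ioc))
    return hits
```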

Synonyms:
Lazarus Group, Hidden Cobra, Guardians of Peace, ZINC, Andariel, Bluenoroff, Labyrinth Chollima