03 Lazarus

Lazarus

Region
Global
Industries
Crypto, Energy & Utilities, Government, Science & Engineering, Software & IT
First seen
2007
Cybercrime
Significant financial losses, economic disruption, and geopolitical implications
Heritage
Multiple identities and subgroups, including APT 38, Bluenoroff, and Andariel
Categorizations
Nation-state adversary
Aliases
Dark Seoul Gang, HIDDEN COBRA, Guardians of Peace, APT38, APT-C-26, Labyrinth Chollima, Zinc, Bluenoroff, Stardust Chollima, BeagleBoyz, TA444, UNC2970, Temp.Hermit, UNC577, Diamond Sleet, Sapphire Sleet, CL-STA-0240, CL-STA-0241, Citrine Sleet
About

Lazarus is a notorious hacking organization of Masked Actors, known as an advanced persistent threat (APT) group. With links to North Korea, it’s been tied to many high-profile cyberattacks, including 2014’s Sony Pictures hack and 2017’s WannaCry ransomware attack. Just like its biblical namesake, Lazarus has a habit of disappearing and re-emerging under new identities to evade detection.

Victims

Targets range from financial institutions to entertainment companies. Victims are often large entities with critical infrastructure, substantial financial assets, or strategic information. Lazarus intensified attacks on cryptocurrency services in 2024.

What we know about Lazarus members

Individual identities remain largely unknown, but Lazarus is believed to operate under the Reconnaissance General Bureau, North Korea’s primary intelligence agency.

Motivations
Financial gain to support the North Korean regime and intelligence gathering.
Top 10 Masked Actors for 2025
#1 RansomHub
#2 GoldFactory
#3 Lazarus
#4 DragonForce
#5 Oilrig
#6 MuddyWater
#7 Brain Cipher
#8 Boolka
#9 Ajina
#10 Team TNT