Lazarus Arisen: Architecture, Techniques and Attribution

The only in-depth report outlining multiple layers of Lazarus infrastructure,
thorough analysis of hacker’s tools and evidence leading to North Korean IP addresses

Inside the report

Indicators of compromise to check if your organisation was, or is, under attack by Lazarus

Detailed description of infrastructure used by Lazarus to cover up tracks leading to North Korea

In-depth analysis of tools that allowed attackers to stay unnoticed in the corporate infrastructure

Tactics, Techniques, Procedures (TTPs) and recommendations on how to prevent infection

Contact us +7 (495) 984 33 64 or

Get the reportsread the blog

за интерес к отчетам Group-IB

Contact us +7 (495) 984 33 64 or

Due to continued media attention and alleged connections to North Korea, Lazarus has become a well‑known hacking group. However, existing attribution based primarily on malware code similarities is not always reliable.

Group-IB identified new non-malware evidence of North Korean involvement in recent attacks, revealing their chain of anonymized nodes and C&C infrastructure — allowing better understanding of their goals and motivation. This report contains an in-depth review of North Korean cyber division tools and tactics as well as recommendations on how to track their involvement in recent attacks on financial institutions and other critical infrastructure.

Dmitry Volkov

Head of Threat Intelligence Department
Сo-founder Group-IB

Protect your clients, business and reputation

Threat Intelligence subscribers are always on the forefront and have been informed about Lazarus activities. The earliest indicator of compromise detected by Group-IB is dated March 2016. This was directly after the Central Bank of Bangladesh incident. Following this incident, the group modified its tactics and tools, adapting them to the changing environment and misleading researchers.

We help to prevent and investigate cyber attacks at every stage, from reconnaissance or preparation to threat actors taking actions to achieve objectives. Furthermore, we prevent the spread of the attack and ensure that your infrastructure is clean of the presence of infection.

Contact us to learn more: +7 495 984-33-64 or

Threat Intelligence

Learn about threats, leakages, attacks, and hacking activity before they can harm your business

Threat Detection System

Detect malicious incidents in your internal network to prevent intrusions, attacks, data leaks, and espionage

Secure Bank

Get the most of your antifraud systems and instantly protect all of your clients

Secure Portal

Protect your customers and citizens with innovative solutions for e‑commerce & e‑government

About Group-IB

Group-IB is one of the global leaders in preventing and investigating high-tech crimes and online fraud.

Since 2003, the company has been active in the field of computer forensics and information security, protecting the largest international companies against financial losses and reputation risks.

We are recognized by Forrester as a threat intelligence vendor providing leading insight to the Eastern European region and recommended by the Organization for Security and Co-operation in Europe (OSCE). In 2017 IDC Report named Group-IB the leader of the Russian Threat Intelligence Services Market.

Group-IB’s experience and threat intelligence has been fused into an eco-system of highly sophisticated software and hardware solutions to monitor, identify and prevent cyber threats.

Learn more

Lazarus Arisen: Architecture,
Techniques and Attribution

Thank you for your interest in our research.

Please fill in the form below and we will send you full version of Group-IB Lazarus report.
Please make sure to correctly fill in all fields, we will only provide materials on provision
of a valid corporate email address.
* Your data is protected by Privacy Policy
Thank you! You’ll receive Group-IB Lazarus report shortly.
Find more news about latest cybercrime trends
Have any questions, please contact us via

Report an incident

24/7 Incident Response Assistance +7 495 984-33-64

* Your data is protected by Privacy Policy
Thank you!
We will contact you soon.
Report an incident