APT / THREAT GROUP | 💰 FINANCIAL | ADVANCED

Lazarus Group

🌐 PRK-attributed
Campaigns: 1
Aliases: 45
Active since: 2009
Last seen: Mar 17, 2026

Intelligence Profile

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns. (Citation: Mandiant DPRK Laz Org Breakdown 2022) (Citation: Mandiant DPRK Groups 2023) (Citation: JPCert Blog Laz Subgroups 2025)

Threat Analysis

Lazarus Group is an advanced-sophistication threat actor attributed to PRK, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like Lazarus Group prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Classified as an advanced threat actor, Lazarus Group likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.

Activity attributed to this group has been observed since at least 2009, indicating a sustained operational presence over multiple years.

Known Campaigns

Lazarus Group — Active Operations March 2026

Lazarus Group is a financial threat actor attributed to PRK. Known targets include: finance, cryptocurrency. Uses TTPs: T1486, T1566.001, T1047. Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Grou...

🎯 finance, 🎯 cryptocurrency
ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: advanced
Origin: 🌐 PRK
Active Since: 2009
Aliases: 45
Source: Malpedia

Also Known As

Andariel, ATK3, Operation DarkSeoul, Hidden Cobra, Labyrinth Chollima, Operation AppleJeus, Diamond Sleet, DEV-0139, COVELLITE, COPERNICIUM, Whois Hacking Team, NICKEL GLADSTONE, Appleworm, Lazarus Group, Guardians of Peace, Zinc, TA404, Subgroup: Bluenoroff, Stardust Chollima, APT 38, Bureau 121, HIDDEN COBRA, DEV-1222, G0082, APT38, G0032, Nickel Academy, Dark Seoul, Group 77, Black Artemis, Lazarus group, Sapphire Sleet, APT-C-26, NICKEL ACADEMY, Hastati Group, Bluenoroff, Citrine Sleet, Moonstone Sleet, Unit 121, BeagleBoyz, Operation Troy, NewRomanic Cyber Army Team, Operation GhostSecret, ZINC, ATK117

Targeted Sectors

🎯 finance, 🎯 cryptocurrency

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.