Threat Actor Profile
High APT
Description

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns. (Citation: Mandiant DPRK Laz Org Breakdown 2022) (Citation: Mandiant DPRK Groups 2023) (Citation: JPCert Blog Laz Subgroups 2025)

Confidence Score
90%
Known Aliases
Lazarus Group, Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (93)
T1005 - Data from Local System
Collection
T1056.001 - Keylogging
Collection
T1074.001 - Local Data Staging
Collection
T1560 - Archive Collected Data
Collection
T1560.002 - Archive via Library
Collection
T1560.003 - Archive via Custom Method
Collection
T1001.003 - Protocol or Service Impersonation
Command and Control
T1008 - Fallback Channels
Command and Control
T1071.001 - Web Protocols
Command and Control
T1090.001 - Internal Proxy
Command and Control
T1090.002 - External Proxy
Command and Control
T1102.002 - Bidirectional Communication
Command and Control
T1104 - Multi-Stage Channels
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1132.001 - Standard Encoding
Command and Control
T1571 - Non-Standard Port
Command and Control
T1573.001 - Symmetric Cryptography
Command and Control
T1110.003 - Password Spraying
Credential Access
T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay
Credential Access
T1027.007 - Dynamic API Resolution
Defense Evasion
T1027.009 - Embedded Payloads
Defense Evasion
T1027.013 - Encrypted/Encoded File
Defense Evasion
T1036.003 - Rename Legitimate Utilities
Defense Evasion
T1036.004 - Masquerade Task or Service
Defense Evasion
T1036.005 - Match Legitimate Resource Name or Locat…
Defense Evasion
T1055.001 - Dynamic-link Library Injection
Defense Evasion
T1070 - Indicator Removal
Defense Evasion
T1070.003 - Clear Command History
Defense Evasion
T1070.004 - File Deletion
Defense Evasion
T1070.006 - Timestomp
Defense Evasion
T1078 - Valid Accounts
Defense Evasion
T1134.002 - Create Process with Token
Defense Evasion
T1140 - Deobfuscate/Decode Files or Information
Defense Evasion
T1202 - Indirect Command Execution
Defense Evasion
T1218 - System Binary Proxy Execution
Defense Evasion
T1218.005 - Mshta
Defense Evasion
T1218.011 - Rundll32
Defense Evasion
T1553.002 - Code Signing
Defense Evasion
T1562.001 - Disable or Modify Tools
Defense Evasion
T1562.004 - Disable or Modify System Firewall
Defense Evasion
T1564.001 - Hidden Files and Directories
Defense Evasion
T1620 - Reflective Code Loading
Defense Evasion
T1010 - Application Window Discovery
Discovery
T1012 - Query Registry
Discovery
T1016 - System Network Configuration Discovery
Discovery
T1033 - System Owner/User Discovery
Discovery
T1046 - Network Service Discovery
Discovery
T1049 - System Network Connections Discovery
Discovery
T1057 - Process Discovery
Discovery
T1082 - System Information Discovery
Discovery
T1083 - File and Directory Discovery
Discovery
T1124 - System Time Discovery
Discovery
T1680 - Local Storage Discovery
Discovery
T1047 - Windows Management Instrumentation
Execution
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.003 - Windows Command Shell
Execution
T1059.005 - Visual Basic
Execution
T1106 - Native API
Execution
T1203 - Exploitation for Client Execution
Execution
T1204.002 - Malicious File
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1048.003 - Exfiltration Over Unencrypted Non-C2 Pr…
Exfiltration
T1485 - Data Destruction
Impact
T1489 - Service Stop
Impact
T1491.001 - Internal Defacement
Impact
T1529 - System Shutdown/Reboot
Impact
T1561.001 - Disk Content Wipe
Impact
T1561.002 - Disk Structure Wipe
Impact
T1189 - Drive-by Compromise
Initial Access
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
T1566.003 - Spearphishing via Service
Initial Access
T1021.001 - Remote Desktop Protocol
Lateral Movement
T1021.002 - SMB/Windows Admin Shares
Lateral Movement
T1021.004 - SSH
Lateral Movement
T1098 - Account Manipulation
Persistence
T1542.003 - Bootkit
Persistence
T1543.003 - Windows Service
Persistence
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1547.009 - Shortcut Modification
Persistence
T1574.001 - DLL
Persistence
T1574.013 - KernelCallbackTable
Persistence
T1589.002 - Email Addresses
Reconnaissance
T1591 - Gather Victim Org Information
Reconnaissance
T1583.001 - Domains
Resource Development
T1583.006 - Web Services
Resource Development
T1584.004 - Server
Resource Development
T1585.001 - Social Media Accounts
Resource Development
T1585.002 - Email Accounts
Resource Development
T1587.001 - Malware
Resource Development
T1588.002 - Tool
Resource Development
T1588.004 - Digital Certificates
Resource Development
AI Threat Intelligence Report
April 29, 2026 15:33
Threat Intelligence Report: Lazarus Group

Automated AI-generated threat intelligence report for Lazarus Group.

STIX Data
{'aliases': ['Lazarus Group',
             'Labyrinth Chollima',
             'HIDDEN COBRA',
             'Guardians of Peace',
             'ZINC',
             'NICKEL ACADEMY',
             'Diamond Sleet'],
 'created': '2017-05-31T21:32:03.807Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Lazarus Group](https://attack.mitre.org/groups/G0032) is a '
                'North Korean state-sponsored cyber threat group attributed to '
                'the Reconnaissance General Bureau (RGB). (Citation: US-CERT '
                'HIDDEN COBRA June 2017) (Citation: Treasury North Korean '
                'Cyber Groups September 2019) [Lazarus '
                'Group](https://attack.mitre.org/groups/G0032) has been active '
                'since at least 2009 and is reportedly responsible for the '
                'November 2014 destructive wiper attack on Sony Pictures '
                'Entertainment, identified by Novetta as part of Operation '
                'Blockbuster. Malware used by [Lazarus '
                'Group](https://attack.mitre.org/groups/G0032) correlates to '
                'other reported campaigns, including Operation Flame, '
                'Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days '
                'of Rain.(Citation: Novetta Blockbuster)\n'
                '\n'
                'North Korea’s cyber operations have shown a consistent '
                'pattern of adaptation, forming and reorganizing units as '
                'national priorities shift. These units frequently share '
                'personnel, infrastructure, malware, and tradecraft, making it '
                'difficult to attribute specific operations with high '
                'confidence. Public reporting often uses “Lazarus Group” as an '
                'umbrella term for multiple North Korean cyber operators '
                'conducting espionage, destructive attacks, and financially '
                'motivated campaigns.(Citation: Mandiant DPRK Laz Org '
                'Breakdown 2022)(Citation: Mandiant DPRK Groups '
                '2023)(Citation: JPCert Blog Laz Subgroups 2025)\n'
                '\n',
 'external_references': [{'external_id': 'G0032',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0032'},
                         {'description': '(Citation: CrowdStrike Labyrinth '
                                         'Chollima Feb 2022)',
                          'source_name': 'Labyrinth Chollima'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Diamond Sleet'},
                         {'description': '(Citation: Microsoft ZINC disruption '
                                         'Dec 2017)',
                          'source_name': 'ZINC'},
                         {'description': '(Citation: Novetta Blockbuster)',
                          'source_name': 'Lazarus Group'},
                         {'description': '(Citation: Secureworks NICKEL '
                                         'ACADEMY Dec 2017)',
                          'source_name': 'NICKEL ACADEMY'},
                         {'description': '(Citation: US-CERT HIDDEN COBRA June '
                                         '2017)',
                          'source_name': 'Guardians of Peace'},
                         {'description': 'CrowdStrike. (2022, February 1). '
                                         'CrowdStrike Adversary Labyrinth '
                                         'Chollima. Retrieved February 1, '
                                         '2022.',
                          'source_name': 'CrowdStrike Labyrinth Chollima Feb '
                                         '2022',
                          'url': 'https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/'},
                         {'description': 'Michael Barnhart, Austin Larsen, '
                                         'Jeff Johnson, Taylor Long, Michelle '
                                         'Cantos, Adrian Hernandez. (2023, '
                                         'October 10). Assessed Cyber '
                                         'Structure and Alignments of North '
                                         'Korea in 2023. Retrieved August 25, '
                                         '2025.',
                          'source_name': 'Mandiant DPRK Groups 2023',
                          'url': 'https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023'},
                         {'description': 'Michael Barnhart, Michelle Cantos, '
                                         'Jeffery Johnson, Elias fox, Gary '
                                         'Freas, Dan Scott. (2022, March 23). '
                                         'Not So Lazarus: Mapping DPRK Cyber '
                                         'Threat Groups to Government '
                                         'Organizations. Retrieved September '
                                         '9, 2025.',
                          'source_name': 'Mandiant DPRK Laz Org Breakdown 2022',
                          'url': 'https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Novetta Threat Research Group. '
                                         '(2016, February 24). Operation '
                                         'Blockbuster: Unraveling the Long '
                                         'Thread of the Sony Attack. Retrieved '
                                         'February 25, 2016.',
                          'source_name': 'Novetta Blockbuster',
                          'url': 'https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf'},
                         {'description': 'Secureworks. (2017, December 15). '
                                         'Media Alert - Secureworks Discovers '
                                         'North Korean Cyber Threat Group, '
                                         'Lazarus, Spearphishing Financial '
                                         'Executives of Cryptocurrency '
                                         'Companies. Retrieved December 27, '
                                         '2017.',
                          'source_name': 'Secureworks NICKEL ACADEMY Dec 2017',
                          'url': 'https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing'},
                         {'description': 'Smith, B. (2017, December 19). '
                                         'Microsoft and Facebook disrupt ZINC '
                                         'malware attack to protect customers '
                                         'and the internet from ongoing '
                                         'cyberthreats. Retrieved December 20, '
                                         '2017.',
                          'source_name': 'Microsoft ZINC disruption Dec 2017',
                          'url': 'https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/'},
                         {'description': 'The U.S. Government refers to '
                                         'malicious cyber activity by the '
                                         'North Korean government as HIDDEN '
                                         'COBRA.(Citation: US-CERT HIDDEN '
                                         'COBRA June 2017)(Citation: US-CERT '
                                         'HOPLIGHT Apr 2019)',
                          'source_name': 'HIDDEN COBRA'},
                         {'description': 'US Treasury . (2019, September 13). '
                                         'Treasury Sanctions North Korean '
                                         'State-Sponsored Malicious Cyber '
                                         'Groups. Retrieved September 29, '
                                         '2021.',
                          'source_name': 'Treasury North Korean Cyber Groups '
                                         'September 2019',
                          'url': 'https://home.treasury.gov/news/press-releases/sm774'},
                         {'description': 'US-CERT. (2017, June 13). Alert '
                                         '(TA17-164A) HIDDEN COBRA – North '
                                         'Korea’s DDoS Botnet Infrastructure. '
                                         'Retrieved July 13, 2017.',
                          'source_name': 'US-CERT HIDDEN COBRA June 2017',
                          'url': 'https://www.us-cert.gov/ncas/alerts/TA17-164A'},
                         {'description': 'US-CERT. (2019, April 10). '
                                         'MAR-10135536-8 – North Korean '
                                         'Trojan: HOPLIGHT. Retrieved April '
                                         '19, 2019.',
                          'source_name': 'US-CERT HOPLIGHT Apr 2019',
                          'url': 'https://www.us-cert.gov/ncas/analysis-reports/AR19-100A'},
                         {'description': '佐々木勇人 Hayato Sasaki. (2025, March '
                                         '25). Tempted to Classifying APT '
                                         'Actors: Practical Challenges of '
                                         'Attribution in the Case of Lazarus’s '
                                         'Subgroup. Retrieved August 25, 2025.',
                          'source_name': 'JPCert Blog Laz Subgroups 2025',
                          'url': 'https://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html'}],
 'id': 'intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a',
 'modified': '2025-10-24T01:29:21.748Z',
 'name': 'Lazarus Group',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['Kyaw Pyiyt Htet, @KyawPyiytHtet',
                          'Dragos Threat Intelligence',
                          'MyungUk Han, ASEC',
                          'Jun Hirata, NEC Corporation',
                          'Manikantan Srinivasan, NEC Corporation India',
                          'Pooja Natarajan, NEC Corporation India'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'ics-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '5.0'}