Cyber Threat Actor: Lazarus
| Actor Type | Location | Known Incidents |
Nation State
|
North Korea
|
87 incidents |
|---|
Profile
The threat actor is known by multiple aliases including BlueNoroff, Hidden Cobra, Lazarus and APT38 and is assessed to operate from North Korea. Public reporting links the group to the Reconnaissance General Bureau and its Bureau 121 cyber warfare unit, describing its activities as both financially motivated and intelligence‑gathering in support of the regime. Notable operations include the theft of approximately $1.5 billion in Ethereum from Bybit in early 2025, the $69 million heist against Phemex in January 2025, and the breach of Seoul National University Hospital in 2021 that exposed data for over 800 000 individuals. These incidents illustrate a pattern of targeting high‑value financial platforms and sensitive institutional networks to generate revenue and acquire strategic information.
The group’s targeting spans financial institutions, cryptocurrency services, healthcare providers and defense‑related organizations across multiple regions. Reported victims include banks in Bangladesh, Taiwan, Mexico and Chile, cryptocurrency exchanges such as Bybit, Phemex, CoinEx and Alphapo, and healthcare providers in South Korea and the United Kingdom. In addition, actors have attempted to compromise defense contractors and nuclear facilities, as seen in attempts to obtain US‑South Korean war plans and to infiltrate Indian nuclear plant networks. The geographic reach of the activity is global, with attacks observed in Europe, Asia, the Americas and the Middle East.
Initial access frequently relies on spear‑phishing emails that contain malicious Office documents, fake job offers or LinkedIn messages designed to trick recipients into enabling macros or downloading payloads. Once inside a network, the actors deploy malware families such as WannaCry ransomware, the Dtrack backdoor, PowerRatankba PowerShell tools and the INLETDRIFT macOS backdoor, often leveraging living‑off‑the‑land binaries and script‑based loaders to evade detection. They also employ techniques like disabling security software, using custom downloaders that check for antivirus products, and employing mixers such as Sinbad to launder stolen cryptocurrency. These tactics demonstrate a focus on stealth, persistence and the manipulation of legitimate administrative tools for malicious purposes.
Attribution to North Korea is reinforced by technical overlaps with previously identified Lazarus code, shared infrastructure such as command‑and‑control servers, and the reuse of specific malware components across disparate campaigns. The group is described as a state‑sponsored APT that also engages in cybercrime to fund weapons development, and has been observed cooperating with Russian entities under mutual sanctions pressure to evade restrictions. While the actor operates under several names, BlueNoroff is recognized as the subset that focuses on banks and cryptocurrency firms, whereas the broader Lazarus umbrella encompasses espionage and sabotage efforts. This multifaceted approach enables the actor to pursue both monetary gain and strategic intelligence objectives in support of the Pyongyang regime.
