Dashboard / Threat Actors / UNC4736

🇰🇵

UNC4736

APT Group 1 zero-day CVE ETDA ✓

Also Known As

No alias recorded

Target Countries 1

Countries highlighted in red

Cyprus

Sectors Targeted

Data Processing, Hosting, and Related Services 518 Software Publishers 5112 Computer Systems Design and Related Services 54151 Commodity Contracts Intermediation 523160 Utilities 22 Data Processing, Hosting, and Related Services 51821 Computer Systems Design and Related Services 5415

Details

Origin 🇰🇵 KP

Last Updated 23 Dec 2023

MITRE ATT&CK 35

T1027 T1027.009 T1027.013 T1055 T1055.002 T1059.003 T1071 T1071.001 T1078 T1102 T1102.001 T1189 T1195 T1195.002 T1203 T1217 T1218 T1218.007 T1218.015 T1543 T1543.004 T1546 T1546.016 T1553 T1553.002 T1559 T1566 T1566.001 T1573 T1573.001 T1574 T1574.001 T1620 T1657 T1678

Related Zero-Days 1

CVE-2024-7971

Known Names 30 entries

Lazarus Group Kaspersky

Labyrinth Chollima CrowdStrike

Group 77 Talos

Hastati Group SecureWorks

Whois Hacking Team McAfee

NewRomanic Cyber Army Team McAfee

Zinc Microsoft

Hidden Cobra Trend Micro

Appleworm Symantec

APT-C-26 Qihoo 360

ATK 3 Thales

SectorA01 ThreatRecon

ITG03 IBM

TA404 Proofpoint

DEV-0139 Microsoft

Guardians of Peace self given

Gods Apostles self given

Gods Disciples self given

UNC577 Mandiant

UNC2970 Mandiant

UNC4034 Mandiant

UNC4736 Mandiant

UNC4899 Mandiant

Diamond Sleet Microsoft

Citrine Sleet Microsoft

Jade Sleet Microsoft

TraderTraitor CISA

Gleaming Pisces Palo Alto

Slow Pisces Palo Alto

G0032 MITRE

Observed Target Countries 28

Based on ETDA data — countries highlighted in red

Australia Bangladesh Belgium Brazil Canada Chile China Ecuador France Germany Guatemala Hong Kong India Israel Japan Mexico Netherlands Philippines Poland Russia South Africa South Korea Taiwan Thailand UK USA Vietnam Worldwide (WannaCry)

Description

(Malwarebytes) Lazarus Group is commonly believed to be run by the North Korean government, motivated primarily by financial gain as a method of circumventing long-standing sanctions against the regime. They first came to substantial media notice in 2013 with a series of coordinated attacks against an assortment of South Korean broadcasters and financial institutions using DarkSeoul, a wiper program that overwrites sections of the victims’ master boot record. In November 2014, a large scale breach of Sony Pictures was attributed to Lazarus. The attack was notable due to its substantial penetration across Sony networks, the extensive amount of data exfiltrated and leaked, as well of use of a wiper in a possible attempt to erase forensic evidence. Attribution on the attacks was largely hazy, but the FBI released a statement tying the Sony breach to the earlier DarkSeoul attack, and officially attributed both incidents to North Korea. Fast forward to May 2017 with the widespread outbreak of WannaCry, a piece of ransomware that used an SMB exploit as an attack vector. Attribution to North Korea rested largely on code reuse between WannaCry and previous North Korean attacks, but this was considered to be thin grounds given the common practice of tool sharing between regional threat groups. Western intelligence agencies released official statements to the public reaffirming the attribution, and on September 6, 2018, the US Department of Justice charged a North Korean national with involvement in both WannaCry and the Sony breach. Lazarus Group has 3 subgroups: 1. {{Subgroup: Andariel, Silent Chollima}} 2. {{Subgroup: BeagleBoyz}} 3. {{Subgroup: Bluenoroff, APT 38, Stardust Chollima}} 4. {{Subgroup: Operation Contagious Interview}} The following groups may be associated with the Lazarus Group: {{Covellite}}, {{Reaper, APT 37, Ricochet Chollima, ScarCruft}}, {{Wassonite}} and {{Moonstone Sleet}}.

Tools Used 158

3proxy 3Rat Client Andaratm AppleJeus ARTFULPIE Aryan ATMDtrack AuditCred BADCALL Bankshot BanSwift BISTROMATH Bitsran BLINDINGCAN BlindToad Bookcode BootWreck BottomLoader Brambul BTC Changer BUFFETLINE Castov CheeseTray CleanToad ClientTraficForwarder COLDCAT CollectionRAT Concealment Troy Contopee CookieTime Dacls RAT DarkComet DAVESHELL DBLL Dropper DeltaCharlie Destover DLRAT Dozer DoublePulsar DRATzarus Dtrack Duuzer DyePack ELECTRICFISH EternalBlue FALLCHILL Fimlis FudModule Gh0st RAT Gopuram HARDRAIN Hawup Hermes HLOADER HOOKSHOT HOPLIGHT HotelAlfa HOTCROISSANT Hotwax HtDnDownLoader Http Dr0pper HTTP Troy ICONICSTEALER Joanap Jokra KANDYKORN KEYMARBLE KillDisk Koredos Lazarus LightlessCan LIGHTSHIFT LIGHTSHOW MagicRAT MATA Mimikatz Mydoom NachoCheese NestEgg NickelLoader NineRAT NukeSped OpBlockBuster PEBBLEDASH PhanDoor PLANKWALK Plink PondRAT POOLRAT PowerBrace PowerRatankba PowerShell RAT PowerSpritz PowerTask ProcDump Proxysvc PSLogger Quickcafe QuiteRAT Ratankba RatankbaPOS RawDisk Recon RedShawl Rifdoor Rising Sun Romeos RomeoAlfa RomeoBravo RomeoCharlie RomeoDelta RomeoEcho RomeoFoxtrot RomeoGolf RomeoHotel RomeoMike RomeoNovember RomeoWhiskey RustBucket Scout SHARPKNOT SheepRAT SIDESHOW SierraAlfa SierraCharlie SIGFLIP SLICKSHOES SmallTiger Stunnel SUDDENICON SUGARLOADER TAINTEDSCRIBE TAXHAUL Tdrop Tdrop2 TFlower ThreatNeedle TigerRAT TOUCHKEY TOUCHMOVE TOUCHSHIFT TOUCHSHOT Troy TYPEFRAME ValeforBeta VEILEDSIGNAL VHD Volgmer VSingle Vyveva WannaCry WbBot WinorDLL64 WolfRAT Wormhole YamaBot Yort Living off the Land

Operations 115

2007 Operation “Flame” Target: South Korean government. Method: Disruption and sabotage.

2009-07 Operation “Troy” North Korean hackers are suspected of launching a cyber-attack on some of the most important government offices in the US and South Korea in recent days, including the White House, the Pentagon, the New York Stock Exchange and the presidential Blue House in Seoul. The attack took out some of South Korea’s most important websites, including those of the Blue House, the defense ministry, the national assembly, Shinhan bank, Korea Exchange bank and the top internet portal Naver. Target: Government, financial and media institutions in South Korea and USA. Method: DdoS attacks. https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack

2011-03 Attack on South Korean banks and media Recent Distributed Denial of Service (DdoS) attacks on a number South Korean websites have been in news for the past week. The threat responsible for carrying out these attacks is Trojan.Koredos. Target: South Korean organizations. Method: DdoS attacks and destruction of infected machines. https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise

2013-03 Operation “Ten Days of Rain” / ”DarkSeoul” Computer networks running three major South Korean banks and the country’s two largest broadcasters were paralyzed Wednesday in attacks that some experts suspected originated in North Korea, which has consistently threatened to cripple its far richer neighbor. The attacks, which left many South Koreans unable to withdraw money from A.T.M.’s and news broadcasting crews staring at blank computer screens, came as the North’s official Korean Central News Agency quoted the country’s leader, Kim Jong-un, as threatening to destroy government installations in the South, along with American bases in the Pacific. Target: Three broadcasting stations and a bank in South Korea. Method: Infecting with viruses, stealing and wiping information. https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html

2013-05 South Korean Financial Companies Targeted by Castov In the past few months we have been actively monitoring an exploit kit, called Gongda, which is mainly targeting South Korea. Interestingly, we have come across a piece of malware, known as Castov, being delivered by this exploit kit that targets specific South Korean financial companies and their customers. The cybercriminals in this case have done their research on the South Korean online financial landscape. https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov

2013-06 DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War Yesterday, June 25, the Korean peninsula observed a series of cyberattacks coinciding with the 63rd anniversary of the start of the Korean War. While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DdoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov. https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war

2014-11 Operation “Blockbuster”: Breach of Sony Pictures Entertainment The attack on Sony Pictures became public knowledge on November 24, 2014, when Sony employees turned on their computers to be greeted with the sight of a neon red skeleton and the words “Hacked by GOP”, which stood for “Guardians of the Peace”. The message also threatened to release data later that day if an unspecified request was not met. Over the following weeks, huge swathes of information stolen from Sony were released, including: personal information about employees and their families; email correspondence between employees at the company; information about company salaries, unreleased Sony films, and other information. Target: Sony Pictures Entertainment (released the “Interview” movie, ridiculing the North Korean leader). Method: Infecting with malware, stealing and wiping data of the company’s employees, correspondence, copies of unreleased films. https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf

2015-06 Using the Palo Alto Networks AutoFocus threat intelligence platform, we identified several samples of malicious code with behavior similar to the aforementioned Operation Troy campaign dating back to June 2015, over two years after the original attacks in South Korea. Session data revealed a live attack targeting the transportation and logistics sector in Europe. https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/

2017-03 The Blockbuster Sequel This recently identified activity is targeting Korean speaking individuals, while the threat actors behind the attack likely speak both Korean and English. This blog will detail the recently discovered samples, their functionality, and their ties to the threat group behind Operation Blockbuster. https://unit42.paloaltonetworks.com/unit42-the-blockbuster-sequel/

2017-05 WannaCry ransomware ThaiCERT's whitepaper: https://www.dropbox.com/s/hpr9fas9xbzo2uz/Whitepaper WannaCry Ransomware.pdf?dl=0

2017-06 We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL–A), discovered in June 2017, that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified. https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/

2017-08 The Blockbuster Saga Continues Unit 42 researchers at Palo Alto Networks have discovered new attack activity targeting individuals involved with United States defense contractors. https://unit42.paloaltonetworks.com/unit42-blockbuster-saga-continues/

2017 Late Several financial sector and a casino breaches using KillDisk wiping malware in Latin America and USA. https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/ https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/

2017/2018 Cryptocurrency attacks on South Korean exchanges. https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/

2018-01 F-Secure’s investigation revealed that a system administrator from the target organization received a phishing document via their personal LinkedIn account. The document masqueraded as a legitimate job advert for a role in a blockchain technology company that matched the employee’s skills. https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf

2018-03 APT attack on Turkish Financial Sector. Target: Turkish Financial Sector. Method: Spear-phishing with Bankshot implant. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

2018-04 Operation “GhostSecret” Target: The impacted organizations are in industries such as telecommunications, health, finance, critical infrastructure, and entertainment. Method: Spear-phishing with Destover-like implant. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/

2018-04 The first artefacts we found relating to MATA were used around April 2018. After that, the actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/

2018-08 Operation “AppleJeus” Target: Cryptocurrency exchange. Method: Fake installer and macOS malware. https://securelist.com/operation-applejeus/87553/

2018-07 Operation “CryptoCore” Operation “Dangerous Password” Operation “Leery Turtle” https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf

2018 Summer Our investigation into the Dtrack RAT actually began with a different activity. In the late summer of 2018, we discovered ATMDtrack, a piece of banking malware targeting Indian banks. Further analysis showed that the malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines. https://securelist.com/my-name-is-dtrack/93338/

2018-10 Operation “Sharpshooter” Target: 87 organizations in many different sectors (majority Government and Defense) across the globe, predominantly in the United States. Method: Rising Sun implant to gather intelligence. https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/

2018-11 More Attacks on Cryptocurrency Businesses Target: Some of the documents (for instance one entitled “sample document for business plan evaluation of venture company”) were prepared in Korean, presumably to target South Korean businesses. Another contains a business overview of what seems to be a Chinese technology consulting group named LAFIZ (“we couldn’t confirm if it’s a legitimate business or another fake company made up by Lazarus,” Kaspersky Lab researchers said). Yet another provided information for coin listings with a translation in Korean, researchers said. Method: Documents containing weaponized macros, “carefully prepared to attract the attention of cryptocurrency professionals.” It utilizes PowerShell to control Windows systems and macOS malware for Apple users. https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/

2019-03 The infamous Lazarus threat actor group has been found targeting an Israeli defense company, according to new research outlined by a cybersecurity firm ClearSky. The campaign is carried out with an intention to steal military and commercial secrets. https://cyware.com/news/lazarus-hacking-group-expand-their-attack-horizon-by-targeting-an-israeli-defense-company-02e2ec77

2019-03 Operation “AppleJeus sequel” As a result of our ongoing efforts, we identified significant changes to the group’s attack methodology. https://securelist.com/operation-applejeus-sequel/95596/

2019-04 “Hoplight” Malware Campaign Known as “Hoplight,” the malware is a collection of nine files, though most of those are designed to work as obfuscation layers to keep admins and security software from spotting the attack. https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/

2019-05 North Korean Tunneling Tool: ELECTRICFISH This report provides analysis of one malicious 32-bit Windows executable file. The malware implements a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a funneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network. https://www.us-cert.gov/ncas/analysis-reports/AR19-129A

2019-05 Hackers associated with the APT Lazarus/HIDDEN COBRA group were found to be breaking into online stores of large US retailers and planting payment skimmers as early as May 2019. https://sansec.io/research/north-korea-magecart

2019-09 Operation “In(ter)caption” Operation “In(ter)caption” At the end of last year, we discovered targeted attacks against aerospace and military companies in Europe and the Middle East, active from September to December 2019. A collaborative investigation with two of the affected European companies allowed us to gain insight into the operation and uncover previously undocumented malware. https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf

2019-09 Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware https://www.sygnia.co/mata-framework

2019-10 Dacls, the Dual platform RAT https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/

2019-12 The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware & APT https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/

2020 Operation “North Star” In this 2020 campaign McAfee ATR discovered a series of malicious documents containing job postings taken from leading defense contractors to be used as lures, in a very targeted fashion. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-summary-of-our-latest-analysis/ https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/

2020 Operation “Dream Job” Upon infection, the attackers collected intelligence regarding the company’s activity, and also its financial affairs, probably in order to try and steal some money from it. https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

2020-02 Lazarus BTC Changer https://www.group-ib.com/blog/btc_changer

2020-03 Lazarus on the hunt for big game https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

2020-04 New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/

2020-04 We discovered another malware cluster named CookieTime used in a campaign mainly focused on the defense industry. https://securelist.com/apt-trends-report-q1-2021/101967/

2020-06 Covid-19 Relief: North Korea Hackers Lazarus Planning Massive Attack on US, UK, Japan, Singapore, India, South Korea? https://www.ibtimes.sg/covid-19-relief-north-korea-hackers-lazarus-planning-massive-attack-us-uk-japan-singapore-47072

2020-06 ESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva, being used to attack a freight logistics company in South Africa. https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/

2020 Mid Lazarus targets defense industry with ThreatNeedle https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Lazarus-targets-defense-industry-with-Threatneedle-En.pdf

2020-08 North Korean hackers are targeting Israel's defense sector, Israel Ministry of Defense claims https://www.cyberscoop.com/north-korea-hackers-lazarus-group-israel-defense/

2020-11 ESET researchers uncover a novel Lazarus supply-chain attack leveraging WIZVERA VeraPort software https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/

2020-12 As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that actors, such as the Lazarus group, are going after intelligence that could help these efforts by attacking entities related to COVID-19 research. https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/

2021-01 New campaign targeting security researchers https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/ https://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/ https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

2021-03 Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta) https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html

2021-03 Update on campaign targeting security researchers https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/

2021 Spring Lazarus campaign TTPs and evolution https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution

2021 Autumn Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/

2021-06 APT actor Lazarus attacks defense industry, develops supply chain attack capabilities https://usa.kaspersky.com/about/press-releases/2021_apt-actor-lazarus-attacks-defense-industry-develops-supply-chain-attack-capabilities

2021-11 Lazarus hackers target researchers with trojanized IDA Pro https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/

2021-12 Lazarus Trojanized DeFi app for delivering malware https://securelist.com/lazarus-trojanized-defi-app/106195/

2022 Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malware https://asec.ahnlab.com/en/57685/

2022-01 North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/

2022-01 Lazarus Targets Chemical Sector https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical

2022-02 Operation “LolZarus” Qualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defence sector. https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns

2022-02 On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. https://blog.google/threat-analysis-group/countering-threats-north-korea/

2022 Early Tracing State-Aligned Activity Targeting Journalists, Media https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists

2022-02 Lazarus and the tale of three RATs https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html

2022-02 MagicRAT: Lazarus’ latest gateway into victim networks https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html

2022-03 A hacker stole $625 million from the blockchain behind NFT game Axie Infinity https://www.theverge.com/2022/3/29/23001620/sky-mavis-axie-infinity-ronin-blockchain-validation-defi-hack-nft https://www.cisa.gov/uscert/ncas/alerts/aa22-108a

2022-04 Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped) https://asec.ahnlab.com/en/34461/

2022-05 Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity https://thehackernews.com/2023/03/lazarus-group-exploits-zero-day.html

2022-06 North Korea accused of orchestrating $100 million Harmony crypto hack https://therecord.media/north-korea-accused-of-orchestrating-100-million-harmony-crypto-hack/

2022-06 Stealing the LIGHTSHOW https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970 https://www.mandiant.com/resources/blog/lightshift-and-lightshow

2022-06 ZINC weaponizing open-source software https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/

2022-06 ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware https://www.volexity.com/blog/2022/12/01/buyer-beware-fake-cryptocurrency-applications-serving-as-front-for-applejeus-malware/ https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/

2022-07 Lazarus and the tale of three RATs https://blog.talosintelligence.com/lazarus-three-rats/

2022-08 deBridge Finance crypto platform targeted by Lazarus hackers https://www.bleepingcomputer.com/news/security/debridge-finance-crypto-platform-targeted-by-lazarus-hackers/

2022-08 Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/

2022-08 Operation “No Pineapple!” North Korean hackers stole research data in two-month-long breach https://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-research-data-in-two-month-long-breach/

2022-09 SlowMist: Investigation of North Korean APT’s Large-Scale Phishing Attack on NFT Users https://slowmist.medium.com/slowmist-our-in-depth-investigation-of-north-korean-apts-large-scale-phishing-attack-on-nft-users-362117600519

2022-09 Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/

2022 Late DPRK Using Unpatched Zimbra Devices to Spy on Researchers https://www.darkreading.com/remote-workforce/dprk-using-unpatched-zimbra-devices-to-spy-on-researchers-

2022 Late 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain

2022 Late North Korean hackers linked to defense sector supply-chain attack https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-defense-sector-supply-chain-attack/

2022-11 DPRK hacking groups breach South Korean defense contractors https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/

2023 Early Lazarus Group's infrastructure reuse leads to discovery of new malware https://blog.talosintelligence.com/lazarus-collectionrat/

2023 Early Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT https://blog.talosintelligence.com/lazarus-quiterat/

2023-03 More evidence links 3CX supply-chain attack to North Korean hacking group https://therecord.media/3cx-attack-north-korea-lazarus-group https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/ https://www.3cx.com/blog/news/mandiant-initial-results/

2023-03 Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/

2023-03 Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/

2023-05 Lazarus Group Targeting Windows IIS Web Servers https://asec.ahnlab.com/en/53132/

2023-06 North Korea’s Lazarus Group Likely Responsible For $35 Million Atomic Crypto Theft https://hub.elliptic.co/analysis/north-korea-s-lazarus-group-likely-responsible-for-35-million-atomic-crypto-theft/

2023-06 Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution https://asec.ahnlab.com/en/54195/

2023-07 North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack https://www.mandiant.com/resources/blog/north-korea-supply-chain

2023-07 Security alert: social engineering campaign targets technology industry employees https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/

2023-07 Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points https://asec.ahnlab.com/en/55369/

2023-07 CoinsPaid blames Lazarus hackers for theft of $37,300,000 in crypto https://www.bleepingcomputer.com/news/security/coinspaid-blames-lazarus-hackers-for-theft-of-37-300-000-in-crypto/

2023-07 Lazarus hackers linked to $60 million Alphapo cryptocurrency heist https://www.bleepingcomputer.com/news/security/lazarus-hackers-linked-to-60-million-alphapo-cryptocurrency-heist/

2023-07 A cascade of compromise: unveiling Lazarus’ new campaign https://securelist.com/unveiling-lazarus-new-campaign/110888/

2023-08 VMConnect: Malicious PyPI packages imitate popular open source modules https://www.reversinglabs.com/blog/vmconnect-malicious-pypi-packages-imitate-popular-open-source-modules https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues

2023-09 FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom

2023-09 CoinEx confirms hack after $31 million in cryptocurrency allegedly stolen from exchange https://therecord.media/coinex-confirms-hack-after-31-million-allegedly-stolen https://therecord.media/coinex-cryptocurrency-heist-north-korea

2023-10 Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

2023-10 Operation “Dream Magic” https://asec.ahnlab.com/en/57736/

2023-10 Elastic catches DPRK passing out KANDYKORN https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn https://www.sentinelone.com/blog/dprk-crypto-theft-macos-rustbucket-droppers-pivot-to-deliver-kandykorn-payloads/

2023-10 Diamond Sleet supply chain compromise distributes a modified CyberLink installer https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/

2024-01 Lazarus Group Uses the DLL Side-Loading Technique https://asec.ahnlab.com/en/60792/

2024-02 New Malicious PyPI Packages used by Lazarus https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html

2024-02 Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/

2024-05 The Crypto Game of Lazarus APT: Investors vs. Zero-days https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/

2024-05 FBI links North Korean hackers to $308 million crypto heist https://www.bleepingcomputer.com/news/security/fbi-links-north-korean-hackers-to-308-million-crypto-heist/

2024-06 Fake recruiter coding tests target devs with malicious Python packages https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages

2024-06 An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader

2024-08 North Korean threat actor Citrine Sleet exploiting Chromium zero-day https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/

2024-09 Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/

2024-10 Radiant links $50 million crypto heist to North Korean hackers https://www.bleepingcomputer.com/news/security/radiant-links-50-million-crypto-heist-to-north-korean-hackers/

2024-11 Operation “SyncHole” Operation SyncHole: Lazarus APT goes back to the well https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/

2025-01 Operation “99” North Korean State Sponsored Supply Chain Attack on Tech Innovation https://securityscorecard.com/wp-content/uploads/2025/01/Report_011325_Strike_Operation99.pdf

2025-01 Operation “Phantom Circuit” Operation Phantom Circuit: North Korea’s Global Data Exfiltration Campaign https://securityscorecard.com/wp-content/uploads/2025/01/Operation-Phantom-Circuit-Report_012725_03.pdf

2025-01 Operation “Marstech Mayhem” Lazarus Group’s Open-Source Trap: North Korea’s New Malware Tactic Targeting Developers and Crypto Wallets https://securityscorecard.com/wp-content/uploads/2025/02/Operation-Marstech-Mayhem-Report_021025_03.pdf

2025-02 North Korean hackers linked to $1.5 billion ByBit crypto heist https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-15-billion-bybit-crypto-heist/ https://therecord.media/north-koreans-initial-laundering-bybit-hack

2025-04 Beyond the Pond Phish: Unraveling Lazarus Group’s Evolving Tactics https://blog.bitmex.com/bitmex-busts-lazarus-group/

2025-05 BitoPro exchange links Lazarus hackers to $11 million crypto heist https://www.bleepingcomputer.com/news/security/bitopro-exchange-links-lazarus-hackers-to-11-million-crypto-heist/

Reports & References 35

https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/ https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c https://content.fireeye.com/apt/rpt-apt38 https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity https://www.us-cert.gov/ncas/alerts/aa20-106a https://www.us-cert.gov/ncas/current-activity/2020/05/12/north-korean-malicious-cyber-activity https://global.ahnlab.com/global/upload/download/techreport/%5BAhnLab%5DAndariel_a_Subgroup_of_Lazarus%20(3).pdf https://exchange.xforce.ibmcloud.com/threat-group/0c0c39d309b5c7f00a0a7edd54bb025e https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/ http://www.documentcloud.org/documents/7038686-US-Army-report-on-North-Korean-military.html https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/ https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/lazarus-recruitment/ https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-hermit-kingdoms-ransomware-play.html https://asec.ahnlab.com/en/48223/ https://securelist.com/the-lazarus-group-deathnote-campaign/109490/ https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a https://www.trmlabs.com/post/inside-north-koreas-crypto-heists https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics https://thehackernews.com/2023/10/north-koreas-lazarus-group-launders-900.html https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf https://eng.nis.go.kr/common/download.do?type=&seq=8E464392CD0485169FA97278AEE8B607 https://go.recordedfuture.com/hubfs/reports/cta-2023-1130.pdf https://www.trmlabs.com/post/north-korean-hackers-stole-600-million-in-crypto-in-2023 https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf https://www.elliptic.co/blog/north-korean-hackers-return-to-tornado-cash-despite-sanctions https://www.bleepingcomputer.com/news/cryptocurrency/coinstats-says-north-korean-hackers-breached-1-590-crypto-wallets/ https://www.group-ib.com/blog/apt-lazarus-python-scripts/ https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/ https://securelist.com/lazarus-new-malware/115059/ https://www.sonatype.com/hubfs/White_Papers/How-North-Korea-Backed-Lazarus-Group-is-Weaponizing-Open-Source-Whitepaper.pdf

ETDA Profile

Lazarus Group, Hidden Cobra, Labyrinth Chollima

Origin

North Korea

First Seen 2007

Sponsor State-sponsored, Bureau/Unit 211

Motivation

Information theft and espionage Sabotage and destruction Financial crime

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0032/

View on ETDA APT Groups ↗