Lazarus

  • First known sample

    2009
  • Discovery

    2016
  • Number of targets

    100-1000
  • Current status

    Active
  • Type

    Cyberespionage toolkit
  • Targeted platforms

    Windows
  • TOP targeted countries

    Brazil, China, India, Indonesia, Iran, Iraq, Malaysia, Mexico, Poland, Russia, Saudi Arabia, South Korea, Taiwan, Thailand, Turkey, USA, Vietnam
  • The way of propagation

    Watering hole attacks
  • Purpose/Functions

    Cyberespionage, Cybersabotage
  • Special features

    Anti-forensics, HDD wiper, SWIFT Alliance software tampering, multi-stage loaders, false flag operations.
  • Targets

    Financial institutions, Government entities, Military
  • Artefacts/Attribution

    Of the Lazarus group reference sample set compiled by our partner Novetta, just over 60% (61.9%) of the samples have at least one PE resource with a Korean locale or language. A North Korean IP was involved in at least two operations against banks in Europe in 2017.
  • Description

    An APT actor that has been active since at least 2009. This group is believed to be responsible for numerous multifaceted campaigns that include cyberespionage, cyber sabotage, ransomware, and attacks against financial institutions. Originally, the group concentrated on carrying out what seemed to be a geopolitical agenda centered mainly on South Korea. However, it has since moved on to global targets and has begun launching attacks for financial gain.