Lazarus Group: North Korea’s most dangerous cyber weapon
Tags: Threat Actor Profile, Nation-State, DPRK, Financial Crime, Espionage
Most nation-state hackers want one of two things: intelligence or disruption. Lazarus Group wants both, plus your money.
That is what makes them genuinely weird to analyze. You cannot build a clean threat model around them because their motivation shifts depending on the target, the operation, and probably what Pyongyang needs funded that quarter. They are a spy apparatus and a criminal syndicate at the same time, run by one of the most sanctioned governments on earth.
If you spend any time in CTI, you already know this name. Here is why it keeps coming up.
Who they are
Lazarus Group is attributed to North Korea’s Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence directorate. They have been active since at least 2009, though most people outside the intelligence community first heard of them after the 2014 Sony Pictures attack.
The name “Lazarus Group” is essentially an umbrella. Depending on which vendor’s reporting you follow, you will also see sub-clusters called APT38, BlueNoroff, Andariel, and Hidden Cobra. These are not entirely separate organizations – they are functional units with different specializations. APT38 focuses on financial institutions and SWIFT fraud. Andariel leans toward South Korean targets and has been linked to ransomware deployment. The lines between them blur, and different researchers draw them differently.
The U.S. government formally attributed Lazarus to the North Korean state in 2018. The FBI, CISA, and Treasury have all named them directly in public advisories since then.
What they want
North Korea runs under severe international sanctions. The regime needs hard currency – to fund weapons programs, pay officials, keep things running. Lazarus is one of the primary ways they get it. The UN Panel of Experts linked the group to over $3 billion in stolen cryptocurrency between 2017 and 2023.
At the same time, they run traditional espionage operations: defense secrets, government agencies, think tanks focused on Korean Peninsula policy.
That dual mission is what makes them hard to profile. A financial firm getting hit might be a straight theft operation. A defense contractor might be espionage. It might be both. You cannot assume motivation from target type alone, which is not something you can say about most APTs.
How they operate
Spearphishing is usually where it starts. They are patient about it. Targets get customized lures – fake job offers come up constantly, especially in crypto and defense. The “Dream Job” campaign ran for years, sending fabricated recruitment packages to aerospace and defense employees to deliver malware through what looked like a normal hiring process. It worked repeatedly.
Supply chain compromise is in the toolkit too. The breach of 3CX, a widely used VoIP software provider, was ultimately traced back to Lazarus. They compromised a legitimate software update and pushed malware to thousands of downstream customers. That is not something a low-capability group pulls off casually.
Cryptocurrency infrastructure is a persistent target. Exchanges, DeFi protocols, individual wallets. The 2022 Ronin Network breach drained $625 million in ETH and USDC from the Axie Infinity platform. Lazarus got in through compromised private keys obtained via a fake job offer sent to a senior engineer. Same playbook, different target.
They also build custom malware. Families like BLINDINGCAN, HOPLIGHT, and MagicRAT show up across campaigns, alongside custom loaders and droppers. They use commodity tooling too when it fits their operational security needs – they are not precious about it.
Notable campaigns
Sony Pictures (2014) is where the wider world started paying attention. Destructive malware wiped Sony’s network, gigabytes of internal data went public, and the operation was widely read as retaliation for “The Interview.” It was one of the first major nation-state destructive attacks against a private company on U.S. soil.
The Bangladesh Bank SWIFT heist in 2016 was something else. Lazarus manipulated interbank transfer requests to attempt a $1 billion theft from Bangladesh’s central bank. $81 million got out before a typo in one of the transfer requests triggered a hold. A typo. That is the only reason the number is not ten times larger.
WannaCry in 2017 hit over 200,000 systems across 150 countries in 72 hours. Hospitals, telecoms, government agencies. Attribution to Lazarus was based on code similarities to previously documented malware and infrastructure overlaps. The debate around that attribution was loud at the time, but the consensus held.
The Ronin Network breach in 2022 is the one I keep coming back to. $625 million, gone, through a fake LinkedIn job offer. The victim was a senior engineer who did not know he had been targeted until it was too late. The attack was not discovered for six days after it happened.
Why this matters for defenders
Most organizations are not direct North Korean espionage targets. That does not mean Lazarus is irrelevant to your work.
The techniques they use – job-themed spearphishing, supply chain compromise, cryptocurrency credential theft – have spread well beyond this group.
Understanding how the high end of the tradecraft works makes it easier to recognize the cheaper versions of the same techniques when they show up in your environment.
From a detection angle, CISA and the FBI have published multiple Malware Analysis Reports with IOCs and YARA rules for Lazarus-associated malware families. MITRE ATT&CK tracks them under G0032 and documents their TTPs in detail. Both are worth keeping bookmarked.
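To turn the G0032 reference into something a detection team can act on, here is an added example (not from the advisories or from ATT&CK's own tooling) that walks the intrusion-set, relationship and attack-pattern objects of an ATT&CK STIX bundle, lists the techniques attributed to the group, and diffs them against a detection inventory; it skips revoked or deprecated entries, which the real bundle carries. The bundle below is a constructed miniature with invented STIX ids; the technique ids are real ATT&CK ids chosen to match the tradecraft described above.

```python
# Constructed miniature of the public ATT&CK STIX bundle (same object shapes, invented
# STIX ids; technique ids are real ATT&CK ids). The real bundle is fetched separately.
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--0001", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--lazarus", "name": "Lazarus Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0032"}]},
    {"type": "attack-pattern", "id": "attack-pattern--phish", "name": "Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--supply", "name": "Compromise Software Supply Chain",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1195.002"}]},
    # Deprecated technique that an old relationship still points at: must be skipped.
    {"type": "attack-pattern", "id": "attack-pattern--old", "name": "Old Technique", "x_mitre_deprecated": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
     "source_ref": "intrusion-set--lazarus", "target_ref": "attack-pattern--phish"},
    {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
     "source_ref": "intrusion-set--lazarus", "target_ref": "attack-pattern--supply"},
    {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
     "source_ref": "intrusion-set--lazarus", "target_ref": "attack-pattern--old"},
]}

def attack_id(obj):
    """ATT&CK external id (G####/T####) of a STIX object, or '' if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""

def is_live(obj):
    """ATT&CK marks retired objects with revoked or x_mitre_deprecated; drop those."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def techniques_for_group(bundle, group_id):
    """Map technique id -> name for every live 'uses' relationship from the group."""
    objs = {o["id"]: o for o in bundle["objects"]}
    groups = {o["id"] for o in objs.values()
              if o["type"] == "intrusion-set" and is_live(o) and attack_id(o) == group_id}
    found = {}
    for o in objs.values():
        if (o["type"] != "relationship" or o.get("relationship_type") != "uses"
                or not is_live(o) or o["source_ref"] not in groups):
            continue
        target = objs.get(o["target_ref"])
        if target and target["type"] == "attack-pattern" and is_live(target):
            found[attack_id(target)] = target["name"]
    return found

def coverage_gap(bundle, group_id, detected_ids):
    """Attributed techniques for which the detection inventory records nothing."""
    return sorted(set(techniques_for_group(bundle, group_id)) - set(detected_ids))
```

Pointing SAMPLE_BUNDLE at the full enterprise-attack JSON gives the complete G0032 technique list, and coverage_gap against your detection inventory shows where the ATT&CK mapping has no rule behind it.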
Bottom line
Lazarus has been continuously active for over fifteen years. They have stolen billions, disrupted major corporations, and hit infrastructure across dozens of countries. The financial motivation sitting alongside the traditional espionage mission makes them harder to predict than groups with a single objective.
They are not going to stop. The sanctions that drive their existence are not going anywhere, which means the pressure to generate revenue through cybercrime is not going anywhere either. Tracking them is not optional if you work in threat intelligence.
Sources: CISA Advisory AA22-108A, MITRE ATT&CK G0032, UN Panel of Experts Report S/2023/171, Mandiant APT38 Report (2018), FBI Flash CU-000167-MW