Lazarus Group
Executive Profile (BLUF)
“Lazarus Group” is not a discrete operational unit. It is an analytic umbrella term — most authoritatively codified in U.S. Government usage as Hidden Cobra (DHS/US-CERT, 2017 onward) — covering the cyber activity of multiple sub-clusters subordinated to the Reconnaissance General Bureau (RGB)‘s 3rd Bureau (Lab 110, historically Bureau 121) of the Democratic People’s Republic of Korea. Under this umbrella sit the financial-crime cluster APT38 — Bluenoroff, the espionage cluster Andariel, a general-purpose Lab 110 cluster, and, since January 2021, the CERIUM-aligned Bureau 325. The fact that “Lazarus” is an umbrella rather than a single team is a structural attribute the analyst must keep in view: attributions to “Lazarus” pool together operations that, at organisational ground truth, are run by different sub-units with different missions.
Lazarus is the most consequential state-sponsored cyber actor in the financial domain in modern history. Its operations span destructive sabotage (Sony Pictures 2014), commodity-grade ransomware with global civilian impact (WannaCry 2017), bank heists at central-bank scale (Bangladesh Bank 2016), supply-chain compromise (3CX 2023, JumpCloud 2023), and crypto-ecosystem theft now measured in single-incident billions (Ronin 2022, Bybit 2025). It was formally designated by OFAC on September 13, 2019 alongside its sub-clusters as the cyber arm of the Reconnaissance General Bureau (RGB).
Organizational Structure / Parent Hierarchy
State Affairs Commission (DPRK)
└── Korean People's Army General Staff
└── Reconnaissance General Bureau (RGB)
├── 3rd Bureau — Foreign Intelligence / Technical
│ └── Lab 110 (reorganised from Bureau 121, per Mandiant 2023)
│ ├── Lazarus core / general operations cluster
│ ├── APT38 / Bluenoroff — financial crime
│ └── Andariel — espionage, defense targets
├── 5th Bureau — Inter-Korean / Diplomacy
│ └── Kimsuky (per multiple Western analyses)
└── Bureau 325 — CERIUM (announced January 2021)
Parent unit: Reconnaissance General Bureau (RGB) / 3rd Bureau (Lab 110).
Force size estimates: Defector and secondary-source estimates of total Bureau 121 / Lab 110 personnel range widely from approximately 600 to over 6,000 operators. The variance reflects the difficulty of reconstructing DPRK military-intelligence headcount from defector accounts alone. CrowdStrike, Mandiant, and Microsoft track several hundred distinct operator personas through tooling and infrastructure clustering.
Vendor and government naming taxonomy:
| Source | Name |
|---|---|
| U.S. Government (DHS/US-CERT, FBI) | HIDDEN COBRA |
| Microsoft (legacy) | ZINC |
| Microsoft (current, weather taxonomy) | DIAMOND SLEET (Lazarus core), SAPPHIRE SLEET (APT38-aligned crypto activity) |
| CrowdStrike | LABYRINTH CHOLLIMA (Lazarus core); STARDUST CHOLLIMA (APT38) |
| Mandiant | TEMP.Hermit, APT38 (Bluenoroff cluster), Andariel |
| Kaspersky / ESET / Trend Micro | Lazarus, Bluenoroff, Andariel |
| Treasury (OFAC) | Lazarus Group, Bluenoroff, Andariel (designated 13 Sep 2019) |
Front infrastructure: The DOJ’s September 2018 indictment of Park Jin Hyok established Chosun Expo Joint Venture (KEJV), a China-based front company operating from Dalian, as a cover for DPRK programmer deployments. Subsequent indictments and Treasury actions have named additional China- and Russia-based front entities and a global network of DPRK IT workers (the focus of CISA AA22-108A and successor advisories).
Mission & Targeting
Across its sub-clusters, Lazarus pursues three overlapping mission sets:
- Strategic destruction and signalling — Sony Pictures (2014), South Korean banking and broadcasting (Operation DarkSeoul 2013 lineage), and selective destructive operations aligned with regime political objectives.
- Revenue generation for the sanctioned state — Bank SWIFT operations (2014–2019), cryptocurrency exchange and bridge theft (2017 onward), ransomware (WannaCry 2017), ATM cash-out schemes (FASTCash since 2018), and the parallel revenue stream of overseas DPRK IT workers under false identity (CISA AA22-108A).
- Strategic espionage — Defense, aerospace, nuclear, and policy targets via the Andariel sub-cluster and Lazarus-core operations. The “Dream Job” / Operation North Star LinkedIn recruiter-lure campaign is the most documented pattern.
Geographic targeting is global. Mandiant assesses APT38 — Bluenoroff alone has operated against banks in at least 38 countries. WannaCry’s indiscriminate worm propagation made Lazarus the first state-sponsored actor to cause documented mass civilian harm at NHS-incident scale.
Capabilities & TTPs
Initial access:
- Spear-phishing with weaponised documents (RTF, HWP for Korean targets, Office macros).
- “Dream Job” / Operation North Star — fake recruiter outreach on LinkedIn against aerospace, defense, and cryptocurrency-engineering targets; vector for the Ronin Bridge 2022 compromise.
- Supply-chain compromise — 3CX DesktopApp (March 2023), JumpCloud (June 2023), CyberLink Promeo (2023), prior MeDoc-adjacent operations.
- Watering-hole compromise of South Korean and crypto-industry sites.
Tooling and malware families:
- Destructive / wipers: Destover (Sony 2014), KillDisk variants.
- Loaders and droppers: Manuscrypt, BLINDINGCAN (CISA AR20-232A), AppleJeus (cross-platform crypto-focused).
- Backdoors: LightlessCan, BADCALL, FALLCHILL, HARDRAIN, HOPLIGHT.
- Macos targeting: AppleJeus, RustBucket, KandyKorn — Lazarus is among the most operationally proficient state actors on macOS.
- Ransomware: WannaCry (2017), Hermes precursor (2017), VHD ransomware (2020).
- Financial-system specific: FASTCash for ATM switching infrastructure; SWIFT-specific tooling under APT38 — Bluenoroff (EVTDIAG, MSOUTC, MSDELETE).
Tradecraft features:
- EternalBlue weaponisation — WannaCry repurposed the SMBv1 exploit from the NSA tools leaked by the Shadow Brokers. The kill-switch domain was inadvertently registered by Marcus Hutchins on May 12, 2017, halting global propagation; without that intervention, impact would have been substantially worse.
- Operational discipline on high-value targets — Multi-month reconnaissance of single targets, custom tooling per operation, careful operator OPSEC.
- Operator pace — Higher than most state actors due to revenue-generation mission; some operations are visibly time-pressured (BangladeshBank, several crypto thefts) with attendant tradecraft errors that have aided attribution.
- Cross-cluster infrastructure overlap with Gamaredon-adjacent FSB operators documented post-2023 (Trend Micro, April 2025). Analytically significant: shared infrastructure complicates attribution and may indicate institutionalised DPRK–Russia operator cohabitation following the June 2024 strategic partnership treaty.
Refer to Advanced Persistent Threats for general framework.
Major Operations (table)
| Date | Operation | Impact | Confidence |
|---|---|---|---|
| Mar 2013 | DarkSeoul wiper attacks | South Korean banks, broadcasters; ~50,000 systems wiped | High (KISA, FireEye) |
| Nov 2014 | Sony Pictures Entertainment | Destructive wiper (Destover); exfiltration and leak of internal data; FBI attribution Dec 2014 | High (FBI, DOJ 2018) |
| Feb 2016 | Bangladesh Bank SWIFT heist (executed by APT38 — Bluenoroff) | $81M of $851M attempted; laundered via Philippines RCBC | High (DOJ 2021, Mandiant) |
| May 2017 | WannaCry ransomware | 200,000+ systems / 150+ countries; UK NHS disrupted; White House attribution Dec 2017 | High (DOJ 2018, FVEY) |
| 2018–ongoing | FASTCash ATM cash-out (CISA AA18-275A) | ATM switch compromise; tens of millions exfiltrated across multiple countries | High (CISA, FBI) |
| Sept 2018 | DOJ indicts Park Jin Hyok | First named DPRK cyber operator | High (DOJ) |
| 2019–2021 | Operation Dream Job / Operation In(ter)ception (ESET) | Aerospace, defense, crypto industry targeting via LinkedIn lures | High (ESET, Mandiant) |
| Sept 2019 | OFAC designation (sm774) | Lazarus, Bluenoroff, Andariel sanctioned as RGB sub-entities | High (Treasury) |
| Feb 2021 | DOJ indicts Jon Chang Hyok, Kim Il, Park Jin Hyok | $1.3B scheme | High (DOJ) |
| Mar 2022 | Ronin Bridge (Axie Infinity) — ~$620M ETH/USDC | Largest single DeFi theft at time; Dream Job lure as initial access | High (Treasury attribution Apr 2022, Chainalysis) |
| Mar 2023 | 3CX DesktopApp supply-chain compromise | Signed binary distribution; cascading downstream compromise (incl. Trading Technologies X_TRADER) | High (Mandiant, vendor confirmation) |
| Jun 2023 | JumpCloud compromise | MSP supply-chain access to downstream cryptocurrency firms | High (JumpCloud, Mandiant) |
| Apr 2025 | Trend Micro reports DPRK–FSB infrastructure overlap | Shared infrastructure with Gamaredon | Medium-High (Trend Micro) |
| Feb 2025 | Bybit theft (~$1.5B) | Largest crypto theft on record at time; FBI attribution within days | High (FBI, Chainalysis, TRM Labs) |
Attribution Basis
The U.S. Government, allied intelligence services, and the private threat-intelligence community converge on DPRK / RGB attribution for the Lazarus umbrella on the basis of:
- DOJ indictments (September 2018 — Park Jin Hyok; February 2021 — Jon Chang Hyok et al.) naming DPRK nationals, e-mail accounts, and the Chosun Expo Joint Venture front company.
- OFAC designations (September 13, 2019; press release sm774) under EO 13722 explicitly identifying Lazarus, APT38 — Bluenoroff, and Andariel as RGB sub-clusters.
- White House statement on WannaCry (December 19, 2017, Tom Bossert), formally attributing WannaCry to DPRK, joined by UK, Canada, Australia, New Zealand, Japan.
- Technical malware-family clustering — Destover ↔ Sony; Manuscrypt and BLINDINGCAN families; AppleJeus signature evolution; recurrent code reuse documented by Kaspersky, ESET, Mandiant.
- Infrastructure clustering — Operator IP reuse traceable to DPRK-allocated Star JV ranges and to forward-deployed nodes in China and Russia.
- On-chain forensics — Chainalysis, TRM Labs, and Elliptic have published deterministic clustering of DPRK theft addresses across Ronin, Atomic Wallet, Stake.com, and Bybit incidents, supporting law-enforcement seizure actions.
Where attribution is contested or shifting, it is generally at the sub-cluster boundary (is this APT38 or Andariel? Is this Lazarus core or a CERIUM operation?), not at the umbrella DPRK level.
Geopolitical Context
Lazarus operations express the DPRK’s strategic posture across three vectors:
- Sanctions resistance — Since UNSCR 2270 (2016) and successor resolutions, cyber theft has become a structurally necessary revenue line. UN Panel of Experts assessments (until terminated by Russian veto in April 2024) tracked cumulative theft to several billion USD by 2023.
- Coercive signalling — Sony 2014 demonstrated the regime would conduct destructive operations against a private entity over content offensive to the leadership. WannaCry’s collateral damage signalled willingness to externalise tradecraft costs to the global civilian network.
- Alliance and bloc dynamics — The DPRK–Russia strategic partnership treaty (June 2024) and DPRK munitions/troop deployments supporting the Ukraine War correlate with reported infrastructure overlaps between Lazarus-cluster and FSB-aligned operators. This is an emerging analytical thread and should be tracked under both DPRK and Russia cyber files. See DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization.
Gaps
- Internal organisational boundary between “Lazarus core” and APT38 — Bluenoroff post-2020 — Mandiant’s 2023 lineage reassessment clarified Lab 110 / Bureau 121, but cluster boundaries continue to shift; some 2024–2025 crypto operations cannot be cleanly allocated to a single sub-unit.
- Bureau 325 / CERIUM scope — Health-sector targeting peaked during the pandemic; the unit’s current portfolio is not well documented.
- Operator deployment in Russia post-2024 — Headcount, basing, and the degree of operational integration with FSB / GRU remain in the gap.
- DPRK IT-worker ↔ Lazarus tactical handoff — CISA AA22-108A established the IT-worker scheme as a parallel revenue programme; the extent to which IT-worker personas double as Lazarus-cluster initial access is partly mapped but not exhaustively.
- Full Chosun Expo successor network — Post-2018 indictment, regenerated front-company infrastructure is incompletely characterised in the public record.
Strategic Implications
For Western posture, Lazarus crystallises three durable problems:
- The “criminal-state” hybrid is now permanent. Lazarus operations fund the DPRK strategic weapons programmes through criminal-grade tradecraft executed at state scale. Counter-cyber and counter-finance must operate as a single discipline.
- The crypto attack surface scales faster than defensive maturity. Each cycle of crypto-platform consolidation (CEX → DeFi bridges → restaking → re-CEX after FTX) presents Lazarus a new under-hardened high-value target. Bybit 2025 demonstrates the per-incident ceiling continues to rise.
- Supply-chain operations against signed software (3CX, JumpCloud) are now baseline tradecraft for the umbrella. Critical-infrastructure operators and software vendors should treat DPRK supply-chain risk on par with Russia-attributed (e.g. SolarWinds/UNC2452) and China-attributed equivalents.
- Attribution complication from DPRK–Russia infrastructure sharing. If shared infrastructure with FSB-aligned operators becomes deliberate, attribution at the cluster boundary will degrade, and policy responses will need to accept higher analytic uncertainty.
Sources (confidence-tagged)
- [High, authoritative] U.S. Department of Justice, Indictment of Park Jin Hyok, Sept 6, 2018. Foundational naming of operator, Chosun Expo cover, link of Sony / Bangladesh Bank / WannaCry.
- [High, authoritative] U.S. Department of Justice, Indictment of Jon Chang Hyok, Kim Il, Park Jin Hyok, Feb 17, 2021. $1.3B aggregate; covers crypto, banks, ATM cash-out.
- [High, authoritative] U.S. Treasury / OFAC Press Release sm774, Sept 13, 2019. Designates Lazarus, Bluenoroff, Andariel as RGB sub-entities.
- [High, authoritative] White House statement on WannaCry attribution, Dec 19, 2017 (Bossert).
- [High, authoritative] CISA / FBI / USCYBERCOM advisories: TA17-164A, AR18-165A, AA18-275A (FASTCash), AA20-239A (BLINDINGCAN), AA22-108A (DPRK IT workers), and successors.
- [High] Mandiant, “APT38: Un-usual Suspects” (Oct 2018) + 2023 Lab 110 / Bureau 121 lineage update.
- [High] CrowdStrike Global Threat Reports (Chollima taxonomy).
- [High] Microsoft Threat Intelligence: ZINC / DIAMOND SLEET / SAPPHIRE SLEET tracking.
- [High] Kaspersky GReAT, ESET, Trend Micro technical reporting on Lazarus malware families (AppleJeus, Manuscrypt, RustBucket, KandyKorn).
- [High] Chainalysis Crypto Crime Reports 2022–2025; on-chain attribution of Ronin, Atomic Wallet, Stake.com, Bybit thefts.
- [Medium-High] Trend Micro, “Earth Koshchei / DPRK–FSB infrastructure overlaps”, April 2025.
- [Medium] UN Panel of Experts on DPRK reports through 2024 (mandate terminated April 2024 by Russian veto).
- [Medium] ESET, “Operation In(ter)ception” and “Operation Dream Job” (2020–2024).
- [Background] Marcus Hutchins / MalwareTech analysis of WannaCry kill-switch, May 2017.