Lazarus Group

Executive Profile (BLUF)

“Lazarus Group” is not a discrete operational unit. It is an analytic umbrella term — most authoritatively codified in U.S. Government usage as Hidden Cobra (DHS/US-CERT, 2017 onward) — covering the cyber activity of multiple sub-clusters subordinated to the Reconnaissance General Bureau (RGB)‘s 3rd Bureau (Lab 110, historically Bureau 121) of the Democratic People’s Republic of Korea. Under this umbrella sit the financial-crime cluster APT38 — Bluenoroff, the espionage cluster Andariel, a general-purpose Lab 110 cluster, and, since January 2021, the CERIUM-aligned Bureau 325. The fact that “Lazarus” is an umbrella rather than a single team is a structural attribute the analyst must keep in view: attributions to “Lazarus” pool together operations that, at organisational ground truth, are run by different sub-units with different missions.

Lazarus is the most consequential state-sponsored cyber actor in the financial domain in modern history. Its operations span destructive sabotage (Sony Pictures 2014), commodity-grade ransomware with global civilian impact (WannaCry 2017), bank heists at central-bank scale (Bangladesh Bank 2016), supply-chain compromise (3CX 2023, JumpCloud 2023), and crypto-ecosystem theft now measured in single-incident billions (Ronin 2022, Bybit 2025). It was formally designated by OFAC on September 13, 2019 alongside its sub-clusters as the cyber arm of the Reconnaissance General Bureau (RGB).

Organizational Structure / Parent Hierarchy

State Affairs Commission (DPRK)
  └── Korean People's Army General Staff
        └── Reconnaissance General Bureau (RGB)
              ├── 3rd Bureau — Foreign Intelligence / Technical
              │     └── Lab 110 (reorganised from Bureau 121, per Mandiant 2023)
              │           ├── Lazarus core / general operations cluster
              │           ├── APT38 / Bluenoroff — financial crime
              │           └── Andariel — espionage, defense targets
              ├── 5th Bureau — Inter-Korean / Diplomacy
              │     └── Kimsuky (per multiple Western analyses)
              └── Bureau 325 — CERIUM (announced January 2021)

Parent unit: Reconnaissance General Bureau (RGB) / 3rd Bureau (Lab 110).

Force size estimates: Defector and secondary-source estimates of total Bureau 121 / Lab 110 personnel range widely from approximately 600 to over 6,000 operators. The variance reflects the difficulty of reconstructing DPRK military-intelligence headcount from defector accounts alone. CrowdStrike, Mandiant, and Microsoft track several hundred distinct operator personas through tooling and infrastructure clustering.

Vendor and government naming taxonomy:

SourceName
U.S. Government (DHS/US-CERT, FBI)HIDDEN COBRA
Microsoft (legacy)ZINC
Microsoft (current, weather taxonomy)DIAMOND SLEET (Lazarus core), SAPPHIRE SLEET (APT38-aligned crypto activity)
CrowdStrikeLABYRINTH CHOLLIMA (Lazarus core); STARDUST CHOLLIMA (APT38)
MandiantTEMP.Hermit, APT38 (Bluenoroff cluster), Andariel
Kaspersky / ESET / Trend MicroLazarus, Bluenoroff, Andariel
Treasury (OFAC)Lazarus Group, Bluenoroff, Andariel (designated 13 Sep 2019)

Front infrastructure: The DOJ’s September 2018 indictment of Park Jin Hyok established Chosun Expo Joint Venture (KEJV), a China-based front company operating from Dalian, as a cover for DPRK programmer deployments. Subsequent indictments and Treasury actions have named additional China- and Russia-based front entities and a global network of DPRK IT workers (the focus of CISA AA22-108A and successor advisories).

Mission & Targeting

Across its sub-clusters, Lazarus pursues three overlapping mission sets:

  1. Strategic destruction and signalling — Sony Pictures (2014), South Korean banking and broadcasting (Operation DarkSeoul 2013 lineage), and selective destructive operations aligned with regime political objectives.
  2. Revenue generation for the sanctioned state — Bank SWIFT operations (2014–2019), cryptocurrency exchange and bridge theft (2017 onward), ransomware (WannaCry 2017), ATM cash-out schemes (FASTCash since 2018), and the parallel revenue stream of overseas DPRK IT workers under false identity (CISA AA22-108A).
  3. Strategic espionage — Defense, aerospace, nuclear, and policy targets via the Andariel sub-cluster and Lazarus-core operations. The “Dream Job” / Operation North Star LinkedIn recruiter-lure campaign is the most documented pattern.

Geographic targeting is global. Mandiant assesses APT38 — Bluenoroff alone has operated against banks in at least 38 countries. WannaCry’s indiscriminate worm propagation made Lazarus the first state-sponsored actor to cause documented mass civilian harm at NHS-incident scale.

Capabilities & TTPs

Initial access:

  • Spear-phishing with weaponised documents (RTF, HWP for Korean targets, Office macros).
  • “Dream Job” / Operation North Star — fake recruiter outreach on LinkedIn against aerospace, defense, and cryptocurrency-engineering targets; vector for the Ronin Bridge 2022 compromise.
  • Supply-chain compromise — 3CX DesktopApp (March 2023), JumpCloud (June 2023), CyberLink Promeo (2023), prior MeDoc-adjacent operations.
  • Watering-hole compromise of South Korean and crypto-industry sites.

Tooling and malware families:

  • Destructive / wipers: Destover (Sony 2014), KillDisk variants.
  • Loaders and droppers: Manuscrypt, BLINDINGCAN (CISA AR20-232A), AppleJeus (cross-platform crypto-focused).
  • Backdoors: LightlessCan, BADCALL, FALLCHILL, HARDRAIN, HOPLIGHT.
  • Macos targeting: AppleJeus, RustBucket, KandyKorn — Lazarus is among the most operationally proficient state actors on macOS.
  • Ransomware: WannaCry (2017), Hermes precursor (2017), VHD ransomware (2020).
  • Financial-system specific: FASTCash for ATM switching infrastructure; SWIFT-specific tooling under APT38 — Bluenoroff (EVTDIAG, MSOUTC, MSDELETE).

Tradecraft features:

  • EternalBlue weaponisation — WannaCry repurposed the SMBv1 exploit from the NSA tools leaked by the Shadow Brokers. The kill-switch domain was inadvertently registered by Marcus Hutchins on May 12, 2017, halting global propagation; without that intervention, impact would have been substantially worse.
  • Operational discipline on high-value targets — Multi-month reconnaissance of single targets, custom tooling per operation, careful operator OPSEC.
  • Operator pace — Higher than most state actors due to revenue-generation mission; some operations are visibly time-pressured (BangladeshBank, several crypto thefts) with attendant tradecraft errors that have aided attribution.
  • Cross-cluster infrastructure overlap with Gamaredon-adjacent FSB operators documented post-2023 (Trend Micro, April 2025). Analytically significant: shared infrastructure complicates attribution and may indicate institutionalised DPRK–Russia operator cohabitation following the June 2024 strategic partnership treaty.

Refer to Advanced Persistent Threats for general framework.

Major Operations (table)

DateOperationImpactConfidence
Mar 2013DarkSeoul wiper attacksSouth Korean banks, broadcasters; ~50,000 systems wipedHigh (KISA, FireEye)
Nov 2014Sony Pictures EntertainmentDestructive wiper (Destover); exfiltration and leak of internal data; FBI attribution Dec 2014High (FBI, DOJ 2018)
Feb 2016Bangladesh Bank SWIFT heist (executed by APT38 — Bluenoroff)$81M of $851M attempted; laundered via Philippines RCBCHigh (DOJ 2021, Mandiant)
May 2017WannaCry ransomware200,000+ systems / 150+ countries; UK NHS disrupted; White House attribution Dec 2017High (DOJ 2018, FVEY)
2018–ongoingFASTCash ATM cash-out (CISA AA18-275A)ATM switch compromise; tens of millions exfiltrated across multiple countriesHigh (CISA, FBI)
Sept 2018DOJ indicts Park Jin HyokFirst named DPRK cyber operatorHigh (DOJ)
2019–2021Operation Dream Job / Operation In(ter)ception (ESET)Aerospace, defense, crypto industry targeting via LinkedIn luresHigh (ESET, Mandiant)
Sept 2019OFAC designation (sm774)Lazarus, Bluenoroff, Andariel sanctioned as RGB sub-entitiesHigh (Treasury)
Feb 2021DOJ indicts Jon Chang Hyok, Kim Il, Park Jin Hyok$1.3B schemeHigh (DOJ)
Mar 2022Ronin Bridge (Axie Infinity) — ~$620M ETH/USDCLargest single DeFi theft at time; Dream Job lure as initial accessHigh (Treasury attribution Apr 2022, Chainalysis)
Mar 20233CX DesktopApp supply-chain compromiseSigned binary distribution; cascading downstream compromise (incl. Trading Technologies X_TRADER)High (Mandiant, vendor confirmation)
Jun 2023JumpCloud compromiseMSP supply-chain access to downstream cryptocurrency firmsHigh (JumpCloud, Mandiant)
Apr 2025Trend Micro reports DPRK–FSB infrastructure overlapShared infrastructure with GamaredonMedium-High (Trend Micro)
Feb 2025Bybit theft (~$1.5B)Largest crypto theft on record at time; FBI attribution within daysHigh (FBI, Chainalysis, TRM Labs)

Attribution Basis

The U.S. Government, allied intelligence services, and the private threat-intelligence community converge on DPRK / RGB attribution for the Lazarus umbrella on the basis of:

  • DOJ indictments (September 2018 — Park Jin Hyok; February 2021 — Jon Chang Hyok et al.) naming DPRK nationals, e-mail accounts, and the Chosun Expo Joint Venture front company.
  • OFAC designations (September 13, 2019; press release sm774) under EO 13722 explicitly identifying Lazarus, APT38 — Bluenoroff, and Andariel as RGB sub-clusters.
  • White House statement on WannaCry (December 19, 2017, Tom Bossert), formally attributing WannaCry to DPRK, joined by UK, Canada, Australia, New Zealand, Japan.
  • Technical malware-family clustering — Destover ↔ Sony; Manuscrypt and BLINDINGCAN families; AppleJeus signature evolution; recurrent code reuse documented by Kaspersky, ESET, Mandiant.
  • Infrastructure clustering — Operator IP reuse traceable to DPRK-allocated Star JV ranges and to forward-deployed nodes in China and Russia.
  • On-chain forensics — Chainalysis, TRM Labs, and Elliptic have published deterministic clustering of DPRK theft addresses across Ronin, Atomic Wallet, Stake.com, and Bybit incidents, supporting law-enforcement seizure actions.

Where attribution is contested or shifting, it is generally at the sub-cluster boundary (is this APT38 or Andariel? Is this Lazarus core or a CERIUM operation?), not at the umbrella DPRK level.

Geopolitical Context

Lazarus operations express the DPRK’s strategic posture across three vectors:

  1. Sanctions resistance — Since UNSCR 2270 (2016) and successor resolutions, cyber theft has become a structurally necessary revenue line. UN Panel of Experts assessments (until terminated by Russian veto in April 2024) tracked cumulative theft to several billion USD by 2023.
  2. Coercive signalling — Sony 2014 demonstrated the regime would conduct destructive operations against a private entity over content offensive to the leadership. WannaCry’s collateral damage signalled willingness to externalise tradecraft costs to the global civilian network.
  3. Alliance and bloc dynamics — The DPRK–Russia strategic partnership treaty (June 2024) and DPRK munitions/troop deployments supporting the Ukraine War correlate with reported infrastructure overlaps between Lazarus-cluster and FSB-aligned operators. This is an emerging analytical thread and should be tracked under both DPRK and Russia cyber files. See DPRK Cyber Warfare — Revenue, Espionage, and Geopolitical Weaponization.

Gaps

  • Internal organisational boundary between “Lazarus core” and APT38 — Bluenoroff post-2020 — Mandiant’s 2023 lineage reassessment clarified Lab 110 / Bureau 121, but cluster boundaries continue to shift; some 2024–2025 crypto operations cannot be cleanly allocated to a single sub-unit.
  • Bureau 325 / CERIUM scope — Health-sector targeting peaked during the pandemic; the unit’s current portfolio is not well documented.
  • Operator deployment in Russia post-2024 — Headcount, basing, and the degree of operational integration with FSB / GRU remain in the gap.
  • DPRK IT-worker ↔ Lazarus tactical handoff — CISA AA22-108A established the IT-worker scheme as a parallel revenue programme; the extent to which IT-worker personas double as Lazarus-cluster initial access is partly mapped but not exhaustively.
  • Full Chosun Expo successor network — Post-2018 indictment, regenerated front-company infrastructure is incompletely characterised in the public record.

Strategic Implications

For Western posture, Lazarus crystallises three durable problems:

  1. The “criminal-state” hybrid is now permanent. Lazarus operations fund the DPRK strategic weapons programmes through criminal-grade tradecraft executed at state scale. Counter-cyber and counter-finance must operate as a single discipline.
  2. The crypto attack surface scales faster than defensive maturity. Each cycle of crypto-platform consolidation (CEX → DeFi bridges → restaking → re-CEX after FTX) presents Lazarus a new under-hardened high-value target. Bybit 2025 demonstrates the per-incident ceiling continues to rise.
  3. Supply-chain operations against signed software (3CX, JumpCloud) are now baseline tradecraft for the umbrella. Critical-infrastructure operators and software vendors should treat DPRK supply-chain risk on par with Russia-attributed (e.g. SolarWinds/UNC2452) and China-attributed equivalents.
  4. Attribution complication from DPRK–Russia infrastructure sharing. If shared infrastructure with FSB-aligned operators becomes deliberate, attribution at the cluster boundary will degrade, and policy responses will need to accept higher analytic uncertainty.

Sources (confidence-tagged)

  • [High, authoritative] U.S. Department of Justice, Indictment of Park Jin Hyok, Sept 6, 2018. Foundational naming of operator, Chosun Expo cover, link of Sony / Bangladesh Bank / WannaCry.
  • [High, authoritative] U.S. Department of Justice, Indictment of Jon Chang Hyok, Kim Il, Park Jin Hyok, Feb 17, 2021. $1.3B aggregate; covers crypto, banks, ATM cash-out.
  • [High, authoritative] U.S. Treasury / OFAC Press Release sm774, Sept 13, 2019. Designates Lazarus, Bluenoroff, Andariel as RGB sub-entities.
  • [High, authoritative] White House statement on WannaCry attribution, Dec 19, 2017 (Bossert).
  • [High, authoritative] CISA / FBI / USCYBERCOM advisories: TA17-164A, AR18-165A, AA18-275A (FASTCash), AA20-239A (BLINDINGCAN), AA22-108A (DPRK IT workers), and successors.
  • [High] Mandiant, “APT38: Un-usual Suspects” (Oct 2018) + 2023 Lab 110 / Bureau 121 lineage update.
  • [High] CrowdStrike Global Threat Reports (Chollima taxonomy).
  • [High] Microsoft Threat Intelligence: ZINC / DIAMOND SLEET / SAPPHIRE SLEET tracking.
  • [High] Kaspersky GReAT, ESET, Trend Micro technical reporting on Lazarus malware families (AppleJeus, Manuscrypt, RustBucket, KandyKorn).
  • [High] Chainalysis Crypto Crime Reports 2022–2025; on-chain attribution of Ronin, Atomic Wallet, Stake.com, Bybit thefts.
  • [Medium-High] Trend Micro, “Earth Koshchei / DPRK–FSB infrastructure overlaps”, April 2025.
  • [Medium] UN Panel of Experts on DPRK reports through 2024 (mandate terminated April 2024 by Russian veto).
  • [Medium] ESET, “Operation In(ter)ception” and “Operation Dream Job” (2020–2024).
  • [Background] Marcus Hutchins / MalwareTech analysis of WannaCry kill-switch, May 2017.

See Also