Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10 High
≥ 3 Moderate
< 3 Low
Attribution signals
28 mentions · 5 sources
"the FBI, CISA, and U.S. Treasury confirmed that the DPRK-backed entities behind TraderTraitor are tracked as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima"
"attributed to Lazarus Group"
"The FBI attributed approximately $1.5 billion in stolen virtual assets to TraderTraitor in February 2025."
"it was seen in the wild, and since then in multiple attacks attributed to Lazarus' Operation DreamJob campaigns"
"a campaign that we track under the umbrella of North Korea-aligned Lazarus"
"ESET research analyzes a recent instance of the Operation DreamJob cyberespionage campaign conducted by Lazarus, a North Korea-aligned APT group"
"We also tracked the continuing evolution of Lazarus campaigns, including Operation DreamJob and Operation DangerousPassword."
"North Korea's Lazarus Group has posed as recruiters on LinkedIn to install malware on the machines of individuals working in an aerospace company, as discovered by ESET Research."
"Lazarus organization is launching ClickFix attacks against high-value environments using macOS systems"
"Expel discovers and continuously tracks HexagonalRodent (alias Famous Chollima subset), assessed as high-confidence DPRK state-sponsored APT sub-group."
"In summary, we attribute this activity with a high level of confidence to Lazarus, particularly to its campaigns related to Operation DreamJob"
"Lazarus and DeceptiveDevelopment continued to invest in long-term relationship building with high-value targets"
Hedge terms observed