Lazarus Group
G00323 reportsAnalyst assessment — key judgments
- Signature techniques: T1213.002 (Sharepoint), T1588.006 (Vulnerabilities), T1021.007 (Cloud Services).
- Primary targeting: KP, KR, US, IN.
- Newly emerged: 3 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 5 new technique(s), 8 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 80% of 5 observed techniques (1 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Movement — last 30 days
Vulnerabilities in this actor's reporting · 58
- CVE-2016-4437KEV1 rpt
- CVE-2021-26855KEV1 rpt
- CVE-2021-36260KEV1 rpt
- CVE-2022-0492KEV1 rpt
- CVE-2022-27925KEV1 rpt
- CVE-2022-40684KEV1 rpt
- CVE-2022-41082KEV1 rpt
- CVE-2023-20198KEV1 rpt
- CVE-2023-32315KEV1 rpt
- CVE-2023-46747KEV1 rpt
- CVE-2024-21182KEV1 rpt
- CVE-2024-21762KEV1 rpt
- CVE-2024-36401KEV1 rpt
- CVE-2025-48595KEV1 rpt
- CVE-2025-55182KEV1 rpt
- CVE-2025-6218KEV1 rpt
- CVE-2025-67038KEV1 rpt
- CVE-2025-8088KEV1 rpt
- CVE-2026-10520KEV1 rpt
- CVE-2026-11645KEV1 rpt
- CVE-2026-12569KEV1 rpt
- CVE-2026-20230KEV1 rpt
- CVE-2026-20245KEV1 rpt
- CVE-2026-20253KEV1 rpt
- CVE-2026-20262KEV1 rpt
Overview
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.(Citation: Mandiant DPRK Laz Org Breakdown 2022)(Citation: Mandiant DPRK Groups 2023)(Citation: JPCert Blog Laz Subgroups 2025)
ATT&CK technique matrix
- T1213.002 · Sharepointconf 601evidence: June 2026 CVE Landscape
- T1588.006 · Vulnerabilitiesconf 601evidence: June 2026 CVE Landscape
- T1021.007 · Cloud Servicesconf 601evidence: Q2 2026 Open Source Malware Index
- T1589.001 · Credentialsconf 601evidence: Q2 2026 Open Source Malware Index
- AML.T0011.001 · Malicious Packageconf 601evidence: Q2 2026 Open Source Malware Index
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|