THREATOPS Actor Dossier
LIVE ← Dashboard

Lazarus Group

G00323 reports
aliases · Lazarus Group · Labyrinth Chollima · HIDDEN COBRA · Guardians of Peace · ZINC · NICKEL ACADEMY · Diamond Sleet
Export dossier:
3
Reports
5
Techniques
5
Tactics
4
Countries
80%
Hunt coverage
7
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1213.002 (Sharepoint), T1588.006 (Vulnerabilities), T1021.007 (Cloud Services).
  • Primary targeting: KP, KR, US, IN.
  • Newly emerged: 3 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 5 new technique(s), 8 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 80% of 5 observed techniques (1 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

Newly emergedLast 30d: 3 vs 0 prior (+100%)· first reported 2026-06-15 · last 2026-07-10
2
7d
3
30d
3
90d
3
All
0.2
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1213.002T1588.006T1021.007T1589.001AML.T0011.001
Targeting gained
INKPKRUS
New infrastructure
https://denizhalil.com/2026/06/12/cve-20https://labs.watchtowr.com/why-use-app-lhttps://www.pwndefend.com/2026/06/09/cvec8ecb7bf007e197781883d29b672714d956a1876eff0bcdc53fee23e89142ea2track.hubspot.com2fwww.sonatype.com252fwww.sonatype.com

Vulnerabilities in this actor's reporting · 58

Overview

Analyst triage
Intelligence summary

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.(Citation: Mandiant DPRK Laz Org Breakdown 2022)(Citation: Mandiant DPRK Groups 2023)(Citation: JPCert Blog Laz Subgroups 2025)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected