What is the Lazarus Group?

The Lazarus Group (also known as Hidden Cobra, ZINC, and Diamond Sleet) is a North Korean state-sponsored advanced persistent threat (APT) group linked to the Reconnaissance General Bureau (RGB). They are responsible for major cyber operations including the Sony Pictures hack (2014), Bangladesh Bank heist (2016), WannaCry ransomware (2017), and billions in cryptocurrency theft.

What TTPs does Lazarus Group use?

Lazarus Group employs spear-phishing, watering hole attacks, supply chain compromise, custom malware (BLINDINGCAN, HOPLIGHT, FALLCHILL), cryptocurrency theft tools, and destructive wiper malware. They target financial institutions, cryptocurrency exchanges, defense contractors, and media companies worldwide.

Lazarus Group / Hidden Cobra

Lazarus Group / Hidden Cobra (also known as Hidden Cobra, Zinc, Diamond Sleet, TEMP.Hermit) is a state-sponsored advanced persistent threat group attributed to North Korea (RGB), active since 2009. The group primarily targets financial, cryptocurrency, defense, aerospace worldwide sectors. It is tracked by MITRE ATT&CK as G0032.

Overview & Attribution

North Korea's most prolific APT group, responsible for the Sony hack, WannaCry, Bangladesh Bank heist, and billions in cryptocurrency theft to fund the DPRK weapons program.

Threat Assessment

Lazarus Group has been active since 2009, attributed to North Korea (RGB). The group is known for targeting financial, cryptocurrency, defense, aerospace worldwide using a combination of custom malware, living-off-the-land techniques, and sophisticated social engineering.

Attribution: North Korea (RGB)
Active since: 2009
Primary targets: financial, cryptocurrency, defense, aerospace worldwide
Also known as: Hidden Cobra, Zinc, Diamond Sleet, TEMP.Hermit

Arsenal & Tools

Lazarus Group employs a diverse arsenal of custom and shared tooling:

Manuscrypt: Custom/shared tooling used in operations
DTrack: Custom/shared tooling used in operations
BLINDINGCAN: Custom/shared tooling used in operations
AppleJeus: Custom/shared tooling used in operations
DeathNote: Custom/shared tooling used in operations
LightlessCan: Custom/shared tooling used in operations

Targeting & Operations

The group focuses on financial, cryptocurrency, defense, aerospace worldwide sectors, with operations spanning multiple geographic regions. Their campaigns typically involve carefully crafted spearphishing, strategic watering holes, and exploitation of public-facing applications.

Operational Pattern

Lazarus Group is characterized by persistent, long-term access operations. Once inside a target network, the group establishes multiple redundant persistence mechanisms and moves laterally to high-value systems before beginning data exfiltration.

MITRE ATT&CK Mapping

Tactic	Technique	Usage
Initial Access	T1195.002 Supply Chain Compromise	Software supply chain attacks
Execution	T1059.001 PowerShell	PowerShell implants
Persistence	T1543.003 Windows Service	Service persistence
Defense Evasion	T1027.002 Software Packing	Heavy obfuscation
Credential Access	T1555.003 Browser Credentials	Credential theft
C2	T1071.001 Web Protocols	HTTP/HTTPS C2

Notable Campaigns

Lazarus Group has been linked to multiple significant campaigns targeting financial, cryptocurrency, defense, aerospace worldwide organizations. The group continuously evolves its tooling and infrastructure to evade detection while maintaining persistent access to compromised networks.

Long-term espionage: Multi-year intrusions into government and defense networks
Supply chain targeting: Compromise of technology providers and managed service providers
Zero-day exploitation: Use of previously unknown vulnerabilities for initial access

Detection & Defense

Threat intelligence integration: Monitor for known Lazarus Group IOCs and TTPs in SIEM/EDR platforms
Network monitoring: Detect C2 patterns associated with Manuscrypt and related tooling
Email security: Implement advanced phishing detection for spearphishing campaigns
Endpoint detection: Deploy behavioral detection rules for known Lazarus Group TTPs
Patch management: Prioritize patching of vulnerabilities known to be exploited by this group
Lateral movement detection: Monitor for suspicious authentication patterns and admin tool usage

Defend Against Lazarus Group

Mjolnir Security provides specialized capabilities to detect and respond to Lazarus Group operations.

APT DetectionThreat HuntingIncident ResponseMDR ServicesThreat Intelligence

APT Threat Hunting Proactive hunting for Lazarus Group TTPs, tooling artifacts, and infrastructure indicators within your environment.
Threat Intelligence Continuous monitoring of Lazarus Group campaigns and infrastructure changes with actionable intelligence for your defense team.
24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.

Written by: Mjolnir Security  |  Published: February 10, 2026