{ "id": "05b91aac-5c0a-4940-a302-2b7622298cf9", "created_at": "2026-04-06T00:11:23.336572Z", "updated_at": "2026-04-10T03:38:18.990756Z", "deleted_at": null, "sha1_hash": "15fe3aebfe29419d4d6416ab6507b93808c0b014", "title": "Lazarus: History of mysterious group behind infamous cyber attacks", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1786209, "plain_text": "Lazarus: History of mysterious group behind infamous cyber\r\nattacks\r\nBy Threat Intel\r\nPublished: 2017-11-16 · Archived: 2026-04-05 13:01:37 UTC\r\nThe Lazarus group made headlines this week when Symantec researchers found strong evidence linking it to the\r\nWannaCry ransomware attacks that crippled computers all over the world earlier this month.\r\nThe group first came to broad international attention when it was implicated in the attacks on Sony in 2014, but it\r\nhas been in operation since at least 2009.\r\nPress enter or click to view image in full size\r\nHistory of attacks\r\n2009: Attacks on organizations in the U.S. and South Korea\r\nIn fact, it is possible that Lazarus was active as far back as 2007, but it first came to widespread attention in 2009,\r\nwhen a series of attacks starting on July 4 that year impacted several government, financial, and media websites in\r\nboth the U.S. and South Korea. The attacks began in the U.S. on its independence day, and targeted institutions\r\nhttps://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c\r\nPage 1 of 5\n\nincluding the White House and the Pentagon. Later that week the websites of major government, financial, and\r\nmedia organizations in South Korea were hit.\r\nThese attacks were distributed denial of service (DDoS) attacks that aimed to take websites offline. The attackers\r\nused the Dozer malware (Trojan.Dozer) to carry out these attacks. The attacks, while disruptive, were relatively\r\nunsophisticated, but over the years Lazarus has refined its methods to carry out more sophisticated attacks.\r\nHowever, as can be seen in the WannaCry attacks to which it has been linked, it can still be prone to sloppiness.\r\n2011: South Korean organizations targeted again\r\nIn 2011, organizations in South Korea were yet again targeted by DDoS attacks. Similar to 2009, a number of\r\ngovernment and private websites were targeted, this time using a tool called Trojan.Koredos. This attack was\r\nunusual for a DDoS attack because it did not use a command and control (C\u0026C) server; the commands were\r\nhidden inside the threat itself. The use of a tactic like this indicated a growth in sophistication from the group\r\ncompared to the 2009 attacks. Symantec research into this threat also found that, as well as carrying out a DDoS\r\nattack, if the infected computers were not cleared of this Trojan the master boot record (MBR) of some of them\r\nwould be destroyed within 10 days.\r\nPress enter or click to view image in full size\r\nSouth Korea’s capital Seoul. South Korean organizations have been frequently targeted by Lazarus.\r\n2013: Attacks become more destructive\r\nIn 2013, a destructive attack against banks and local broadcasting organizations in South Korea was reported. The\r\nattack defaced the website of a Korean ISP and also crippled servers belonging to a number of organizations. The\r\nwebsites of the companies affected went down in this attack, with a number of the organizations affected having\r\nhttps://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c\r\nPage 2 of 5\n\nthe hard drives of many of their computers wiped. Wiping malware called Jokra (Trojan.Jokra) was used in this\r\nattack, which a group called ‘WhoIs’ originally claimed credit for in a message posted on computers during the\r\nattacks. However, Symantec and other security researchers believe that the Lazarus group was behind this attack,\r\nas well as the two previously mentioned attacks in 2011 and 2009.\r\nAlso in 2013, researchers spotted a piece of malware called Castov (Downloader.Castov and Infostealer.Castov)\r\ntargeting South Korean financial institutions and their customers. In these attacks, which are also believed to\r\noriginate from Lazarus, Castov was used to steal passwords, account details, and digital certificates from the\r\ncomputers it infected. Castov (Trojan.Castov) was also used in further DDoS attacks against South Korean targets\r\nin June 2013.\r\nThe Sony attacks\r\nIt was the attack on the computer systems of Sony Pictures Entertainment (SPE) in 2014 that brought the Lazarus\r\ngroup to widespread attention.\r\nThe attack on Sony Pictures became public knowledge on November 24, 2014, when Sony employees turned on\r\ntheir computers to be greeted with the sight of a neon red skeleton and the words “Hacked by GOP”, which stood\r\nfor “Guardians of the Peace”. The message also threatened to release data later that day if an unspecified request\r\nwas not met. Over the following weeks, huge swathes of information stolen from Sony were released, including:\r\npersonal information about employees and their families; email correspondence between employees at the\r\ncompany; information about company salaries, unreleased Sony films, and other information.\r\nMuch of the leaked information, particularly some of the email correspondence between executives at the\r\ncompany, received a lot of coverage in the media and caused embarrassment for the company.\r\nIt’s not clear how long the hackers were on Sony’s systems before they released this information, but given how\r\nmuch data was obtained it is likely they maintained a presence for a few months at least.\r\nAs well as leaking this vast trove of data, the attackers also destroyed many computers in the organization using\r\nmalware identified as Backdoor.Destover. Destover is a particularly destructive malware that can completely wipe\r\ninfected systems. It was the subject of an FBI Flash Warning at the time. Flash Warnings are confidential alerts\r\nsent to businesses thought to be at risk from attackers. It is possible to configure Destover to only target computers\r\nin one particular organization, which is likely to have been the case in the Sony attack. Some of the tools and\r\ntechniques used by Destover allowed researchers to link it to the previously mentioned 2013 attacks carried out\r\nagainst targets in South Korea, indicating the same group was responsible for both these attacks.\r\nGet Threat Intel’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nThis attack was hugely high profile and received vast media coverage, with some executives at Sony even\r\nstepping down in its wake.\r\nhttps://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c\r\nPage 3 of 5\n\nPress enter or click to view image in full size\r\nThe Sony attacks, where were widely attributed to Lazarus, made headlines.\r\n2015: Manufacturing industry in South Korea targeted\r\nIn October 2015, Symantec found evidence that organizations in South Korea were being targeted by a number of\r\nmalicious tools, including Backdoor.Duuzer, W32.Brambul, and Backdoor.Joanap. These threats all appeared to\r\noriginate from the same actors and seemed to have a focus on the South Korean manufacturing industry. The aim\r\nof these attacks appeared to be to steal data and information: cyber espionage.\r\nSWIFT attacks\r\nA cyber attack in February 2016 resulted in $81 million being stolen from the Bangladesh Central Bank, with the\r\nfigure likely to have been much higher but for a typo and the vigilance of eagle-eyed bank officials who put a stop\r\nto the fraud before any more money was stolen. It is believed the attackers originally aimed to steal $1 billion.\r\nThe money was stolen through fraudulent SWIFT transactions, though the SWIFT system itself was not\r\ncompromised, and malware (Trojan.BanSwift) was used to cover the attackers’ tracks. Subsequent investigations\r\nby Symantec determined that the same attackers were behind similar attacks on other banks in Asia, including\r\nVietnam’s Tien Phong Bank, which said it had intercepted a fraudulent transfer of more than $1 million in the\r\nfourth quarter of 2015.\r\nCode sharing between the BanSwift Trojan and Backdoor.Contopee, which had previously been observed being\r\nused by Lazarus, led researchers to determine that Lazarus was also behind these attacks.\r\nThe Bangladesh bank heist was a sophisticated and complex attack. Much of the $81 million stolen in this attack\r\nremains unrecovered.\r\nhttps://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c\r\nPage 4 of 5\n\n2017: Banks targeted again\r\nIn February 2017, Symantec published an investigation into watering hole attacks that had attempted to infect\r\nmore than 100 organizations in 31 different countries with a previously undiscovered malware called\r\nDownloader.Ratabanka. These attacks were highly targeted, with the majority of institutions targeted being banks,\r\nwith a small number of telecoms and internet firms also on the list of targets. However, there was no evidence\r\nfunds were successfully stolen from any of the banks in this attack.\r\nResearchers from Symantec were able to establish a number of links between Ratabanka and tools previously\r\nassociated with Lazarus, leading them to conclude with reasonable confidence that the group was behind these\r\nattempted attacks.\r\nWannaCry rocks the world\r\nThe WannaCry ransomware attacks have received extensive coverage since a widespread attack on May 12 caused\r\nthe systems of many large organizations around the world, including the NHS in the UK, to come to a juddering\r\nhalt.\r\nSymantec discovered evidence that an earlier version of WannaCry was used in targeted attacks on enterprises in\r\nFebruary, March, and April, but the leak of the EternalBlue exploit code by the Shadow Brokers in April was\r\nseemingly a fortuitous occurrence for the attackers that allowed them to spread the ransomware much more\r\nwidely.\r\nAnalysis of the early WannaCry attacks by Symantec revealed substantial commonalities in the tools, techniques,\r\nand infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that\r\nLazarus was also behind the spread of WannaCry.\r\nWhile it made a splash, certain errors in how WannaCry was deployed indicate a degree of sloppiness that may\r\nhave curtailed its effectiveness. For example, while the ransomware had code to provide unique Bitcoin addresses\r\nfor each victim it defaulted to hardcoded addresses as a result of a race condition bug. This meant WannaCry\r\ncouldn’t use unique Bitcoin addresses because of the bug so couldn’t track payments. The attackers did release a\r\nvariant 13 hours after the initial deployment of WannaCry with this bug fixed, but the vast majority of infections\r\nthat occurred had this bug.\r\nMuch mystery still surrounds the WannaCry attack, and Lazarus itself, but given it has been active for almost a\r\ndecade, this ransomware attack is unlikely to be the last we see of this audacious attack group.\r\nCheck out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest\r\nhappenings in the world of threat intelligence and cybersecurity.\r\nLike this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on\r\nMedium for more great content.\r\nSource: https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c\r\nhttps://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA" ], "references": [ "https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c" ], "report_names": [ "lazarus-attacks-wannacry-5fdeddee476c" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434283, "ts_updated_at": 1775792298, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/15fe3aebfe29419d4d6416ab6507b93808c0b014.pdf", "text": "https://archive.orkl.eu/15fe3aebfe29419d4d6416ab6507b93808c0b014.txt", "img": "https://archive.orkl.eu/15fe3aebfe29419d4d6416ab6507b93808c0b014.jpg" } }