{
	"id": "ace7aafb-ebd5-4c44-8b87-2c0273d3c160",
	"created_at": "2026-04-06T00:14:31.300322Z",
	"updated_at": "2026-04-10T03:38:19.268413Z",
	"deleted_at": null,
	"sha1_hash": "311a9b40ed193e8fc9b816af46980ce582f02045",
	"title": "Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1110295,
	"plain_text": "Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup - JPCERT/CC Eyes\r\nBy 佐々木 勇人（Hayato Sasaki）\r\nPublished: 2025-03-24 · Archived: 2026-04-05 19:40:48 UTC\r\nLazarus\r\n*Please note that this article is a translation of the Japanese version published on January 20, 2025, and may not reflect the latest information on threat trends.\r\n“Lazarus”[1] no longer refers to a single APT group but to a collection of many subgroups. Originally, it referred to a single group or to activities by some small groups. I suppose that, as the scale of their activities expanded, the group branched out into multiple units. Now it is realistic to consider that “Lazarus” is no longer an applicable label.\r\nWhen I start talking about Lazarus’ subgroup-level identification or attribution, many people look skeptical or uninterested. However, this kind of analysis, which may seem overly obsessive, is actually crucial to addressing attacks against Japan as a whole, and this blog post explains the reasons.\r\nCharacteristics of Lazarus subgroups\r\nThere are already a number of labels that refer to Lazarus activities/campaigns and groups, and the number is growing. In addition, although this is not limited to Lazarus, various security vendors use different names for the same group, subgroup, and malware, making it more difficult to grasp the whole picture. Furthermore, some authors focus on the names of attack groups (or subgroups) in their analysis reports, while others focus on the names of attack campaigns, which makes the terminology even more confusing. There was even a case where a label used as the name of an attack campaign in one report was cited as that of an attack group in another.\r\n*I have organized the labels as follows. 
Any suggestions or information about the classification are welcome.\r\nLabels for the entire APT activity:\r\nHidden Cobra, TraderTraitor\r\nLabels for individual (or intermittent) campaigns[2]:\r\nOperation Dreamjob, Operation In(ter)ception, AppleJeus, Dangerous Password, CryptoCore, SnatchCrypto, Contagious Interview, Operation Jtrack\r\n*Dangerous Password and CryptoCore initially appeared as attack group names, but later they have also been used as attack campaign names in many cases.\r\nLabels for attack groups (subgroups):\r\nTEMP.Hermit, Selective Pisces, Diamond Sleet, Zinc, UNC577, Black Artemis, Labyrinth Chollima, NICKEL ACADEMY\r\nAPT38, Bluenoroff, Stardust Chollima, CryptoMimic, Leery Turtle, Sapphire Sleet, TA444, BlackAlicanto\r\nJade Sleet, UNC4899, Slow Pisces\r\nhttps://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html\r\nPage 1 of 11\r\nGleaming Pisces, Citrine Sleet\r\nAndariel, Stonefly, Onyx Sleet, Jumpy Pisces, Silent Chollima\r\nMoonstone Sleet (*This may not be a subgroup of Lazarus)\r\nLabels that used to refer to a single attack group and are now also used for its successors, related groups, and branched subgroups:\r\nLazarus, Bluenoroff, APT38, Andariel\r\nI have argued[3] in various places that accurate profiling and attribution of APT groups is critical for counter-operations against threat actors. Some people may think that a broad classification is sufficient, rather than more detailed subgrouping. 
It is true that some of the Lazarus subgroups have the same targets, objectives and TTPs. For example, no matter whether the attacker is Citrine Sleet/UNC4736, Sapphire Sleet/CryptoMimic or Moonstone Sleet, all of which target cryptocurrency, the response strategy may not change significantly.\r\nThe reasons for identifying threat actors at the subgroup level for Lazarus are further explained later, but there are two characteristics and trends behind this argument, which are unique to Lazarus subgroups and make the grouping of threat actors more difficult:\r\n1. Overlaps in TTPs among multiple subgroups\r\nAs many security vendors and analysts have discussed in the past[4], there are overlaps in initial attack vector, C2 infrastructure, and malware among multiple subgroups. As explained in JPCERT/CC Eyes[5] recently, there have been multiple confirmed attack campaigns in which LinkedIn was used as the initial attack vector. In addition, there is a tendency for similar attack methods to be used more and more, which is explained later.\r\n2. Rise of task force-like groups beyond traditional subgrouping\r\nFrom 2021 to February 2023, reports and media coverage on a new APT actor called Bureau325 appeared[6]. It is known that this actor shares the same TTPs as multiple known Lazarus subgroups and also uses the same malware as Kimsuky. It is assumed that Bureau325 is a task force-like group or activity which is free from existing group structures[7].\r\nIn March 2023, Mandiant published a report on APT43[8]. The activities of the actors described in this report were previously reported as those of Kimsuky or Thallium. However, Mandiant’s analysis team has reclassified the group as APT43. 
The report also notes that APT43 uses the same tools across groups and subgroups, similar to Bureau325.\r\nReasons for identification at the subgroup level\r\nWhen identifying APT actors, attention is often paid to attribution, such as identifying the perpetrators, their backgrounds, and attributing responsibility to a specific state, which I believe is the underlying reason why people are not so interested in Lazarus subgroup identification[9]. The following section discusses why detailed identification of subgroups, which are merely virtual distinctions, is necessary in addition to attribution.\r\nReason 1: To ensure the effects of mid- to long-term damage prevention through security alerts, etc.\r\nFor example, in attacks through SNS, such as the case covered on JPCERT/CC Eyes recently, cryptocurrency businesses and the defense and aviation industries were targeted, and thus it was possible to focus on alerting those industries. Since attackers usually contact individual engineers at target organizations on SNS, it was effective to alert and share IoCs with organizations in the sector.\r\nOn the other hand, the objectives and target sectors/individuals/organizations of subgroups (and related groups) and attack campaigns identified in the second half of 2023 and later are becoming more complex. While most of them target the cryptocurrency sector, there is a wide range of groups, such as those targeting sensitive corporate information, those using ransomware (Moonstone Sleet), and those targeting illegal foreign currency income by IT workers (Wagemole attack campaign).\r\nIdentifying the target industries and objectives of each subgroup accurately makes it possible to provide information to specific sectors and organizations, which is more effective than issuing general alerts. 
When an alert is issued about an attack that exploits the vulnerability of a specific sector or product, the attacker is also likely to target other sectors or products. However, people may not pay much attention to the alert, thinking that it is irrelevant to them.\r\nReason 2: Countermeasures/counter operations\r\nThe accurate identification of subgroups is also essential for Japan to capture the activities of individual actors over the long term and to conduct accurate threat analysis on what kind of activities are intended by the government agencies behind these Lazarus subgroups[10].\r\nActive cyber defence will also be important for Japan to conduct counter operations against the activities of APT actors in the future. Behind each subgroup, there should be an organization with its own formation, rules, and forms of command and control, and the effectiveness of various countermeasures should differ from one subgroup to another. Moreover, in addition to the effectiveness, some countermeasures may cause problems under international law[11], and it is extremely important to accurately capture the relationship between the actions and perpetrator of the counterparty and the background entity.\r\nReason 3: “Message” to the attackers\r\nMany threat analysts are increasingly focusing on subgroup identification. This is partly for counter-tactical reasons, as discussed in Reason 1. However, it is also because the analysts believe that subgroups reflect the actual activities, organizational backgrounds, and resources of the real perpetrators, not just a virtual distinction.\r\nThere are only a limited number of cases where disclosing information about threat actors, such as public attribution or publishing analytical reports, influences their activities[12]. However, it is at least possible to make the attacker’s new tactics less likely to succeed or to make them obsolete. 
We do not know to what extent APT actors actually pay attention to such information disclosures, since this has rarely been verified so far. In any case, if the information is to be disclosed for the purpose of deterrence, such as in the form of public attribution, accurate subgroup identification and clarification would be a minimum requirement to deliver the message to the target (individual or organizational actors).\r\nMost importantly, it should be noted that disclosure of accurate subgroup identification demonstrates the ability of the defenders and responders.\r\nCase study of subgroups with overlapping tactics: contact targets on SNS and have them download a malicious npm package\r\nAs explained in a recent JPCERT/CC Eyes article, several subgroups started to contact individual engineers on LinkedIn or other SNS to have them download a malicious Python or npm package via PyPI or GitHub in their initial phase.\r\nThe following is a timeline of the activities of several subgroups that use the same or similar tactics.\r\nFigure 1: Multiple subgroups that contact their targets on SNS and have them download malicious packages\r\nMoonstone Sleet\r\nTarget sectors/objectives: cryptocurrency theft, ransomware attacks, sensitive information in the defense industry, etc., illegal income of IT workers\r\nIn February 2024, we published a JPCERT/CC Eyes blog article about a case in which this subgroup had its targets download a malicious Python package via PyPI, and its analysis mentioned that Comebacker was used[13]. 
In December 2023, Qianxin reported a similar sample[14], and later, in May 2024, Microsoft announced that it was tracking the subgroup under the name Moonstone Sleet[15].\r\nMicrosoft says that this subgroup has no direct overlap with the subgroup which performs Contagious Interview (discussed below), whose TTPs are similar[16].\r\nComebacker was found in a 2021 campaign by TEMP.Hermit (labeled by Mandiant and also classified as UNC577 in the past)/Diamond Sleet (labeled by Microsoft and also classified as Zinc in the past)[17]. However, there is little information on the relations between the attack groups.\r\nGleaming Pisces (Citrine Sleet)\r\nRelations to previously classified group: actors of AppleJeus (UNC1720)\r\nTarget sectors: cryptocurrency businesses, individuals\r\nSimilar to Moonstone Sleet, this subgroup performs initial compromise using PyPI. Unit42 calls the group Gleaming Pisces, and Microsoft refers to it as Citrine Sleet. PondRAT (named by Unit42), used in the attack campaign exploiting PyPI in 2024[18], has its origin in PoolRAT (named by Unit42), disclosed by CISA when it issued an alert about the AppleJeus attack campaign in February 2021[19], and PoolRAT was also found in the supply chain attack on 3CX in March 2023[20].\r\nThese RATs share a common A5/1 encryption key, which was also found in the previously mentioned Comebacker-like sample reported by Qianxin. In addition, FudModule, reportedly used by TEMP.Hermit/Diamond Sleet, was also found in Citrine Sleet’s attack. 
Microsoft says that there are overlaps between Diamond Sleet and Citrine Sleet in their infrastructure and malware[21].\r\nContagious Interview (attack campaign)\r\nTarget sectors/objectives: cryptocurrency theft, illegal income of IT workers (associated with Wagemole, although it is a separate campaign)\r\nThis attack activity was reported by Macnica in October 2024[22] and by NTT Security in December 2024[23]. The attackers contact IT engineers pretending to request job interviews. It was first reported by Unit42 in November 2023[24], and according to the company, the campaign has been active since 2022. The attack campaign was allegedly conducted by FAMOUS CHOLLIMA, as classified by CrowdStrike, but it remains unclear whether it is a subgroup of Lazarus or another group.\r\nIn addition, this activity has been associated with Wagemole and CL-STA-0237 (the name used by Unit42)[25], which are allegedly related to the activities of “IT workers”, North Korean IT technical impersonators who work illegally at overseas IT companies to obtain foreign currency[26].\r\nAs mentioned earlier, Microsoft currently classifies Moonstone Sleet activity and Contagious Interview as separate activities. Phylum has been tracking the malicious npm packages used in both activities and has published a number of reports[27].\r\nReference: Summary of relationships among subgroups at the moment\r\nIn this article, I have described and compared the Moonstone Sleet activity, the Contagious Interview attack campaign, and the Gleaming Pisces (Citrine Sleet) activity. They all share the same initial attack vector: contact the target on SNS and then have them download a malicious npm package. 
The following is a summary of the activities of other Lazarus subgroups and the changes in the classification and the names used by security vendors over time.\r\nI believe that the information will continue to change, with new subgroups emerging and security analysts making reclassifications[28]. In the future, we will try to create a system that captures and organizes such information in a dynamic and flexible manner.\r\nFigure 2: Transition of Lazarus subgroups\r\nIn conclusion\r\nThe term “attribution” has two meanings. One is the strict sense used in international law and criminal procedure, and the other is the sense traditionally used by the security community. I personally refer to the former as “hard” attribution, which includes the identification of the individuals and organizations actually involved as well as the attribution of responsibility, and the latter as “soft” attribution, which covers virtual groupings such as actors/attack groups and profiling.\r\nEven when there is insufficient evidence for “hard” attribution, “soft” attribution may be helpful in issuing appropriate alerts and providing countermeasure information. On the other hand, “hard” attribution is necessary for long-term countermeasures, even when it cannot be completed in time for a technical response.\r\nThere is not enough space here to cover the variety of technical and non-technical issues surrounding attribution, but I believe that “information disclosure” will be a key topic in the future. Disclosure of attribution results is an achievement for analysts in the private sector as well as an important tool for commercial businesses to demonstrate their expertise. 
While it is difficult for them to visualize the capabilities of their products and services, reports of (soft) attribution can easily show their findings, which is important for maintaining the sound growth of the security market.\r\nMeanwhile, attribution is also an achievement for the government side. Aside from the arguments over the effectiveness of public attribution[29], it is a valuable opportunity for governments to demonstrate why they collect information on private victim organizations. In addition, as mentioned earlier, it is also a chance to demonstrate their capabilities as a country to allies and adversaries.\r\nHowever, in either position, prioritizing achievement and disclosing technically unreliable attribution results brings a number of negative consequences. The effectiveness of information disclosure should also be verified.\r\nMost importantly, it should always be remembered that so-called “threat intelligence,” including attribution results, is not a product created solely by those who release the information. Behind the scenes, victim organizations and analysts involved in on-site response play an extremely important role. Information disclosure influences threat actors, and at the same time, it is also a highly complex activity that affects not only the alerted organizations but also various other parties, including the victim organizations, analysts, and product vendors. Attribution methodology is still in the process of development, and information disclosure involves a number of unresolved issues. 
I have repeatedly discussed various issues surrounding “information disclosure” in the past[30], and I will continue such discussions along with alerts and analytical reports.\r\nFigure 3: Timing of each attribution\r\nHayato Sasaki\r\n(Translated by Takumi Nakano)\r\nReferences\r\n*Please note that the authors and titles are omitted due to the large number of references.\r\n[1] This name first appeared in Operation Blockbuster, a joint analysis report led by Novetta and involving a number of security vendors in 2016. It was initially described as “Lazarus Group.”\r\n[2] Attack campaign: Attack activities conducted against a specific organization or sector for a certain period of time using a specific attack method or infrastructure. (Reference: 「攻撃技術情報の取扱い・活用手引き」, March 2024, Secretariat of the Study Group for Promoting Information Sharing on Damage from Cyber Attacks (Ministry of Economy, Trade and Industry, JPCERT/CC) [Japanese only])\r\n[3] https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_2_sasaki_en.pdf, JSAC2024 https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_2_6_hayato_sasaki_en.pdf, National Institute for Defense Studies (NIDS) Commentary https://www.nids.mod.go.jp/publication/commentary/pdf/commentary346.pdf [Japanese only]\r\n[4] These are slightly old reports, but they analyze the organization and overlaps of subgroups based on the clustering of malware clusters. 
https://securelist.com/lazarus-threatneedle/100803/, https://vblocalhost.com/uploads/VB2021-Park.pdf\r\n[5] https://blogs.jpcert.or.jp/en/2025/01/initial_attack_vector.html\r\n[6] https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government/?hl=en, “Final report of the Panel of Experts submitted pursuant to resolution 2627 (2022)”, https://www.un.org/securitycouncil/sanctions/1718/panel_experts/reports\r\n[7] CISTEC Journal, May 2023 issue, Hayato Sasaki (JPCERT/CC), 「2022年度国連北朝鮮制裁委報告書から北朝鮮関連のサイバー攻撃動向を読み解く―新たな攻撃グループ登場の背景とその動向について―」 [Japanese only]\r\n[8] https://cloud.google.com/blog/topics/threat-intelligence/apt43-north-korea-cybercrime-espionage?hl=en\r\n[9] When I once explained the Lazarus subgroups to a member of an international organization, I was told, “Whatever the subgroups are, they are already attributed (to a certain government) for their illegal activities, and that should be enough.”\r\n[10] Until 2023, such tracking and reporting was conducted by the Panel of Experts of the United Nations Security Council Sanctions Committee on North Korea. The panel collected information like that covered in this article from various security vendor reports and analyzed threats by group and by the government agencies considered to be behind such groups. However, as news media reported, the Panel of Experts’ activities ended in FY2023.\r\n[11] Reference: 中谷和弘, 河野桂子, 黒崎将広『サイバー攻撃の国際法　タリン・マニュアル2.0の解説（増補版）』, 中村和彦『越境サイバー侵害行動と国際法―国家実行から読み解く規律の行方―』, and others [Japanese only]\r\n[12] For an explanation of the limitations of the punitive deterrence approach centered on public attribution in the U.S. and the history of the transition to a cost-imposition approach, please refer to the following article in the National Institute for Defense Studies (NIDS) Commentary series. 
佐々木勇人, 瀬戸崇志『サイバー攻撃対処における攻撃「キャンペーン」概念と「コスト賦課アプローチ」——近年の米国政府当局によるサイバー攻撃活動への対処事例の考察から』 https://www.nids.mod.go.jp/publication/commentary/pdf/commentary346.pdf [Japanese only]\r\n[13] https://blogs.jpcert.or.jp/en/2024/02/lazarus_pypi.html\r\n[14] https://ti.qianxin.com/blog/articles/Analysis-of-Suspected-Lazarus-APT-Q-1-Attack-Sample-Targeting-npm-Package-Supply-Chain-EN/\r\n[15] https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/\r\n[16] https://thehackernews.com/2024/05/microsoft-uncovers-moonstone-sleet-new.html\r\n[17] https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/\r\n[18] https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/\r\n[19] https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-048a\r\n[20] https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/\r\n[21] https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/\r\n[22] https://security.macnica.co.jp/blog/2024/10/-contagious-interview.html\r\n[23] https://jp.security.ntt/tech_blog/en-contagious-interview-ottercookie\r\n[24] https://unit42.paloaltonetworks.jp/two-campaigns-by-north-korea-bad-actors-target-job-hunters/\r\n[25] https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/\r\n[26] https://ofac.treasury.gov/recent-actions/20220516\r\n[27] https://blog.phylum.io/crypto-themed-npm-packages-found-delivering-stealthy-malware/\r\n[28] We mentioned that Mandiant reclassified it as APT43 in March 2023. The activities of this actor were previously often reported and classified as those of Kimsuky and Thallium. 
However, after years of tracking, it was reanalyzed, reclassified, and then announced as APT43. https://cloud.google.com/blog/ja/topics/threat-intelligence/apt43-north-korea-cybercrime-espionage\r\n[29] For studies based on the argument that deterrence approaches through public attribution and economic sanctions, premised on so-called punitive deterrence, had little success, refer to the following: Michael P. Fischerkeller, Emily O. Goldman, Richard J. Harknett, “Cyber Persistence Theory: Redefining National Security in Cyberspace”; Robert Chesney and Max Smeets (Eds.), “Deter, Disrupt, or Deceive: Assessing Cyber Conflict as an Intelligence Contest”\r\n[30] https://blogs.jpcert.or.jp/ja/2022/04/sharing_and_disclosure.html, https://blogs.jpcert.or.jp/ja/2023/05/cost-and-effectiveness-of-alerts.html, https://blogs.jpcert.or.jp/ja/2023/08/incident-disclosure-and-coordination.html, https://blogs.jpcert.or.jp/ja/2023/12/leaks-and-breaking-trust.html [Japanese only]\r\n佐々木 勇人（Hayato Sasaki）\r\nThreat Information Analyst. Deputy Director, Cyber Security Coordination Group, JPCERT/CC. Director of Policy Affairs. Part-time researcher in the Cyber Security Research Division, National Institute for Defense Studies (NIDS) since May 2024.\r\nSource: https://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2025/03/classifying-lazaruss-subgroup.html"
	],
	"report_names": [
		"classifying-lazaruss-subgroup.html"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "998746e1-b4b8-429b-a737-6eb368247c42",
			"created_at": "2022-10-25T16:07:23.505704Z",
			"updated_at": "2026-04-10T02:00:04.632806Z",
			"deleted_at": null,
			"main_name": "Covellite",
			"aliases": [
				"Black Artemis",
				"CTG-2460",
				"Nickel Academy"
			],
			"source_name": "ETDA:Covellite",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d14271be-be2e-4be7-9578-5b6196e35481",
			"created_at": "2023-11-21T02:00:07.355328Z",
			"updated_at": "2026-04-10T02:00:03.46613Z",
			"deleted_at": null,
			"main_name": "TA444",
			"aliases": [],
			"source_name": "MISPGALAXY:TA444",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c1eadfd8-6e9c-4024-902d-555c9530fcea",
			"created_at": "2023-01-06T13:46:38.645834Z",
			"updated_at": "2026-04-10T02:00:03.04985Z",
			"deleted_at": null,
			"main_name": "TEMP.Hermit",
			"aliases": [],
			"source_name": "MISPGALAXY:TEMP.Hermit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e265bb3a-eb4c-4999-9b1d-c24a0d05a7f0",
			"created_at": "2023-12-21T02:00:06.096716Z",
			"updated_at": "2026-04-10T02:00:03.502439Z",
			"deleted_at": null,
			"main_name": "UNC4736",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC4736",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dcbff54d-13ec-40b5-b3b9-b74a315669e1",
			"created_at": "2026-02-03T02:00:03.428641Z",
			"updated_at": "2026-04-10T02:00:03.937539Z",
			"deleted_at": null,
			"main_name": "UNC1069",
			"aliases": [
				"MASAN",
				"CryptoCore"
			],
			"source_name": "MISPGALAXY:UNC1069",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434471,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/311a9b40ed193e8fc9b816af46980ce582f02045.pdf",
		"text": "https://archive.orkl.eu/311a9b40ed193e8fc9b816af46980ce582f02045.txt",
		"img": "https://archive.orkl.eu/311a9b40ed193e8fc9b816af46980ce582f02045.jpg"
	}
}