{ "id": "d80046ea-5176-4d0b-9447-ed32712db00c", "created_at": "2026-04-06T01:31:02.908987Z", "updated_at": "2026-04-10T03:38:20.714157Z", "deleted_at": null, "sha1_hash": "440ec55c2370b97cea13801febdb76fa08b57de4", "title": "Lazarus: Three North Koreans Charged for Financially Motivated Attacks", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 48950, "plain_text": "Lazarus: Three North Koreans Charged for Financially Motivated\r\nAttacks\r\nBy About the Author\r\nArchived: 2026-04-06 01:21:18 UTC\r\nThe U.S. government has charged three men in relation to a string of financially motivated cyber attacks linked to\r\nthe North Korean Lazarus (aka Appleworm) group. The attackers stole approximately $1.3 billion from a range of\r\nfinancial institutions and cryptocurrency exchanges.\r\nIn a second case, a Canadian-American citizen has pleaded guilty to involvement in a money laundering scheme\r\nlinked to heists organized by the Lazarus group.\r\nThe charges relate to a number of financially motivated attacks, including several investigated by Symantec, a\r\ndivision of Broadcom (NASDAQ: AVGO).\r\nBanking attacks\r\nLazarus was linked to a 2016 attack that stole US$81 million from the Bangladesh Central Bank and a number of\r\nother attacks against banks in Asia and South America. The attacks prompted an alert by payments network\r\nSWIFT, after it was found that the attackers had used malware to cover up evidence of fraudulent transfers.\r\nIn order to steal such massive sums, the attackers deployed relatively sophisticated malware, most notably\r\nTrojan.Banswift, which was used to wipe evidence of fraudulent transactions. Banswift shared code with an older\r\nLazarus tool called Backdoor.Contopee. Contopee, along with two other pieces of Lazarus malware,\r\nBackdoor.Fimlis and Backdoor.Fimlis.B, were already being used in limited targeted attacks against the financial\r\nsector in South-East Asia.\r\nFinancially motivated attacks continued into 2017, when dozens of organizations were targeted through watering-hole attacks involving a previously unseen piece of malware. The attackers compromised websites likely to be\r\nvisited by staff at targeted organizations and used a custom exploit kit to deliver malware to selected targets. The\r\nexploit kit was configured to only infect visitors from approximately 150 different IP addresses. These IP\r\naddresses belonged to 104 different organizations located in 31 different countries, most of which were banks.\r\nWhile the malware used in these attacks (Downloader.Ratankba) had been previously unseen, further analysis by\r\nSymantec uncovered strong links between this tool and known Lazarus tools.\r\nWannaCry\r\nLazarus was subsequently implicated in the WannaCry ransomware attacks. The ransomware incorporated the\r\nleaked EternalBlue exploit that used two known vulnerabilities in Windows (CVE-2017-0144 and CVE-2017-\r\n0145) to turn the ransomware into a worm, capable of spreading itself to any unpatched computers on the victim’s\r\nnetwork and also to other vulnerable computers connected to the internet.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment\r\nPage 1 of 3\n\nWithin a matter of hours, the malware had infected hundreds of thousands of computers worldwide. The attack\r\nhad the potential to be highly profitable but it was poorly executed. WannaCry was supposed to generate a unique\r\nBitcoin wallet address for each infected computer but, due to a bug, it failed to do so and instead defaulted to three\r\nhardcoded Bitcoin addresses for payment. This meant the attackers had no way of knowing which victims had\r\npaid using the hardcoded addresses. The attackers also included a “killswitch” in the malware. This was the\r\naddress of a non-existent domain. WannaCry was designed to check if the domain was live and, if it was, it would\r\ncease installing. However, it was quickly found by a security researcher who registered the domain themselves,\r\nthus limiting the damage.\r\nFASTCash ATM attacks\r\nThe group’s interest in financially motivated attacks persisted and, in 2018, evidence appeared of its involvement\r\nin attacks on ATM networks in Africa and Asia. The operation, known as FASTCash, allowed the group to\r\neffectively empty ATMs of cash. The attacks began with breaches of the targeted bank’s network in order to gain\r\naccess to the switch application server that handled ATM transactions. Malware (Trojan.Fastcash) was installed on\r\nthe server and used to intercept fraudulent cash withdrawal requests and send falsified approval responses,\r\nallowing cash to be withdrawn.\r\nCryptocurrency attacks\r\nIn a related announcement, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the\r\nDepartment of Treasury released details on AppleJeus, malware that was used in a series of attacks on\r\ncryptocurrency exchanges. The malware is designed to masquerade as legitimate cryptocurrency trading\r\napplications.\r\nAt least seven different versions of AppleJeus have been discovered, each of which is designed to target a different\r\ncryptocurrency trading application. The following trading platforms were targeted by the malware:\r\nCelas Trade Pro\r\nJMT Trading\r\nUnion Crypto\r\nKupay Wallet\r\nCoinGoTrade\r\nDorusio\r\nAnts2Whale\r\nInitially the malware was spread using fake versions of the legitimate trading platform websites. However, later\r\nthe attackers switched vectors, relying on phishing, social networking, and social engineering techniques to fool\r\nvictims into downloading the malware.\r\nFar-reaching investigations\r\nThe indictment is the latest in a series of charges laid out against state-sponsored espionage actors by authorities in\r\nthe U.S. and comes on the back of a 2018 indictment against one of the men named in this week’s announcement.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment\r\nPage 2 of 3\n\nThe charges are a timely reminder of the ability of law enforcement to investigate attacks that originate far beyond\r\nnational borders.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-north-korea-indictment" ], "report_names": [ "lazarus-north-korea-indictment" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6", "created_at": "2023-01-06T13:46:38.820429Z", "updated_at": "2026-04-10T02:00:03.112131Z", "deleted_at": null, "main_name": "FASTCash", "aliases": [], "source_name": "MISPGALAXY:FASTCash", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439062, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/440ec55c2370b97cea13801febdb76fa08b57de4.pdf", "text": "https://archive.orkl.eu/440ec55c2370b97cea13801febdb76fa08b57de4.txt", "img": "https://archive.orkl.eu/440ec55c2370b97cea13801febdb76fa08b57de4.jpg" } }