{ "id": "7b4b1939-0748-4312-836e-b5c5f83813db", "created_at": "2026-04-06T00:07:32.627548Z", "updated_at": "2026-04-10T03:38:19.459389Z", "deleted_at": null, "sha1_hash": "44685ea8f03cc35db256d415cd5027c234df9ad4", "title": "Lazarus APT Spinoff Linked to Banking Hacks", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1127802, "plain_text": "Lazarus APT Spinoff Linked to Banking Hacks\r\nBy Michael Mimoso\r\nPublished: 2017-04-03 · Archived: 2026-04-05 13:44:25 UTC\r\nThe Lazarus Group has splintered off a group whose mission is to attack banks and steal money in order to fund\r\nits operations.\r\nSINT MAARTEN—The Lazarus Group, a nation-state level of attacker tied to the 2014 attacks on Sony Pictures\r\nEntertainment, has splintered off a portion of its operation to concentrate on stealing money to fund itself.\r\nThe group, widely believed to be North Korean, has been linked to a February 2016 attack against the Bangladesh\r\nCentral bank that resulted in more than $850 million in fraudulent SWIFT network transactions, $80 million of\r\nwhich still has not been recovered.\r\nAt the Security Analyst Summit, researchers from Kaspersky Lab and BAE Systems explained how the splinter\r\ngroup, known as Bluenoroff, has almost exclusively hit financial institutions, casinos, financial trade software\r\ndevelopment companies and cryptocurrency businesses. The group has also been connected to an attack earlier\r\nthis year against banks in Poland, based on code strings and wiper malware discovered and known to be part of\r\nLazarus’ arsenal.\r\nhttps://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/\r\nPage 1 of 3\n\nVitaly Kamluk of Kaspersky Lab and Adrian Nish and Sergey Shevchenko of BAE Systems today published an\r\nupdate on Lazarus and Bluenoroff, pinning to them their unique interest in SWIFT software. SWIFT is a global\r\nnetwork supporting financial transactions and messaging between institutions. The attackers, researchers said,\r\naren’t looking for smash-and-grab bank robberies. They learn the inner workings of SWIFT software and develop\r\nand implement patches that allow the attackers to steal significant amounts of money without leaving a trace\r\nbehind on the hacked systems.\r\nDries Watteyne, SWIFT head of customer security intelligence, also appeared at SAS and said the attackers had\r\nintimate knowledge of how the SWIFT network processes transactions and messages between financial\r\ninstitutions.\r\n“They had sophisticated knowledge on a business level,” Watteyne said. “They were able to make sure all\r\nmessages sent from the bank and statements from the U.S. bank were hidden.”\r\nWatteyne explained that with an international transaction of U.S. dollars, emitters send payment instructions to a\r\nU.S. bank, which remits an acknowledgement before sending funds to an offshore bank.\r\nThe attackers used stolen credentials to inject custom malware at the bank that was able to delete all payment\r\ninstructions from the targeted database, modify SWIFT messages, including start- and end-of-day statements, and\r\nalso bypass integrity verification checks built into the system.\r\nThe Lazarus Group is alleged to have leaked mountains of sensitive data from Sony Pictures Entertainment in\r\n2014, including emails, movie scripts and other confidential information. Following the Sony hack in January\r\n2015, the U.S. levied sanctions against North Korean defense agencies, two other government agencies and 10\r\nindividuals. The Executive Order explaining the sanctions came two weeks after North Korea suffered a DDoS\r\nattack that disconnected much of the country from the Internet.\r\nLazarus Group’s interest in profit is relatively new, the researchers said. They’ve adopted a number of tactics\r\npreferred by cybercriminals, including watering hole attacks to compromise financial targets. In these attacks, a\r\nwebsite of common interest to the target is attacked and spiked with malicious code designed to exploit a\r\nvulnerable browser or piece of third-party software.\r\nBAE’s Nish said they used iframes to redirect browsers to sites hosting scripts that check for vulnerabilities,\r\ndeliver exploits and payloads. Most of the Bluenoroff attacks were initially focused on Southeast Asia and\r\ndeveloping countries. Starting with the Poland attacks, their bravado grew and was much more global.\r\nThe link between Bluenoroff, North Korea and Lazarus gained steam, Kamluk said, from an analysis of a\r\ncommand and control server in Europe used in attacks. The researchers determined how the attackers connected to\r\nthe server and tested their backdoors using multiple IPs from around the world. One short connection, however,\r\nwas made from an IP range in North Korea.\r\nhttps://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/\r\nPage 2 of 3\n\nKamluk said the attackers’ installation of cryptocurrency mining software crashed the server and likely kept the\r\nattackers from properly wiping their traces. While none of the researchers would commit fully to attributing North\r\nKorea to these attacks, the evidence does indicate some involvement.\r\n“If it is North Korea,” Kamluk said, “we know very little about its current motivation and use of offensive\r\ncapabilities.”\r\nSource: https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/\r\nhttps://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA" ], "references": [ "https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/" ], "report_names": [ "124746" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434052, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/44685ea8f03cc35db256d415cd5027c234df9ad4.pdf", "text": "https://archive.orkl.eu/44685ea8f03cc35db256d415cd5027c234df9ad4.txt", "img": "https://archive.orkl.eu/44685ea8f03cc35db256d415cd5027c234df9ad4.jpg" } }