G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
Analyst context for executives and security teams
Lazarus Group is an ATT&CK intrusion set used as an umbrella for North Korean cyber activity associated in public reporting with espionage, destructive attacks, and financially motivated campaigns. For leaders, the practical issue is not the name itself but the breadth: related ATT&CK relationships include multiple remote access tools, backdoors, destructive or ransomware-related tooling, network utilities, and a campaign affecting defense, aerospace, government, financial, and other sectors. Treat this as a test of whether your organization can connect threat intelligence, endpoint/network telemetry, identity evidence, and recovery planning across long-running, multi-tool operations.
Executive priority
Prioritize this object when assessing resilience against state-linked activity, destructive malware scenarios, financial fraud risk, and high-value-sector exposure. Executives should ask whether incident response plans distinguish espionage, ransomware/destructive activity, and business email compromise decisions; whether Windows, macOS, and Linux monitoring gaps are known; and whether audit evidence can show patching, segmentation, privileged access control, and recovery readiness. Because ATT&CK notes attribution challenges and shared DPRK personnel, infrastructure, malware, and tradecraft, leadership should avoid over-focusing on actor naming and instead fund behavior-based detection and response capabilities.
Technical view
ATT&CK provides no official detection text, tactics, or platforms for the group object itself, so SOC and IR teams should validate coverage through the related software and campaign context. Relationships point to Windows-heavy malware and tools such as Volgmer, FALLCHILL, Bankshot, RATANKBA, BADCALL, HARDRAIN, TYPEFRAME, KEYMARBLE, AuditCred, RawDisk, WannaCry, HOPLIGHT, HotCroissant, BLINDINGCAN, Dtrack, and others, plus macOS/Linux exposure through Dacls and macOS exposure through Cryptoistic and AppleJeus. Defensive validation should emphasize remote access tooling, suspicious DLL execution, backdoor persistence, raw disk access, SMB/worm-like propagation risk, route/netsh changes, and LLMNR/NBT-NS/mDNS poisoning or rogue authentication behavior associated with Responder.
Likely telemetry
- Endpoint process, module/DLL load, service, persistence, and file-write telemetry, especially on Windows and where macOS/Linux assets are in scope from related software
- Network connection, DNS, proxy, web, and command-and-control style beaconing evidence for RATs and backdoors
- Windows command and script logging for netsh and route usage, including local or remote network configuration changes
- Authentication telemetry, NTLM events, SMB activity, and name-resolution traffic relevant to Responder-style credential capture
- Email and collaboration logs where Operation Dream Job or suspected spearphishing/BEC-adjacent activity is a relevant business concern
Detection direction
- Do not rely on the actor label as the detection strategy; map alerts to related malware/tool behaviors and local asset criticality.
- Validate coverage for Windows first because many related software entries specify Windows, then explicitly test macOS and Linux visibility where Dacls, Cryptoistic, or AppleJeus-like relationships matter.
- Tune for suspicious use of legitimate administration/network utilities such as netsh and route by correlating command context, user, host role, and change window to reduce false positives.
- Hunt for rogue authentication and name-resolution abuse patterns, especially LLMNR/NBT-NS/mDNS and NTLM capture indicators, where Responder exposure is possible.
- Correlate RAT/backdoor detections with outbound network patterns, persistence changes, and credential events rather than single indicators alone.
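The following is an added example (not code from the ATT&CK page, MITRE, or Glexia) that implements two of the detection-direction points above: it scores netsh/route process events by command context, host role, and change window, then correlates them per host with persistence changes and external connections instead of alerting on single indicators. All hosts, users, commands, addresses, the change window, the point values, and the alert threshold are constructed sample data and assumptions.

```python
"""Per-host correlation of constructed endpoint telemetry (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: a suspicious sequence on a finance workstation,
# a legitimate route change by a network admin inside a change window, and a
# read-only netsh query on an HR workstation. Hosts, users, addresses: made up.
EVENTS = [
    {"ts": "2024-03-04T02:11:00", "host": "FIN-WS-17", "role": "workstation",
     "user": "j.doe", "type": "process",
     "cmd": "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=203.0.113.5"},
    {"ts": "2024-03-04T02:12:30", "host": "FIN-WS-17", "role": "workstation",
     "user": "j.doe", "type": "persistence",
     "detail": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcupd"},
    {"ts": "2024-03-04T02:13:05", "host": "FIN-WS-17", "role": "workstation",
     "user": "j.doe", "type": "netconn", "dst": "203.0.113.5", "dport": 443},
    {"ts": "2024-03-04T10:05:00", "host": "NET-ADM-01", "role": "network_admin",
     "user": "netops", "type": "process",
     "cmd": "route add 10.20.0.0 mask 255.255.0.0 10.0.0.1"},
    {"ts": "2024-03-05T09:00:00", "host": "HR-WS-03", "role": "workstation",
     "user": "a.lee", "type": "process", "cmd": "netsh wlan show profiles"},
]

# Assumed tuning inputs: approved change window, roles expected to run network
# utilities, netsh/route verbs that alter configuration, internal address space.
CHANGE_WINDOWS = [("2024-03-04T09:00:00", "2024-03-04T12:00:00")]
ADMIN_ROLES = {"network_admin", "server"}
CONFIG_VERBS = ("add", "set", "delete", "portproxy", "advfirewall")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALERT_THRESHOLD = 5  # assumed; tune to local false-positive tolerance


def in_change_window(ts, windows=CHANGE_WINDOWS):
    """True when the ISO timestamp falls inside an approved change window."""
    t = datetime.fromisoformat(ts)
    return any(datetime.fromisoformat(a) <= t <= datetime.fromisoformat(b)
               for a, b in windows)


def is_internal(ip):
    """RFC 1918 check done explicitly; ipaddress.is_private also covers TEST-NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_process(ev):
    """Score a netsh/route invocation by command context, host role and change window."""
    tokens = ev["cmd"].lower().split()
    if not tokens or tokens[0] not in ("netsh", "route"):
        return 0, []
    score, reasons = 0, []
    if any(verb in tokens[1:] for verb in CONFIG_VERBS):
        score += 2
        reasons.append("network configuration change")
    if ev["role"] not in ADMIN_ROLES:
        score += 2
        reasons.append(f"run on {ev['role']} host by {ev['user']}")
    if not in_change_window(ev["ts"]):
        score += 1
        reasons.append("outside approved change window")
    return score, reasons


def correlate(events=EVENTS, span_minutes=15):
    """Combine suspicious commands, persistence changes and external connections per host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    results = {}
    span = timedelta(minutes=span_minutes)
    for host, evs in by_host.items():
        score, reasons = 0, []
        cmd_times, persist_times, conn_times = [], [], []
        for ev in sorted(evs, key=lambda e: e["ts"]):
            t = datetime.fromisoformat(ev["ts"])
            if ev["type"] == "process":
                s, r = score_process(ev)
                score, reasons = score + s, reasons + r
                if s:
                    cmd_times.append(t)
            elif ev["type"] == "persistence":
                score += 1
                reasons.append(f"persistence change: {ev['detail']}")
                persist_times.append(t)
            elif ev["type"] == "netconn" and not is_internal(ev["dst"]):
                score += 1
                reasons.append(f"outbound connection to {ev['dst']}:{ev['dport']}")
                conn_times.append(t)
        # Sequence bonus: suspicious command followed by persistence and an
        # external connection within the span is weighted above any single event.
        if any(any(c <= p <= c + span for p in persist_times)
               and any(c <= n <= c + span for n in conn_times) for c in cmd_times):
            score += 3
            reasons.append(f"command, persistence and beacon within {span_minutes} min")
        results[host] = {"score": score, "reasons": reasons,
                         "alert": score >= ALERT_THRESHOLD}
    return results


if __name__ == "__main__":
    for host, res in correlate().items():
        print(host, res["score"], "ALERT" if res["alert"] else "ok", res["reasons"])
```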
Mitigation priorities
- Sequence controls around resilience: patch and reduce exposed legacy SMB risk, harden endpoint execution, and maintain tested offline or protected backups.
- Reduce credential theft paths by disabling unnecessary name-resolution protocols where feasible, hardening NTLM usage, and monitoring authentication anomalies.
- Apply least privilege and privileged access controls so RAT or backdoor access does not automatically become domain-wide control.
- Segment high-value business, financial, engineering, and any OT/ICS-adjacent environments to limit propagation and destructive impact.
- Maintain cross-platform endpoint monitoring where macOS and Linux assets are present, not only Windows-focused defenses.
Analyst notes and limits
ATT&CK describes Lazarus Group as a North Korean state-sponsored group attributed to the RGB and notes that public reporting often uses the name as an umbrella for multiple North Korean operators. That matters analytically: shared infrastructure, malware, personnel, and tradecraft can make precise attribution difficult. Relationships to many software objects provide useful defensive validation points, but local telemetry and incident evidence are required before making environment-specific conclusions.
The group object has no official ATT&CK detection guidance, tactics, or platforms. Platform and behavior observations here are inferred only from supplied relationships to software and campaign objects, not from a complete procedure list. This take does not assert current exploitation, customer exposure, guaranteed detection, or definitive attribution for any local incident.
Lazarus Group
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Lazarus Group malware uses cmd.exe to execute commands on a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: Qualys LolZarus) A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
| Enterprise | T1202 | Indirect Command Execution | Lazarus Group persistence mechanisms have used |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol Sub-technique | Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs) |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee-GhostSecret-fixurl) |
| Enterprise | T1584.004 | Server Sub-technique | Lazarus Group has compromised servers to stage malicious tools.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Google TAG Lazarus Jan 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021) |
| Enterprise | T1218.005 | Mshta Sub-technique | Lazarus Group has used |
| Enterprise | T1010 | Application Window Discovery | Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools) |
| Enterprise | T1587.001 | Malware Sub-technique | Lazarus Group has developed custom malware for use in their operations.(Citation: CISA AppleJeus Feb 2021)(Citation: Google TAG Lazarus Jan 2021) |
| Enterprise | T1134.002 | Create Process with Token Sub-technique | Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call |
| Enterprise | T1021.004 | SSH Sub-technique | Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1098 | Account Manipulation | Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022) |
| Enterprise | T1485 | Data Destruction | Lazarus Group has used a custom secure delete function to overwrite file contents with data from heap memory.(Citation: Novetta Blockbuster) |
| Enterprise | T1591 | Gather Victim Org Information | Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1106 | Native API | Lazarus Group has used the Windows API |
| Enterprise | T1078 | Valid Accounts | Lazarus Group has used administrator credentials to gain access to restricted network segments.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | Lazarus Group has distributed malicious payloads embedded in PNG files.(Citation: Microsoft DiamondSleet 2023) |
| Enterprise | T1012 | Query Registry | Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: |
| Enterprise | T1090.002 | External Proxy Sub-technique | Lazarus Group has used multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: TrendMicro macOS Dacls May 2020) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
| Enterprise | T1104 | Multi-Stage Channels | Lazarus Group has used multi-stage malware components that inject later stages into separate processes.(Citation: Lazarus APT January 2022) |
| Enterprise | T1046 | Network Service Discovery | Lazarus Group has used nmap from a router VM to scan ports on systems within the restricted segment of an enterprise network.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1005 | Data from Local System | Lazarus Group has collected data and files from compromised networks.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1489 | Service Stop | Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.(Citation: Novetta Blockbuster Destructive Malware) |
| Enterprise | T1016 | System Network Configuration Discovery | Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders) |
| Enterprise | T1588.004 | Digital Certificates Sub-technique | Lazarus Group has obtained SSL certificates for their C2 domains.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret) |
| Enterprise | T1082 | System Information Discovery | Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022) |
| Enterprise | T1033 | System Owner/User Discovery | Various Lazarus Group malware enumerates logged-on users.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: Lazarus APT January 2022) |
| Enterprise | T1620 | Reflective Code Loading | Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.(Citation: Lazarus APT January 2022) |
| Enterprise | T1560 | Archive Collected Data | Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2.(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018) |
| Enterprise | T1203 | Exploitation for Client Execution | Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.(Citation: McAfee Bankshot) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Lazarus Group has used PowerShell to execute commands and malicious code.(Citation: Google TAG Lazarus Jan 2021) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Lazarus Group has sent malicious links to victims via email.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders) |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | Lazarus Group has renamed system utilities such as |
| Enterprise | T1047 | Windows Management Instrumentation | Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Qualys LolZarus) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Lazarus Group has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021) |
| Enterprise | T1557.001 | Name Resolution Poisoning and SMB Relay Sub-technique | Lazarus Group executed Responder using the command |
| Enterprise | T1057 | Process Discovery | Several Lazarus Group malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by Lazarus Group also gathers process times.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022) |
| Enterprise | T1685 | Disable or Modify Tools | Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018) |
| Enterprise | T1589.002 | Email Addresses Sub-technique | Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1561.001 | Disk Content Wipe Sub-technique | Lazarus Group has used malware like WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and, finally, attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.(Citation: Novetta Blockbuster Destructive Malware) |
| Enterprise | T1491.001 | Internal Defacement Sub-technique | Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe.(Citation: Novetta Blockbuster Destructive Malware) |
| Enterprise | T1588.002 | Tool Sub-technique | Lazarus Group has obtained a variety of tools for their operations, including Responder and PuTTy PSCP.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder.(Citation: McAfee Lazarus Resurfaces Feb 2018) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
| Enterprise | T1542.003 | Bootkit Sub-technique | Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: ESET Twitter Ida Pro Nov 2021) |
| Enterprise | T1583.006 | Web Services Sub-technique | Lazarus Group has hosted malicious downloads on Github.(Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Lazarus Group malware KiloAlfa contains keylogging functionality.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools) |
| Enterprise | T1571 | Non-Standard Port | Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | A Lazarus Group malware sample encodes data with base64.(Citation: McAfee Lazarus Resurfaces Feb 2018) |
| Enterprise | T1189 | Drive-by Compromise | Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website.(Citation: RATANKBA)(Citation: Google TAG Lazarus Jan 2021) |
| Enterprise | T1110.003 | Password Spraying Sub-technique | Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.(Citation: McAfee Bankshot)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Lazarus Group has digitally signed malware and utilities to evade detection.(Citation: Lazarus APT January 2022) |
| Enterprise | T1218 | System Binary Proxy Execution | Lazarus Group lnk files used for persistence have abused the Windows Update Client ( |
| Enterprise | T1560.002 | Archive via Library Sub-technique | Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018) |
Groups, software, and campaigns
S0364: RawDisk
RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.[1][2]
S0238: Proxysvc
Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of Proxysvc is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. [1]
S0245: BADCALL
BADCALL is a Trojan malware variant used by the group Lazarus Group. [1]
S0181: FALLCHILL
FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]
S0366: WannaCry
S1182: MagicRAT
MagicRAT is a remote access tool developed in C++ and exclusively used by the Lazarus Group threat actor in operations. MagicRAT allows for arbitrary command execution on victim machines and provides basic remote access functionality.[1]
S0376: HOPLIGHT
S0263: TYPEFRAME
TYPEFRAME is a remote access tool that has been used by Lazarus Group. [1]
S0567: Dtrack
S0431: HotCroissant
HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.[1] HotCroissant shares numerous code similarities with Rifdoor.[2]
S0246: HARDRAIN
S0497: Dacls
Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.[1][2]
C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 5.0 | | Current bundle | fe9e411a7ca5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] US-CERT HIDDEN COBRA June 2017: US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.
- [2] Treasury North Korean Cyber Groups September 2019: US Treasury. (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.
- [3] Novetta Blockbuster: Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- [4] Mandiant DPRK Laz Org Breakdown 2022: Michael Barnhart, Michelle Cantos, Jeffery Johnson, Elias Fox, Gary Freas, Dan Scott. (2022, March 23). Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations. Retrieved September 9, 2025.
- [5] Mandiant DPRK Groups 2023: Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, Adrian Hernandez. (2023, October 10). Assessed Cyber Structure and Alignments of North Korea in 2023. Retrieved August 25, 2025.
- [6] JPCert Blog Laz Subgroups 2025: 佐々木勇人 Hayato Sasaki. (2025, March 25). Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup. Retrieved August 25, 2025.
- [7] CrowdStrike Labyrinth Chollima Feb 2022: CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.
- [8] Diamond Sleet: (Citation: Microsoft Threat Actor Naming July 2023)
- [9] Guardians of Peace: (Citation: US-CERT HIDDEN COBRA June 2017)
- [10] HIDDEN COBRA: The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. (Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)
- [11] Labyrinth Chollima: (Citation: CrowdStrike Labyrinth Chollima Feb 2022)
- [12] Lazarus Group: (Citation: Novetta Blockbuster)
- [13] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [14] Microsoft ZINC disruption Dec 2017: Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.
- [15] NICKEL ACADEMY: (Citation: Secureworks NICKEL ACADEMY Dec 2017)
- [16] Secureworks NICKEL ACADEMY Dec 2017: Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.
- [17] US-CERT HOPLIGHT Apr 2019: US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- [18] ZINC: (Citation: Microsoft ZINC disruption Dec 2017)
- [19] mitre-attack G0032
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.