Lazarus Group
Aliases: Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet
Lazarus Group is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau. The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups, such as Andariel, APT37, APT38, and Kimsuky.
ATT&CK techniques
Windows Command Shell
T1566.001 Spearphishing Attachment
T1202 Indirect Command Execution
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
T1001.003 Protocol or Service Impersonation
T1584.004 Server
T1105 Ingress Tool Transfer
T1218.005 Mshta
T1010 Application Window Discovery
T1587.001 Malware
T1134.002 Create Process with Token
T1021.004 SSH
T1098 Account Manipulation
T1564.001 Hidden Files and Directories
T1485 Data Destruction
T1591 Gather Victim Org Information
T1106 Native API
T1078 Valid Accounts
T1012 Query Registry
T1090.002 External Proxy
T1027.013 Encrypted/Encoded File
T1104 Multi-Stage Channels
T1046 Network Service Discovery
T1005 Data from Local System
T1489 Service Stop
T1016 System Network Configuration Discovery
T1588.004 Digital Certificates
T1573.001 Symmetric Cryptography
T1082 System Information Discovery
T1033 System Owner/User Discovery
T1620 Reflective Code Loading
T1041 Exfiltration Over C2 Channel
T1102.002 Bidirectional Communication
T1560 Archive Collected Data
T1203 Exploitation for Client Execution
T1059.001 PowerShell
T1566.002 Spearphishing Link
T1074.001 Local Data Staging
T1036.003 Rename System Utilities
T1047 Windows Management Instrumentation
T1071.001 Web Protocols
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
T1057 Process Discovery
T1547.001 Registry Run Keys / Startup Folder
T1589.002 Email Addresses
T1561.001 Disk Content Wipe
T1491.001 Internal Defacement
T1588.002 Tool
T1547.009 Shortcut Modification
T1059.005 Visual Basic
T1542.003 Bootkit
T1218.011 Rundll32
T1583.006 Web Services
T1056.001 Keylogging
T1571 Non-Standard Port
T1132.001 Standard Encoding
T1189 Drive-by Compromise
T1110.003 Password Spraying
T1204.002 Malicious File
T1553.002 Code Signing
T1218 System Binary Proxy Execution
T1560.002 Archive via Library
T1027.007 Dynamic API Resolution
T1070.004 File Deletion
T1090.001 Internal Proxy
T1008 Fallback Channels
T1140 Deobfuscate/Decode Files or Information
T1562.001 Disable or Modify Tools
T1561.002 Disk Structure Wipe
T1583.001 Domains
T1562.004 Disable or Modify System Firewall
T1053.005 Scheduled Task
T1566.003 Spearphishing via Service
T1036.005 Match Legitimate Name or Location
T1070 Indicator Removal
T1083 File and Directory Discovery
T1574.013 KernelCallbackTable
T1055.001 Dynamic-link Library Injection
T1585.001 Social Media Accounts
T1021.001 Remote Desktop Protocol
T1529 System Shutdown/Reboot
T1124 System Time Discovery
T1036.004 Masquerade Task or Service
T1070.006 Timestomp
T1070.003 Clear Command History
T1574.002 DLL Side-Loading
T1543.003 Windows Service
T1021.002 SMB/Windows Admin Shares
T1585.002 Email Accounts
T1049 System Network Connections Discovery
T1560.003 Archive via Custom Method
T1584.001 Domains
T1027.002 Software Packing
T1204.001 Malicious Link
T1087.002 Domain Account
T1591.004 Identify Roles
T1567.002 Exfiltration to Cloud Storage
T1583.004 Server
T1608.002 Upload Tool
T1110 Brute Force
T1593.001 Social Media
T1220 XSL Script Processing
T1534 Internal Spearphishing
T1221 Template Injection
T1218.010 Regsvr32
T1497.001 System Checks
T1614.001 System Language Discovery
T1036 Masquerading
T1608.001 Upload Malware
T1588.003 Code Signing Certificates
T1218.001 Compiled HTML File
T1496 Resource Hijacking
T1547.005 Security Support Provider
T1003.001 LSASS Memory
T1112 Modify Registry
T1059 Command and Scripting Interpreter
Correlated CTI and IR reports
CTI Research: Kubernetes & Cloud-Native Threat Landscape (1200km CTI repository, explicit report mention)
From Threat Intelligence to Detection: A Practitioner's Guide (1200km CTI repository, explicit report mention)
CTI Research Kubernetes Cloud Native Threat Landscape (1200km CTI repository, explicit report mention)
Comprehensive Guide to DoS and DDoS Attacks with MITRE ATT&CK (1200km Medium, authored report mention)
From Threat Intelligence to Detection: A Practitioner's Guide (1200km Medium, authored report mention)
Phishing Email Awareness: Protecting Employees and Organizations (1200km Medium, authored report mention)
1200km Medium · authored report mention