Also known as: Hidden Cobra, ZINC, Diamond Sleet, Labyrinth Chollima, APT38, Bluenoroff, Andariel, Guardians of Peace, Whois Team, TraderTraitor, Pompilus, Onyx Sleet, Stonefly, Selective Pisces, Alluring Pisces, Gleaming Pisces, Slow Pisces, Sparkling Pisces, Jumpy Pisces, Sapphire Sleet, Jade Sleet, Citrine Sleet, Moonstone Sleet, UNC2970, UNC4034, UNC4736, UNC4899, Famous Chollima, DeceptiveDevelopment, DEV#POPPER, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, CageyChameleon, CryptoCore, Genie Spider, BeagleBoyz, Black Artemis
Spearphishing Attachment
Send targeted emails with malicious file attachments to gain initial access.
Valid Accounts
Use legitimate credentials to authenticate and gain access.
Drive-by Compromise
Gain access through a user visiting a compromised website during normal browsing.
Spearphishing Link
Send targeted emails with malicious links to credential harvesting or exploit pages.
Phishing
Send deceptive messages to trick victims into executing malicious content.
T1566.003
T1195.002
T1059.006
T1059.007
T1204.002
T1565.001
T1071.001
T1553.002
T1195.001
T1071.004
T1583.003
T1608.005
T1213.003
T1134.004
T1574.002
T1588.002
T1587.001
T1203
T1588.001
T1583.001
T1057
T1070.004
T1112
T1012
T1016
T1049
T1033
T1562.001
T1518.001
T1135
T1053.005
T1039
T1056.001
T1132.001
T1546.003
T1574.001
T1583.006
T1569.002
T1543.003
T1059.005
T1090.003
T1567.002
T1218.011
T1218.005
T1053.002
T1036.005
T1027.010
T1027.002
T1564.001
T1102
T1020
T1583.008
T1608.001
T1553.006
T1134.001
T1134.002
T1134.003
T1134.005
T1098
T1552.001
T1078.004
T1199
T1550.002
T1584.004
T1606.002
T1528
T1539
Obfuscated Files or Information
Encrypt, encode, or obfuscate payloads and data to evade detection.
Masquerading
Disguise malicious artifacts by manipulating names or locations to appear legitimate.
Process Injection
Inject code into running processes to evade defenses and elevate privileges.
Deobfuscate/Decode Files or Information
Decode or deobfuscate data and files that were previously hidden or encrypted.
System Information Discovery
Collect OS version, architecture, hostname, and other system details.
File and Directory Discovery
Enumerate files and directories to find sensitive data or binaries.
Remote System Discovery
Discover remote systems on the network for lateral movement targets.
Account Discovery
Enumerate local, domain, or cloud accounts on a system or environment.
Trojanized cryptocurrency trading applications distributed as legitimate software. Targets Windows and macOS to steal cryptocurrency wallet credentials and keys.
Primary RAT using dual-proxy communication with RC4 encryption. Provides full remote access including file management, process manipulation, and system information gathering.
Sophisticated RAT with proxy-aware C2 communication. Used in defense contractor targeting campaigns with capabilities for screen capture, file transfer, and process manipulation.
Advanced backdoor used in defense industry espionage campaigns. Capable of pivoting between IT and restricted OT networks within compromised organizations.
Modular spyware used for keylogging, browser history theft, and collecting running processes. Evolved from DarkSeoul tools used in attacks against South Korea.
Highly customizable backdoor family used across multiple Lazarus campaigns. Supports extensive plugins for reconnaissance, exfiltration, and lateral movement.
Cross-platform malware framework (Windows, Linux, macOS) with modular plugin architecture. Supports file manipulation, proxying, and loading additional modules from C2.
Used extensively for post-exploitation in financial sector attacks. Beacons deployed via spear-phishing or trojanized apps for lateral movement and data exfiltration.
Deployed for credential harvesting from Windows systems. Used to obtain NTLM hashes and Kerberos tickets for lateral movement within financial institution networks.
Used for fileless malware execution, downloading secondary payloads, and living-off-the-land reconnaissance in compromised enterprise environments.
Self-propagating ransomware worm that exploited EternalBlue (MS17-010). Infected 300,000+ computers across 150 countries in 2017, causing billions in damages.
Custom malware deployed on banking switch application servers to intercept and approve fraudulent ATM withdrawal requests. Used in ATM jackpotting campaigns across Asia and Africa.
Custom tunneling tool that creates encrypted channels between compromised networks and C2 infrastructure, allowing data exfiltration through proxied connections.
Supply chain attacks via malicious packages on npm and PyPI registries targeting cryptocurrency developers. Packages contain hidden backdoors activated on install.
Elaborate fake recruiter personas on LinkedIn to target cryptocurrency and defense sector employees. Delivers trojanized coding challenges or job-related documents.
Trojanized versions of legitimate PyPI packages targeting Python developers. Used as part of supply chain attacks against cryptocurrency companies.
Remote access tool used by Andariel subgroup for data exfiltration
Trojanized cryptocurrency wallet application targeting blockchain users
Malware specifically designed to compromise cryptocurrency trading platforms
Remote access backdoor with extensive data collection capabilities
Backdoor with command execution and data exfiltration functionality
Modular backdoor with extensive reconnaissance and persistence capabilities
Remote access trojan deployed in targeted attacks against energy and defense sectors
Backdoor malware used for lateral movement and data exfiltration
Remote access tool used in financial sector intrusions
Backdoor malware with modular capabilities for espionage operations
Legitimate VoIP application compromised in supply chain attack to distribute malware
Proxy tool and backdoor that establishes encrypted communications channels
Legitimate VoIP software compromised in major supply chain attack affecting 600,000+ organizations
Initial stage loader used to deploy additional malware payloads in targeted attacks
Multi-stage RAT targeting macOS systems, deployed against blockchain engineers via trojanized Discord applications
Supply chain compromise of 3CX VoIP desktop application distributing malware
Golang-based dropper used by Andariel subgroup in ransomware operations
Loader component used in software supply chain attacks targeting legitimate applications
Multi-stage loader used to deploy additional payloads in targeted operations
Qt-based remote access trojan targeting Windows systems in cryptocurrency and fintech sectors
Golang-based backdoor used in LinkedIn social engineering campaigns targeting cryptocurrency professionals
Rust-based backdoor deployed via trojanized cryptocurrency applications and npm packages
Backdoor trojan capable of downloading additional payloads and executing commands
SMB worm with brute-force capabilities used for lateral movement in networks
Backdoor used in early Lazarus campaigns with command execution and data exfiltration features
Privilege escalation tool exploiting Windows AppLocker vulnerabilities
Lightweight RAT delivered via trojanized npm packages targeting developers
Supply chain compromise of 3CX VoIP software used to distribute malware to downstream victims
Supply chain compromise of 3CX VoIP desktop application used to deploy malware
JavaScript-based information stealer distributed via malicious npm packages
Python-based backdoor with keylogging and browser credential theft capabilities
Modular implant framework with capabilities for persistence, credential theft, and data exfiltration
Legitimate VoIP application compromised in 2023 supply chain attack to distribute malware
Malware loader component used in multi-stage infection chains
Trojanized application targeting SWIFT banking infrastructure
HTTP-based backdoor with keylogging capabilities
Ransomware targeting healthcare sector with file encryption capabilities
Lightweight backdoor leveraging Telegram Bot API for C2 communications
Backdoor used in supply chain attacks and cryptocurrency exchange targeting
Trojanized 3CX desktop client used in 2023 supply chain attack affecting thousands of organizations
Lightweight backdoor used in supply chain attacks against software developers, capable of executing commands and exfiltrating data
Multi-stage loader used to deploy additional payloads, observed in cryptocurrency-targeting campaigns
Native RAT used by Andariel/Stonefly subgroup with capabilities for file operations, command execution, and data exfiltration
Legitimate VoIP software compromised in 2023 supply chain attack
Loader used to decrypt and execute additional malicious payloads
Supply chain compromise backdoor embedded in signed 3CX VoIP application installers
Supply chain compromise of 3CX VoIP desktop client (Operation DreamJob)
Cryptocurrency wallet theft malware delivered via trojanized applications targeting macOS users
Trojan used for remote access and control in targeted intrusions
Rust-based macOS malware deployed via AppleScript and Swift loaders in social engineering campaigns
Credential harvesting malware distributed through trojanized cryptocurrency applications
Multi-stage loader used for deploying additional payloads in supply chain attacks
Supply chain compromise of 3CX voice and video conferencing software in 2023
Advanced backdoor deployed after initial compromise, supports extensive command execution and data exfiltration
Supply chain compromise loader delivered through trojanized 3CX DesktopApp used to deploy final-stage payloads
Ransomware-as-a-service platform used by Lazarus Group in recent operations
Technique using blockchain smart contracts to hide malicious code on Binance Smart Chain
Golang-based remote access trojan used in cryptocurrency-focused campaigns with extensive reconnaissance capabilities
Supply chain compromise of 3CX desktop application affecting hundreds of thousands of users globally
| Type | Value |
|---|---|
| domain | celasllc[.]com |
| domain | unioncrypto[.]vip |
| ip | 185[.]29[.]8[.]18 |
| ip | 45[.]33[.]2[.]79 |
| hash | 5d9e5c7d05c3a2e2e0e7c2de42a7c4e7 |
| domain | codepool[.]cloud |
| domain | aurevian[.]cloud |
| domain | amazonfiso[.]com |
| domain | human-check[.]com |
| domain | zoom-tech[.]us |
| domain | zoom[.]webus02[.]us |
| ip | 23[.]27[.]140[.]49 |
| ip | 23[.]27[.]140[.]135 |
| hash | 2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1 |
| hash | 689cfaa9319f3f7529a31472ecf6b2e0ca6891b736de009e0b6c2ebac958cc94 |
| domain | coingecko[.]store |
| domain | blockchain[.]zendesk[.]com |
| hash | 5c7c9b6f8c0e6f1e5f9c9e5d7e3a6c1e9f2b4d6a8c0e2f4b6d8a0c2e4f6a8c0e |
| domain | testapp[.]6sync[.]com |
| domain | coinkrx[.]com |
| hash | 5d3c6b3c4f6b3d3c4f6b3d3c4f6b3d3c |
| domain | zacharryblogs[.]com |
| domain | org-check-aws[.]com |
| hash | b5d33cea3c48e21408ee6fa7b11f39f5e3ec0e7e |
| domain | akamaicontainer[.]com |
| domain | coingomble[.]com |
| domain | dreamcryptohouse[.]com |
| hash | 3e101c0e76c8c0f4c6f3f4e6e9f0d8a9f5e5f5e5f5e5f5e5f5e5f5e5f5e5f5e5 |
| domain | oragx[.]org |
| domain | testforcheck[.]com |
| hash | 8a4cb926ef9ba6b8f49c8c8fe7c3835e8194f850d21d64a1e090ba163d4a1d9a |
| domain | www[.]rbuniverse[.]xyz |
| domain | concertcare-infra[.]com |
| domain | chainalysis-trading[.]com |
| hash | 8a8c3b3f5e5d3e9f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f |
| domain | github-devsecops[.]com |
| domain | npm-security-update[.]com |
| hash | 8b2f6b8f9c7a1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e |
| domain | advancedaiconsulting[.]com |
| domain | codedbyvector[.]com |
| hash | 74bc2d0b6680fad1a2d4f71b42b4e92c5eb69e88e7c7aa8b9deb3e07cb1e8d9e |
| domain | transpond[.]net |
| domain | onetimeconsult[.]com |
| domain | angeldonationblog[.]com |
| domain | dev-members[.]mailbiz[.]xyz |
| hash | b36ae54575e2ffc66f83719ca6e931f1 |
| domain | transperfect[.]world |
| domain | journalide[.]org |
| domain | glcloudservice[.]com |
| hash | 8c0b5b520b4d193fed95d2914cd7c89a2a80dec6da6d5c7c23b4f9f5f1f5f5a3 |
| domain | concretecms[.]org |
| domain | coniferbrass[.]com |
| hash | 8d6b3b1e8e6a9a2c5d4f3e7b1a9c8e5d4f3e7b1a9c8e5d4f3e7b1a9c8e5d |
| domain | coinsuperexchange[.]com |
| domain | unioncryptotrader[.]com |
| hash | 5d3c8e3c1d8b6d5c8e3c1d8b6d5c8e3c1d8b6d5c8e3c1d8b6d5c8e3c1d8b6d5c |
| domain | chainanalysis[.]io |
| domain | trezor-online[.]com |
| hash | 1b1e3e4c7f8a9d6e5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1 |
| domain | coinhub[.]games |
| domain | swapservice[.]io |
| hash | 8f9c8b8e4c5e4d9a3b2c1f0e8d7a6b5c4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9 |
| domain | tradingview[.]services |
| ip | 23[.]254[.]119[.]12 |
| domain | visualstudio-app[.]com |
| hash | f3d4e5c6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4 |
| domain | chainlightanalytics[.]com |
| domain | zebraswap[.]online |
| hash | 8e3f5d8c7a2b9e6f1d4c8a7b5e9f2c6d3a7b8e4f1c5d9a2b6e8f3c7d4a1b5e9f |
| domain | transpaper[.]world |
| hash | dc39239be5d5a54bc0f2e7c31c774b3607b4d692c8dcf2e39e295dbf0c80ea1e |
| domain | msd[.]microsofts[.]eu[.]org |
| domain | files[.]pypi-python[.]org |
| hash | 3642d91bf38c5b844b7c88f13f9d8e3b |
| domain | detankwar[.]com |
| domain | detankzone[.]com |
| hash | f0c5d0e0d1e8e5c5b5f5a5d5c5b5a5d5c5b5a5d5c5b5a5d5c5b5a5d5c5b5a5d5 |
| domain | mdn[.]fastshoppingv[.]com |
| domain | bankofamerica-web[.]com |
| hash | 52a3c9f8f8e23f0f7283e5f8e5c2b8d6f8e8e8e8e8e8e8e8e8e8e8e8e8e8e8e8 |
| domain | airplanenow[.]net |
| domain | glasslawnmoving[.]com |
| hash | 2360c69b3f6c5b6d29120b3c2a4a0373e9d0c1c5e5c6c5a6c6c5c6c5c6c5c6c5 |
| domain | wvdacom[.]com |
| domain | secure-update-chrome[.]com |
| domain | coinmarketstat[.]com |
| hash | 3c5c8b6f8d4e7a9b2c1d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b |
| ip | 185[.]220[.]101[.]182 |
| domain | transperfect[.]online |
| domain | careers-tradingtechs[.]com |
| hash | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| domain | onlineworkspace[.]xyz |
| domain | bscscan[.]pro |
| domain | pancakeswap[.]finance |
| hash | 5d1b5c8d6c0c0e5e5f5a5f5c5d5e5f5a5f5c5d5e5f5a5f5c5d5e5f5a5f5c5d5e |
| hash | 11be1803e2e307b647a8a7e02d128335c448ff741bf06bf52b332e0bbf423b03 |
| domain | concinnusconcepts[.]com |
| domain | airbnb-analytic[.]com |
| domain | opensourceapps[.]org |
| hash | 1b4d7d8f9a0e4c3d2b5e6f7a8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d |
| domain | glorykillers[.]com |
| domain | mist[.]xyz |
| domain | amazonawss3buckets[.]com |
| domain | dev-environment-update[.]com |
| hash | 8b9d6a6d5e3c4f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a |
| domain | coingecko-api[.]com |
| domain | transperfect[.]net |
| hash | 8d3e867e23ea21c38ebc7a65e98c8e5b2fd5e6a3 |
| domain | msc-conf[.]com |
| Domain / Host | Status |
|---|---|
| pypistorage[.]com | offline |
| keondigital[.]com | active |
| arcashop[.]org | whois_changed |
| jdkgradle[.]com | offline |
| latamics[.]org | offline |
| lmaxtrd[.]com | offline |
| paxosfuture[.]com | offline |
| ftxstock[.]com | offline |
| nansenpro[.]org | offline |
| azureglobalaccelerator[.]com | active |
| azuredeploypackages[.]net | active |
| defitankwar[.]com | offline |
| defitankzone[.]com | offline |
| 23[.]227[.]202[.]244 | offline |
| codepool[.]cloud | active |
| aurevian[.]cloud | whois_changed |
| amazonfiso[.]com | whois_changed |
| human-check[.]com | offline |
| zoom-tech[.]us | offline |
| zoom[.]webus02[.]us | offline |
| dataupload[.]store | unknown |
| filedrive[.]online | unknown |
| system[.]updatecheck[.]store | unknown |
| lianxinxiao[.]com | unknown |
| blocknovas[.]com | unknown |
| www[.]scoringmnmathleague[.]org | unknown |
| backlinkbase[.]com | unknown |
| coolproyect[.]es | unknown |
Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.
https://www.elastic.co/security-labs/KANDYKORN-north-korean-threat-actor-targets-blockchain-engineers
JPCERT/CC - Lazarus Group Targets Cryptocurrency Assets
https://blogs.jpcert.or.jp/en/2024/01/lazarus-kmspico.html
SentinelOne - KANDYKORN macOS Malware Analysis
https://www.sentinelone.com/labs/kandykorn-new-macos-malware-family-targets-cryptocurrency-engineers/
Kaspersky - DTrack Activity Targeting Financial Institutions
https://securelist.com/dtrack-targeting-europe-latin-america/107798/
Microsoft Threat Intelligence - North Korean Threat Actor Targets Cryptocurrency Sector
https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/
Microsoft Threat Intelligence: ZINC weaponizing open-source software
https://www.microsoft.com/en-us/security/blog/2022/10/27/zinc-weaponizing-open-source-software/
Kaspersky: Andariel evolves to target South Korean financial organizations and defense industries
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/105463/
CISA Alert (AA23-144A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
CISA: #StopRansomware Advisory on North Korea State-Sponsored Cyber Actors
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
Kaspersky: BlueNoroff cryptocurrency hunt expands to new platforms
https://securelist.com/bluenoroff-cryptocurrency-hunt/111149/
FBI Flash: TraderTraitor Campaign Targeting Cryptocurrency Industry
https://www.ic3.gov/Media/News/2023/230707.pdf
Kaspersky: Lazarus APT targets macOS users with multi-stage malware
https://securelist.com/lazarus-apt-targets-macos-users/111348/
FBI: TraderTraitor: North Korea's AppleJeus Malware Targeting Cryptocurrency Users
https://www.fbi.gov/news/stories/north-korean-malware-targeting-cryptocurrency
SentinelOne: KANDYKORN - Multi-Stage macOS APT
https://www.sentinelone.com/labs/kandykorn-from-the-lazarus-group/
Microsoft - Tracking Lazy Lazarus cryptocurrency theft techniques
https://www.microsoft.com/en-us/security/blog/2023/07/26/north-korean-threat-actor-citrine-sleet-exploiting-chromium-zero-day/
CISA Alert - AppleJeus: Analysis of North Korea's Cryptocurrency Malware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a
CrowdStrike - LABYRINTH CHOLLIMA Adversary Profile
https://www.crowdstrike.com/adversaries/labyrinth-chollima/
ESET - Lazarus Group: From Bangladesh to Poland
https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/
KANDYKORN: A New macOS Malware Strain Used by Lazarus
https://www.elastic.co/security-labs/KANDYKORN-lazarus-remote-access-trojan
TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
https://www.microsoft.com/en-us/security/blog/2023/04/18/multiple-north-korean-threat-actors-exploiting-the-same-vulnerabilities/
Lazarus Group Exploiting Zero-Day Vulnerabilities in MagicLine4NX
https://thehackernews.com/2024/11/lazarus-group-exploits-zero-day.html
Lazarus Group's RustyAttr: New Rust-based Malware Targets Aerospace and Cryptocurrency
https://www.microsoft.com/en-us/security/blog/2024/11/rustyattr-lazarus-group-malware/
Kaspersky: Operation DreamJob - Lazarus Targeting Developers with Malicious npm Packages
https://securelist.com/lazarus-dreamjob-npm-malware/111456/
Mandiant: North Korean Threat Actor Targets Cryptocurrency Industry with Custom Malware
https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cryptocurrency-attacks-2024
Kaspersky: Andariel evolves to target South Korea with ransomware
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/105330/
ESET: Lazarus Trojanized DeFi Wallet Apps Steal Crypto
https://www.welivesecurity.com/2023/03/20/fake-trading-apps-target-cryptocurrency-users/
SentinelOne: KANDYKORN - Multi-Stage macOS Malware Targets Cryptocurrency Exchanges
https://www.sentinelone.com/labs/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
Kaspersky: Lazarus Bluenoroff cryptocurrency heists continue
https://securelist.com/lazarus-bluenoroff-cryptocurrency-heists/111716/
SentinelOne: KANDYKORN macOS malware targets cryptocurrency exchanges
https://www.sentinelone.com/blog/combing-through-the-invisible-the-emergence-of-kandykorn-macos-malware/