Lazarus Group

Lazarus Group is a threat group that has been attributed to the North Korean government. The group has been active since at least 2009, and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of the campaign Operation Blockbuster, which was named by Novetta.

Malware used by Lazarus Group has been correlated with other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. In late 2017, Lazarus Group used the disk-wiping tool KillDisk in an attack against an online casino based in Central America.

North Korean group definitions have significant overlap, and the name Lazarus Group encompasses a broad range of activity. Some organizations use Lazarus Group to refer to any activity attributed to North Korea. Other organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while still others track some activity associated with those groups as Lazarus Group.

Other names for this threat

Andariel, Appleworm, APT-C-26, APT38, Bluenoroff, Bureau 121, COVELLITE, Dark Seoul, GOP, Group 77, Guardian of Peace, Guardians of Peace, Hastati Group, HIDDEN COBRA, Labyrinth Chollima, Lazarus, NewRomantic Cyber Army Team, NICKEL ACADEMY, Operation AppleJesus, Operation DarkSeoul, Operation GhostSecret, Operation Troy, Silent Chollima, Subgroup: Andariel, Subgroup: Bluenoroff, Unit 121, Whois Hacking Team, WHOis Team, ZINC

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.