Threat Group Profiling: Lazarus
2025.04.29

✅ Report Title: Threat Group Profiling - Lazarus (APT Group)

The S2W Threat Intelligence Center has published an analysis report on the Lazarus APT group, affiliated with North Korea's Reconnaissance General Bureau. This high-level threat intelligence report goes beyond basic profiling, offering in-depth insights into Lazarus's organizational structure, recent attack trends, and evolving Tactics, Techniques, and Procedures (TTPs).

✅ Executive Summary:

📌 Who is the Lazarus APT Group?

- The Lazarus Group is a prominent APT group backed by the North Korean government, believed to have begun operations around 2009.
- It is also known by various aliases, including Hidden Cobra, Guardians of Peace, Labyrinth Chollima, UNC4034, BlackArtemis, ZINC, Nickel Academy, APT-C-26, and Diamond Sleet.
- Lazarus has conducted a wide range of operations against global organizations and enterprises for data theft, system destruction, and cryptocurrency theft, among other objectives.
- Since January 2023 alone, the group is estimated to have carried out over 25 major cyberattacks.
- For initial compromise, Lazarus commonly relies on vulnerability exploitation and watering hole attacks, phishing, and supply chain attacks.

📌 Key Tactics, Techniques, and Procedures (TTPs)

- Exploit Vulnerability & Watering Hole: Lazarus has consistently compromised legitimate websites to weaponize them as watering holes. Numerous cases have been identified where the group exploited zero-day vulnerabilities and remote code execution (RCE) vulnerabilities to infiltrate web servers.
- Phishing: Lazarus distributes malware via phishing emails and approaches targets through social networking services (X, Signal, WhatsApp, Wire, etc.). It leverages techniques such as malicious macros (T1137.001) and remote template injection (T1221) to deliver weaponized documents.
  - Notable cases: Operation DreamJob, phishing websites themed around cryptocurrency, and the MATA malware campaign.
- Supply Chain Attack: Lazarus has actively leveraged third-party supply chains to disseminate malware, including compromised security solutions and IT software.
  - Notable case: 3CX supply chain compromise.
- Common Attack Techniques: Regardless of the initial infiltration method, Lazarus consistently employs techniques such as Timestomp (T1070.006), Indicator Removal (T1070), Reflective Code Loading (T1260), and DLL Side-Loading (T1574.002).

✅ Recommended Threat Detection and Mitigation Actions:

- Lazarus has increasingly weaponized supply chain attacks and undisclosed zero-day vulnerabilities to propagate malware, resulting in widespread global impact.
- Notably, the group has compromised numerous South Korean corporate websites, converting them into watering hole sites and deploying zero-day malware, reinforcing its status as one of the most formidable APT groups.
- Organizations are strongly advised to analyze the TTPs relevant to their environment and to prioritize threat hunting and detection efforts accordingly, proactively strengthening their overall security posture.
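The TTP list above names Timestomp (T1070.006) among the techniques Lazarus applies regardless of initial access, and the last recommendation asks defenders to prioritize hunting around such TTPs. The following added example (not S2W's or the report's code) shows triage heuristics an analyst can run over the NTFS $STANDARD_INFORMATION and $FILE_NAME timestamps a forensic tool exports; the records, paths and values are constructed, and every hit is a lead for review rather than proof of tampering.

```python
# Added example (not S2W's code): Timestomp (T1070.006) triage over NTFS
# timestamps a forensic tool exports. All records are constructed, epoch ns.
from dataclasses import dataclass

NS_PER_S = 1_000_000_000

@dataclass
class FileTimes:
    path: str
    si_created: int   # $STANDARD_INFORMATION created
    si_modified: int  # $STANDARD_INFORMATION modified
    fn_created: int   # $FILE_NAME created
    fn_modified: int  # $FILE_NAME modified

def timestomp_indicators(rec: FileTimes) -> list[str]:
    """Return the names of the heuristics that fire for one file record."""
    hits = []
    # Seconds-granular time-setting APIs leave the fractional part at zero.
    if rec.si_modified % NS_PER_S == 0 and rec.si_created % NS_PER_S == 0:
        hits.append("zero_fraction")
    # $FILE_NAME is not settable from user mode; $SI before $FN suggests back-dating.
    if rec.si_created < rec.fn_created or rec.si_modified < rec.fn_modified:
        hits.append("si_before_fn")
    # A file written in place cannot be modified before it was created.
    if rec.si_modified < rec.si_created:
        hits.append("modified_before_created")
    return hits

def triage(records: list[FileTimes]) -> dict[str, list[str]]:
    """Map path -> fired heuristics for every record with at least one hit."""
    out = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            out[rec.path] = hits
    return out

# Constructed sample: a normal file, a DLL back-dated to whole seconds,
# and a loader whose modified time precedes its created time.
SAMPLE = [
    FileTimes(r"C:\Windows\System32\normal.dll",
              1_700_000_000_123_456_700, 1_700_000_100_987_654_300,
              1_700_000_000_123_456_700, 1_700_000_100_987_654_300),
    FileTimes(r"C:\Windows\System32\sideload.dll",
              1_600_000_000_000_000_000, 1_600_000_000_000_000_000,
              1_745_000_000_555_000_000, 1_745_000_000_555_000_000),
    FileTimes(r"C:\Temp\loader.exe",
              1_745_000_200_111_000_000, 1_745_000_100_222_000_000,
              1_745_000_200_111_000_000, 1_745_000_200_111_000_000),
]
```

Whole-second timestamps also occur on files restored from archives or backups that preserve times, so treat zero_fraction as a prioritisation signal to be confirmed against other evidence (prefetch, event logs, $LogFile) rather than a verdict.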



🧑‍💻 Report Author: S2W TALON (Updated 2025-04-29)

👉 Contact us: https://s2w.inc/en/contact

*The full report is available upon request or with a subscription to the S2W platform.