Lazarus Group

Summary of Actor: Lazarus Group, also known as APT38, is a highly sophisticated, state-sponsored threat actor attributed to North Korea. The group is known for its cyber espionage, financially motivated attacks, and disruptive cyber operations targeting various industries worldwide. Active since at least 2009, Lazarus has been responsible for major financial heists, intellectual property theft, and destructive malware campaigns.
General Features:
- Nation-State Backing: Strongly linked to the North Korean government, likely operating under the Reconnaissance General Bureau (RGB).
- Advanced Tactics: Utilizes custom malware, zero-day exploits, supply chain attacks, and sophisticated social engineering techniques.
- Diverse Targeting: Initially focused on government and military espionage, but now predominantly targeting financial institutions, cryptocurrency exchanges, blockchain-related firms, and high-value enterprises.
- Evasion Capabilities: Employs multi-stage attacks, obfuscation techniques, and legitimate tools to evade detection and maintain persistence.
Related Other Groups:
- Reaper, Kimsuky (APT37), Andariel, BlueNoroff (APT38)
Indicators of Attack (IoA):
- Spear-Phishing & Social Engineering
- Custom Malware & Exploits
- Compromise of Supply Chains & Software Updates
- Command-and-Control (C2) Infrastructure
- Cryptocurrency Theft & Laundering
Recent Activities and Trends:
- Latest Campaigns:
  - ByBit Cryptocurrency Exchange Attack
  - Ransomware & Supply Chain Attacks
  - Advanced Blockchain Attacks
- Emerging Trends:
  - Increased Focus on Financial Cybercrime
  - Use of AI for Social Engineering & Phishing
  - Targeting of Cybersecurity & Threat Intelligence Firms
Aliases: UNC4736, Appleworm, Hidden Cobra, UNC2970, Guardians of Peace (+24 more)
Targeted Countries: Germany, Australia, Poland, USA, Worldwide (WannaCry) (+23 more)
Targeted Sectors: Energy & Utilities, Finance, Healthcare & Social Assistance, Public Administration, Electrical & Electronic Manufacturing (+2 more)
Associated Malware: osx.hloader, win.hoplight, comebacker, win.dyepack, Trojan:Win32/SmokeLoader (+208 more)
Techniques: T1048 - Exfiltration Over Alternative Protocol, T1060 - Registry Run Keys / Startup Folder, T1497 - Virtualization/Sandbox Evasion, T1195.001 - Compromise Software Dependencies and Development Tools, T1090 - Proxy (+420 more)
Tactic | ID | Technique
---|---|---
Collection | T1557 | Adversary-in-the-Middle
Collection | T1530 | Data from Cloud Storage
Collection | T1025 | Data from Removable Media
Collection | T1056 | Input Capture
Collection | T1074 | Data Staged
Collection | T1039 | Data from Network Shared Drive
Collection | T1005 | Data from Local System
Collection | T1213 | Data from Information Repositories
Collection | T1119 | Automated Collection
Collection | T1115 | Clipboard Data
Collection | T1560 | Archive Collected Data
Collection | T1125 | Video Capture
Collection | T1114 | Email Collection
Collection | T1113 | Screen Capture
Command And Control | T1104 | Multi-Stage Channels
Command And Control | T1001 | Data Obfuscation
Command And Control | T1095 | Non-Application Layer Protocol
Command And Control | T1568 | Dynamic Resolution
Command And Control | T1024 | Custom Cryptographic Protocol
Command And Control | T1105 | Ingress Tool Transfer
Command And Control | T1071 | Application Layer Protocol
Command And Control | T1571 | Non-Standard Port
Command And Control | T1102 | Web Service
Command And Control | T1132 | Data Encoding
Command And Control | T1219 | Remote Access Software
Command And Control | T1008 | Fallback Channels
Command And Control | T1572 | Protocol Tunneling
Command And Control | T1573 | Encrypted Channel
Command And Control | T1090 | Proxy
Credential Access | T1557 | Adversary-in-the-Middle
Credential Access | T1056 | Input Capture
Credential Access | T1556 | Modify Authentication Process
Credential Access | T1555 | Credentials from Password Stores
Credential Access | T1040 | Network Sniffing
Credential Access | T1139 | Bash History
Credential Access | T1111 | Multi-Factor Authentication Interception
Credential Access | T1110 | Brute Force
Credential Access | T1081 | Credentials in Files
Credential Access | T1187 | Forced Authentication
Credential Access | T1003 | OS Credential Dumping
Credential Access | T1552 | Unsecured Credentials
Defense Evasion | T1548 | Abuse Elevation Control Mechanism
Defense Evasion | T1574 | Hijack Execution Flow
Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
Defense Evasion | T1070 | Indicator Removal
Defense Evasion | T1556 | Modify Authentication Process
Defense Evasion | T1220 | XSL Script Processing
Defense Evasion | T1553 | Subvert Trust Controls
Defense Evasion | T1542 | Pre-OS Boot
Defense Evasion | T1562 | Impair Defenses
Defense Evasion | T1036 | Masquerading
Defense Evasion | T1497 | Virtualization/Sandbox Evasion
Defense Evasion | T1045 | Software Packing
Defense Evasion | T1564 | Hide Artifacts
Defense Evasion | T1112 | Modify Registry
Defense Evasion | T1480 | Execution Guardrails
Defense Evasion | T1221 | Template Injection
Defense Evasion | T1107 | File Deletion
Defense Evasion | T1218 | System Binary Proxy Execution
Defense Evasion | T1134 | Access Token Manipulation
Defense Evasion | T1064 | Scripting
Defense Evasion | T1143 | Hidden Window
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1078 | Valid Accounts
Defense Evasion | T1202 | Indirect Command Execution
Defense Evasion | T1550 | Use Alternate Authentication Material
Defense Evasion | T1620 | Reflective Code Loading
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1622 | Debugger Evasion
Defense Evasion | T1089 | Disabling Security Tools
Defense Evasion | T1014 | Rootkit
Defense Evasion | T1656 | Impersonation
Discovery | T1046 | Network Service Discovery
Discovery | T1007 | System Service Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1124 | System Time Discovery
Discovery | T1135 | Network Share Discovery
Discovery | T1217 | Browser Information Discovery
Discovery | T1040 | Network Sniffing
Discovery | T1010 | Application Window Discovery
Discovery | T1614 | System Location Discovery
Discovery | T1057 | Process Discovery
Discovery | T1012 | Query Registry
Discovery | T1497 | Virtualization/Sandbox Evasion
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1033 | System Owner/User Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1063 | Security Software Discovery
Discovery | T1087 | Account Discovery
Discovery | T1518 | Software Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1622 | Debugger Evasion
Discovery | T1049 | System Network Connections Discovery
Execution | T1059 | Command and Scripting Interpreter
Execution | T1053 | Scheduled Task/Job
Execution | T1559 | Inter-Process Communication
Execution | T1203 | Exploitation for Client Execution
Execution | T1047 | Windows Management Instrumentation
Execution | T1569 | System Services
Execution | T1072 | Software Deployment Tools
Execution | T1204 | User Execution
Execution | T1155 | AppleScript
Execution | T1064 | Scripting
Execution | T1129 | Shared Modules
Execution | T1106 | Native API
Exfiltration | T1048 | Exfiltration Over Alternative Protocol
Exfiltration | T1002 | Data Compressed
Exfiltration | T1022 | Data Encrypted
Exfiltration | T1011 | Exfiltration Over Other Network Medium
Exfiltration | T1567 | Exfiltration Over Web Service
Exfiltration | T1041 | Exfiltration Over C2 Channel
Impact | T1486 | Data Encrypted for Impact
Impact | T1529 | System Shutdown/Reboot
Impact | T1499 | Endpoint Denial of Service
Impact | T1561 | Disk Wipe
Impact | T1491 | Defacement
Impact | T1498 | Network Denial of Service
Impact | T1531 | Account Access Removal
Impact | T1496 | Resource Hijacking
Impact | T1490 | Inhibit System Recovery
Impact | T1485 | Data Destruction
Impact | T1495 | Firmware Corruption
Impact | T1489 | Service Stop
Impact | T1565 | Data Manipulation
Initial Access | T1193 | Spearphishing Attachment
Initial Access | T1566 | Phishing
Initial Access | T1190 | Exploit Public-Facing Application
Initial Access | T1133 | External Remote Services
Initial Access | T1195 | Supply Chain Compromise
Initial Access | T1199 | Trusted Relationship
Initial Access | T1189 | Drive-by Compromise
Initial Access | T1192 | Spearphishing Link
Initial Access | T1091 | Replication Through Removable Media
Initial Access | T1078 | Valid Accounts
Lateral Movement | T1534 | Internal Spearphishing
Lateral Movement | T1570 | Lateral Tool Transfer
Lateral Movement | T1017 | Application Deployment Software
Lateral Movement | T1072 | Software Deployment Tools
Lateral Movement | T1021 | Remote Services
Lateral Movement | T1210 | Exploitation of Remote Services
Lateral Movement | T1091 | Replication Through Removable Media
Lateral Movement | T1563 | Remote Service Session Hijacking
Lateral Movement | T1550 | Use Alternate Authentication Material
Persistence | T1053 | Scheduled Task/Job
Persistence | T1543 | Create or Modify System Process
Persistence | T1574 | Hijack Execution Flow
Persistence | T1505 | Server Software Component
Persistence | T1136 | Create Account
Persistence | T1060 | Registry Run Keys / Startup Folder
Persistence | T1547 | Boot or Logon Autostart Execution
Persistence | T1556 | Modify Authentication Process
Persistence | T1176 | Browser Extensions
Persistence | T1133 | External Remote Services
Persistence | T1542 | Pre-OS Boot
Persistence | T1037 | Boot or Logon Initialization Scripts
Persistence | T1546 | Event Triggered Execution
Persistence | T1098 | Account Manipulation
Persistence | T1137 | Office Application Startup
Persistence | T1023 | Shortcut Modification
Persistence | T1031 | Modify Existing Service
Persistence | T1078 | Valid Accounts
Persistence | T1138 | Application Shimming
Privilege Escalation | T1053 | Scheduled Task/Job
Privilege Escalation | T1543 | Create or Modify System Process
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism
Privilege Escalation | T1574 | Hijack Execution Flow
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1037 | Boot or Logon Initialization Scripts
Privilege Escalation | T1546 | Event Triggered Execution
Privilege Escalation | T1098 | Account Manipulation
Privilege Escalation | T1134 | Access Token Manipulation
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1078 | Valid Accounts
Privilege Escalation | T1138 | Application Shimming
Reconnaissance | T1589 | Gather Victim Identity Information
Reconnaissance | T1595 | Active Scanning
Reconnaissance | T1592 | Gather Victim Host Information
Reconnaissance | T1590 | Gather Victim Network Information
Reconnaissance | T1591 | Gather Victim Org Information
Reconnaissance | T1596 | Search Open Technical Databases
Reconnaissance | T1593 | Search Open Websites/Domains
Resource Development | T1586 | Compromise Accounts
Resource Development | T1588 | Obtain Capabilities
Resource Development | T1587 | Develop Capabilities
Resource Development | T1584 | Compromise Infrastructure
Resource Development | T1585 | Establish Accounts
Resource Development | T1583 | Acquire Infrastructure
Resource Development | T1608 | Stage Capabilities
Total Count: 676
https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
https://research.hisolutions.com/2025/04/rolling-in-the-deepweb-lazarus-tsunami/
https://socket.dev/blog/north-korean-apt-lazarus-targets-developers-with-malicious-npm-package
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/
https://www.youtube.com/watch?v=mrTdSdMMgnk
https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf
https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html
https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/
https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg
https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/
https://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families
https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf
https://twitter.com/kucher1n/status/1642886340105601029?t=3GCn-ZhDjqWEMXya_PKseg
https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf
https://www.youtube.com/watch?v=nUjxH1gW53s
https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/
https://attack.mitre.org/groups/G0032/
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.cyberbit.com/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage
https://objective-see.com/blog/blog_0x5F.html
https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
https://www.boho.or.kr/filedownload.do?attach_file_seq=2452&attach_file_id=EpF2452.pdf
https://suspected.tistory.com/269
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b
https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/
https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/
https://www.us-cert.gov/ncas/alerts/aa20-106a
http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html
https://www.datanet.co.kr/news/articleView.html?idxno=133346
https://www.3cx.com/blog/news/mandiant-initial-results/
https://github.com/dodo-sec/Malware-Analysis/blob/main/SmoothOperator/SmoothOperator.md
https://blog.naver.com/checkmal/223416580495
https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp
https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html
https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
https://github.com/fboldewin/FastCashMalwareDissected/
https://www.trendmicro.com/en_us/research/23/c/information-on-attacks-involving-3cx-desktop-app.html
https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
https://objective-see.com/blog/blog_0x57.html
https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/
https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/
https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf
https://unit42.paloaltonetworks.com/operation-diplomatic-specter/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/
https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58
https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d
https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF
https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/
http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html
https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing
https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-15-billion-bybit-crypto-heist/
https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clasiopa-materials-research
https://www.boho.or.kr/filedownload.do?attach_file_seq=2612&attach_file_id=EpF2612.pdf
https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html
https://blog.talosintelligence.com/2020/11/crat-and-plugins.html
https://asec.ahnlab.com/en/34461/
https://therecord.media/coinex-confirms-hack-after-31-million-allegedly-stolen
https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1
https://objective-see.org/blog/blog_0x73.html
https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf
https://blog.netlab.360.com/dacls-the-dual-platform-rat/
https://securityscorecard.com/wp-content/uploads/2025/01/Report_011325_Strike_Operation99.pdf
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/
https://www.bitdefender.com/en-us/blog/labs/lazarus-group-targets-organizations-with-sophisticated-linkedin-recruiting-scam
https://twitter.com/BitsOfBinary/status/1337330286787518464
https://web.archive.org/web/20170311192337/http://download01.norman.no:80/documents/ThemanyfacesofGh0stRat.pdf
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/
https://www.zscaler.com/security-research/3CX-supply-chain-attack-analysis-march-2023
https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/
https://securelist.com/blog/sas/77908/lazarus-under-the-hood/
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html
https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/
https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/
https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/
https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/
https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
https://www.telsy.com/lazarus-gate/
https://asec.ahnlab.com/en/60792/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f
https://www.dropbox.com/s/hpr9fas9xbzo2uz/Whitepaper WannaCry Ransomware.pdf?dl=0
https://www.youtube.com/watch?v=zGvQPtejX9w
https://home.treasury.gov/news/press-releases/sm924
https://www.bleepingcomputer.com/news/cryptocurrency/coinstats-says-north-korean-hackers-breached-1-590-crypto-wallets/
https://www.bleepingcomputer.com/news/security/radiant-links-50-million-crypto-heist-to-north-korean-hackers/
https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/
https://securelist.com/my-name-is-dtrack/93338/
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
https://www.prevailion.com/the-gh0st-remains-the-same-2/
https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army
https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription
https://global.ahnlab.com/global/upload/download/techreport/%5BAhnLab%5DAndariel_a_Subgroup_of_Lazarus%20(3).pdf
https://www.secureworks.com/research/threat-profiles/copper-fieldstone
https://malverse.it/analisi-bankshot-copperhedge
https://www.bleepingcomputer.com/news/security/north-korean-hackers-stole-research-data-in-two-month-long-breach/
https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/
https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/
https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f04ded49-5b0e-4422-9c6c-4c6e2ed7d3d3
https://www.secureworks.com/research/threat-profiles/bronze-union
https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Lazarus-targets-defense-industry-with-Threatneedle-En.pdf
https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf
https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html
https://www.secureworks.com/research/wcry-ransomware-analysis
https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/
https://asec.ahnlab.com/wp-content/uploads/2023/10/20231013_Lazarus_OP.Dream_Magic.pdf
https://objective-see.com/blog/blog_0x51.html
https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/
https://asec.ahnlab.com/en/55369/
https://www.cisa.gov/uscert/ncas/alerts/aa20-239a
https://unit42.paloaltonetworks.com/unit42-blockbuster-saga-continues/
https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/
https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine
https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf
https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/dark-river-you-can-t-see-them-but-they-re-there/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c
https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/
https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html
https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure
https://asec.ahnlab.com/ko/56256/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/
https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf
https://blog.netlab.360.com/dacls-the-dual-platform-rat-en/
https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html
https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html?m=1
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
https://www.cfr.org/interactive/cyber-operations/covellite
https://blog.talosintelligence.com/lazarus-three-rats/
https://www.cisa.gov/uscert/ncas/alerts/aa22-187a
https://www.cisa.gov/uscert/sites/default/files/publications/aa22-187a-north-korean%20state-sponsored-cyber-actors-use-maui-ransomware-to-target-the-hph-sector.pdf
https://www.cisa.gov/uscert/ncas/alerts/TA18-275A
https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html
https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn
https://asec.ahnlab.com/en/57685/
https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf
https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.secrss.com/articles/18635
https://www.elastic.co/security-labs/elastic-users-protected-from-suddenicon-supply-chain-attack
https://blog.google/threat-analysis-group/countering-threats-north-korea/
https://www.sentinelone.com/blog/bluenoroff-how-dprks-macos-rustbucket-seeks-to-evade-analysis-and-detection/
https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket
https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-researchers-with-trojanized-ida-pro/
https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom
https://securelist.com/operation-applejeus/87553/
https://blog.talosintelligence.com/2019/09/panda-evolution.html
https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf
http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html
https://www.sentinelone.com/blog/lazarus-operation-interception-targets-macos-users-dreaming-of-jobs-in-crypto/
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://www.us-cert.gov/ncas/analysis-reports/ar20-045d
http://www.issuemakerslab.com/research3/
https://twitter.com/X__Junior/status/1743193763000828066
https://brandefense.io/blog/apt-groups/lazarus-apt-group-apt38/
https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations
https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://github.com/werkamsus/Lilith
https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/
https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages
https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise
https://www.us-cert.gov/ncas/alerts/TA17-318A
https://www.hvs-consulting.de/lazarus-report/
https://www.group-ib.com/blog/apt-lazarus-python-scripts/
https://blogs.vmware.com/security/2023/03/investigating-3cx-desktop-application-attacks-what-you-need-to-know.html
https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990
https://github.com/649/APT38-DYEPACK
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/
https://asec.ahnlab.com/ko/58215/
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf
https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html
https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/
https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_6_dongwook-kim_seulgi-lee_en.pdf
https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html
https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/
https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0
https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d
https://blog.cylance.com/the-ghost-dragon
https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf
https://therecord.media/north-koreans-initial-laundering-bybit-hack
https://vipyrsec.com/research/elf64-rat-malware/
https://eng.nis.go.kr/common/download.do?type=&seq=8E464392CD0485169FA97278AEE8B607
https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/
https://blogs.vmware.com/security/2020/09/detecting-threats-in-real-time-with-active-c2-information.html
https://www.us-cert.gov/ncas/alerts/TA14-353A
https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/
https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues
https://sansec.io/research/north-korea-magecart
https://www.linkedin.com/posts/alessio-di-santo-712348197_iocs-ttps-lazarusgroup-activity-7263976334807220224-N6Ue/
https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf
https://therecord.media/north-korea-accused-of-orchestrating-100-million-harmony-crypto-hack/
https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74
https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/
https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/
https://www.secureworks.com/research/threat-profiles/iron-viking
https://www.us-cert.gov/ncas/analysis-reports/AR19-129A
https://www.cisa.gov/news-events/analysis-reports/ar18-165a
https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks
https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
https://us-cert.cisa.gov/ncas/alerts/aa22-108a
https://asec.ahnlab.com/en/56405/
https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today
https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers/
https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html
https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/
https://www.trmlabs.com/post/north-korean-hackers-stole-600-million-in-crypto-in-2023
https://therecord.media/3cx-attack-north-korea-lazarus-group
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html
https://asec.ahnlab.com/ko/47751/
https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf
https://www.gendigital.com/blog/news/innovation/lazarus-fudmodule-v3
https://www.us-cert.gov/ncas/analysis-reports/ar20-045g
https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf
https://twitter.com/ccxsaber/status/1277064824434745345
https://www.virusbulletin.com/uploads/pdf/conference/vb2023/papers/Lazarus-campaigns-and-backdoors-in-2022-2023.pdf
https://sites.temple.edu/care/ci-rw-attacks/
https://twitter.com/greglesnewich/status/1742575613834084684
https://www.welivesecurity.com/2021/04/08/are-you-afreight-dark-watch-out-vyveva-new-lazarus-backdoor/
https://www.group-ib.com/blog/btc_changer
https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/
https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/
https://attack.mitre.org/groups/G0082
https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf
https://www.bleepingcomputer.com/news/security/fbi-links-north-korean-hackers-to-308-million-crypto-heist/
https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html
https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/
https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970
https://www.us-cert.gov/ncas/alerts/TA17-164A
https://www.telsy.com/download/5394/?uid=28b0a4577e
https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside
https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-action-disrupt-illicit-revenue-generation
https://doubleagent.net/fastcash-for-linux/
https://www.secureworks.com/research/threat-profiles/aluminum-saratoga
https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt
https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds
https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia
https://medium.com/s2wlab/analysis-of-lazarus-malware-abusing-non-activex-module-in-south-korea-7d52b9539c12
https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret
https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/
https://twitter.com/RedDrip7/status/1595365451495706624
https://www.bleepingcomputer.com/news/security/lazarus-hackers-linked-to-60-million-alphapo-cryptocurrency-heist/
https://www.splunk.com/en_us/blog/security/splunk-insights-investigating-the-3cxdesktopapp-supply-chain-compromise.html
https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know
https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344
https://www.zdnet.com/article/google-north-korean-hackers-have-targeted-security-researchers-via-social-media/
https://us-cert.cisa.gov/ncas/alerts/aa21-048a
https://www.intezer.com/blog/malware-analysis/chinaz-relations/
https://www.us-cert.gov/ncas/analysis-reports/ar19-304a
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability
https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html
https://asec.ahnlab.com/en/48223/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a
https://www.malwarebytes.com/blog/news/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day
https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns
https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf
https://www.us-cert.gov/ncas/analysis-reports/ar20-045f
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt
https://securityscorecard.com/wp-content/uploads/2025/01/Operation-Phantom-Circuit-Report_012725_03.pdf
https://www.tgsoft.it/files/report/download.asp?id=7481257469
https://brandefense.io/blog/apt-groups/mythic-leopard-apt-group/
https://www.secureworks.com/research/threat-profiles/bronze-globe
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf
https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf
https://objective-see.org/blog/blog_0x74.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf
http://www.nartv.org/mirror/ghostnet.pdf
https://securelist.com/gopuram-backdoor-deployed-through-3cx-supply-chain-attack/109344/
https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/
https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html
https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html
https://thehackernews.com/2023/03/lazarus-group-exploits-zero-day.html
https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/
https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/
https://www.cisa.gov/uscert/ncas/alerts/aa22-108a
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
https://www.bleepingcomputer.com/news/security/coinspaid-blames-lazarus-hackers-for-theft-of-37-300-000-in-crypto/
https://blog.reversinglabs.com/blog/hidden-cobra
https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf