Lazarus

Lazarus Group is a DPRK-linked threat actor associated with North Korea’s Reconnaissance General Bureau umbrella and is described in the content as a major driver of North Korean state-backed cryptocurrency theft. Known aliases in the provided content include APT-C-26, BadClone, Black Artemis, Copernicium, Diamond Sleet, Genie Spider, Guardians of Peace, Hidden Cobra, Labyrinth Chollima, Nickel Academy, Nickel Gladstone, Pukchong, Purple Bravo, Selective Pisces, Stardust Chollima, Storm-0139, Storm-0954, Storm-1222, Storm-1877, TA404, TAG-121, TempHermit, UNC2970, WaterPlum, and Zinc. The content also references related or overlapping DPRK-linked clusters and subgroups including BlueNoroff, APT38, TraderTraitor/UNC4899, AppleJeus/Citrine Sleet/UNC4736, and activity overlapping with Gleaming Pisces. The reporting in the content shows Lazarus targeting developers, financial organizations, cryptocurrency organizations, and the broader cryptocurrency ecosystem. ESET states that Lazarus and DeceptiveDevelopment invested in long-term relationship building with high-value targets, and that Lazarus continued Operation DreamJob targeting European drone manufacturers. The content also links Lazarus-aligned activity to cryptocurrency theft and financially motivated operations, including attribution of the Kelp DAO/LayerZero bridge exploit to TraderTraitor, described as part of the broader Lazarus Group. Tactics and tradecraft directly described in the content include social engineering, supply-chain compromise, open-source ecosystem abuse, long-term persistence, stealthy in-memory malware, reflective loading, direct-syscall evasion, ETW suppression, process injection, scheduled-task persistence, Startup-folder and Registry Run-key persistence, and actor-in-the-loop payload delivery. One Sonatype-reported Lazarus campaign used dozens of malicious npm packages in a brandjacking operation, employing suffix addition, embedding, version mimicry, and typosquatting to impersonate legitimate packages. In that campaign, malicious packages such as buffer-utilities acted as droppers for a Node.js backdoor/downloader that collected host information, contacted C2, created a hidden .vscode directory, downloaded additional payloads, and used Base64-encoded www.jsonkeeper.com URLs with eval()-based execution. The content also describes a Lazarus-linked malware ecosystem composed of DPAPILoader, RemotePELoader, and RemotePE, used against financial and cryptocurrency organizations. This framework uses victim-specific DPAPI decryption, reflective PE loading, HellsGate/TartarusGate-style syscall techniques, remapping of clean DLLs to evade userland hooks, patching of EtwEventWrite to suppress telemetry, encrypted in-memory execution, plugin-based capability extension, and secure deletion. Fox-IT assessed this memory-only toolset as overlapping with historic AppleJeus and Gleaming Pisces activity and replacing older Lazarus tooling such as ThemeForestRAT and PondRAT in some incidents. Additional content aligns Lazarus with crypto-focused intrusion clusters behind PHANTOMPULSE/REF6598. Elastic assessed that PHANTOMPULSE tradecraft, targeting, and infrastructure align closely with DPRK-linked groups including Lazarus, BlueNoroff, UNC5342/Contagious Interview, and APT38. Reported PHANTOMPULSE capabilities include abuse of Obsidian plugins for delivery, an in-memory loader named PHANTOMPULL, multiple process-injection methods, UAC bypass, scheduled-task persistence, AMSI/WLDP/ETW bypass via hardware breakpoints, and blockchain-based command-and-control resolution. The content further notes Lazarus-linked persistence via Startup folders and Registry Run keys, including Operation Dream Job placing LNK files in Startup folders. It also references Lazarus malware families such as TangoDelta and SHARPKNOT in the context of impairing defenses, with TangoDelta attempting to terminate McAfee-related processes and SHARPKNOT disabling Microsoft Windows System Event Notification and Alerter services. Overall, the provided content characterizes Lazarus Group as a North Korea-linked, highly capable threat actor conducting espionage, supply-chain compromise, developer targeting, and financially motivated intrusions, especially against financial and cryptocurrency targets, using stealthy, persistent, and increasingly memory-resident tooling.