🇰🇵 Lazarus Group
🇰🇵 Lazarus Group is a tracked threat actor in the Clankerusecase corpus. Attributed to KP. Primary motivation: State. We map 26 detection use cases to this actor across 147 MITRE ATT&CK techniques, with 5 threat-intel articles citing them. Active in our corpus from 2025-10-23 to 2026-05-28.
crit 5
Use cases: 26
Articles: 5
Techniques: 147
IOCs: 32
Known aliases
Lazarus
Lazarus Group
Hidden Cobra
Guardians of Peace
ZINC
Diamond Sleet
Labyrinth Chollima
HIDDEN COBRA
NICKEL ACADEMY
Top techniques
All other tracked techniques
T1001.003 · Protocol or Service Impersonation
T1003 · OS Credential Dumping
T1003.001 · LSASS Memory
T1005 · Data from Local System
T1008 · Fallback Channels
T1010 · Application Window Discovery
T1012 · Query Registry
T1016 · System Network Configuration Discovery
T1020 · Automated Exfiltration
T1021.001 · Remote Desktop Protocol
T1021.002 · SMB/Windows Admin Shares
T1021.004 · SSH
T1027 · Obfuscated Files or Information
T1027.007 · Dynamic API Resolution
T1027.009 · Embedded Payloads
T1027.013 · Encrypted/Encoded File
T1033 · System Owner/User Discovery
T1036.003 · Rename Legitimate Utilities
T1036.004 · Masquerade Task or Service
T1036.005 · Match Legitimate Resource Name or Location
T1041 · Exfiltration Over C2 Channel
T1046 · Network Service Discovery
T1047 · Windows Management Instrumentation
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol
T1049 · System Network Connections Discovery
T1053.005 · Scheduled Task
T1055 · Process Injection
T1055.001 · Dynamic-link Library Injection
T1056.001 · Keylogging
T1057 · Process Discovery
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1059.007 · JavaScript
T1070 · Indicator Removal
T1070.003 · Clear Command History
T1070.004 · File Deletion
T1070.006 · Timestomp
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1071.004 · DNS
T1074.001 · Local Data Staging
T1078 · Valid Accounts
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1090 · Proxy
T1090.001 · Internal Proxy
T1090.002 · External Proxy
T1098 · Account Manipulation
T1102 · Web Service
T1102.002 · Bidirectional Communication
T1104 · Multi-Stage Channels
T1105 · Ingress Tool Transfer
T1106 · Native API
T1110.003 · Password Spraying
T1112 · Modify Registry
T1113 · Screen Capture
T1115 · Clipboard Data
T1119 · Automated Collection
T1124 · System Time Discovery
T1125 · Video Capture
T1129 · Shared Modules
T1132.001 · Standard Encoding
T1134.002 · Create Process with Token
T1140 · Deobfuscate/Decode Files or Information
T1189 · Drive-by Compromise
T1195.002 · Compromise Software Supply Chain
T1202 · Indirect Command Execution
T1203 · Exploitation for Client Execution
T1204.001 · Malicious Link
T1204.004 · Malicious Copy and Paste
T1218 · System Binary Proxy Execution
T1218.005 · Mshta
T1218.010 · Regsvr32
T1218.011 · Rundll32
T1219 · Remote Access Tools
T1406 · T1406
T1407 · T1407
T1420 · T1420
T1422 · T1422
T1426 · T1426
T1429 · T1429
T1430 · T1430
T1437.001 · T1437.001
T1474.003 · T1474.003
T1480.001 · Environmental Keying
T1481.002 · T1481.002
T1485 · Data Destruction
T1486 · Data Encrypted for Impact
T1489 · Service Stop
T1491.001 · Internal Defacement
T1497 · Virtualization/Sandbox Evasion
T1513 · T1513
T1529 · System Shutdown/Reboot
T1532 · T1532
T1533 · T1533
T1541 · T1541
T1542.003 · Bootkit
T1543.003 · Windows Service
T1546.016 · Installer Packages
T1547.001 · Registry Run Keys / Startup Folder
T1547.009 · Shortcut Modification
T1553.002 · Code Signing
T1555 · Credentials from Password Stores
T1555.003 · Credentials from Web Browsers
T1557.001 · Name Resolution Poisoning and SMB Relay
T1560 · Archive Collected Data
T1560.002 · Archive via Library
T1560.003 · Archive via Custom Method
T1561.001 · Disk Content Wipe
T1561.002 · Disk Structure Wipe
T1564.001 · Hidden Files and Directories
T1564.003 · Hidden Window
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1566.003 · Spearphishing via Service
T1567.002 · Exfiltration to Cloud Storage
T1568.002 · Domain Generation Algorithms
T1569.002 · Service Execution
T1571 · Non-Standard Port
T1573.001 · Symmetric Cryptography
T1574.001 · DLL
T1574.002 · T1574.002
T1574.013 · KernelCallbackTable
T1583.001 · Domains
T1583.006 · Web Services
T1584.004 · Server
T1585.001 · Social Media Accounts
T1585.002 · Email Accounts
T1585.003 · Cloud Accounts
T1587.001 · Malware
T1588.002 · Tool
T1588.004 · Digital Certificates
T1589.002 · Email Addresses
T1591 · Gather Victim Org Information
T1608.001 · Upload Malware
T1620 · Reflective Code Loading
T1636.002 · T1636.002
T1636.003 · T1636.003
T1636.004 · T1636.004
T1646 · T1646
T1680 · Local Storage Discovery
T1685 · Disable or Modify Tools
T1686.003 · Windows Host Firewall
Detection use cases (26)
Lazarus 'Contagious Interview' — node.exe spawning curl/python loader for BeaverTail/InvisibleFerret
Lazarus Operation Dream Job — DLL side-loaded by legitimate signed host executed from user-writable path
Trojanized axios npm package postinstall: node.exe spawned from plain-crypto-js dependency
axios RAT Windows persistence: %PROGRAMDATA%\wt.exe drop + %TEMP%\6202033.vbs/.ps1 staging
axios RAT C2 callout to sfrclak.com / 142.11.206.73:8000
Phishing-link click correlated to endpoint execution
Email attachment opened from external sender
Office app spawning script/LOLBin child process
Ransomware-style mass file rename / extension change
LSASS process access / dump (credential theft)
Remote service execution — PsExec / SMB lateral movement
Trusted vendor binary / installer launching unusual children
Kimsuky HelloDoor 'tdll' Run-key persistence with regsvr32 loader
Kimsuky httpMalice persistence: 'Everything 1.9a-/1.8a-' Run-key or CacheDB service install
1Password impossible-travel sign-in
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload)
Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains
Developer package install spawning script-host with non-registry C2 within 5 minutes
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution
Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress
Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes
OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay
Threat-intel articles (5)
crit ESET APT Activity Report Q4 2025–Q1 2026 · 2026-05-28
crit ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06
crit Gotta fly: Lazarus targets the UAV sector · 2025-10-23
Tracked indicators
Domains (18)
IP addresses (14)
CVEs (2)
CVE-2024-42009 CVE-2025-8088