Lazarus Group
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:13
- Updated at
- 27/03/2026 01:13
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 14 reports, 112 attack patterns (mitre), 68 malware, 4 sectors, 13 countries, 100 indicators, 1 vulnerabilities (cve), 3 tool
Aliases
HIDDEN COBRA Guardians of Peace NICKEL ACADEMY ZINC Labyrinth Chollima Diamond Sleet
Description
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster)
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.(Citation: Mandiant DPRK Laz Org Breakdown 2022)(Citation: Mandiant DPRK Groups 2023)(Citation: JPCert Blog Laz Subgroups 2025)
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- mitre-attack (G0032)
- Microsoft Threat Actor Naming July 2023
- US-CERT HIDDEN COBRA June 2017
- CrowdStrike Labyrinth Chollima Feb 2022
- Treasury North Korean Cyber Groups September 2019
- US-CERT HOPLIGHT Apr 2019
- Novetta Blockbuster
- Mandiant DPRK Laz Org Breakdown 2022
- JPCert Blog Laz Subgroups 2025
- Secureworks NICKEL ACADEMY Dec 2017
- Microsoft ZINC disruption Dec 2017
- Mandiant DPRK Groups 2023