Lazarus Group · G0032 · state
🇰🇵 KP · RGB · Bureau 121 / Lab 110
aka Lazarus Group, Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet, Operation DarkSeoul, Dark Seoul, Hastati Group, Andariel, Unit 121, Bureau 121, NewRomanic Cyber Army Team, Bluenoroff, Subgroup: Bluenoroff, Group 77, Operation Troy, Operation GhostSecret, Operation AppleJeus, APT38, APT 38, Stardust Chollima, Whois Hacking Team, Appleworm, APT-C-26, NICKEL GLADSTONE, COVELLITE, ATK3, G0032, ATK117, G0082, Citrine Sleet, DEV-0139, DEV-1222, Sapphire Sleet, COPERNICIUM, TA404, BeagleBoyz, Moonstone Sleet, Black Artemis
Last updated: 2026-07-03
About this actor
[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)

North Korea's cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses "Lazarus Group" as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns. (Citation: Mandiant DPRK Laz Org Breakdown 2022) (Citation: Mandiant DPRK Groups 2023) (Citation: JPCert Blog Laz Subgroups 2025)
Source: MITRE ATT&CK
Activity timeline
- 2022 — 7 CVEs published
- 2021 — 2 CVEs published
- 2019 — 1 CVE published
- 2018 — 1 CVE published
- 2017 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2021-3018 | 8.0 | 9.8 | 0.7933 | 2021-01-05 | see CVE |
| CVE-2021-44142 | 8.0 | 8.8 | 0.7404 | 2022-02-21 | see CVE |
| CVE-2021-45837 | 8.0 | 9.8 | 0.8108 | 2022-04-25 | see CVE |
| CVE-2021-40684 | 7.0 | 9.1 | 0.0115 | 2021-09-22 | see CVE |
| CVE-2022-24663 | 7.0 | 9.9 | 0.0210 | 2022-02-16 | see CVE |
| CVE-2022-24664 | 7.0 | 9.9 | 0.0159 | 2022-02-16 | see CVE |
| CVE-2022-24665 | 7.0 | 9.9 | 0.0244 | 2022-02-16 | see CVE |
| CVE-2019-15637 | 6.0 | 8.1 | 0.2273 | 2019-08-26 | see CVE |
| CVE-2022-22005 | 6.0 | 8.8 | 0.1721 | 2022-02-09 | see CVE |
| CVE-2015-6585 | 5.5 | 7.8 | 0.0249 | 2017-07-25 | see CVE |
| CVE-2017-4946 | 5.5 | 7.8 | 0.0051 | 2018-01-05 | see CVE |
| CVE-2022-24785 | 5.5 | 7.5 | 0.0566 | 2022-04-04 | see CVE |
T1001 T1001.003 T1005 T1008 T1010 T1012 T1016 T1021 T1021.001 T1021.002 T1021.004 T1027 T1027.007 T1027.009 T1027.013 T1033 T1036 T1036.003 T1036.004 T1036.005 T1041 T1046 T1047 T1048 T1048.003 T1049 T1053 T1053.005 T1055 T1055.001 T1056 T1056.001 T1057 T1059 T1059.001 T1059.003 T1059.005 T1070 T1070.003 T1070.004 T1070.006 T1071 T1071.001 T1074 T1074.001 T1078 T1082 T1083 T1090 T1090.001 T1090.002 T1098 T1102 T1102.002 T1104 T1105 T1106 T1110 T1110.003 T1124 T1132 T1132.001 T1134 T1134.002 T1140 T1189 T1202 T1203 T1204 T1204.002 T1218 T1218.005 T1218.011 T1485 T1489 T1491 T1491.001 T1529 T1542 T1542.003 T1543 T1543.003 T1547 T1547.001 T1547.009 T1553 T1553.002 T1557 T1557.001 T1560 T1560.002 T1560.003 T1561 T1561.001 T1561.002 T1564 T1564.001 T1566 T1566.001 T1566.002 T1566.003 T1571 T1573 T1573.001 T1574 T1574.001 T1574.013 T1583 T1583.001 T1583.006 T1584 T1584.004 T1585 T1585.001 T1585.002 T1587 T1587.001 T1588 T1588.002 T1588.004
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 77 / 128 | 60% |
| CM-2 | 67 / 128 | 52% |
| CM-6 | 65 / 128 | 51% |
| SI-3 | 65 / 128 | 51% |
| CA-7 | 50 / 128 | 39% |
| AC-6 | 49 / 128 | 38% |
| AC-3 | 48 / 128 | 38% |
| CM-7 | 44 / 128 | 34% |
| SC-7 | 41 / 128 | 32% |
| AC-2 | 39 / 128 | 30% |
| AC-4 | 37 / 128 | 29% |
| SI-7 | 35 / 128 | 27% |
| AC-5 | 28 / 128 | 22% |
| IA-2 | 26 / 128 | 20% |
| CM-5 | 25 / 128 | 20% |
Co-occurring actors
- Andariel 11 shared CVEs
- Maui ransomware 11 shared CVEs
- Storm-0530 11 shared CVEs
Similar actors
Similar TTPs
- APT32 0.39
- Magic Hound 0.37
- Mustang Panda 0.36
- Kimsuky 0.36
- Sandworm Team 0.34
Overlapping CVEs
- Andariel 0.92
- Storm-0530 0.92
- Maui ransomware 0.92
Active in same years
- Andariel 4.00
- Storm-0530 4.00
- Maui ransomware 4.00
- APT1 2.00
- Deep Panda 2.00
Same nation-state
- Operation Dream Job 1.00
- 3CX Supply Chain Attack 1.00
- APT37 1.00
- APT38 1.00
- Kimsuky 1.00
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00