Cyber Resilience

Lazarus Group · G0032 · state

🇰🇵 KP · RGB · Bureau 121 / Lab 110

aka Lazarus Group, Labyrinth Chollima, HIDDEN COBRA, Guardians of Peace, ZINC, NICKEL ACADEMY, Diamond Sleet, Operation DarkSeoul, Dark Seoul, Hastati Group, Andariel, Unit 121, Bureau 121, NewRomanic Cyber Army Team, Bluenoroff, Subgroup: Bluenoroff, Group 77, Operation Troy, Operation GhostSecret, Operation AppleJeus, APT38, APT 38, Stardust Chollima, Whois Hacking Team, Appleworm, APT-C-26, NICKEL GLADSTONE, COVELLITE, ATK3, G0032, ATK117, G0082, Citrine Sleet, DEV-0139, DEV-1222, Sapphire Sleet, COPERNICIUM, TA404, BeagleBoyz, Moonstone Sleet, Black Artemis

Last updated: 2026-07-03

- 12 attributed CVEs
- 128 ATT&CK techniques
- 36.2 IDF score (tooling uniqueness)
- 1 exclusive CVEs
- 2017–2022 years active

About this actor

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns. (Citation: Mandiant DPRK Laz Org Breakdown 2022) (Citation: Mandiant DPRK Groups 2023) (Citation: JPCert Blog Laz Subgroups 2025)

Source: MITRE ATT&CK

Profile

| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2021-3018 | 8.0 | 9.8 | 0.7933 | 2021-01-05 | see CVE |
| CVE-2021-44142 | 8.0 | 8.8 | 0.7404 | 2022-02-21 | see CVE |
| CVE-2021-45837 | 8.0 | 9.8 | 0.8108 | 2022-04-25 | see CVE |
| CVE-2021-40684 | 7.0 | 9.1 | 0.0115 | 2021-09-22 | see CVE |
| CVE-2022-24663 | 7.0 | 9.9 | 0.0210 | 2022-02-16 | see CVE |
| CVE-2022-24664 | 7.0 | 9.9 | 0.0159 | 2022-02-16 | see CVE |
| CVE-2022-24665 | 7.0 | 9.9 | 0.0244 | 2022-02-16 | see CVE |
| CVE-2019-15637 | 6.0 | 8.1 | 0.2273 | 2019-08-26 | see CVE |
| CVE-2022-22005 | 6.0 | 8.8 | 0.1721 | 2022-02-09 | see CVE |
| CVE-2015-6585 | 5.5 | 7.8 | 0.0249 | 2017-07-25 | see CVE |
| CVE-2017-4946 | 5.5 | 7.8 | 0.0051 | 2018-01-05 | see CVE |
| CVE-2022-24785 | 5.5 | 7.5 | 0.0566 | 2022-04-04 | see CVE |

Mitigating controls (NIST 800-53)

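| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 77 / 128 | 60% |
| CM-2 | 67 / 128 | 52% |
| CM-6 | 65 / 128 | 51% |
| SI-3 | 65 / 128 | 51% |
| CA-7 | 50 / 128 | 39% |
| AC-6 | 49 / 128 | 38% |
| AC-3 | 48 / 128 | 38% |
| CM-7 | 44 / 128 | 34% |
| SC-7 | 41 / 128 | 32% |
| AC-2 | 39 / 128 | 30% |
| AC-4 | 37 / 128 | 29% |
| SI-7 | 35 / 128 | 27% |
| AC-5 | 28 / 128 | 22% |
| IA-2 | 26 / 128 | 20% |
| CM-5 | 25 / 128 | 20% |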
