
Lazarus Group: APT UPDATE

What's been happening with the notorious North Korean group

The Lazarus APT: A Closer Look at One of the Most Notorious Cyber Threats

At WRAVEN, we’re always looking into real-world cyber threats to understand how attackers operate. One of the most well-known Advanced Persistent Threat (APT) groups we’ve been researching is Lazarus Group, a state-sponsored hacking organization linked to North Korea. This group has been responsible for some of the most high-profile cyber attacks in history, and its techniques continue to evolve.

So what makes Lazarus so dangerous? Let’s take a look at their history, tactics, and why cybersecurity professionals should be paying attention.

A Brief History of Lazarus Group

Lazarus Group has been active since at least 2009 and has been linked to various cyber espionage and financial theft operations. Some of their most well-known attacks include:

  • 2014: Sony Pictures Hack – Lazarus leaked sensitive Sony Pictures data, including emails and unreleased movies, allegedly as retaliation for The Interview, a comedy about North Korea.

  • 2016: Bangladesh Bank Heist – The group stole $81 million by abusing the bank’s access to the SWIFT interbank messaging system.

  • 2017: WannaCry Ransomware – A massive ransomware attack that crippled hospitals, businesses, and government agencies worldwide.

  • Ongoing Cryptocurrency Theft – Lazarus has stolen billions in cryptocurrency through phishing campaigns and malware, helping fund North Korea’s economy. They hold the record for the most cryptocurrency stolen in a single heist (Bybit, 2025).

How They Operate: Tactics and Techniques

Lazarus Group is known for combining social engineering, custom malware, and long-term persistence in its attacks. Some key techniques the group uses:

  • Spear Phishing: Lazarus often sends fake emails to trick employees into clicking malicious links or opening infected attachments.

  • Supply Chain Attacks: They target software providers and compromise legitimate updates to spread malware (e.g., the 3CX supply chain attack).

  • Custom Malware: They develop sophisticated malware strains like AppleJeus (used to target cryptocurrency companies) and RATs (Remote Access Trojans) for espionage.

  • Zero-Day Exploits: They have access to exploits for previously unknown vulnerabilities, which lets them bypass security defenses that rely on known signatures or patches.

Why This Matters for Cybersecurity Professionals

Lazarus isn’t just some hacker group looking for quick money. They are a government-backed organization with serious resources and long-term objectives. Their ability to blend financial crime with cyber warfare makes them one of the most unpredictable threats in the industry.

For cybersecurity students and researchers, understanding how APT groups operate is crucial for building better defenses. Lazarus Group’s methods provide valuable lessons in threat hunting, forensic analysis, and incident response.

What WRAVEN is Doing

As part of WRAVEN’s ongoing research, we’re:

  • Analyzing Lazarus Group’s latest attacks to understand their evolving tactics.

  • Looking at malware samples used by the group to see how they avoid detection.

  • Exploring detection techniques to identify Lazarus-related activity on networks.

If you’re interested in contributing to this research or learning more, come to our next meeting! We’ll be discussing APTs and how students can get involved in real-world cybersecurity investigations. Our final paper on Lazarus Group is being released soon!

Meeting time:
Monday, 5:30pm
2225 Khorman Hall

Feel free to drop in!