APT-C-26 or Lazarus Group

Bluenoroff (APT38, Stardust Chollima, NICKEL GLADSTONE): Primarily focused on financially motivated cybercrime, targeting banks, financial institutions, and cryptocurrency exchanges through sophisticated heists (e.g., Bangladesh Bank Heist).

Andariel (Silent Chollima, Dark Seoul, Wassonite, Onyx Sleet): Primarily targets South Korean entities, including government, defense, and critical infrastructure, often employing ransomware and espionage tactics.

Spear Phishing (T1566): Highly targeted emails, often masquerading as job offers ("Dream Job" campaigns) or using tailored lures relevant to the target organization or sector (e.g., COVID-19 research for pharmaceutical companies).

Watering Hole Attacks (T1189): Compromising legitimate websites frequented by potential victims to deliver malware.

Supply Chain Attacks: Compromising software vendors or updates to gain access to downstream targets.

Exploitation of Vulnerabilities: Leveraging both zero-day exploits (purchased or discovered) and known vulnerabilities (N-days) in software like Adobe Flash, Microsoft Office, Hancom Hangul (popular South Korean word processor), and network infrastructure (e.g., Log4Shell - CVE-2021-44228 in "Operation Blacksmith").

Command and Scripting Interpreters: Extensive use of Windows Command Shell (T1059.003), PowerShell (T1059.001), and JavaScript (T1059.007).

User Execution (T1204.002): Relies on users opening malicious attachments or clicking malicious links.

Mshta (T1218.005): Executing malicious HTA files.

Boot or Logon Autostart Execution (T1547.001): Using Registry Run Keys or Startup Folders.

Scheduled Task/Job (T1053.005): Creating scheduled tasks for malware execution.

Pre-OS Boot: Bootkit (T1542.003): Modifying the Master Boot Record (MBR) for persistence (e.g., WhiskeyAlfa-Three bootkit).

Valid Accounts (T1078): Using stolen credentials, often administrator accounts.

Brute Force: Password Spraying (T1110.003): Targeting common accounts like "Administrator" with weak passwords across network shares. Understanding what is brute force will help.

Exploitation for Privilege Escalation: Using exploits to gain higher privileges.

Remote Services (T1021): Utilizing SSH, RDP, or other remote services for movement, sometimes leveraging tools like PuTTY PSCP (T1021.004).

Internal Proxy (T1090.001): Using compromised routers or devices as proxies to pivot within networks.

Network Share Discovery (T1135): Mapping network drives and shares.

Masquerading (T1036): Disguising malicious files or processes as legitimate ones (T1036.004 - Masquerade Task or Service).

Indicator Removal (T1070): Clearing logs (T1070.001 - Clear Windows Event Logs), deleting files securely (T1485 - Data Destruction by overwriting), clearing command history (especially on network devices), restoring modified code.

Timestomping (T1070.006): Modifying file timestamps to match legitimate system files.

Reflective Code Loading (T1620): Injecting shellcode directly into memory.

Process Injection (T1055.001): Injecting malicious code into legitimate processes (DLL Injection).

Non-Standard Port (T1571): Using unusual ports for C2 communication to bypass firewall rules.

System Information Discovery (T1082): Gathering OS, hardware, and configuration details.

System Network Configuration Discovery (T1016): Retrieving IP address, gateway, DNS, etc.

System Network Connections Discovery (T1049): Identifying active network connections (e.g., using net use).

Network Service Discovery (T1046): Scanning for open ports and services (e.g., using nmap).

Query Registry (T1012): Checking for security software, VNC/RDP presence, and cryptocurrency wallet information.

Application Window Discovery (T1010): Identifying active application windows.

System Time Discovery (T1124): Obtaining system time, potentially for synchronization or evasion.

Archive Collected Data (T1560): Compressing stolen data using tools like RAR or custom malware (T1560.001 - Archive via Utility; T1560.002 - Archive via Library, e.g., Zlib).

Exfiltration Over C2 Channel (T1041): Sending stolen data back through the established command and control channel.

Application Layer Protocol: Using standard protocols like HTTP/HTTPS, often mimicking legitimate traffic. Mail Protocols (T1071.003) are sometimes used.

Web Service (T1102.002): Abusing legitimate services like GitHub for C2 communication.

Fallback Channels (T1008): Using multiple hardcoded C2 servers or domains.

Multi-Stage Channels (T1104): Employing staged payloads where initial implants download further components.

Data Destruction (T1485): Using wiper malware (e.g., KillDisk, Destroyer, Whiskey series) to destroy data (T1561.001 - Disk Content Wipe).

Service Stop (T1489): Stopping critical services (e.g., MSExchangeIS).

System Shutdown/Reboot (T1529): Rebooting systems after destruction.

Ransomware: Deploying ransomware like WannaCry for widespread disruption and financial gain.

Financial Sector: Banks, financial institutions, and SWIFT system users globally have been primary targets for large-scale theft (e.g., Bangladesh Bank, Banco del Austro, Polish and Mexican banks). This directly supports the regime by generating hard currency.

Cryptocurrency Ecosystem: Cryptocurrency exchanges, wallet providers, DeFi platforms (e.g., Axie Infinity's Ronin Bridge, Harmony's Horizon Bridge, Atomic Wallet, Stake.com), and individual users (especially in South Korea) are heavily targeted. Stolen cryptocurrency is laundered (sometimes using mixers like the sanctioned Blender.io) to bypass financial sanctions.

Government & Defense: Espionage operations frequently target government agencies, defense contractors, aerospace companies, and military organizations, primarily in South Korea, the United States, and increasingly other nations perceived as adversaries or possessing valuable technology (e.g., NPO Mashinostroyeniya in Russia).

Critical Infrastructure & Energy: Sectors vital to national security and economy are targeted for espionage and potential disruption.

Technology & IT Providers: Targeting IT service providers allows for supply chain attacks, granting access to a wider range of downstream victims.

Pharmaceutical & Research: Attacks intensified during the COVID-19 pandemic, targeting vaccine research and pharmaceutical companies (e.g., AstraZeneca).

Media & Entertainment: The Sony Pictures Entertainment attack remains a prominent example, motivated by opposition to a film critical of the DPRK regime.

NGOs, Human Rights Organizations, Defectors, and Journalists: Individuals and groups critical of the North Korean regime are targeted for espionage and intimidation.

Financial Gain: A critical driver, aimed at funding the regime and circumventing international economic sanctions.

Espionage: Gathering political, military, economic, and technological intelligence.

Sabotage & Disruption: Destructive attacks aimed at causing operational damage or sending political messages.

Operation Troy (2009-2012): Early DDoS attacks targeting South Korean government and financial websites.

Operation DarkSeoul / 1Million (2013): Large-scale attacks involving DDoS and data wiping against South Korean broadcasters and banks.

Sony Pictures Entertainment Hack (Operation Blockbuster) (2014): Destructive wiper attack, data theft, and leaks motivated by the movie "The Interview."

Bank Heists (2015-Present): A series of sophisticated attacks targeting the SWIFT network, including the attempted $1 billion theft ($81 million successfully stolen) from Bangladesh Bank (2016), and attacks on banks in Ecuador, Vietnam, Poland, Mexico, India, and Chile (FastCash ATM attacks).

WannaCry Ransomware Attack (2017): Global ransomware outbreak leveraging the EternalBlue SMB exploit (attributed to the NSA). While debated, attribution points strongly to Lazarus, whether intended for pure financial gain or disruption.

Cryptocurrency Heists (Ongoing): Numerous attacks targeting exchanges (Youbit bankruptcy, Bithumb, Nicehash, CoinEx), DeFi protocols (Axie Infinity/Ronin Bridge - $625M, Harmony Horizon Bridge - $100M, Atomic Wallet - $100M+, Stake.com - $41M), and users (Operation AppleJeus). OFAC has sanctioned specific cryptocurrency addresses linked to Lazarus. Reports suggest hundreds of millions stolen annually.

Attacks on Pharmaceutical Companies (2020): Targeting COVID-19 vaccine research and development efforts globally.

"Dream Job" Campaigns (Ongoing): Social engineering campaigns using fake job offers to target individuals in aerospace, defense, and IT sectors, including security researchers.

NPO Mashinostroyeniya Breach (2021-2022): Espionage campaign targeting a major Russian missile engineering company, potentially seeking missile technology secrets.

VMConnect Campaign (2023): Use of malicious Python packages on PyPI targeting developers.

Operation Blacksmith (2023-Ongoing): Exploitation of the Log4Shell vulnerability using Dlang-based malware (NineRAT, DLRAT) against manufacturing, agricultural, and security companies globally. Linked to the Andariel subgroup (Onyx Sleet).

Bybit Hack (Reported Feb 2025 - Note: This date is futuristic and likely speculative or erroneous in source material; adjust if needed based on real events): Potential large-scale cryptocurrency exchange hack (Details should be verified against actual events). One of the recent news is North Korean Hackers Steal from Bybit.

Strong Authentication & Access Control: Implement Multi-Factor Authentication (MFA) universally, enforce the principle of least privilege, and regularly review access rights.

Patch Management: Aggressively patch vulnerabilities, particularly those known to be exploited by Lazarus (e.g., Log4Shell, Microsoft Office, Adobe products, relevant web frameworks). Prioritize patching internet-facing systems and critical infrastructure.

Email & Web Security: Deploy advanced email filtering solutions to detect spear phishing and malicious attachments. Use web security gateways to block access to known malicious domains and filter malicious content.

Network Security: Implement network segmentation to limit lateral movement. Monitor network traffic for anomalies, C2 communication (including non-standard ports and suspicious DNS requests), and data exfiltration. Employ Intrusion Detection/Prevention Systems (IDPS).

Endpoint Security: Utilize robust Endpoint Detection and Response (EDR) solutions capable of detecting advanced malware, fileless attacks, process injection, and suspicious system behavior (e.g., suspicious mshta.exe or cmd.exe usage, nmap scans). Keep antivirus signatures and behavioral detection engines updated.

User Awareness Training: Educate users about phishing, social engineering tactics (like fake job offers), and safe browsing habits. Emphasize skepticism towards unsolicited communications and attachments.

Threat Intelligence: Leverage threat intelligence feeds to stay informed about Lazarus TTPs, Indicators of Compromise (IoCs - domains, IPs, hashes, crypto addresses), and ongoing campaigns. Integrate this intelligence into security tools (SIEM, EDR, Firewalls). Understanding indicator of compromise is very helpful.

Vulnerability Management: Conduct regular vulnerability scanning and penetration testing to identify and remediate weaknesses proactively.

Incident Response Plan: Develop and regularly test a comprehensive incident response plan specifically considering destructive wiper attacks and large-scale financial theft scenarios. Ensure backups are offline and immutable.

Cryptocurrency Security: For organizations dealing with digital assets, implement stringent wallet security, monitor transactions for known sanctioned addresses (using tools and OFAC SDN list data), and be wary of fake wallet applications or investment schemes.

Supply Chain Risk Management: Vet third-party software and service providers for security practices. Monitor for signs of compromise originating from trusted partners.

Sanctions Compliance: Implement screening processes using OFAC's SDN list and other relevant sanctions lists, particularly for financial transactions and cryptocurrency dealings, understanding the limitations and need for due diligence.