top of page

The North Korean Lazarus Group's Shifting Tactics and Tools

North Korean threat actor, Lazarus Group, has been observed shifting its focus and rapidly evolving its tools and tactics. The nation-state adversary is known for its persistent attacks on the cryptocurrency sector, but has recently been targeting the automotive, academic, and defense sectors in Eastern Europe and other parts of the world. This is seen as a "significant" pivot by researchers. "At this point, the actor switched all the decoy documents to job descriptions related to defense contractors and diplomatic services," Kaspersky researcher Seongsu Park said in an analysis published Wednesday. The deviation in targeting, along with the use of updated infection vectors, is said to have occurred in April 2020. The phishing attacks directed against crypto businesses typically entail using bitcoin mining-themed lures in email messages to entice potential targets into opening macro-laced documents in order to drop the Manuscrypt (aka NukeSped) backdoor on the compromised machine. The targeting of the automotive and academic verticals is tied to Lazarus Group's broader attacks against the defense industry, as documented by the Russian cybersecurity firm in October 2021, leading to the deployment of BLINDINGCAN (aka AIRDRY or ZetaNile) and COPPERHEDGE implants. This is a significant shift in focus for Lazarus Group and could have major implications for the industries they are targeting. It's important to stay vigilant and be aware of the changing tactics of this adversary.


bottom of page