Monday, May 12, 2025

“Lazarus Hackers Group” No Longer Refers to a Single APT Group But a Collection of Many Sub-Groups


The term “Lazarus Group,” once used to describe a singular Advanced Persistent Threat (APT) actor, has evolved to represent a complex network of sub-groups operating under shared objectives and tactics.

This shift reflects the growing scale and diversification of their cyber activities, making traditional classifications increasingly obsolete.

Security analysts now argue that “Lazarus” serves as an umbrella term encompassing multiple specialized units rather than a single cohesive entity.


The reclassification stems from the challenges of accurately attributing cyberattacks.

Various sub-groups under the Lazarus umbrella, such as APT38, Bluenoroff, Andariel, and others, have overlapping tactics, techniques, and procedures (TTPs).

These overlaps complicate efforts to distinguish between individual actors and campaigns.

For instance, sub-groups like Citrine Sleet and Moonstone Sleet share similar attack vectors, such as using LinkedIn to lure targets into downloading malicious npm or Python packages.

Figure: multiple sub-groups that contact their targets on social networking sites and have them download malicious packages

Despite these similarities, their objectives, ranging from cryptocurrency theft to ransomware deployment, often diverge.

Characteristics of Lazarus Sub-Groups

The proliferation of sub-group classifications highlights the complexity of this network.

Security vendors have introduced numerous labels for both attack campaigns and sub-groups, further muddying the waters.

For example:

  • Campaign Names: Operation Dreamjob, AppleJeus, and Contagious Interview.
  • Sub-Group Labels: TEMP.Hermit, Sapphire Sleet, TA444, and Silent Chollima.

Some labels initially referred to specific campaigns but later came to denote entire sub-groups or successor entities.

According to the report, this inconsistency underscores the difficulty of maintaining a unified taxonomy across the cybersecurity community.

Adding to the complexity is the emergence of task force-like entities such as Bureau325, which operate outside traditional subgroup structures but share TTPs with Lazarus-affiliated units.

Such developments blur the lines between distinct groups and collaborative efforts.

Why Sub-Group Identification Matters

Detailed identification at the subgroup level is critical for several reasons:

  1. Targeted Alerts: By understanding the specific objectives and industries targeted by each subgroup (e.g., cryptocurrency businesses or defense sectors), security professionals can issue more precise warnings.
  2. Effective Countermeasures: Tailoring responses to the unique characteristics of each subgroup enhances the efficacy of defensive strategies.
  3. Strategic Messaging: Accurate attribution sends a deterrent message to attackers by demonstrating defenders’ analytical capabilities.

Figure: transition of Lazarus sub-groups


For example, Moonstone Sleet’s ransomware activities differ significantly from Citrine Sleet’s cryptocurrency-focused exploits.

Identifying these distinctions enables more effective resource allocation for mitigation efforts.

The Lazarus Group’s evolution into a constellation of sub-groups reflects broader trends in cyber threat landscapes.

As attackers adopt more sophisticated organizational structures, defenders must refine their attribution methodologies to keep pace.

While subgroup-level analysis may seem overly granular, it offers invaluable insights for long-term threat mitigation and strategic counter-operations.

The cybersecurity community must continue adapting its frameworks to address these challenges effectively.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
