The Lazarus Group [1] [2] [3] [4] [5], also known as Hidden Cobra or TEMP.Hermit [4], is a cybercriminal organization with ties to North Korea. They have been responsible for stealing approximately $3.5 billion from cryptocurrency projects since 2016. This group employs various tactics, including the use of trojanized versions of Virtual Network Computing (VNC) applications [2] [3] [4], to carry out their operations.


The Lazarus Group’s long-term campaign, known as Operation Dream Job [1], involves contacting potential targets through suspicious accounts on platforms such as LinkedIn [3] [4], Telegram [3] [4], and WhatsApp [3] [4]. They offer enticing job opportunities as a means to deceive individuals and install malware. Recently, ESET disclosed their latest operation, which targeted an aerospace company in Spain. The threat actor posed as a Meta recruiter on LinkedIn and delivered an implant called LightlessCan [4]. This backdoored application operates discreetly to avoid detection and retrieves additional payloads [2] [3], including Lazarus Group malware and a backdoor known as COPPERHEDGE [2] [3]. The Lazarus Group specifically targets the defense industry and nuclear engineers, with a focus on businesses involved in defense manufacturing [2]. Another hacking group [2] [3] [4], APT37 [2] [3], has also been linked to North Korea and has targeted a trading company associated with Russia and North Korea [2]. There is a noticeable overlap in infrastructure [2] [3], tooling [2] [3], and targeting between various North Korean hacking outfits [2] [3], making attribution difficult [2] [3]. Additionally, there has been an increased interest in developing macOS malware for high-value targets in the cryptocurrency and blockchain industries [2] [3].


The activities of the Lazarus Group and other North Korean hacking outfits have significant implications for cybersecurity. The theft of billions of dollars from cryptocurrency projects highlights the need for enhanced security measures within the industry. Businesses involved in defense manufacturing and nuclear engineering should be particularly vigilant, as they are prime targets for these cybercriminal organizations. The overlap in infrastructure and tooling among North Korean hacking groups further complicates attribution and underscores the need for international cooperation in addressing this issue. Additionally, the growing interest in developing macOS malware for high-value targets in the cryptocurrency and blockchain industries calls for increased efforts in securing these platforms.