
We are officially releasing the first actor profile in the Secure Origin Adversary Emulation Library: Lazarus Group (also known as HIDDEN COBRA, APT38, and Diamond Sleet).
This release translates high-level threat intelligence into actionable code. Instead of static reports, we are providing the configurations and scripts required to test environments against documented Lazarus Group tradecraft.
Lazarus Group is a state-sponsored APT group to which high-profile cyberattacks dating back to the early 2010s have been attributed. While its origins lie in espionage, notably the 2014 Sony Pictures breach, the group has shifted significant resources toward financially motivated operations targeting cryptocurrency exchanges and the financial sector.
Key Technical Characteristics:
The library currently includes two primary scenarios that reflect the group's most frequent operational themes.
Objective: Espionage and credential theft via social engineering. Focuses on the delivery of DLL implants (NukeSped/DRATzarus) and exfiltration to cloud storage.
| Phase | Techniques |
|---|---|
| Initial Access | T1566.001 (Spearphishing Attachment) |
| Execution | T1218.011 (Rundll32), T1059.001 (PowerShell) |
| Persistence | T1547.001 (Registry Run Keys), T1053.005 (Scheduled Task) |
| Exfiltration | T1567.002 (Exfiltration to Cloud Storage) |
Objective: Financial theft via trojanized trading applications. Focuses on cryptocurrency wallet and SSH private key theft.
| Phase | Techniques |
|---|---|
| Execution | T1059.004 (Unix Shell) |
| Persistence | T1053.003 (Cron) |
| Credential Access | T1552.004 (Private Keys) |
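Both scenario tables above pair each phase with an ATT&CK technique ID, which is what lets detection logic be tied back to the emulation. The block below is an added example and is not code from the Secure Origin library or the Lazarus profile: one detection predicate per technique in the two tables, run over constructed telemetry, with a coverage check that reports which scenario techniques never fired. The event field names (Sysmon-like `image`, `parent_image`, `command_line`, `target_object`, `dest_host` for Windows; EDR/auditd-like `exe`, `parent_exe`, `path` for Unix), the allowlists, and every path, host and application name are assumptions for the example.

```python
"""Technique-tagged detection checks for the two scenario tables above (added example,
not Secure Origin library code). Events are constructed dicts; the Windows keys mimic
Sysmon fields and the Unix keys mimic EDR/auditd fields, both as assumptions."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
KEY_FILES = re.compile(r"/\.ssh/id_(rsa|ed25519|ecdsa|dsa)$|/wallet\.dat$", re.I)
CLOUD_HOSTS = re.compile(r"dropbox|drive\.google|mega\.nz|onedrive", re.I)
CRON_PATHS = re.compile(r"^/(var/spool/cron|etc/cron)")
USER_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")  # allowlist for T1567.002
SSH_TOOLS = ("/ssh", "/ssh-agent", "/ssh-add")          # allowlist for T1552.004

def _ends(e: Event, field: str, *suffixes: str) -> bool:
    return e.get(field, "").lower().endswith(suffixes)

def _has(e: Event, field: str, *needles: str) -> bool:
    return any(n in e.get(field, "").lower() for n in needles)

# One predicate per technique in the scenario tables. Each is a starting-point
# heuristic; tune the allowlists (browsers, ssh tools, admin hosts) to the environment.
def t1566_001(e):  # Office application spawning a child process
    return e.get("type") == "process_create" and _ends(e, "parent_image", "winword.exe", "excel.exe", "outlook.exe")

def t1059_001(e):  # PowerShell launched with hidden/encoded/download arguments
    return (e.get("type") == "process_create" and _ends(e, "image", "powershell.exe", "pwsh.exe")
            and _has(e, "command_line", "-enc", "-encodedcommand", "-w hidden", "downloadstring"))

def t1218_011(e):  # rundll32 loading a DLL from a user-writable directory
    return e.get("type") == "process_create" and _ends(e, "image", "rundll32.exe") and _has(e, "command_line", *USER_DIRS)

def t1547_001(e):  # value written under a Run/RunOnce key
    return e.get("type") == "registry_set" and bool(RUN_KEY.search(e.get("target_object", "")))

def t1053_005(e):  # schtasks.exe creating a task
    return e.get("type") == "process_create" and _ends(e, "image", "schtasks.exe") and _has(e, "command_line", "/create")

def t1567_002(e):  # non-browser process connecting to consumer cloud storage
    return (e.get("type") == "network_connect" and bool(CLOUD_HOSTS.search(e.get("dest_host", "")))
            and not _ends(e, "image", *BROWSERS))

def t1059_004(e):  # shell whose parent is a GUI app bundle (trojanized-app pattern)
    return e.get("type") == "process_exec" and _ends(e, "exe", "/sh", "/bash", "/zsh") and _has(e, "parent_exe", ".app/contents/macos/")

def t1053_003(e):  # crontab invoked, or a cron spool/config file written
    return (e.get("type") == "process_exec" and _ends(e, "exe", "/crontab")) or (
        e.get("type") == "file_write" and bool(CRON_PATHS.match(e.get("path", ""))))

def t1552_004(e):  # SSH private key or wallet file read by something other than ssh
    return e.get("type") == "file_read" and bool(KEY_FILES.search(e.get("path", ""))) and not _ends(e, "exe", *SSH_TOOLS)

# technique id -> (scenario it belongs to, predicate); "windows" is the first table, "unix" the second
RULES: Dict[str, Tuple[str, Callable[[Event], bool]]] = {
    "T1566.001": ("windows", t1566_001), "T1059.001": ("windows", t1059_001), "T1218.011": ("windows", t1218_011),
    "T1547.001": ("windows", t1547_001), "T1053.005": ("windows", t1053_005), "T1567.002": ("windows", t1567_002),
    "T1059.004": ("unix", t1059_004), "T1053.003": ("unix", t1053_003), "T1552.004": ("unix", t1552_004),
}

def evaluate(events: List[Event]) -> Dict[str, List[int]]:
    """Map each technique id to the indices of the events that triggered it."""
    hits: Dict[str, List[int]] = {}
    for i, e in enumerate(events):
        for tid, (_, rule) in RULES.items():
            if rule(e):
                hits.setdefault(tid, []).append(i)
    return hits

def coverage(events: List[Event], scenario: str) -> Tuple[int, int, List[str]]:
    """(techniques detected, techniques in the scenario, ids that never fired) for one table."""
    wanted = [t for t, (s, _) in RULES.items() if s == scenario]
    hits = evaluate(events)
    missed = [t for t in wanted if t not in hits]
    return len(wanted) - len(missed), len(wanted), missed

# Constructed telemetry for the espionage scenario (first table); all names and paths are made up.
WINDOWS_EVENTS: List[Event] = [
    {"type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe -w hidden -enc ZHVtbXk="},
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start"},
    {"type": "registry_set", "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "command_line": "schtasks.exe /create /sc minute /mo 30 /tn Updater"},
    {"type": "network_connect", "image": r"C:\Windows\System32\rundll32.exe", "dest_host": "api.dropboxapi.com"},
]

# Constructed telemetry for the financial-theft scenario (second table); TradeApp is a placeholder name.
UNIX_EVENTS: List[Event] = [
    {"type": "process_exec", "exe": "/bin/sh", "parent_exe": "/Applications/TradeApp.app/Contents/MacOS/TradeApp"},
    {"type": "process_exec", "exe": "/usr/bin/crontab", "parent_exe": "/bin/sh"},
    {"type": "file_read", "exe": "/bin/cat", "path": "/Users/alice/.ssh/id_rsa"},
    {"type": "file_read", "exe": "/usr/bin/ssh", "path": "/Users/alice/.ssh/id_rsa"},  # legitimate use: must not fire
    {"type": "file_read", "exe": "/tmp/updater", "path": "/home/bob/.bitcoin/wallet.dat"},
]
```

Running `coverage(WINDOWS_EVENTS, "windows")` against the constructed events yields full coverage of the six first-table techniques, and dropping the cloud-storage event reports `T1567.002` as the single miss; `coverage(UNIX_EVENTS, "unix")` likewise covers all three second-table techniques while the legitimate `ssh` read of `id_rsa` stays silent. The design point is that the technique ID is the join key: an emulation run tagged with the same IDs can be scored against the detection side with nothing more than this kind of table.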
The library includes emulation assets and detection logic for several notable malware families associated with Lazarus Group operations:
| Family | Type | Platform |
|---|---|---|
| NukeSped / DRATzarus | RAT | Windows |
| AppleJeus | Trojan | macOS/Linux/Win |
| Destover | Wiper/RAT | Windows |
The Lazarus Group actor folder includes:
All assets are open-source and vendor-agnostic, designed to be used with existing security testing frameworks without requiring proprietary platforms.
The Lazarus Group profile is now available in the public repository. Community contributions, including new techniques or refined detection rules, are welcome via Pull Request.
GitHub Repository: View Lazarus Group Actor Profile
| Threat Actor | Focus | Status |
|---|---|---|
| APT29 | Cloud-native / Supply Chain | In Research |
| LockBit | Ransomware / ESXi | Planning |