Threat Actor Dossier: APT38 (Lazarus Group)

THREAT ACTOR DOSSIER

====================

BASIC INFORMATION

Name: APT38 (Lazarus Group)

Aliases: APT38, HIDDEN COBRA, DHARMA, DPRK THREAT ACTOR, NORTH KOREAN CYBER WARFARE, G0032

MITRE ATT&CK Group ID: G0032

Country of Origin: North Korea (DPRK)

Affiliation: North Korean state-sponsored cyber warfare unit

Type: State-sponsored cyber warfare (espionage, theft, disruption, ransomware)

MOTIVATION

Primary Motivation: State-sponsored cyber warfare and financial theft

Secondary Motivations:

  • Funding North Korean regime
  • Strategic intelligence gathering
  • Destructive attacks and disruption
  • Extortion through ransomware operations
  • Intellectual property theft

Geographic Focus:

  • South Korea
  • United States
  • Japan
  • Australia
  • Taiwan
  • Middle East
  • Healthcare sector (U.S.)

MITRE ATT&CK TTP MAPPING

Initial Access:

  • T1566.001 – Phishing: Spearphishing Attachment
  • T1566.002 – Phishing: Spearphishing Link
  • T1190 – Exploit Public-Facing Application
  • T1577 – Compromise Host via Supply Chain

Execution:

  • T1059.001 – PowerShell
  • T1059.004 – Python
  • T1204.002 – User Execution: Malicious File
  • T1059.003 – Command and Scripting Interpreter: PowerShell

Persistence:

  • T1547.001 – Boot or Logon Autostart Execution
  • T1546.004 – Accessibility Features
  • T1590 – Lateral Tool Transfer

Privilege Escalation:

  • T1068 – Exploitation for Privilege Escalation
  • T1548.002 – Abuse Elevation Control Mechanism
  • T1548.004 – Abuse Installed Service

Defense Evasion:

  • T1070.005 – Clear Windows Event Logs
  • T1071.001 – Application Layer Protocol
  • T1055 – Process Injection
  • T1027 – Obfuscated Files or Information

Credential Access:

  • T1555.001 – Input Capture: Keyboard
  • T1555.004 – Input Capture: Hardware Token
  • T1003 – OS Credential Dumping
  • T1110.001 – Brute Force

Discovery:

  • T1082 – Identify Windows System
  • T1083 – File and Directory Discovery
  • T1087 – Account Discovery
  • T1085 – Active Directory Permissions Discovery

Lateral Movement:

  • T1021.002 – SMB/Windows Admin Shares
  • T1021.004 – Remote Desktop Protocol
  • T1076 – Remote Services
  • T1570 – Overlay Tools

Collection:

  • T1005 – Data from Local System
  • T1003.001 – LSADump File
  • T1003.003 – Credential Dump
  • T1213 – Security Information Collection

Command and Control:

  • T1071.004 – Remote Services
  • T1571 – Non-Application Layer Protocol
  • T1102 – Web Service
  • T1071.001 – Application Layer Protocol: Web Protocol

Exfiltration:

  • T1041 – Exfiltration Over C2 Channel
  • T1567 – Exfiltration Over Web Service
  • T1570 – Overlay Tools

TOOLS AND INFRASTRUCTURE

Primary Tools:

  • Medusa Ransomware – Extortion ransomware for healthcare and nonprofit targets
  • Hidden Cobra – Custom malware and tools
  • Dharma – Remote access trojan
  • Cobalt Strike – Post-exploitation framework
  • Dharma RAT – Remote access trojan

Secondary Tools:

  • Ragnar Locker – Ransomware framework
  • BlackCat/ALPHV – Ransomware operations
  • Custom PowerShell scripts – Initial access and post-exploitation
  • Covenant – C2 framework
  • Sliver – Modern C2 framework

Infrastructure:

  • C2 domains embedded in malware
  • Hardcoded IP addresses in malware
  • Proxy servers for C2 communication
  • Compromised websites for C2
  • North Korean infrastructure

TARGETED SECTORS

Primary Targets:

  • Healthcare – U.S. hospitals, healthcare providers, patient data
  • Finance – Banks, financial institutions, payment processors
  • Government – Federal agencies, state/local governments
  • Technology – Semiconductor companies, tech vendors
  • Critical Infrastructure – Energy, utilities, transportation

Secondary Targets:

  • Education – Universities, research institutions
  • Transportation – Aviation, shipping, logistics companies
  • Media – Broadcasting companies, news organizations
  • Retail – E-commerce, retail stores

ASSOCIATED MALWARE

Primary Malware Families:

  • Medusa Ransomware – Extortion ransomware (current operations)
  • Hidden Cobra – Custom malware framework
  • Dharma RAT – Remote access trojan
  • Ragnar Locker – Ransomware (previous operations)
  • BlackCat/ALPHV – Ransomware (collaboration)

Secondary Malware Families:

  • Cobalt Strike Beacon – Post-exploitation implant
  • PowerShell-based droppers – Initial access
  • Credential theft tools – Mimikatz variants
  • Lateral movement scripts – PsExec, WinRM
  • Data exfiltration tools – Custom C2 clients

NOTABLE CAMPAIGNS

Campaign 1: Healthcare Sector Operations (2026)

  • Targets: U.S. hospitals, healthcare providers
  • Impact: Patient data compromise, intellectual property theft
  • Techniques: Medusa ransomware, phishing, supply chain attacks
  • Recent Operations (2026): Continued operations against U.S. healthcare sector using Medusa ransomware

Campaign 2: South Korean Operations (2009-2025)

  • Targets: South Korean government, financial institutions, tech companies
  • Impact: Strategic intelligence gathering, financial theft
  • Techniques: Phishing, Dharma RAT, Cobalt Strike
  • Recent Operations (2025): Ongoing targeting of South Korean infrastructure

Campaign 3: U.S. Government Operations (2014-2025)

  • Targets: U.S. federal agencies, state/local governments
  • Impact: Strategic intelligence, technology theft
  • Techniques: Spearphishing, zero-day exploitation
  • Recent Operations (2025): Continued U.S. government sector targeting

Campaign 4: Destructive Operations (2018-2025)

  • Targets: Critical infrastructure, energy facilities
  • Impact: Destructive wiper malware deployment
  • Techniques: Exploitation, lateral movement, wiper deployment
  • Recent Operations (2025): Potential destructive operations against critical infrastructure

THREAT LEVEL ASSESSMENT

Overall Threat Level: CRITICAL

Capabilities:

  • State-sponsored cyber warfare capabilities
  • Custom malware development
  • Multi-vector attack campaigns
  • Destructive operation capability
  • Extensive financial theft history

Maturity: Advanced

Resources: Extensive (state-sponsored)

Notable Operations:

  • 2013 South Korea cyberattack (180,000+ devices impacted)
  • 2016 WannaCry ransomware (alleged involvement)
  • 2026 Medusa ransomware operations (healthcare targets)
  • 2018 Sony Pictures attack (destructive operations)
  • 2014-2025 U.S. government targeting
  • 2009-2025 South Korean operations
  • 2026 healthcare sector ransomware operations

CVE AND VULNERABILITY EXPLOITATION

Exploited Vulnerabilities:

  • Unpatched remote code execution vulnerabilities
  • Supply chain software vulnerabilities
  • Legacy system vulnerabilities
  • Zero-day exploits in critical infrastructure

Preferred Exploitation Vectors:

  • Phishing campaigns with malicious attachments
  • Business email compromise (BEC)
  • Supply chain software updates
  • Compromised third-party vendors

INDICATORS OF COMPROMISE (IOCs)

File Hashes:

  • Medusa ransomware variants: Multiple MD5/SHA256 hashes
  • Hidden Cobra tools: Various hashes
  • Cobalt Strike Beacon: Various hashes
  • Custom scripts: Hashes from malware analysis

Network Indicators:

  • C2 domains: Various TLDs and country-code TLDs
  • IP addresses: Compromised infrastructure
  • Malicious URLs: Phishing sites, dropper downloads

SOURCES

Primary Sources:

  • MITRE ATT&CK Groups database (attack.mitre.org/groups/G0032/)
  • Huntress Threat Library (huntress.com/threat-library/threat-actors/cobalt-group)
  • Security.com Lazarus Medusa Ransomware (security.com/threat-intelligence/lazarus-medusa-ransomware)
  • Industrial Cyber Medusa Ransomware (industrialcyber.co/ransomware/lazarus-hackers-adopt-medusa-ransomware-for-extortion-campaigns-targeting-healthcare-and-nonprofits/)
  • Malpedia (malpedia.caad.fkie.fraunhofer.de/actor/lazarus_group)
  • The Hacker News Lazarus Group (thehackernews.com/search/label/lazarus%20group)
  • ClearPhish AI North Korean Lazarus Group (clearphish.ai/news/north-korean-lazarus-group-linked-medusa-ransomware-healthcare-attacks)

Secondary Sources:

  • Picus Security Lazarus Group TTPs and Major Attacks
  • Radware Lazarus Group (radware.com/cyberpedia/ddos-attacks/the-lazarus-group-apt38-north-korean-threat-actor/)
  • FalconFeeds.io Lazarus Group Intelligence Dossier (falconfeeds.io/blogs/lazarus-constellation-dprk-cyber-warfare-intelligence-dossier-2009-2026/)
  • Symantec and Carbon Black threat hunter intelligence
  • Broadcom threat intelligence division

CVE Databases:

  • CVE (Common Vulnerabilities and Exposures)
  • NVD (National Vulnerability Database)
  • MITRE CVE

LAST UPDATED

Date: 2026-06-03

Analyst: IRG Research lurch-bot farm

Review Status: Current

Intelligence Freshness: Recent operations captured (2026)

Note: This dossier is part of a comprehensive threat actor intelligence series. Similar dossiers have been created for APT41, FIN7, and other major threat actors.