Trusted Design

Lazarus Group

G0032 · MITRE Pageへのリンク

脅威アクターの詳細

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber Groups September 2019) [Lazarus Group](https://attack.mitre.org/groups/G0032) has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.(Citation: Novetta Blockbuster) North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.(Citation: Mandiant DPRK Laz Org Breakdown 2022)(Citation: Mandiant DPRK Groups 2023)(Citation: JPCert Blog Laz Subgroups 2025)

別名・別称

Lazarus Group
Labyrinth Chollima
HIDDEN COBRA
Guardians of Peace
ZINC
NICKEL ACADEMY
Diamond Sleet

利用した攻撃手法

• T1053.005 - Scheduled Task
• T1047 - Windows Management Instrumentation
• T1033 - System Owner/User Discovery
• T1218.011 - Rundll32
• T1132.001 - Standard Encoding
• T1027.009 - Embedded Payloads
• T1056.001 - Keylogging
• T1561.002 - Disk Structure Wipe
• T1027.013 - Encrypted/Encoded File
• T1560.003 - Archive via Custom Method
• T1588.004 - Digital Certificates
• T1542.003 - Bootkit
• T1074.001 - Local Data Staging
• T1036.005 - Match Legitimate Resource Name or Location
• T1489 - Service Stop
• T1587.001 - Malware
• T1204.002 - Malicious File
• T1573.001 - Symmetric Cryptography
• T1543.003 - Windows Service
• T1566.002 - Spearphishing Link
• T1021.004 - SSH
• T1566.001 - Spearphishing Attachment
• T1574.001 - DLL
• T1553.002 - Code Signing
• T1082 - System Information Discovery
• T1106 - Native API
• T1070.003 - Clear Command History
• T1202 - Indirect Command Execution
• T1005 - Data from Local System
• T1140 - Deobfuscate/Decode Files or Information
• T1583.001 - Domains
• T1560.002 - Archive via Library
• T1218 - System Binary Proxy Execution
• T1070.006 - Timestomp
• T1620 - Reflective Code Loading
• T1547.009 - Shortcut Modification
• T1010 - Application Window Discovery
• T1021.002 - SMB/Windows Admin Shares
• T1562.004 - Disable or Modify System Firewall
• T1560 - Archive Collected Data
• T1585.002 - Email Accounts
• T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay
• T1134.002 - Create Process with Token
• T1110.003 - Password Spraying
• T1090.002 - External Proxy
• T1589.002 - Email Addresses
• T1016 - System Network Configuration Discovery
• T1070 - Indicator Removal
• T1083 - File and Directory Discovery
• T1036.004 - Masquerade Task or Service
• T1049 - System Network Connections Discovery
• T1218.005 - Mshta
• T1104 - Multi-Stage Channels
• T1583.006 - Web Services
• T1491.001 - Internal Defacement
• T1057 - Process Discovery
• T1041 - Exfiltration Over C2 Channel
• T1591 - Gather Victim Org Information
• T1059.001 - PowerShell
• T1547.001 - Registry Run Keys / Startup Folder
• T1098 - Account Manipulation
• T1588.002 - Tool
• T1574.013 - KernelCallbackTable
• T1562.001 - Disable or Modify Tools
• T1078 - Valid Accounts
• T1571 - Non-Standard Port
• T1585.001 - Social Media Accounts
• T1036.003 - Rename Legitimate Utilities
• T1102.002 - Bidirectional Communication
• T1203 - Exploitation for Client Execution
• T1001.003 - Protocol or Service Impersonation
• T1012 - Query Registry
• T1059.003 - Windows Command Shell
• T1485 - Data Destruction
• T1070.004 - File Deletion
• T1189 - Drive-by Compromise
• T1071.001 - Web Protocols
• T1059.005 - Visual Basic
• T1584.004 - Server
• T1046 - Network Service Discovery
• T1105 - Ingress Tool Transfer
• T1027.007 - Dynamic API Resolution
• T1021.001 - Remote Desktop Protocol
• T1564.001 - Hidden Files and Directories
• T1008 - Fallback Channels
• T1680 - Local Storage Discovery
• T1124 - System Time Discovery
• T1055.001 - Dynamic-link Library Injection
• T1566.003 - Spearphishing via Service
• T1090.001 - Internal Proxy
• T1561.001 - Disk Content Wipe
• T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol
• T1529 - System Shutdown/Reboot

関連するCVE (攻撃手法に関連)

• CVE-2014-4114 (T1059.005)
• CVE-2017-0143 (T1566.003)
• CVE-2013-6282 (T1562.001)
• CVE-2012-1856 (T1529)
• CVE-2014-6332 (T1055.001)
• CVE-2012-0158 (T1529)
• CVE-2015-1701 (T1529)
• CVE-2012-4969 (T1055.001)
• CVE-2014-1776 (T1055.001)
• CVE-2013-3660 (T1055.001)
• CVE-2010-0806 (T1055.001)
• CVE-2015-2360 (T1529)
• CVE-2010-4398 (T1529)
• CVE-2015-2545 (T1562.001)
• CVE-2014-6271 (T1566.003)
• CVE-2013-3906 (T1203)
• CVE-2010-3081 (T1046)
• CVE-2012-0507 (T1566.003)
• CVE-2013-2465 (T1566.003)
• CVE-2025-13335 (T1571)
• CVE-2025-13927 (T1078)
• CVE-2025-13928 (T1078)
• CVE-2025-34026 (T1203)
• CVE-2026-0723 (T1218.005)
• CVE-2026-1102 (T1078)
• CVE-2025-55182 (T1562.001)
• CVE-2023-1389 (T1566.003)
• CVE-2025-24893 (T1566.003)
• CVE-2025-55184 (T1562.001)
• CVE-2025-68645 (T1046)
• CVE-2016-1898 (T1090.002)
• CVE-2016-1897 (T1090.002)
• CVE-2015-0932 (T1218.005)
• CVE-2017-12149 (T1218.005)
• CVE-2010-1553 (T1566.003)
• CVE-2016-9494 (T1562.001)
• CVE-2012-1258 (T1046)
• CVE-2014-4322 (T1027.007)
• CVE-2017-16929 (T1218.005)
• CVE-2013-0074 (T1203)
• CVE-2014-8439 (T1046)
• CVE-2010-0232 (T1529)
• CVE-2009-3129 (T1566.003)
• CVE-2017-0001 (T1566.003)
• CVE-2017-7255 (T1562.001)
• CVE-2015-3043 (T1203)
• CVE-2016-1990 (T1078)
• CVE-2016-1991 (T1218.005)
• CVE-2015-2852 (T1203)
• CVE-2015-2854 (T1203)
• CVE-2015-2853 (T1203)
• CVE-2016-1287 (T1566.003)
• CVE-2016-1562 (T1562.001)
• CVE-2013-7331 (T1090.001)
• CVE-2016-4117 (T1203)
• CVE-2015-1770 (T1021.001)
• CVE-2017-0199 (T1021.001)
• CVE-2014-6352 (T1059.005)
• CVE-2015-0016 (T1203)
• CVE-2010-3333 (T1046)
• CVE-2010-0188 (T1059.003)
• CVE-2010-2884 (T1059.003)
• CVE-2013-0640 (T1059.003)
• CVE-2011-0611 (T1566.003)
• CVE-2015-2546 (T1566.003)
• CVE-2014-4113 (T1529)
• CVE-2017-0263 (T1566.003)
• CVE-2015-0057 (T1036.003)
• CVE-2014-4148 (T1036.003)
• CVE-2015-0071 (T1189)
• CVE-2015-7755 (T1203)
• CVE-2015-8286 (T1562.004)
• CVE-2015-8287 (T1203)
• CVE-2014-1761 (T1203)
• CVE-2012-1876 (T1203)
• CVE-2012-2539 (T1203)
• CVE-2013-5990 (T1529)
• CVE-2012-4792 (T1105)
• CVE-2015-0310 (T1027.007)
• CVE-2015-5897 (T1078)
• CVE-2015-4495 (T1189)
• CVE-2014-8361 (T1071.001)
• CVE-2012-6422 (T1566.003)
• CVE-2016-0189 (T1027.007)
• CVE-2025-66478 (T1566.003)
• CVE-2015-2426 (T1055.001)
• CVE-2015-5119 (T1203)
• CVE-2015-5122 (T1203)
• CVE-2015-1427 (T1566.003)
• CVE-2013-2094 (T1529)
• CVE-2015-3628 (T1203)
• CVE-2015-6034 (T1078)
• CVE-2015-7261 (T1218.005)
• CVE-2016-6532 (T1218.005)
• CVE-2016-9496 (T1529)
• CVE-2016-9495 (T1203)
• CVE-2012-0056 (T1078)
• CVE-2012-3213 (T1203)
• CVE-2014-0322 (T1059.005)
• CVE-2011-3544 (T1218.005)
• CVE-2015-3636 (T1529)
• CVE-2017-17215 (T1036.003)
• CVE-2012-4681 (T1124)
• CVE-2015-1761 (T1078)
• CVE-2010-1297 (T1059.003)
• CVE-2013-2678 (T1218.005)
• CVE-2008-1436 (T1529)
• CVE-2014-3393 (T1566.003)
• CVE-2014-3897 (T1189)
• CVE-2015-2419 (T1189)
• CVE-2025-31125 (T1078)
• CVE-2026-20127 (T1529)
• CVE-2015-6585 (T1585.002)
• CVE-2015-3456 (T1027.007)
• CVE-2015-3090 (T1566.003)
• CVE-2016-0984 (T1036.003)
• CVE-2015-0313 (T1203)
• CVE-2014-0329 (T1562.001)
• CVE-2015-5134 (T1566.003)
• CVE-2015-5539 (T1566.003)
• CVE-2015-5557 (T1566.003)
• CVE-2015-5563 (T1566.003)
• CVE-2015-5559 (T1566.003)
• CVE-2015-5540 (T1566.003)
• CVE-2015-5561 (T1566.003)
• CVE-2015-5551 (T1566.003)
• CVE-2015-5564 (T1566.003)
• CVE-2015-5565 (T1566.003)
• CVE-2015-5550 (T1566.003)
• CVE-2015-5566 (T1566.003)
• CVE-2015-5127 (T1566.003)
• CVE-2015-5556 (T1566.003)
• CVE-2016-2342 (T1046)
• CVE-2013-2551 (T1189)
• CVE-2014-0569 (T1083)
• CVE-2015-3785 (T1562.001)
• CVE-2015-3113 (T1203)
• CVE-2015-2590 (T1036.003)
• CVE-2015-2424 (T1218.005)
• CVE-2015-0097 (T1059.005)
• CVE-2015-2502 (T1189)
• CVE-2016-1010 (T1566.003)
• CVE-2016-1019 (T1566.003)
• CVE-2016-1001 (T1566.003)
• CVE-2016-0998 (T1566.003)
• CVE-2015-1641 (T1218.005)
• CVE-2015-0359 (T1203)
• CVE-2015-5130 (T1566.003)
• CVE-2015-6022 (T1218.005)
• CVE-2017-0261 (T1059.005)
• CVE-2017-0262 (T1059.005)
• CVE-2015-0311 (T1203)
• CVE-2015-0336 (T1566.003)
• CVE-2014-3153 (T1203)
• CVE-2015-3105 (T1203)
• CVE-2014-0497 (T1203)
• CVE-2014-0515 (T1203)
• CVE-2014-0556 (T1566.003)
• CVE-2015-5560 (T1036.003)
• CVE-2014-9163 (T1046)
• CVE-2012-1723 (T1036.003)
• CVE-2014-8440 (T1218.005)
• CVE-2011-3402 (T1036.003)
• CVE-2014-6324 (T1078)
• CVE-2014-7247 (T1529)
• CVE-2014-2273 (T1562.001)
• CVE-2015-4902 (T1566.003)
• CVE-2015-2387 (T1078)
• CVE-2010-2572 (T1218.005)
• CVE-2011-1255 (T1203)
• CVE-2017-8570 (T1566.003)
• CVE-2012-0611 (T1027.007)
• CVE-2025-55183 (T1078)
• CVE-2015-5477 (T1218.005)
• CVE-2015-7645 (T1203)
• CVE-2015-8562 (T1218.005)
• CVE-2015-7808 (T1203)
• CVE-2012-1889 (T1218.005)
• CVE-2015-5749 (T1218.005)
• CVE-2015-6036 (T1218.005)
• CVE-2015-7262 (T1529)
• CVE-2016-2343 (T1218.005)
• CVE-2017-3212 (T1562.001)
• CVE-2014-7911 (T1529)
• CVE-2010-2883 (T1046)
• CVE-2013-0634 (T1566.003)
• CVE-2012-5054 (T1218.005)
• CVE-2010-0738 (T1566.003)
• CVE-2013-0641 (T1059.003)
• CVE-2013-2595 (T1027.007)

Actor – Pulse グラフ

---

← 脅威アクター一覧に戻る