Beyond the Headlines: Inside the World of North Korea’s Lazarus Hackers

In a recent report, Palo Alto Networks detailed the activities of hacker groups associated with North Korean intelligence. These groups, often collectively referred to as Lazarus in public reports, operate on behalf of the DPRK government, engaging in cyber espionage, financial crimes, and destructive attacks across various industries worldwide.

RGB is a structure comprised of several divisions, each with distinct objectives and specializations. To date, six key groups have been identified:

• Alluring Pisces (also known as Bluenoroff) — specializes in attacks on financial institutions, cryptocurrency companies, and ATMs. This group is responsible for significant cyber heists.
• Gleaming Pisces (Citrine Sleet) — targets cryptocurrency-related companies and is linked to the AppleJeus campaign, which spread counterfeit cryptocurrency applications.
• Jumpy Pisces (Andariel) — focuses on cyber espionage but is also known for conducting ransomware attacks.
• Selective Pisces (TEMP.Hermit) — aims at media, defense, and IT companies, engaging in both espionage and network-destroying or compromising attacks.
• Slow Pisces (TraderTraitor) — notorious for attacking blockchain companies and engaging in supply chain compromises, distributing malicious applications such as TraderTraitor.
• Sparkling Pisces (Kimsuky) — primarily gathers intelligence, with its operations funded through cybercrime activities.

The report also includes an analysis of 10 newly discovered malware families developed by North Korean groups. These programs, targeting Windows, macOS, and Linux, are used for various types of attacks, including information gathering, corporate network breaches, and ransomware dissemination.

The report highlights malware such as RustBucket, KANDYKORN, SmoothOperator, ObjCShellz, and Fullhouse. These malicious tools encompass a broad range of functions, from stealthy infiltration of systems to data theft and control over infected devices.

One of the most notable programs is RustBucket, a multi-stage macOS malware discovered in 2023. Its stages include downloading and executing multiple components, making it difficult to detect and remove. KANDYKORN is another example of a complex multi-stage attack that begins with social engineering, tricking the victim into executing a malicious script disguised as a regular file.

The SmoothOperator malware was also singled out, reportedly used to attack clients of the popular 3CX application. The malware was embedded in installation files and collected data from infected devices.

Researchers emphasize that RGB-controlled groups have become notorious for high-profile incidents, such as the Sony Pictures hack in 2014, the global WannaCry epidemic in 2017, and numerous attacks on cryptocurrency exchanges. The activities of North Korean hackers have persisted since 2007, spanning various sectors and regions worldwide.

Due to the scale and complexity of North Korean group operations, in 2024, they were included in the annual MITRE ATT&CK security assessment, which analyzes their methods, tactics, and tools. Palo Alto Networks continues to develop and enhance solutions aimed at protecting companies from the threats posed by these hacker groups.

The report underscores the necessity of a comprehensive approach to organizational security to mitigate the risks associated with state-sponsored hackers like the North Korean groups under RGB’s command.