#Lazarus

DPRK-aligned APT focused on financial theft (cryptocurrency exchanges, banks) and on espionage against defence contractors


IOCs by window

Window   IOCs tagged #Lazarus
Today    0
Week     7
Month    20
Year     153

Counts as of 2026-04-29. Regenerated daily.

About #Lazarus

  • Threat actor: DPRK-aligned APT active since at least 2007, also tracked as Hidden Cobra (US government), ZINC and Diamond Sleet (Microsoft's former and current names) and TraderTraitor (the name CISA uses for its cryptocurrency-targeting activity). MITRE ATT&CK G0032.
  • Targets: cryptocurrency exchanges and decentralised-finance protocols (theft), banks (SWIFT-targeted operations), and defence contractors and aerospace firms (espionage). Notable operations: 2014 Sony Pictures, 2016 Bangladesh Bank SWIFT heist, 2017 WannaCry, 2022 Ronin and Harmony Horizon bridge thefts.
  • Tactics: spearphishing with job-themed LinkedIn lures, supply-chain compromise via malicious npm and PyPI packages and via third-party software (the MagicLine authentication product was exploited in one such intrusion), custom backdoors (LightlessCan, Manuscrypt) and trojanised cryptocurrency-trading applications (AppleJeus, with Windows and macOS builds).
  • References: MITRE ATT&CK G0032 · CISA AA20-239A.

Recent IOCs tagged #Lazarus

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/lazarus. Values are listed raw, not defanged: treat them as hostile, and defang before pasting them into tickets or reports.

Date (2026)     Type    Value                        Source
Apr 27, 13:54   url     http://195.201.104.53        @500mk500
Apr 27, 13:54   url     http://195.201.104.53:6931   @500mk500
Apr 27, 13:54   url     http://195.201.104.53:6936   @500mk500
Apr 27, 13:54   url     http://195.201.104.53:6939   @500mk500
Apr 27, 13:54   url     http://216.126.224.220:5976  @500mk500
Apr 27, 13:54   ip      195.201.104.53               @500mk500
Apr 27, 13:54   ip      216.126.224.220              @500mk500
Apr 17, 02:21   domain  mobileokgroup.site           @cyberwar_15
Apr 17, 02:21   url     http://mobileokgroup.site    @cyberwar_15
Apr 17, 02:21   domain  eastasiagroup.online         @cyberwar_15


Frequently asked questions

What is Lazarus?

Lazarus (also tracked as Hidden Cobra, ZINC, Diamond Sleet and TraderTraitor) is a DPRK-aligned advanced persistent threat group active since at least 2007. It is best known for financially motivated operations (cryptocurrency exchange and bridge thefts, SWIFT-targeted bank intrusions, the 2017 WannaCry outbreak) and for long-running espionage campaigns against defence contractors and aerospace firms, typically opened with job-offer lures and, more recently, with malicious packages pushed through software supply chains. MITRE ATT&CK tracks the cluster as G0032.

Is Lazarus the same as Kimsuky?

No. Both are DPRK-aligned, but they are distinct clusters with different objectives and tradecraft. Lazarus is primarily about theft (cryptocurrency, banking), with a separate espionage line against defence and aerospace firms. Kimsuky focuses on intelligence collection (foreign policy, defence research, academia). Researchers track them as separate entities; the #Kimsuky tag on TweetFeed groups its own IOCs.

How is this list updated?

Every 15 minutes for the feeds; once a day for this page. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security-researcher accounts and lists, extracts IOCs, tags each with the relevant malware family or threat actor, and republishes the result as CSV, JSON and RSS. Lazarus-tagged IOCs reach those feeds at the next 15-minute tick; this page, with its table and counts, is regenerated once a day by a GitHub Action and can therefore lag the feed by up to a day.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Lazarus subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Lazarus IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).