The Lazarus Group Threat Profile: An Expert Analysis
Key takeaways:
- Lazarus operates as a modular organization: TraderTraitor (crypto), BlueNoroff (banking/SWIFT), Andariel (espionage/ransomware)
- Financial theft operations are often followed by destructive wiper deployment (Whiskey series) to cover tracks
- Incident response must prioritize forensic capture before remediation due to irreversible destruction capabilities
Lazarus Group (aka TraderTraitor) is an APT (Advanced Persistent Threat) that mixes espionage with large-scale financially motivated operations targeting banks, exchanges, and VASPs. This article maps their primary TTPs to MITRE, lists referenced IoCs, and provides prioritized detection and mitigation steps for SOCs and VASPs.
Quick actions for SOCs / VASPs
- Block or monitor transactions involving the following wallet addresses.
- Enforce MFA (multi-factor authentication) and restrict RDP (Remote Desktop Protocol); require just-in-time admin access.
- Integrate IoFC (Indicators of Financial Compromise) feeds into transaction monitoring and build alerts for known laundering services.
Overview
The Lazarus Group, also known as Guardians of Peace or Whois Team, is internationally recognized as a sophisticated state-sponsored Advanced …
IoC
62.84.240.140
185.66.41.17
40e98FeEEbaD7Ddb0F0534Ccaa617427eA10187e
96244D83DC15d36847C35209bBDc5bdDE9bEc3D8
689cfaa9319f3f7529a31472ecf6b2e0ca6891b736de009e0b6c2ebac958cc94
2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1
51E9d833Ecae4E8D9D8Be17300AEE6D3398C135D
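The "quick actions" above ask SOCs and VASPs to screen transactions against the listed wallet addresses and to feed indicators into transaction monitoring. The following Python routine is an added example, not code from the article or from any vendor: it classifies each entry of the IoC list above by syntax (IPv4, 20-byte EVM address, 32-byte hex digest), normalizes case and the optional 0x prefix so that checksummed and lower-cased forms of the same address still match, and screens a few constructed events against the resulting watchlist. The event schema (from/to/src_ip/hash fields), the sample events, the 0x1111…/0x2222…/0x3333… addresses and the 203.0.113.x source IPs are assumptions; the page does not say whether the 64-hex values are file hashes or chain transaction hashes, so they are treated generically as 256-bit digests.

```python
import re
from typing import Dict, List, Set

# Indicator values copied verbatim from the IoC list on this page.
PAGE_IOCS = [
    "62.84.240.140",
    "185.66.41.17",
    "40e98FeEEbaD7Ddb0F0534Ccaa617427eA10187e",
    "96244D83DC15d36847C35209bBDc5bdDE9bEc3D8",
    "689cfaa9319f3f7529a31472ecf6b2e0ca6891b736de009e0b6c2ebac958cc94",
    "2360a69e5fd7217e977123c81d3dbb60bf4763a9dae6949bc1900234f7762df1",
    "51E9d833Ecae4E8D9D8Be17300AEE6D3398C135D",
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
EVM_ADDR = re.compile(r"^(?:0x)?[0-9a-fA-F]{40}$")  # 20-byte EVM account address
HEX256 = re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")    # 32-byte digest (file hash or chain tx hash; page does not say)

# Assumed event schema: which event field is compared against which indicator type.
FIELD_KINDS = {"from": "evm_address", "to": "evm_address", "src_ip": "ipv4", "hash": "hex256"}


def classify(ioc: str) -> str:
    """Infer the indicator type from its syntax alone."""
    value = ioc.strip()
    if IPV4.match(value) and all(int(octet) <= 255 for octet in value.split(".")):
        return "ipv4"
    if HEX256.match(value):
        return "hex256"
    if EVM_ADDR.match(value):
        return "evm_address"
    return "unknown"


def normalize(value: str, kind: str) -> str:
    """Canonical form for comparison: hex lower-cased, optional 0x dropped.
    EIP-55 mixed-case checksums are deliberately ignored so that a lower-cased
    address in a log still matches the checksummed form on the watchlist."""
    value = value.strip()
    if kind in ("evm_address", "hex256"):
        value = value.lower()
        return value[2:] if value.startswith("0x") else value
    return value


def build_index(raw_iocs: List[str]) -> Dict[str, Set[str]]:
    """Group a flat IoC list into per-type sets for constant-time lookups."""
    index: Dict[str, Set[str]] = {"ipv4": set(), "evm_address": set(), "hex256": set(), "unknown": set()}
    for ioc in raw_iocs:
        kind = classify(ioc)
        index[kind].add(normalize(ioc, kind))
    return index


def screen_event(event: dict, index: Dict[str, Set[str]]) -> List[dict]:
    """Return one alert per event field whose value is on the watchlist."""
    alerts = []
    for field, kind in FIELD_KINDS.items():
        raw = event.get(field)
        if raw is None:
            continue
        canonical = normalize(raw, kind)
        if canonical in index[kind]:
            alerts.append({"event_id": event["id"], "field": field, "kind": kind, "indicator": canonical})
    return alerts


def screen_events(events: List[dict], index: Dict[str, Set[str]]) -> List[dict]:
    """Screen a batch of events; alerts keep the order of the input events."""
    return [alert for event in events for alert in screen_event(event, index)]


# Constructed sample events (not from the page); 0x1111.../0x2222.../0x3333... and 203.0.113.x are placeholders.
SAMPLE_EVENTS = [
    {"id": "tx-1001", "kind": "withdrawal", "from": "0x" + "1" * 40,
     "to": "0x40e98feeebad7ddb0f0534ccaa617427ea10187e", "src_ip": "203.0.113.10"},  # lower-cased listed address
    {"id": "tx-1002", "kind": "withdrawal", "from": "0x" + "2" * 40,
     "to": "0x" + "3" * 40, "src_ip": "203.0.113.11"},                                # clean
    {"id": "login-77", "kind": "login", "src_ip": "185.66.41.17"},                     # listed IP
    {"id": "upload-5", "kind": "attachment",
     "hash": "689cfaa9319f3f7529a31472ecf6b2e0ca6891b736de009e0b6c2ebac958cc94".upper()},  # upper-cased listed digest
]

if __name__ == "__main__":
    for alert in screen_events(SAMPLE_EVENTS, build_index(PAGE_IOCS)):
        print(alert)
```

Running the block prints three alerts: the withdrawal to the listed address, the login from the listed IP, and the upload whose digest matches, while the clean withdrawal produces nothing. In production the watchlist would be loaded from an IoFC feed rather than hard-coded, and a match should raise a review hold on the transaction rather than silently dropping it, so that the forensic record the article insists on is preserved.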