
Lazarus aka Hidden Cobra APT Group – Active IOCs

Severity

High

Analysis Summary

Lazarus APT, one of North Korea’s most sophisticated and well-funded threat actors, has been active since at least 2009. Initially focused on South Korea, the group has expanded to target organizations worldwide, including in the United States, Japan, and other nations. While early operations centered on espionage, Lazarus has increasingly engaged in financially motivated attacks, such as targeting financial institutions, cryptocurrency platforms, and government and military entities.

The group is known for employing a wide range of tactics, techniques, and procedures (TTPs), including spear-phishing, malware deployment, and social engineering. One of their recent operations, the “Dream Job” campaign, targets individuals in cryptocurrency-adjacent sectors by posing as legitimate job recruiters and luring victims into downloading malicious software. In some cases, Lazarus uses the ClickFix technique to deliver malware disguised under the name “Nvidia,” further enhancing its deception capabilities.

Lazarus is closely linked to other North Korean cyber units, such as Bluenoroff and Andariel, which are believed to be subgroups or affiliates. These connections, along with suspected collaborations with non-state actors, have enabled the group to conduct a variety of malicious campaigns, including cryptocurrency theft, ransomware distribution, and cyber espionage.

Given the group’s capabilities and global reach, it is considered a significant threat to both organizations and individuals. Effective defenses include maintaining up-to-date software and security patches, implementing multi-factor authentication, exercising caution with emails and attachments, and regularly backing up critical data. Organizations in high-risk sectors must remain vigilant to detect and counter Lazarus’s evolving tactics.

Impact

  • Information Theft and Espionage
  • Exposure to Sensitive Data

Indicators of Compromise

MD5


SHA-256


SHA-1


URL

  • http://attach.docucloud.o-r.kr/FreeDownload.php

Remediation

  • Always be suspicious of emails sent by unknown senders.
  • Never click on links or open attachments sent by unknown senders.
  • Block all threat indicators at your respective controls.
  • Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
  • Ensure that general security policies are enforced, including strong passwords, correct configurations, and proper administrative security policies.
  • Enable two-factor authentication.
  • Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
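The IOC search step above, as an added example that is not part of this advisory: one read per file yields all three digest types the advisory lists (MD5, SHA-1, SHA-256), and each is checked against the corresponding indicator set. The indicator values in SAMPLE_IOCS are constructed test vectors (digests of the bytes b"abc"), not this advisory's indicators; substitute the lists from the advisory before running a real sweep.

```python
import hashlib
import io
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Hash algorithms in which this advisory publishes its file indicators.
ALGOS = ("md5", "sha1", "sha256")

def digest_stream(stream, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read a binary stream once and return MD5, SHA-1 and SHA-256 hex digests."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def normalize_iocs(iocs: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """Lower-case and strip indicators so matching is case-insensitive."""
    return {a.lower(): {v.strip().lower() for v in vals} for a, vals in iocs.items()}

def match_digests(label: str, digests: Dict[str, str],
                  iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (label, algorithm, hexdigest) for every indicator set that is hit."""
    return [(label, a, digests[a]) for a in ALGOS if digests.get(a) in iocs.get(a, set())]

def scan_blobs(blobs: Dict[str, bytes], iocs) -> List[Tuple[str, str, str]]:
    """Sweep in-memory objects (e.g. extracted mail attachments) against the IOCs."""
    norm = normalize_iocs(iocs)
    return [hit for name, data in blobs.items()
            for hit in match_digests(name, digest_stream(io.BytesIO(data)), norm)]

def scan_paths(paths: Iterable[str], iocs) -> List[Tuple[str, str, str]]:
    """Sweep files on disk; unreadable or non-regular paths are skipped, not fatal."""
    norm, found = normalize_iocs(iocs), []
    for p in map(Path, paths):
        if not p.is_file():
            continue
        try:
            with p.open("rb") as fh:
                found.extend(match_digests(str(p), digest_stream(fh), norm))
        except OSError:
            continue  # permission denied, vanished file, etc.: log and move on
    return found

# Constructed sample indicator set: digests of b"abc", NOT indicators from this advisory.
SAMPLE_IOCS = {
    "md5": {"900150983CD24FB0D6963F7D28E17F72"},  # upper-case on purpose
    "sha1": {"a9993e364706816aba3e25717850c26c9cd0d89d"},
    "sha256": {"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
}

if __name__ == "__main__":
    for hit in scan_blobs({"sample.bin": b"abc", "clean.bin": b"hello"}, SAMPLE_IOCS):
        print(hit)
```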