The notorious North Korean hacking collective Lazarus Group, also tracked as APT38, Dark Seoul, or Hidden Cobra, has earned its reputation as high-profile nation-backed threat actors, mainly targeting cryptocurrency companies. In the newly discovered malicious campaign dubbed DeathNote, adversaries are shifting their focus by primarily setting eyes on the defense organizations along with automotive and academic sectors.

Detecting DeathNote Campaign by Lazarus Hacker Squad

Having been in the limelight in the cyber threat arena since 2009, Lazarus hackers are constantly challenging cyber defenders with new threats and enhanced offensive capabilities. In the latest DeathNote campaign, the group’s experiments with new targets and the use of more sophisticated tools and techniques require ultra responsiveness from the defensive forces. To help organizations timely identify the adversary activity in their infrastructure, SOC Prime has recently released a new Sigma rule written by our keen Threat Bounty developer, Emre Ay:

Possible Discovery Activity of Lazarus Apt Group by Accessing the Default Domain Controllers Policy (via process_creation)

This Sigma rule detects the latest Lazarus APT Group activity attempting to access the default domain controller’s policy to discover information about the compromised system. The detection is aligned with the latest MITRE ATT&CK® framework v12 addressing the Discovery tactic and the corresponding Group Policy Discovery (T1615) technique. To ensure cross-tool compatibility, the rule can be instantly translated to 20+ SIEM, EDR, XDR, and BDP solutions. 

Cybersecurity professionals looking for ways to monetize their detection and hunting ideas can tap into the power of our Threat Bounty Program to share their own Simga rules with industry peers and contribute to collective expertise while converting their skills into financial benefits. 

Due to high volumes of attacks attributed to the Lazarus hacking collective and its constantly evolving adversary toolkit, progressive organizations are striving to strengthen their cyber defense capabilities and proactively detect related threats. By clicking the Explore Detections button below, defenders can immediately reach the entire list of Sigma rules for the Lazarus Group activity detection. All detection algorithms are enriched with CTI, ATT&CK links, executable binaries, and more relevant metadata for simplified threat investigation. 

Explore Detections

Lazarus Hacker Group’s Attack Analysis: What’s Behind DeathNote Campaign

The infamous North Korean threat actor is rapidly evolving its toolkit and strategies related to the long-lasting DeathNote campaign. The latest investigation reveals that Lazarus switches from cryptocurrency-related businesses to defense contractors, academic institutions, and automotive companies, significantly expanding the list of potential victims. 

DeathNote cluster, also tracked as NukeSped or Operation Dream Job, entails exploiting phony job opportunities to trick victims into following harmful links or clicking on infected files, resulting in the deployment of espionage malware. The initial campaign launch dates back to 2019-2020, initially concentrating on cryptocurrency market players. The spikes of DeathNote activity were recorded in August 2020 and July 2021, shifting the area of hackers’ interest to the government, defense, and engineering sectors. Based on the most recent observations, security experts estimate that Eastern European countries are now under attack, with all decoy documents and job descriptions related to defense contractors and diplomatic entities being renewed by Lazarus.

The cryptocurrency vector of the Lazarus activity typically follows the same malicious routine. The hacker group relies on the Bitcoin mining-themed lures to drop macro-laced documents and trigger the Manuscrypt backdoor on the compromised instances. 

The automotive and academic sectors are targeted over a slightly different strategy tied to a broader campaign against the defense industry by Lazarus. Such attacks frequently end up with BLINGCAN and COPPERHEDGE implants being deployed to the victims’ machines. 

The alternative attack kill chain linked to DeathNote relies on a legitimated PDF reader app dubbed SumatraPDF to proceed with further malicious activities. The abuse of legitimate software has been recorded in attacks against organizations in Latvia and South Korea leading to backdoors and infostealers delivery. It is a widely-used attack method for the state-sponsored actor, with a proven track record on supply chain capabilities. For example, Lazarus has been blamed for an attack against enterprise VoIP service provider 3CX revealed in March 2023.

Growing volumes of cyber attacks by the infamous state-backed Lazarus APT group and their increasing sophistication require ultra-responsiveness from cyber defenders. Rely on SOC Prime to be fully equipped with detection content addressing APT-related tools and attacks. Gain access to 1000+ rules to detect behaviors associated with state-sponsored actors. Get 200+ Sigma rules for free at or reach the entire list of relevant detection algorithms by choosing the On Demand subscription tailored to your security needs at

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts