{"id":15784,"date":"2025-09-10T09:21:28","date_gmt":"2025-09-10T09:21:28","guid":{"rendered":"\/cybersecurity-blog\/?p=15784"},"modified":"2025-09-23T13:42:21","modified_gmt":"2025-09-23T13:42:21","slug":"lazarus-group-attacks-2025","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-attacks-2025\/","title":{"rendered":"Lazarus Group Attacks in 2025: Here’s Everything SOC Teams Need to Know\u00a0"},"content":{"rendered":"\n

The Lazarus Group, North Korea\u2019s state-sponsored hacking collective, has held the title of the most notorious advanced persistent threat (APT) for almost two decades now. In 2025, it escalated its cyber operations, targeting tech industries with fake IT workers, fraudulent job interviews, and hijacked open-source software.  <\/p>\n\n\n\n

It\u2019s time to take a closer look at its current activities and see how SOC teams can proactively detect and track the group attacks using ANY.RUN\u2019s solutions<\/a>. <\/p>\n\n\n\n

Biggest Lazarus Group Campaigns So Far <\/h2>\n\n\n\n

Lazarus\u2019s 2025 campaigns combine sophisticated social engineering and supply chain attacks, posing severe risks to businesses\u2019 financial stability, data security, and operational continuity. <\/p>\n\n\n\n

North Korean IT Workers <\/h3>\n\n\n\n

Since 2024, Lazarus Group has been deploying North Korean operatives posing as legitimate remote IT workers to infiltrate companies, particularly in the U.S. and UK. Using stolen or AI-enhanced identities, these operatives secure tech roles to steal sensitive data, deploy malware, or generate illicit revenue for North Korea. <\/p>\n\n\n\n

According to the U.S. Department of Justice, these schemes compromised over 100 U.S. companies, including Fortune 500 firms. For example, an Atlanta-based blockchain company lost over $900,000<\/a> in virtual currency due to insider access by fake IT workers. <\/p>\n\n\n\n

Beyond financial losses, businesses face reputational damage, loss of intellectual property, and regulatory scrutiny for hiring vulnerabilities. Extortion attempts, where operatives hold stolen data hostage, further disrupt operations and erode customer trust. <\/p>\n\n\n

\n
\"\"
PyLangGhost, malware operated by Lazarus, analyzed in ANY.RUN’s Interactive Sandbox<\/em> <\/figcaption><\/figure><\/div>\n\n\n

To detect such attacks early, SOC teams require a reliable solution for proactive analysis of suspicious files and URLs. ANY.RUN\u2019s Interactive Sandbox<\/a> provides a fast, isolated, and hands-on way to expose malware and phishing in seconds.  <\/p>\n\n\n\n\n

\n\n

\nBoost detection rate of evasive malware and phishing
Analyze threats inside a fully interactive<\/span> sandbox\u00a0   \n<\/p>\n\n\nGet started\n<\/a>\n<\/div>\n\n\n\n