Tempted to Classifying APT Actors: Practical Challenges of Attribution in the Case of Lazarus’s Subgroup
ID: 7f9b5d1e-d6bf-50b0-962b-8548fb5bab8a
STIX ID: report--7f9b5d1e-d6bf-50b0-962b-8548fb5bab8a
Feed Name: JPCERT Blog
This JPCERT/CC blog post argues that the historical label “Lazarus” now describes a collection of multiple subgroups and task-force-like entities with overlapping tools and tactics; it explains why subgroup-level identification matters for targeted alerts, counter-operations, and deterrence. The report documents trends such as SNS-based targeting of engineers to deploy malicious npm/PyPI packages, reuse and overlap of RATs (Comebacker, PoolRAT/PondRAT), supply-chain activity, and examples of active campaigns (Moonstone Sleet, Gleaming/Citrine Sleet, Contagious Interview), and calls for dynamic classification to support effective defensive measures.
