APT Actor Classification "Addiction": Practical Attribution Challenges Seen in the Classification of Lazarus Subgroups

2025-01-20 JPCERT APT Actor Classification Overload: Practical Attribution Challenges in Classifying Lazarus Subgroups

https://blogs.jpcert.or.jp/ja/2025/01/grouping-lazarus-subgroups.html

JPCERT/CC discusses the practical attribution problem created by treating Lazarus as a single threat actor label rather than a collection of DPRK-aligned subgroups. The report argues that subgroup-level classification matters for incident response because different Lazarus units can use distinct malware, infrastructure, targeting patterns, and operational goals. It is most useful as analytic context for CTI teams comparing Lazarus-linked activity across campaigns instead of assigning every intrusion to one broad actor name.
