Blurred Lines of Cyber Threat Attribution: The Evolving Tactics of North Korean Cyber Threat Actors

2026-04-07 Zscaler

https://www.dailysecu.com/form/html/k-cti/pdf/2026/down-B-1.pdf

Attachments

down-B-1.pdf (4 MB)

Zscaler ThreatLabZ frames North Korean cyber attribution as increasingly difficult because Lazarus and Kimsuky have evolved into umbrella structures with specialized sub-clusters, shared tooling, and overlapping infrastructure. The material traces Lazarus from early activity through Sony Pictures, WannaCry, AppleJeus, ThreatNeedle, Bookcode, DeathNote, and later clusters, while describing Kimsuky-linked tooling such as BabyShark, AppleSeed, httpSpy, FPSpy, MillionOK, and AiTM phishing kits. Case studies highlight hybrid intrusions where Andariel and Kimsuky appear to contribute different phases, including supply-chain delivery through a legitimate security product, Durian Golang RAT activity, HazyLoad proxy tooling, ngrok, account manipulation, and Chrome Remote Desktop deployment. The report also uses PEBBLEDASH-related research to show how code reuse, C2 overlap, and shifting personnel can blur Lazarus-versus-Kimsuky attribution, making TTP-based clustering more reliable than single indicators.

Indicators of Compromise

