He is everywhere: A tale of Lazarus and his family
2023-10-17 • lazarusholic
Attachments
He_is_Everywhere.pdf (3 MB)
Financial Security Institute material presents Lazarus as a broad DPRK threat-actor ecosystem rather than a single cluster, tying the name to major cyber incidents and North Korean state activity. The excerpt maps naming conventions and overlaps across public sources, including Mandiant, MITRE ATT&CK, the UN Security Council, and multiple vendor taxonomies. It lists related clusters and aliases such as Labyrinth Chollima, Ricochet Chollima, APT38, TEMP.Hermit, Andariel, APT37, Kimsuky, and APT43, and associates the ecosystem with 143 victim countries. The material also organizes notable activity by motivation, including destruction, espionage, data breaches, financial gain, watering-hole operations, and supply-chain compromise, making it useful as a relationship and attribution-mapping reference.