Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections

2021-10-09 Kaspersky

https://www.youtube.com/watch?v=b68gGGXQ838&t=5811s

In this VB2021 talk, Seongsu Park explains why Lazarus should not be treated as one simple cluster and walks through multiple Lazarus-related malware clusters and their connections. The talk traces activity from the Manuscrypt malware used after the Sony Pictures intrusion through later clusters such as AppleJeus, ThreatNeedle, Bookcode, and CookieTime, with examples involving cryptocurrency exchanges, macOS malware, Android targets, defense industry targeting, South Korean software companies, supply chain delivery, and steganographic C2. Park argues that Lazarus initial-stage payloads change often while later-stage and post-exploitation components are more stable, so attribution at the level of individual clusters is safer than collapsing all North Korean activity into a single label.
