Lazarus Group

The Lazarus Group (also known as Guardians of Peace or Whois Team) is a state-sponsored hacker group of unknown membership, alleged to be run by the government of North Korea. While little is known about the group itself, researchers have attributed many cyberattacks to it since the 2010s.

Originally regarded as a clandestine criminal group, it is now designated an advanced persistent threat because of its intent, the threat it poses, and the wide array of methods it uses when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra (used by the United States Department of Homeland Security to refer to malicious cyber activity by the North Korean government in general) and ZINC and Diamond Sleet (both by Microsoft). According to North Korean defector Kim Kuk-song, the unit is known internally in North Korea as the 414 Liaison Office.

The Lazarus Group has strong links to North Korea. The United States Department of Justice has claimed the group is part of the North Korean government's strategy to "undermine global cybersecurity ... and generate illicit revenue in violation of ... sanctions". North Korea benefits from conducting cyber operations because it can present an asymmetric threat with a small group of operators, especially to South Korea.

The earliest known attack attributed to the group is "Operation Troy", which ran from 2009 to 2012. This was a cyber-espionage campaign that used unsophisticated distributed denial-of-service (DDoS) techniques against the South Korean government in Seoul. The group was also responsible for attacks in 2011 and 2013, and may have been behind a 2007 attack on South Korea, though this is uncertain. The attack for which the group is best known is the 2014 attack on Sony Pictures, which used more sophisticated techniques and showed how far the group's capabilities had advanced over time.

The Lazarus Group was reported to have stolen US$12 million from Banco del Austro in Ecuador and US$1 million from Vietnam's Tien Phong Bank in 2015. It has also targeted banks in Poland and Mexico. The 2016 Bangladesh Bank heist, in which US$81 million was stolen, was attributed to the group. In 2017, the group was reported to have stolen US$60 million from Taiwan's Far Eastern International Bank, although the actual amount taken was unclear and most of the funds were recovered.

It is not clear who is really behind the group, but media reports have linked it to North Korea. Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on espionage and infiltration, whereas a sub-group within the organisation, which Kaspersky called Bluenoroff, specialised in financial attacks. Kaspersky identified multiple attacks worldwide and a direct link, an IP address, between Bluenoroff and North Korea.

Kaspersky also cautioned, however, that the code overlap could be a "false flag" meant to mislead investigators into pinning the attack on North Korea, noting that the worldwide WannaCry worm attack itself reused techniques from the NSA. That ransomware leverages an NSA exploit known as EternalBlue, which the hacker group Shadow Brokers made public in April 2017. Symantec reported in 2017 that it was "highly likely" that Lazarus was behind the WannaCry attack.

The Lazarus Group's first major hacking incident took place on July 4, 2009, and marked the beginning of "Operation Troy". The attack used the Mydoom and Dozer malware to launch a large-scale but quite unsophisticated DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and wrote the text "Memory of the Independence Day" into the master boot record (MBR) of infected machines.
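The MBR overwrite is the one concrete forensic artifact the paragraph above describes. The following is an added example, not code from the page or from any vendor analysis of Operation Troy: a small triage routine that reads a 512-byte boot sector, checks its structure (the 0x55AA boot signature at offset 510 and the four 16-byte partition entries at offset 446), estimates whether the boot-code region still looks like machine code or has been replaced by ASCII text, and searches for the marker string quoted above. The two sample images, one clean and one overwritten with the marker text, are constructed in the block; the layout of the real Dozer payload is an assumption.

```python
"""Triage a 512-byte master boot record (MBR) image for signs of a wiper.

Added example; not code from the original page or from any report on
Operation Troy. It assumes only the standard legacy MBR layout: 446 bytes
of boot code, a 64-byte partition table of four 16-byte entries at offset
446, and the 0x55AA boot signature at offset 510. The sample images built
below are constructed for illustration.
"""
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

# Marker text the page says Operation Troy wrote into the MBR.
WIPER_MARKERS = [b"Memory of the Independence Day"]


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte legacy partition entry (little-endian fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def triage_mbr(mbr: bytes) -> dict:
    """Return structural checks and any wiper markers found in an MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")

    signature_ok = mbr[510:512] == BOOT_SIGNATURE

    table_end = PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE
    table = mbr[PARTITION_TABLE_OFFSET:table_end]
    entries = [parse_partition_entry(table[i:i + PARTITION_ENTRY_SIZE])
               for i in range(0, len(table), PARTITION_ENTRY_SIZE)]
    # An all-zero entry is an unused slot; anything else is a populated entry.
    used = [e for e in entries if e["type"] != 0 and e["sectors"] != 0]

    # A wiper that overwrites the boot code with ASCII text leaves the first
    # 446 bytes looking like printable text rather than x86 real-mode code.
    boot_code = mbr[:PARTITION_TABLE_OFFSET]
    printable = sum(1 for b in boot_code if 0x20 <= b < 0x7F)
    printable_ratio = printable / len(boot_code)

    markers = [m.decode() for m in WIPER_MARKERS if m in mbr]

    return {
        "signature_ok": signature_ok,
        "partitions": used,
        "printable_ratio": round(printable_ratio, 3),
        "markers": markers,
        "suspicious": bool(markers) or not signature_ok or not used,
    }


def build_clean_mbr() -> bytes:
    """Constructed sample: a minimal well-formed MBR with one bootable NTFS partition."""
    # A few bytes of typical boot-loader prologue, then zero padding.
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
    boot_code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    # status=0x80 (bootable), dummy CHS, type=0x07 (NTFS), LBA 2048, 1 GiB of sectors.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 2097152)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed sample: the whole sector overwritten with the marker text.

    The exact layout of the real payload is an assumption; only the marker
    string comes from the page.
    """
    filler = WIPER_MARKERS[0] + b" "
    return (filler * (MBR_SIZE // len(filler) + 1))[:MBR_SIZE]


if __name__ == "__main__":
    for name, image in (("clean", build_clean_mbr()), ("wiped", build_wiped_mbr())):
        print(name, triage_mbr(image))
```

On a live case the input would come from the first 512 bytes of a disk image rather than from the constructed builders; the checks are deliberately independent, so a sector that keeps its 0x55AA signature but has a text-filled boot-code region or a known marker is still flagged.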
