SentinelLabs Identifies Hidden Link Between TrickBot “Anchor” & Purported North Korea “Lazarus” Tool Deployment

Discovery of One of the Most Sophisticated & Resourceful Botnet Groups on Crimeware Landscape

Mountain View, Calif. – December 11, 2019 – SentinelOne, the autonomous endpoint protection company, today announced that the company’s research division, SentinelLabs, has identified a first-of-its-kind possible collaboration between crimeware organization TrickBot and North Korean advanced persistent threat (APT) group Lazarus. The TrickBot branch toolset, known as “Anchor Project,” represents the first known link between cybercrime groups and APT actors. The research is evidence of “Anchor Project” tools being used to deploy malware possibly associated with the North Korean regime, a finding with significant national security implications.

“Anchor Project” presents an all-in-one attack framework designed to attack enterprise environments using both custom and existing toolage. While most nation-state groups are primarily concerned with establishing persistent access for espionage, surveillance, and data exfiltration, Lazarus group is also tasked with funding the North Korean regime, and their tooling is making use of TrickBot’s Anchor infections to monetize its activities. The increasing sophistication of Trickbot’s tools combined with Lazarus’s unique priorities led to a previously unseen collaboration between the two. The discovery was identified by the SentinelLabs Team headed by Vitali Kremez, who recently joined SentinelOne to lead SentinelLabs, a bespoke threat intelligence, research, and analysis team.

“Anchor Project” combines a variety of tools for attackers to both exfiltrate sensitive data and also establish long-term persistency, a typical goal of nation-states. The toolkit enables the initial installation of malware and hides its tracks, eliminating any evidence of the infection. This makes “Anchor Project” equally attractive for both nation-state activity and the large-scale cyber-heists typical of criminal enterprises. Upon investigating the “Anchor Project,” and realizing that Lazarus is one of the few groups interested in both data exfiltration and financial gain, SentinelLabs immediately looked for a connection between the two groups and soon found that the tool ‘PowerRatankba’ previously linked to Lazarus was, in fact, delivered to an infected Anchor victim. 

“Cybercrime enterprises like TrickBot, who offer their cybercrime-as-a-service to criminal entities with various goals and objectives, are always looking to break into new markets and find other hacking outfits to sell their malware kits to,” said Kremez. “But because many nation-state groups rarely have monetary goals, it has been notable for TrickBot to gain a foothold in this arena. Evidence of them now being linked to deliveries previously attributed to APT malware toolkits belonging to Lazarus is indicative of a quantum shift in the world of cybercrime.

Further details regarding “Anchor Project” are available on the SentinelLabs threat research blog here. SentinelOne protects against all the techniques used in “Anchor Project,” however many other legacy and next-generation antivirus solutions do not, putting enterprises at risk. Further details on SentinelLabs, and the SentinelOne threat intelligence research is available on the SentinelLabs website  

For further details on SentinelOne, please visit

About SentinelOne

SentinelOne delivers autonomous endpoint protection through a single agent that successfully prevents, detects, responds, and hunts attacks across all major vectors. Designed for extreme ease of use, the S1 platform saves customers time by applying AI to automatically eliminate threats in real time for both on premise and cloud environments and is the only solution to provide full visibility across networks directly from the endpoint. To learn more visit or follow us at @SentinelOne, on LinkedIn or Facebook.


Will Clark
fama PR for SentinelOne
(617) 986-5039
[email protected]