TLP:RED | INTERNAL
ID: REP-2026-045
Date: 2026-02-15

CROSS-SECTOR ANALYSIS: SHARED INFRASTRUCTURE BETWEEN MIDNIGHT BLIZZARD AND LAZARUS GROUP

Impact: Critical
Confidence: Medium
Regions: APAC, EUROPE

Summary

New signals intelligence suggests a potential collaboration or resource sharing agreement between Midnight Blizzard and Lazarus Group.

This is significant as it represents a cross-regional alliance between state-sponsored actors traditionally operating in isolation.

Analysis

The shared infrastructure involves a C2 node (203.0.113.88) that has been observed receiving beacons from malware families associated with both groups.

  • Hypothesis 1: A broker is selling access to both groups (Most Likely).
  • Hypothesis 2: Direct collaboration on a specific operation (Less Likely).

Recommendations

Immediate blocking of the identified C2 node is required.
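
Blocking stops future traffic but does not show which hosts already reached the node. The following added example (not part of the original report or the platform) hunts a flow log for hosts that contacted 203.0.113.88 and flags regular-interval beaconing; the log format, internal addresses and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

C2_NODES = {ipaddress.ip_address("203.0.113.88")}  # indicator from this report

# Constructed sample flow log: "timestamp src_ip dst_ip dst_port" (format is an assumption)
SAMPLE_LOG = """\
2026-02-10T08:00:00 10.0.4.17 203.0.113.88 443
2026-02-10T08:05:01 10.0.4.17 203.0.113.88 443
2026-02-10T08:09:59 10.0.4.17 203.0.113.88 443
2026-02-10T08:15:00 10.0.4.17 203.0.113.88 443
2026-02-10T09:12:44 10.0.7.30 203.0.113.88 80
2026-02-10T09:13:02 10.0.7.30 198.51.100.7 443
malformed line
"""

def hunt(log_text, indicators=C2_NODES, max_jitter=0.1, min_hits=4):
    """Return {src_ip: {hits, beaconing, mean_interval}} for hosts that contacted an indicator."""
    contacts = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of aborting the hunt
        try:
            ts = datetime.fromisoformat(parts[0])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # unparseable timestamp or address
        if dst in indicators:
            contacts[parts[1]].append(ts)
    findings = {}
    for src, times in contacts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else None
        # Beacon heuristic: enough hits and near-constant spacing (low coefficient of variation)
        regular = len(times) >= min_hits and avg > 0 and pstdev(gaps) / avg <= max_jitter
        findings[src] = {"hits": len(times), "beaconing": bool(regular), "mean_interval": avg}
    return findings

if __name__ == "__main__":
    for host, info in hunt(SAMPLE_LOG).items():
        print(host, info)
```

Hosts flagged as beaconing are candidates for triage first; a single hit, such as the second host in the sample, still warrants review because it reached the node at least once.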

Omnisite Intelligence Platform // v0.1-MVP

Stylistic classification markings only; OSINT-based analysis. Not for operational use on classified networks.

Key Entities
Midnight Blizzard, Lazarus Group, Central Bank of Swift
Vectors
Supply Chain Compromise, DLL Side-Loading

Chronology

2026-02-10: Convergence Discovery

Analysts identified shared C2 infrastructure.

2026-02-12: Joint Operation Suspected

Technical Indicators

TYPE    VALUE
IP      203.0.113.88
