Abstract

Lazarus, Bluenoroff, and Andariel are three notorious APT groups believed to originate from the same country, one infamous for destructive attacks, cyber heists, and espionage. From DarkSeoul to the Sony Pictures Entertainment breach, the groups have conducted several operations that attracted international public attention.

Starting in 2016, we observed a significant change in the targets and motivation of these groups. While the groups have a long history of conducting cybercrime and cyber espionage attacks, their operations have become more aggressive and more focused on cybercrime attacks targeting financial institutions. In February 2016, a series of attacks from the Lazarus group, which leveraged the SWIFT banking network to target Bangladesh banks, was revealed. Later, in May, the global WannaCry ransomware attack was also linked back to the nation. However, these attacks were just the tip of the iceberg.

In this talk, we will disclose four recent campaigns conducted by the groups. These campaigns targeted banks in South Korea and EMEA, an ATM company, and several Bitcoin exchange service providers. We will introduce the malware, vulnerabilities, IOCs, and attack vectors discovered in these attacks. In addition, we will explain how we uncovered the new C&C infrastructure acquired through Bitcoin payment, and the key TTP findings we summarized from their recent operations. In the hope of making the world a safer place, we disclose this information to help financial institutions react to this substantial threat.