Lazarus Group Exploits Trusted Apps for Data Theft via Dropbox

In an alarming development, North Korea’s infamous Lazarus Group has been linked to a global cyber espionage campaign, code-named Operation Phantom Circuit.

Beginning in September 2024, this operation exploited trusted software development tools to infiltrate systems worldwide, targeting cryptocurrency and technology developers.

The campaign’s advanced obfuscation techniques and infrastructure demonstrate a significant evolution in the group’s tactics.

According to STRIKE, a leading cybersecurity firm, the attackers embedded malware into legitimate software updates, enabling them to compromise over 1,500 systems across three waves of attacks between November 2024 and January 2025.

The malware allowed the group to exfiltrate sensitive data, including development credentials, authentication tokens, and browser-stored passwords.

The stolen data was systematically transferred to Dropbox for organization and further exploitation.

Advanced Command-and-Control Infrastructure

The Lazarus Group utilized a sophisticated command-and-control (C2) infrastructure to manage infected systems and exfiltrated data.

Key servers were identified as central nodes for payload delivery and communication with compromised devices.

For instance:

• 94.131.9.32: Active in January 2025, managing connections from 233 victims.
• 185.153.182.241: Played a pivotal role in December 2024 campaigns.
• 86.104.74.51: Spoofed domains like sageskills-uk[.]com during November 2024 attacks.

The infrastructure featured an administrative platform accessible via port 1245, built using React and Node.js frameworks.

This platform enabled attackers to monitor victim systems, organize stolen credentials, and maintain persistent access through Remote Desktop Protocol (RDP) sessions lasting up to 10 days.

Proxy Networks

To conceal their activities, the Lazarus Group routed traffic through a network of VPNs and proxies, including the Oculus Proxy service hosted in Hasan, Russia.

Traffic originating from North Korean IP addresses (e.g., 175.45.178.130) was relayed through proxies registered under Sky Freight Limited before reaching the C2 servers.

This multi-layered approach ensured anonymity while complicating detection efforts.

The attackers leveraged Astrill VPN endpoints to mask their origins further, connecting through IPs such as 70.39.70.196 and 204.188.233.68 before routing traffic via Russian proxies.

The attackers’ focus on cryptocurrency-related applications aligns with North Korea’s history of using cyberattacks to fund state programs.

Between 2017 and 2023, North Korea reportedly amassed $1.7 billion through cryptocurrency thefts.

STRIKE emphasizes the critical need for organizations to safeguard their software supply chains against such sophisticated threats:

• Validate Software Updates: Use cryptographic checksums or signatures to ensure authenticity.
• Monitor Network Traffic: Pay attention to unusual ports like 1224 and 1245.
• Audit Development Tools: Regularly review tools for vulnerabilities.
• Detect Proxy Usage: Block suspicious proxy networks linked to malicious campaigns.

This campaign underscores the growing risks posed by supply chain attacks and highlights the importance of proactive security measures in mitigating such threats globally.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Start Now for Free.