Sunday, April 13, 2025
Lazarus Hackers Tamper with Software Packages to Gain Backdoor Access to the Victims Device

A recent investigation conducted by STRIKE, a division of SecurityScorecard, has unveiled the intricate and far-reaching operation of the Lazarus Group, a North Korean advanced persistent threat (APT) group.

Dubbed “Operation Phantom Circuit,” the campaign highlights a deliberate and sophisticated effort to infiltrate global systems through compromised software supply chains and advanced Command-and-Control (C2) infrastructure.

The operation primarily targeted developers and the cryptocurrency sector, with critical data being siphoned back to Pyongyang.

The investigation revealed that Lazarus employed multiple C2 servers, which became active in September 2024 and featured an additional hidden operational layer.

The servers housed a React-based web-admin interface integrated with Node.js APIs, enabling centralized control.

Through these interfaces, attackers could systematically manage exfiltrated data, oversee infected systems, and execute payload delivery.

This consistent design was evident across all analyzed C2 servers, suggesting a high degree of operational maturity and standardization.

Supply Chain Intrusion and Global Impact

Lazarus exploited legitimate software packages by embedding obfuscated backdoors, tricking developers into deploying compromised applications.

These supply chain attacks targeted a broad audience, especially in the cryptocurrency domain, leading to the execution of malicious payloads on host systems.

STRIKE’s analysis identified hundreds of victims across multiple campaigns, with data traces pointing back to Lazarus’s infrastructure in North Korea.

The operation, which spanned from November 2024 to January 2025, utilized obfuscation tactics and layered infrastructure to evade detection.

Key elements of the infrastructure included Astrill VPNs, intermediate proxies registered to Russian entities, and C2 servers managed through ports like 1224 and 1245.

NetFlow analysis and connection logs allowed STRIKE to confidently trace these activities back to North Korean IPs, including the limited range of addresses assigned to Pyongyang.
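The article names the ports the C2 servers listened on (1224 and 1245) and credits NetFlow and connection-log analysis with tracing the activity. The following is an added example, not code from the report or from STRIKE, of the kind of check a SOC could run over its own flow records to surface hosts talking to those ports. The flow lines below are constructed sample input, and the field layout (timestamp, source, destination, destination port, protocol, bytes) is an assumption about how the exported flows look.

```python
"""Flag outbound flows to the C2 ports reported for Operation Phantom Circuit."""
from collections import defaultdict
from dataclasses import dataclass

# Ports the report associates with the Lazarus C2 servers.
C2_PORTS = {1224, 1245}

# Constructed sample flow records (not real telemetry):
# timestamp src dst dport proto bytes
SAMPLE_FLOWS = """\
2025-01-12T10:01:05Z 10.0.0.15 203.0.113.7 443 TCP 1820
2025-01-12T10:01:09Z 10.0.0.15 203.0.113.7 1224 TCP 5120
2025-01-12T10:02:40Z 10.0.0.22 198.51.100.9 1245 TCP 210456
2025-01-12T10:03:01Z 10.0.0.22 198.51.100.9 1245 TCP 98000
2025-01-12T10:04:17Z 10.0.0.31 192.0.2.44 22 TCP 4096
this line is malformed and is skipped
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, nbytes = parts
        try:
            flows.append(Flow(ts, src, dst, int(dport), proto, int(nbytes)))
        except ValueError:
            continue  # non-numeric port or byte count: treat as malformed
    return flows


def find_c2_candidates(flows: list[Flow], ports: set[int] = C2_PORTS) -> dict:
    """Aggregate flows to watched ports per (src, dst, dport).

    Returns {(src, dst, dport): {"flows": n, "bytes_out": total, "first_seen": ts}}.
    Repeated connections and large outbound volume to one of these ports are the
    signals worth escalating, so both are kept in the summary.
    """
    agg = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "first_seen": None})
    for f in flows:
        if f.dport not in ports:
            continue
        key = (f.src, f.dst, f.dport)
        agg[key]["flows"] += 1
        agg[key]["bytes_out"] += f.nbytes
        if agg[key]["first_seen"] is None:
            agg[key]["first_seen"] = f.ts
    return dict(agg)


def rank_by_volume(candidates: dict) -> list[tuple]:
    """Order hits by bytes sent, largest first, for triage."""
    return sorted(candidates.items(), key=lambda kv: kv[1]["bytes_out"], reverse=True)


if __name__ == "__main__":
    hits = find_c2_candidates(parse_flows(SAMPLE_FLOWS))
    for (src, dst, port), info in rank_by_volume(hits):
        print(f"{src} -> {dst}:{port} flows={info['flows']} "
              f"bytes_out={info['bytes_out']} first_seen={info['first_seen']}")
```

A port match on its own is a weak signal, since 1224 and 1245 are not reserved, so the summary keeps flow count and outbound volume: a host that repeatedly pushes large volumes to one of these ports is the case an analyst would look at first.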

Advanced Obfuscation Techniques

Lazarus’s operations epitomized strategic obfuscation. Traffic was anonymized through VPNs and proxies, blending malicious activity with legitimate network traffic to complicate detection.

For example, traffic initiated from Pyongyang was routed through Astrill VPN exit points and subsequently masked via intermediate proxies in Russia.

The C2 servers, hosted on infrastructure provided by entities like Stark Industries, were used to exfiltrate sensitive data, including credentials and system information.

Key findings include the use of a hidden web-admin panel on C2 servers, accessible only through a secured login.

This panel provided attackers with granular control over exfiltrated data, displaying victim details and facilitating data manipulation through custom-built interfaces.

Additionally, the Lazarus Group’s use of commercial services such as Dropbox for data transfer further reflected its attention to operational security.

The findings from Operation Phantom Circuit underscore the urgent need for intensified cybersecurity measures, particularly in the software supply chain.

Organizations are advised to implement rigorous code signing and verification processes, enhance monitoring of network traffic, and deploy proactive defenses against evolving tactics employed by APT groups like Lazarus.
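One concrete form of the "verification processes" recommended here is refusing to install a dependency whose bytes do not match the digest pinned in the project's lockfile, which is the kind of check that catches a package tampered with after it was pinned. The following is an added example, not code from the article or from any package manager; it assumes the Subresource-Integrity style `<algo>-<base64 digest>` strings that npm's package-lock.json uses in its `integrity` field, and the tarball bytes and lockfile fragment are constructed for the example.

```python
"""Verify a downloaded package against the integrity digest pinned in a lockfile."""
import base64
import hashlib
import hmac

# Digest algorithms permitted in SRI-style integrity strings.
ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}

# Constructed stand-ins for a package tarball and a tampered copy (not real packages).
GOOD_TARBALL = b"example-lib-1.0.0 tarball bytes (constructed)"
TAMPERED_TARBALL = GOOD_TARBALL + b"\n// injected loader"


def sri_digest(data: bytes, algo: str = "sha512") -> str:
    """Produce an integrity string in the form used by package-lock.json."""
    if algo not in ALLOWED_ALGOS:
        raise ValueError(f"unsupported digest algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed lockfile fragment pinning the expected digest of example-lib.
LOCKFILE = {
    "packages": {
        "node_modules/example-lib": {
            "version": "1.0.0",
            "integrity": sri_digest(GOOD_TARBALL),
        },
        "node_modules/unpinned-lib": {"version": "2.3.1"},  # no integrity field
    }
}


def verify_integrity(lockfile: dict, pkg_path: str, data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Anything other than an exact digest match fails closed."""
    entry = lockfile.get("packages", {}).get(pkg_path)
    if entry is None:
        return False, "package not present in lockfile"
    pinned = entry.get("integrity")
    if not pinned:
        return False, "no integrity pinned for package"
    algo, sep, expected_b64 = pinned.partition("-")
    if not sep or algo not in ALLOWED_ALGOS:
        return False, f"malformed or unsupported integrity string: {pinned!r}"
    actual_b64 = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
    # Constant-time comparison; both operands are ASCII strings.
    if hmac.compare_digest(actual_b64, expected_b64):
        return True, "digest matches pinned integrity"
    return False, "integrity mismatch: package bytes differ from pinned digest"


if __name__ == "__main__":
    for label, blob in (("good", GOOD_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, why = verify_integrity(LOCKFILE, "node_modules/example-lib", blob)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({why})")
    print(verify_integrity(LOCKFILE, "node_modules/unpinned-lib", b""))
```

The check fails closed: a dependency with no pinned digest is treated the same as a mismatch, because an unpinned package is exactly the gap a tampered upstream release slips through. Digest pinning complements, rather than replaces, publisher signature verification, which confirms who produced the package rather than only that it is unchanged since it was pinned.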

With over 233 victims identified globally in the campaign’s latest phase, including a significant concentration in India and Brazil, the operation serves as a stark reminder of the vulnerabilities that sophisticated actors can exploit.

Industries, especially those handling sensitive or financial data, must prioritize collaborative threat intelligence sharing and adopt advanced detection tools to counter such persistent threats.

Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
