A recent investigation by STRIKE, the cybersecurity division of SecurityScorecard, has uncovered a meticulously orchestrated cyber espionage campaign, dubbed “Operation Phantom Circuit,” spearheaded by North Korea’s Advanced Persistent Threat (APT) group, Lazarus.
This operation, active between September 2024 and January 2025, leveraged advanced techniques to breach global cryptocurrency platforms and developer environments, affecting over 1,641 victims across multiple countries.
The campaign relied on an intricate command-and-control (C2) infrastructure, which utilized embedded backdoors in legitimate software packages downloaded by unsuspecting developers.
These altered applications, ranging from cryptocurrency tools to authentication software, executed malicious payloads once installed, enabling Lazarus to exfiltrate sensitive data stealthily.
Central to the operation was a custom-built React-based web-admin interface, coupled with a Node.js API, that provided attackers with robust capabilities for managing compromised systems, delivering payloads, and overseeing stolen data.
Pyongyang’s Signature
Attribution efforts linked the campaign to Pyongyang with high confidence, based on meticulous traffic analysis and the discovery of a multi-layered obfuscation strategy.
Lazarus operators routed their malicious communications through North Korean IP addresses, commercial Astrill VPN endpoints, and intermediate proxies located in Russia, effectively concealing their origins.
Command-and-control infrastructure hosted on “Stark Industries” servers was accessed over designated ports (1224, 1245, and 3389) to manage operations and transmit exfiltrated data.
Between December 2024 and January 2025, Lazarus exploited this infrastructure to target victims in countries including India (394 victims), Brazil, and the United States.
The campaign peaked in January 2025, with a newly established C2 server (94.131.9.32) managing connections from 233 unique victims, predominantly in India.
Data siphoned through these operations was transferred to cloud platforms like Dropbox, suggesting its use for persistent storage and exploitation.
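The indicators named above (the C2 host 94.131.9.32 and the ports 1224, 1245 and 3389) are the kind of thing a defender would turn into a detection rule. The following is an added example, not code from the report or from SecurityScorecard: it scans connection records for those indicators and ranks the matches. The key=value log format and the sample log lines are constructed for illustration; a match on the host is treated as high confidence, while a match on port alone is flagged for review because 3389 (RDP) is legitimate traffic on many networks.

```python
"""Flag connection records that match the Operation Phantom Circuit C2
indicators reported by STRIKE (host 94.131.9.32; ports 1224, 1245, 3389).
Added example; the log format and sample lines are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the report.
C2_HOSTS = {ipaddress.ip_address("94.131.9.32")}
C2_PORTS = {1224, 1245, 3389}

# Constructed sample connection log (not real telemetry).
SAMPLE_LOG = """\
2025-01-14T09:12:03Z src=10.0.4.21 dst=94.131.9.32 dport=1224 proto=tcp bytes_out=18432
2025-01-14T09:13:44Z src=10.0.4.21 dst=142.250.74.46 dport=443 proto=tcp bytes_out=1200
2025-01-14T09:15:10Z src=10.0.7.9 dst=203.0.113.55 dport=3389 proto=tcp bytes_out=56000
2025-01-14T09:16:02Z src=10.0.4.21 dst=94.131.9.32 dport=1245 proto=tcp bytes_out=90210
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    severity: str  # "high" = known C2 host, "low" = C2 port only
    reason: str


def parse_line(line: str) -> dict:
    """Parse 'timestamp key=value key=value ...' into a dict (timestamp under 'ts')."""
    parts = line.split()
    fields = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def classify(fields: dict) -> Optional[Hit]:
    """Return a Hit when the record matches an indicator, else None."""
    dst = ipaddress.ip_address(fields["dst"])
    dport = int(fields["dport"])
    if dst in C2_HOSTS:
        return Hit(fields["ts"], fields["src"], fields["dst"], dport, "high",
                   "destination is a reported Phantom Circuit C2 host")
    if dport in C2_PORTS:
        # Port-only matches need triage: 3389 (RDP) is normal on many networks.
        return Hit(fields["ts"], fields["src"], fields["dst"], dport, "low",
                   "destination port matches a reported C2 port; review")
    return None


def scan(log_text: str) -> list:
    """Run classify() over every non-empty log line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = classify(parse_line(line))
        if hit is not None:
            hits.append(hit)
    return hits


def compromised_hosts(hits: list) -> set:
    """Internal sources with at least one high-severity hit: isolate and image first."""
    return {h.src for h in hits if h.severity == "high"}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"[{h.severity.upper()}] {h.timestamp} {h.src} -> {h.dst}:{h.dport}  {h.reason}")
    print("hosts to isolate:", sorted(compromised_hosts(found)))
```

In an operational setting the indicator sets would be loaded from a threat-intelligence feed rather than hard-coded, and the high-severity sources would feed an incident-response workflow (network isolation, disk and memory capture, credential rotation) rather than just a printed list.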
Hidden Layers Amplify Attack Complexity
STRIKE’s investigation revealed a hidden administrative layer within the C2 infrastructure: a React application with API endpoints exposing detailed functionality for managing victim data.
The backend system displayed stolen credentials, URLs, PC names, and other sensitive information.
Intermediate proxies, such as those linked to Sky Freight Limited in Hasan, Russia, further obscured the true origin of the connections.
These proxies, paired with Astrill VPNs used historically by other North Korean campaigns, showcased Lazarus’s operational sophistication and resilience against attribution.
Furthermore, Lazarus weaponized supply chain vulnerabilities by tampering with software packages.
These compromised programs, once executed by developers worldwide, enabled attackers to penetrate systems, elevate privileges, and extract critical data.
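A basic safeguard against the tampered packages described above is to refuse to install any artifact whose digest does not match a value recorded when the package was vetted. The following is an added example, not code from the report: it builds a pinned SHA-256 manifest, verifies downloads against it in constant time, and fails closed for artifacts the manifest does not know. The package name, archive bytes and the tampered copy are all constructed for illustration.

```python
"""Verify downloaded packages against a pinned SHA-256 manifest before
installation, rejecting tampered or unknown artifacts.
Added example; artifact names and bytes are constructed."""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of each artifact at the moment it was vetted."""
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_artifact(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """Fail closed: an unknown artifact or a digest mismatch is rejected."""
    expected = manifest.get(name)
    if expected is None:
        return False
    # compare_digest avoids leaking the matching prefix through timing.
    return hmac.compare_digest(sha256_hex(data), expected)


def check_downloads(downloads: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, bool]:
    """Map each downloaded artifact to whether it may be installed."""
    return {name: verify_artifact(name, data, manifest) for name, data in downloads.items()}


# Constructed sample artifacts (not real packages).
GENUINE = b"PK\x03\x04 constructed archive bytes for wallet-tool-1.4.2"
TAMPERED = GENUINE + b"\n# extra bytes appended after vetting (constructed)"
MANIFEST = build_manifest({"wallet-tool-1.4.2.tgz": GENUINE})

if __name__ == "__main__":
    downloads = {
        "wallet-tool-1.4.2.tgz": TAMPERED,   # altered copy: must be rejected
        "other-tool-0.9.0.tgz": b"unvetted", # not in manifest: must be rejected
    }
    for name, ok in check_downloads(downloads, MANIFEST).items():
        print(f"{name}: {'install' if ok else 'REJECT'}")
```

The manifest itself must be obtained over a channel the attacker cannot alter (for example, committed to the repository and reviewed, or signed by the build pipeline); a manifest fetched from the same server as the package offers no protection if that server is what was compromised.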
The revelations from Operation Phantom Circuit highlight an urgent need for bolstering cybersecurity practices, especially in industries vulnerable to supply chain attacks, such as cryptocurrency.
Security experts recommend enforcing rigorous software code reviews, implementing robust monitoring of network traffic, and deploying incident response mechanisms.
Organizations are advised to adopt proactive safeguards, such as advanced threat detection and response solutions.
SecurityScorecard underscores the importance of global collaboration between security teams to share threat intelligence and counteract Lazarus’s evolving tactics.
For immediate response or to assess vulnerabilities, organizations are encouraged to contact STRIKE’s specialized investigation team.
The campaign’s exposure serves as a stark reminder of the proactive measures required to address the risks posed by state-sponsored actors.