
Lazarus Group Hides Malware in Trusted Apps to Steal Data and Upload to Dropbox


In a chilling revelation, STRIKE has uncovered a global cyber espionage campaign orchestrated by North Korea’s Lazarus Group.

Dubbed “Operation Phantom Circuit,” the attack involved embedding malware into trusted development tools, compromising over 1,500 systems worldwide between September 2024 and January 2025.

This operation targeted cryptocurrency and technology developers, leveraging advanced obfuscation techniques through proxy servers in Hasan, Russia.

The campaign began with the Lazarus Group infiltrating command-and-control (C2) servers in September 2024.

These servers acted as the backbone of their operation, enabling communication with infected systems via port 1224 and managing stolen data through a hidden administrative platform on port 1245.

The infrastructure demonstrated an exceptional level of sophistication, featuring a React-based web application and a Node.js API for efficient data management.

Ryan Sherstobitoff, Senior Vice President of Research and Threat Intelligence at STRIKE, emphasized the attackers’ strategic focus on long-term access and evasion.

A Layered Approach to Stealth

The Lazarus Group employed a multi-layered infrastructure to ensure anonymity and evade detection.

Traffic originating from North Korean IP addresses was routed through VPNs and proxies before reaching C2 servers hosted on Stark Industries assets.

Key VPN endpoints included Astrill VPN nodes, while traffic was further obfuscated through the Oculus Proxy network in Hasan, Russia.

This deliberate routing strategy added layers of anonymity, complicating attribution efforts.

The attackers’ infrastructure also included spoofed domains such as sageskills-uk[.]com and persistent RDP sessions lasting up to 10 days.

Data exfiltration was conducted systematically, with stolen credentials, authentication tokens, and system information uploaded to Dropbox for storage.

STRIKE observed that some servers maintained active connections to Dropbox for over five hours, underscoring the methodical nature of the operation.

Operation Phantom Circuit unfolded in three waves:

  • November 2024: Targeted 181 European technology developers.
  • December 2024: Expanded globally, with significant hotspots in India (284 victims) and Brazil (32 victims).
  • January 2025: Added 233 victims, including 110 systems in India’s technology sector.

The attackers exploited compromised development tools to infiltrate production environments, exfiltrating critical data that could be weaponized for further attacks or financial gain.

This campaign aligns with North Korea’s documented use of cyberattacks to fund state programs, with reports estimating $1.7 billion generated from cryptocurrency thefts between 2017 and 2023.

Advanced Administrative Platform

STRIKE’s analysis revealed a custom-built administrative platform used by Lazarus to manage stolen data.

The platform featured advanced capabilities such as system tracking, credential management, and activity logging.

Built on modern frameworks like React and Node.js, it allowed operators to search, filter, and organize exfiltrated information with precision.

Operation Phantom Circuit underscores the urgent need for robust supply chain security measures.

STRIKE recommends validating software updates using cryptographic checksums, monitoring uncommon ports like 1224 and 1245, detecting suspicious proxy usage, auditing development tools regularly, and scrutinizing persistent RDP sessions.
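The recommendations above, together with the C2 ports described earlier in the article, translate directly into checks a defender can script. The following is an added example, written for this page and not STRIKE's or Lazarus's code: it parses a handful of constructed flow-log lines (a made-up key=value format, not a vendor format), flags outbound connections to the uncommon ports named in the report (1224 and 1245), flags RDP sessions that persist past an assumed 24-hour threshold (the report observed sessions up to 10 days), and verifies a downloaded update against a publisher-supplied SHA-256 checksum. The thresholds, sample addresses and function names are assumptions for illustration.

```python
"""Defender-side checks drawn from the article's recommendations.
Hypothetical example code, not STRIKE's tooling: parse constructed flow
logs, flag the C2 ports named in the report, flag persistent RDP
sessions, and verify a software update against a known checksum."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed flow-log lines (invented key=value format, RFC 5737 test addresses):
# session start, session end, source, destination, destination port.
SAMPLE_FLOWS = """\
start=2024-12-03T09:00:00 end=2024-12-03T09:00:07 src=10.0.5.21 dst=203.0.113.10 dport=443
start=2024-12-03T09:02:10 end=2024-12-03T09:10:45 src=10.0.5.21 dst=198.51.100.7 dport=1224
start=2024-12-01T08:00:00 end=2024-12-11T08:30:00 src=10.0.5.40 dst=10.0.9.2 dport=3389
start=2024-12-03T10:15:00 end=2024-12-03T10:15:01 src=10.0.5.22 dst=198.51.100.7 dport=1245
start=2024-12-03T11:00:00 end=2024-12-03T11:20:00 src=10.0.5.23 dst=10.0.9.2 dport=3389
"""

C2_PORTS = {1224, 1245}               # uncommon ports named in the report
RDP_PORT = 3389
RDP_MAX_SESSION = timedelta(hours=24)  # assumed threshold; the report saw sessions up to 10 days


@dataclass
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed key=value flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        flows.append(Flow(
            start=datetime.fromisoformat(kv["start"]),
            end=datetime.fromisoformat(kv["end"]),
            src=kv["src"],
            dst=kv["dst"],
            dport=int(kv["dport"]),
        ))
    return flows


def flag_c2_ports(flows: list[Flow], ports=C2_PORTS) -> list[Flow]:
    """Outbound connections to a watch-listed uncommon port deserve a ticket."""
    return [f for f in flows if f.dport in ports]


def flag_persistent_rdp(flows: list[Flow], max_session=RDP_MAX_SESSION) -> list[Flow]:
    """RDP sessions that outlive the threshold are the 'persistent sessions' the report describes."""
    return [f for f in flows if f.dport == RDP_PORT and f.duration > max_session]


def verify_update(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare a downloaded artifact's SHA-256 with the publisher's checksum.
    hmac.compare_digest avoids leaking match position through timing."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex.lower())


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in flag_c2_ports(flows):
        print(f"watch-listed port: {f.src} -> {f.dst}:{f.dport}")
    for f in flag_persistent_rdp(flows):
        print(f"persistent RDP: {f.src} -> {f.dst} lasted {f.duration}")
    blob = b"constructed update payload"          # stands in for a downloaded installer
    good = hashlib.sha256(blob).hexdigest()       # stands in for the vendor's published checksum
    print("checksum ok:", verify_update(blob, good))
    print("tampered ok:", verify_update(blob + b"x", good))
```

In practice the port and RDP checks would run over exported firewall or NetFlow records rather than an inline string, and the expected checksum must come from a source independent of the download itself (a signed release page or a pinned value in the build pipeline), otherwise an attacker who can swap the artifact can swap the checksum too.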

Organizations are urged to adopt proactive security measures to safeguard against evolving threats.
