Lazarus Hackers Altering Legitimate Software Packages To Launch Large-Scale Cyber Attack

The notorious Lazarus Group, a North Korean state-sponsored Advanced Persistent Threat (APT), has been implicated in a large-scale cyberattack campaign dubbed “Operation Phantom Circuit.”

This operation involves embedding malicious backdoors into legitimate software packages, targeting developers and organizations worldwide.

The campaign, which began in September 2024, has hit victims in successive waves (233 in January 2025 alone), with a significant concentration in the cryptocurrency and technology sectors.

The Lazarus Group’s modus operandi in this campaign involves manipulating trusted software packages—ranging from cryptocurrency apps to authentication tools—by embedding obfuscated malware.

These compromised applications are distributed through legitimate-looking platforms like GitLab and other open-source repositories.

Unsuspecting developers download and execute these altered packages, unknowingly initiating the infection chain.

Analysts at STRIKE found that, once executed, the malware establishes communication with command-and-control (C2) servers.

These servers sit behind infrastructure built to frustrate attribution: traffic is routed through Astrill VPN endpoints and then through proxy servers registered to Sky Freight Limited in Russia.

This multi-layered approach masks the true origin of the attacks, which researchers nonetheless traced back to six distinct North Korean IP addresses.

Operational Infrastructure of Attacker

The Lazarus Group’s infrastructure features a hidden administrative layer within its C2 servers.

Built using React and Node.js, this platform lets the operators:

  • Manage exfiltrated data
  • Oversee compromised systems
  • Deliver payloads via a centralized interface

Operational Infrastructure (Source – STRIKE)

The C2 servers listen on ports such as 1224 and 1245; the latter hosts a concealed web admin panel that requires authentication. The panel organizes stolen data and gives operators advanced search and filtering capabilities.

The campaign has unfolded in multiple waves:

  • November 2024: Targeted 181 victims, primarily developers in Europe.
  • December 2024: Expanded to over 1,225 victims globally, including 284 in India.
  • January 2025: Added 233 victims, with India again being heavily affected (110 victims).

Stolen data includes credentials, authentication tokens, system information, and sensitive project files. The Lazarus Group has also been observed using Dropbox as an exfiltration medium for stolen data.

Using NetFlow analysis and temporal traffic patterns, researchers have confidently attributed the operation to North Korea.

The Lazarus Group layers its tradecraft: Astrill VPN connections linked to the North Korean IP range 175.45.176.0/22, with malicious traffic blended into legitimate activity through Russian proxies.

To reduce exposure, organizations should verify the integrity and provenance of the code they pull in (pinned versions with hashes, signed releases) rather than trusting a package name and version string, and should regularly audit third-party software dependencies.
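The following is an added example, not code from the article or from STRIKE, showing the kind of verification that catches a swapped archive: a pip-style lockfile with `--hash=sha256:` pins is parsed, and each downloaded archive is refused unless its digest matches a pin. The package names, the archive bytes and the lockfile are constructed for this example; note that a version string alone (the second entry) cannot detect that the archive behind it was altered.

```python
import hashlib
import re

# Constructed stand-ins for a genuine archive and the same archive with an injected loader.
CLEAN_ARCHIVE = b"PK\x03\x04 placeholder bytes standing in for a genuine wheel\n"
TAMPERED_ARCHIVE = CLEAN_ARCHIVE + b"# injected loader: exec(base64...)\n"

# Constructed lockfile in pip's requirements-with-hashes format. The first entry pins the
# SHA-256 of CLEAN_ARCHIVE; the second is pinned by version only (hypothetical package names).
LOCKFILE = """\
example-auth-tool==2.4.1 \\
    --hash=sha256:{clean}
example-wallet-sdk==1.0.3
""".format(clean=hashlib.sha256(CLEAN_ARCHIVE).hexdigest())

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_lockfile(text):
    """Return {requirement: set(pinned sha256 hex digests)}; joins backslash continuations."""
    joined = text.replace("\\\n", " ")
    pins = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        req = line.split()[0]
        pins[req] = set(HASH_RE.findall(line))
    return pins


def verify_archive(req, archive, pins):
    """Return (ok, reason). Refuse when the requirement is unknown, unpinned, or mismatched."""
    expected = pins.get(req)
    if expected is None:
        return False, f"{req}: not in lockfile"
    if not expected:
        return False, f"{req}: no hash pinned; a version string alone cannot detect a swapped archive"
    actual = hashlib.sha256(archive).hexdigest()
    if actual in expected:
        return True, f"{req}: sha256 matches pinned hash"
    return False, f"{req}: sha256 mismatch (got {actual[:12]}...)"


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    checks = [
        ("example-auth-tool==2.4.1", CLEAN_ARCHIVE),
        ("example-auth-tool==2.4.1", TAMPERED_ARCHIVE),
        ("example-wallet-sdk==1.0.3", CLEAN_ARCHIVE),
    ]
    for req, archive in checks:
        ok, reason = verify_archive(req, archive, pins)
        print("OK  " if ok else "FAIL", reason)
```

The same check applies to any ecosystem with hash-pinned lockfiles (npm's `integrity` fields, Cargo.lock checksums); the point is that the pin must be recorded from a trusted build and compared before anything in the archive runs.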

Monitoring network traffic for anomalies (unexpected outbound connections to unusual ports such as those noted above, or regular beaconing to a single host) helps detect an infection early, while educating developers on recognizing social engineering tactics further strengthens overall security.
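As an added example (not code from the article or from STRIKE), the following script runs two checks over NetFlow-style records: a direct match against the indicators the article reports (C2 ports 1224 and 1245, the North Korean range 175.45.176.0/22), and a port-agnostic beaconing heuristic that flags any source/destination pair whose connections recur at a near-constant interval, which is the kind of temporal pattern the attribution relied on. The flow records and the CSV layout are constructed for this example.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Indicators from the article; the flow records below are constructed, not real telemetry.
C2_PORTS = {1224, 1245}
DPRK_RANGE = ipaddress.ip_network("175.45.176.0/22")

# Constructed records: timestamp, src, dst, dst_port, bytes_out
SAMPLE_FLOWS = """\
2025-01-14T09:00:00,10.0.0.15,203.0.113.8,443,1200
2025-01-14T09:00:00,10.0.0.22,198.51.100.7,1245,880
2025-01-14T09:05:00,10.0.0.22,198.51.100.7,1245,910
2025-01-14T09:10:00,10.0.0.22,198.51.100.7,1245,870
2025-01-14T09:15:00,10.0.0.22,198.51.100.7,1245,900
2025-01-14T09:02:13,10.0.0.15,175.45.178.20,443,4096
2025-01-14T09:03:44,10.0.0.15,203.0.113.8,443,300
2025-01-14T09:41:02,10.0.0.15,203.0.113.9,443,50000
"""


def parse_flows(text):
    """Parse the constructed CSV layout into a list of dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def match_indicators(flows):
    """Return (flow, reason) pairs for flows touching the reported ports or address range."""
    hits = []
    for f in flows:
        if f["port"] in C2_PORTS:
            hits.append((f, f"dst port {f['port']} matches reported C2 port"))
        if f["dst"] in DPRK_RANGE:
            hits.append((f, f"dst {f['dst']} in {DPRK_RANGE}"))
    return hits


def find_beacons(flows, min_flows=4, max_jitter=0.1):
    """Flag (src, dst, port) tuples whose connections recur at a near-constant interval.

    Jitter is the standard deviation of the inter-arrival gaps divided by their mean;
    human-driven traffic is bursty, a scheduled check-in is not. Thresholds are assumptions.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], str(f["dst"]), f["port"])].append(f["ts"])
    beacons = []
    for key, stamps in groups.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append((key, mean, jitter))
    return beacons


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f, reason in match_indicators(flows):
        print(f["ts"].isoformat(), f["src"], "->", f["dst"], reason)
    for (src, dst, port), period, jitter in find_beacons(flows):
        print(f"beacon {src} -> {dst}:{port} every {period:.0f}s (jitter {jitter:.2f})")
```

The indicator match is cheap but brittle, since the operators can change ports and exit nodes; the beaconing check keeps working after such a change, at the cost of tuning `min_flows` and `max_jitter` against the organization's own baseline.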

Additionally, industries at higher risk, such as cryptocurrency and technology, should adopt proactive defenses like endpoint detection and response (EDR) and enforce zero-trust security models.


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.