Investigations into North Korea's Lazarus group's recent cyberattacks on global cryptocurrency companies and software developers have revealed a hidden administrative layer. This platform is used by the attackers to centrally control the campaign's command and control (C2) framework.

Discovery of the Admin Layer

Researchers at SecurityScorecard have exposed how Lazarus uses this newly detected infrastructure to supervise compromised systems, manage payload distribution, and efficiently oversee data theft. This group employs the same web-based admin system in other operations, such as impersonating IT professionals.

Operational Security Measures

Despite the sophisticated operational security measures the attackers adopted to camouflage their activities, SecurityScorecard was able to connect the infrastructure, and the global campaign it supports, to North Korea with confidence. The campaign, which targets the cryptocurrency sector, has led to hundreds of victims executing malicious payloads that funnel stolen data back to Pyongyang.

SecurityScorecard named this admin layer "Phantom Circuit" during its investigation into "Operation 99," a campaign that deceives software developers worldwide through fake recruiter approaches on platforms such as LinkedIn. Victims unwittingly clone malicious GitHub repositories linked to Lazarus C2 infrastructure, which then infect their systems with data-stealing malware.

Malicious Tactics

By embedding obfuscated backdoors in legitimate applications, such as authentication and cryptocurrency software, Lazarus tricks developers into running harmful code. Over 230 victims have reportedly downloaded these malicious payloads in the group's ongoing campaign.

Dual Motivation Behind Attacks

The Lazarus group's motives are twofold: cryptocurrency theft and corporate network infiltration. Developers lured by the group often execute the compromised code on their employers' networks, putting development secrets at risk.

Accessing the Phantom Circuit

SecurityScorecard discovered the Phantom Circuit admin layer while examining how Lazarus manages the information stolen in Operation 99. The group uses a layered network of Astrill VPNs and proxies, services chosen for the anonymity they provide, to access its C2 infrastructure covertly.

Proxy Network Operations

Researchers uncovered intermediate proxy networks registered to a Russian freight company, which the operators used to reach Operation 99's infrastructure. These operations conceal their true origin by masking IP addresses behind fictitious companies such as "Stark Industries, LLC."

SecurityScorecard identified six distinct IP addresses in Pyongyang initiating VPN connections to the C2 network. This hidden operational network, dubbed Phantom Circuit, leads directly to Pyongyang and is also tied to other campaigns in which stolen identities were used to impersonate IT professionals.
