Full Report
The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Attributed to North Korean threat actor Lazarus Group.
## Activity Summary
Lazarus Group utilized a sophisticated **web-based administrative platform** (built with a React application and a Node.js API) to centrally manage and supervise their global command-and-control (C2) infrastructure. This activity was primarily linked to **Operation Phantom Circuit**, a supply chain attack campaign observed between September 2024 and January 2025. This operation targeted the cryptocurrency sector and developers globally by distributing **trojanized versions of legitimate software packages** containing backdoors.
## Tactics, Techniques & Procedures
- **Centralized C2 Management:** Use of a consistent, web-based administrative platform (React/Node.js) across all C2 servers for campaign oversight, data organization/exfiltration, and payload delivery management.
- **Supply Chain Compromise:** Delivering backdoors via trojanized legitimate software packages.
- **Social Engineering:** Use of LinkedIn to lure targets with promises of lucrative job opportunities or joint crypto-related collaborations (initial infection vector).
- **Evasion:** Varying payloads and obfuscation techniques to evade detection, even while using the consistent C2 framework.
- **Infrastructure Link:** Observed use of Astrill VPN, which retrospective analysis had previously linked to the actor.
## Targeting
- **Sectors:** Cryptocurrency sector, developers worldwide.
- **Geography:** Global, with identified victims in **Brazil, France, and India** (110 unique victims in India during January 2025 alone).
- **Victims:** Estimated 233 victims identified globally during the operation timeframe.
## Tools & Infrastructure
- **Malware families used:** Trojanized versions of legitimate software packages containing backdoors.
- **Infrastructure (C2, domains, IPs):**
  - C2 servers featuring a web-based administrative platform built with a React application and a Node.js API.
  - Use of Astrill VPN noted in past correlation studies.
## Implications
The adoption of a mature, centralized, web-based administrative framework demonstrates Lazarus Group's commitment to scalable and efficient global cyber operations, particularly those targeting financial and crypto assets. The success of Operation Phantom Circuit highlights the ongoing efficacy of supply chain attacks combined with targeted social engineering against vulnerable technical communities.
## Mitigations
- **Software Supply Chain Security:** Implement stringent verification procedures for all third-party software dependencies and updates, especially those sourced from developers or open-source channels.
- **Social Engineering Awareness:** Increase vigilance regarding unsolicited job offers or collaboration requests, particularly those brokered via professional networking sites like LinkedIn, especially when related to high-value sectors like cryptocurrency.
- **Network Segmentation and Monitoring:** Monitor outbound traffic for connections to unusual or web-based C2 interfaces that may be used to manage compromised hosts.