
SecurityScorecard’s latest report, “Operation Phantom Circuit,” exposes a newly uncovered cyber espionage campaign orchestrated by North Korea’s Lazarus Group. The report details how the nation-state-backed group has been executing a sophisticated data exfiltration operation that has targeted cryptocurrency firms, software developers, and supply chains worldwide since September 2024.
The campaign, which remains active as of January 2025, is distinguished by its advanced obfuscation techniques, hidden command-and-control (C2) infrastructure, and a centralized administrative system that allows Lazarus to manage stolen data with surgical precision.
Investigators from SecurityScorecard’s STRIKE team uncovered a previously undetected component of Lazarus’s infrastructure: a concealed web-based administrative platform built using React and Node.js. This system provided real-time oversight of compromised machines, data exfiltration management, and payload distribution.
“Each C2 server hosted a web-based administrative platform… not just an interface but a comprehensive system that allowed the attackers to: organize and manage exfiltrated data with precision, maintain direct oversight of compromised systems, and control payload delivery from a centralized hub,” the report states.
One of the most alarming aspects of Operation Phantom Circuit is its use of supply chain attacks. Lazarus operators were found to be embedding backdoors within legitimate software packages, deceiving developers into executing compromised applications.
“Lazarus has been observed altering legitimate software packages by embedding obfuscated backdoors, deceiving developers into executing these compromised packages,” the report explains.
The report suggests that the compromised software ranged from cryptocurrency applications to authentication solutions, leading to a widespread impact.
Through network traffic analysis and attribution efforts, investigators successfully traced the operation back to Pyongyang, North Korea. The Lazarus Group employed a multi-layered obfuscation strategy to conceal their origin and manage their global campaign.
SecurityScorecard identified four key operational layers used by Lazarus:
- Initial Connection: Investigators observed six distinct North Korean IP addresses initiating connections to establish the attack infrastructure.
- VPN Obfuscation: Attackers routed traffic through Astrill VPN exit nodes, masking their true origin.
- Proxy Relay: Traffic was then funneled through an intermediate proxy layer hosted by Sky Freight Limited in Hasan, Russia, blending malicious activity with legitimate network traffic.
- Command-and-Control Servers: The obfuscated traffic reached C2 infrastructure hosted on Stark Industries servers, facilitating payload delivery, victim management, and data exfiltration.
“This layered infrastructure tied the six North Korean IP addresses directly to the C2 servers, confirming Lazarus Group’s role in managing the operation from within North Korea,” the report confirms.
The operation has affected victims worldwide, with 233 confirmed compromises since September 2024. SecurityScorecard’s forensic analysis revealed that Lazarus-controlled C2 servers were actively managing victims across multiple continents, with India and Brazil among the most impacted nations.

Investigators also discovered that Lazarus was leveraging Dropbox services to exfiltrate stolen data. The compromised C2 servers were found making repeated connections to Dropbox IPs, indicating data transfers between December 4, 2024, and January 24, 2025.
“Throughout the December campaign, we observed the C2 server at 185.153.182.241 repeatedly connecting to multiple Dropbox IPs,” SecurityScorecard confirms.
Another noteworthy discovery in Operation Phantom Circuit was the identification of a React-based web-admin panel deployed on Lazarus’s C2 servers. This hidden dashboard was found to be accessible only via port 1245 and allowed Lazarus operators to:
- Browse and categorize exfiltrated data from victims.
- Manage payload delivery and botnet activity.
- Oversee network infiltration efforts in real time.
Investigators noted that this sophisticated panel was custom-built, reinforcing the theory that Lazarus is evolving its tactics by incorporating modern web technologies.
“The C2 servers also hosted a ‘hidden’ web-admin panel… facilitating the display of exfiltrated data from victims and providing attackers with the ability to search and filter the information,” the report details.
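Two of the observables described above, repeated connections from a C2 host to Dropbox addresses and a web service listening on port 1245, lend themselves to a simple flow-log triage. The script below is an added example, not code from the SecurityScorecard report or from this article: it parses constructed netflow-style records, counts connections per source/destination pair into cloud-storage ranges, and flags any traffic to the admin-panel port. The Dropbox prefixes are placeholders drawn from the RFC 5737 documentation nets (a real deployment would load them from a threat-intel feed), the flow records are constructed sample data, and only the C2 address 185.153.182.241 comes from the article.

```python
"""Added example (not from the SecurityScorecard report or this article):
netflow-style triage for two observables the article describes, namely
repeated connections from a suspected C2 host to cloud-storage (Dropbox) IPs
and traffic to a web-admin panel exposed on TCP/1245.
The Dropbox ranges are PLACEHOLDERS (RFC 5737 documentation nets) and the
flow records are constructed sample data."""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# PLACEHOLDER: replace with the real Dropbox prefixes from your intel feed.
CLOUD_STORAGE_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
ADMIN_PANEL_PORT = 1245      # port the article says the hidden panel used
REPEAT_THRESHOLD = 3         # flag a src/dst pair seen at least this many times

# Constructed flow records: "<ISO timestamp> <src> <dst> <dst_port>".
# 185.153.182.241 is the C2 address quoted in the article.
SAMPLE_FLOWS = """\
2024-12-04T10:01:12Z 185.153.182.241 203.0.113.7 443
2024-12-04T10:07:45Z 185.153.182.241 203.0.113.7 443
2024-12-05T08:12:00Z 185.153.182.241 198.51.100.21 443
2024-12-05T08:30:31Z 185.153.182.241 203.0.113.7 443
2024-12-05T09:00:02Z 192.0.2.55 185.153.182.241 1245
2024-12-05T09:00:40Z 192.0.2.10 192.0.2.20 80
2025-01-24T23:59:59Z 185.153.182.241 198.51.100.21 443
"""


def parse_flow(line):
    """Split one record into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            ip_address(src), ip_address(dst), int(port))


def in_cloud_storage(addr):
    """True if addr falls inside one of the (placeholder) storage prefixes."""
    return any(addr in net for net in CLOUD_STORAGE_NETS)


def triage(flow_text, threshold=REPEAT_THRESHOLD):
    """Return (exfil_candidates, panel_hits).

    exfil_candidates: {(src, dst): (count, first_seen, last_seen)} for pairs
                      that reached a cloud-storage IP at least `threshold` times.
    panel_hits:       sorted (src, dst) pairs with traffic to ADMIN_PANEL_PORT.
    """
    counts = Counter()
    first_seen, last_seen = {}, {}
    panel_hits = set()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        pair = (str(src), str(dst))
        if in_cloud_storage(dst):
            counts[pair] += 1
            first_seen[pair] = min(ts, first_seen.get(pair, ts))
            last_seen[pair] = max(ts, last_seen.get(pair, ts))
        if port == ADMIN_PANEL_PORT:
            panel_hits.add(pair)
    exfil = {p: (n, first_seen[p].isoformat(), last_seen[p].isoformat())
             for p, n in counts.items() if n >= threshold}
    return exfil, sorted(panel_hits)


if __name__ == "__main__":
    exfil, panel = triage(SAMPLE_FLOWS)
    for (src, dst), (n, first, last) in exfil.items():
        print(f"repeated cloud-storage traffic {src} -> {dst}: "
              f"{n} flows between {first} and {last}")
    for src, dst in panel:
        print(f"traffic to admin-panel port {ADMIN_PANEL_PORT}: {src} -> {dst}")
```

The threshold and the per-pair first/last timestamps are what make this useful in practice: a single upload to a cloud-storage service is normal on most networks, whereas the same server beaconing to the same storage IP repeatedly over weeks, as the article describes for December 2024 through January 2025, is worth a ticket. The port-1245 check is deliberately separate, since an unusual listening port on an internet-facing host is a hunting lead on its own.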