The Lazarus Group, a notorious North Korean state-sponsored Advanced Persistent Threat (APT), is behind a large-scale cyberattack campaign known as “Operation Phantom Circuit.” This operation, which began in September 2024, involves embedding malicious backdoors into legitimate software packages used by developers and organizations worldwide. The Lazarus Group’s targets include a significant number of victims in the cryptocurrency and technology sectors, where the impact has been especially concentrated. The attack has already affected over 233 organizations globally, with many of the compromised applications distributed through trusted platforms like GitLab and other open-source repositories.
The method used by the Lazarus Group in this campaign revolves around manipulating legitimate software packages, such as cryptocurrency apps and authentication tools, to include obfuscated malware. When unsuspecting developers download and execute these altered packages, they unknowingly trigger the infection chain. Once the malware is executed, it establishes communication with Command-and-Control (C2) servers that use advanced evasion techniques, including routing traffic through Astrill VPN endpoints and proxy servers located in Russia.
This multi-layered approach is designed to hide the true origin of the attacks, which have been traced back to North Korean IP addresses.
The C2 servers used by the Lazarus Group feature a hidden administrative layer that allows them to manage exfiltrated data, oversee compromised systems, and deliver additional payloads. The servers use ports such as 1224 and 1245, with the latter hosting a concealed web-admin panel that requires authentication for access. This panel allows operators to organize stolen data and offers advanced search and filtering capabilities to streamline their operations. Since the campaign has unfolded in waves, with each month seeing an increase in targeted victims, it is evident that the Lazarus Group is strategically expanding its attack surface.
Researchers have attributed the campaign to North Korea through the use of NetFlow analysis and the identification of traffic patterns linked to North Korean IP addresses. The Lazarus Group’s infrastructure makes use of proxies and VPNs to obscure the true source of the attacks, further complicating attribution. To defend against such sophisticated tactics, experts recommend implementing rigorous code verification processes, regularly auditing third-party software dependencies, and monitoring network traffic for anomalies. Organizations in high-risk sectors like cryptocurrency and technology are advised to adopt proactive cybersecurity measures, including endpoint detection and response (EDR) solutions and a zero-trust security model.
Reference:
