CyberSecurity news

Help Net Security@Help Net Security - 28d
Researchers have uncovered that the Lazarus Group, a North Korean state-sponsored hacking group, is using a web-based administrative panel built with React and Node.js to manage their global cyber operations. This platform gives them a centralized control point for overseeing compromised systems, organizing stolen data, and delivering malicious payloads. The administrative layer, dubbed "Phantom Circuit," is consistent across the group's command-and-control servers, allowing them to orchestrate campaigns with precise control, even while varying their payloads and obfuscation techniques.

This hidden framework is part of a supply chain attack named "Operation Phantom Circuit," where the Lazarus Group targets cryptocurrency entities and software developers by embedding backdoors into legitimate software packages. They trick developers into downloading and running compromised open-source GitHub repositories, which then connect to the group's C2 infrastructure. This approach allows the Lazarus Group to infiltrate companies around the world and exfiltrate sensitive data back to Pyongyang. The operation has claimed over 233 victims, primarily within the cryptocurrency industry, between September 2024 and January 2025, and it is linked to North Korea through the use of Astrill VPNs and six distinct North Korean IP addresses.
References:
  • ciso2ciso.com: The ongoing investigation into recent attacks by the Lazarus Group on cryptocurrency entities and software developers.
  • The Hacker News: The Lazarus Group uses React application for C2 control.
  • Pyrzout :vm:: North Koreans clone open source projects to plant backdoors, steal credentials – Source: go.theregister.com
  • gbhackers.com: Reporting on the Lazarus Group's targeting of developers through malicious NPM packages
Classification:
  • HashTags: #APT #CyberEspionage #LazarusGroup
  • Company: North Korea
  • Target: Cryptocurrency, Software Developers
  • Attacker: Lazarus Group
  • Product: Open Source Projects
  • Feature: backdoor
  • Malware: TorNet
  • Type: Espionage
  • Severity: Major