The North Korean threat actor known as the Lazarus Group has been observed leveraging a “web-based administrative platform” to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns.
“Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API,” SecurityScorecard’s STRIKE team said in a new report shared with The Hacker News. “This administrative layer was consistent across all the C2 servers analyzed, even as the attackers varied their payloads and obfuscation techniques to evade detection.”
The hidden framework has been described as a comprehensive system and a hub that allows attackers to organize and manage exfiltrated data, maintain oversight of their compromised hosts, and handle payload delivery.
The web-based admin panel has been identified in connection with a supply chain attack campaign dubbed Operation Phantom Circuit targeting the cryptocurrency sector and developers worldwide with trojanized versions of legitimate software packages that contain backdoors.
The campaign, which took place between September 2024 and January 2025, is estimated to have claimed 233 victims across the world, with most of them identified in Brazil, France, and India. In January alone, the activity targeted 110 unique victims in India.
The Lazarus Group has become something of a social engineering expert, luring prospective targets using LinkedIn as an initial infection vector under the guise of lucrative job opportunities or a joint collaboration on crypto-related projects.
The operation’s links to Pyongyang stem from the use of Astrill VPN – which has previously been linked to the fraudulent information technology (IT) worker scheme – and the discovery of six distinct North Korean IP addresses that have been found initiating connections, which were routed through Astrill VPN exit nodes and Oculus Proxy endpoints.
“The obfuscated traffic ultimately reached the C2 infrastructure, hosted on Stark Industries servers. These servers facilitated payload delivery, victim management, and data exfiltration,” SecurityScorecard said.
Further analysis of the admin component has revealed that it allows the threat actors to view exfiltrated data from victims, as well as search and filter of interest.
“By embedding obfuscated backdoors into legitimate software packages, Lazarus deceived users into executing compromised applications, enabling them to exfiltrate sensitive data and manage victims through command-and-control (C2) servers over port 1224,” the company said.
“The campaign’s infrastructure leveraged hidden React-based web-admin panels and Node.js APIs for centralized management of stolen data, affecting over 233 victims worldwide. This exfiltrated data was traced back to Pyongyang, North Korea, through a layered network of Astrill VPNs and intermediate proxies.”
