Researchers Uncover Lazarus Group Admin Layer for C2 Servers


2025-01-29

The Lazarus Group, a notorious North Korean cyber threat actor, has been ramping up its campaigns against cryptocurrency entities and software developers worldwide. A recent investigation by SecurityScorecard has unearthed a hidden administrative layer, dubbed “Phantom Circuit,” which the group has been using to manage their command and control (C2) infrastructure. This discovery sheds new light on the group’s sophisticated operational techniques and their ability to orchestrate global attacks while evading detection.

Key Findings

SecurityScorecard’s investigation into Lazarus Group’s operations revealed a complex and highly concealed command-and-control infrastructure, used for overseeing compromised systems, controlling payload delivery, and managing exfiltrated data. The group has employed a variety of VPNs and proxies, including Astrill VPN, to obfuscate their activities and hinder attribution back to Pyongyang.

The Phantom Circuit network was found to be pivotal in managing Lazarus’ Operation 99 campaign. This campaign primarily targeted cryptocurrency developers by impersonating recruiters and offering fraudulent job opportunities. Victims were tricked into downloading malicious payloads that compromised their systems, leading to data exfiltration, including sensitive corporate and development data.

Researchers tracked the infrastructure back to a set of IP addresses in Pyongyang, further confirming North Korean involvement. The Lazarus Group has been using these methods not only to target financial institutions for cryptocurrency theft but also to infiltrate corporate networks, causing widespread concern about the scale of their operations.

What Undercode Says:

Lazarus Group’s ongoing success in executing high-profile attacks speaks volumes about their ever-evolving capabilities. The uncovering of the Phantom Circuit administrative layer highlights how advanced the group’s tactics have become. The combination of proxy networks, VPNs, and a layered approach to C2 management reflects a highly organized cyber-espionage operation, one that goes beyond simple cryptocurrency theft to infiltrate organizations with valuable intellectual property and development secrets.

The group’s use of VPN services like Astrill, coupled with proxies routed through remote locations such as Russia, suggests a deliberate strategy to hide the true origin of their attacks. This is a clear attempt to bypass geo-location detection tools, further complicating efforts to trace their actions back to North Korea. The use of what appears to be a fictional entity, “Stark Industries, LLC,” adds another layer of confusion, making attribution much harder.

This incident reveals a dual-pronged strategy by Lazarus: financial gain through cryptocurrency theft and the infiltration of corporate networks for espionage. By targeting software developers—individuals often granted elevated privileges within corporate environments—they are able to slip malware past traditional security measures. Once the payloads are executed, sensitive data such as development code and proprietary corporate information is exfiltrated back to North Korea.

What is particularly noteworthy is the Lazarus

The

As this investigation continues, one can expect more detailed insights into Lazarus’ techniques, as well as an evolving security landscape where defending against such persistent and creative threats requires constant vigilance. With state-sponsored actors like Lazarus involved, companies must reassess their security postures and bolster their defenses to avoid falling victim to the sophisticated and far-reaching attacks of the future.

In the broader context of cyber espionage, the Lazarus Group’s activities serve as a reminder of the ongoing cyber arms race. Nation-state actors are increasingly using the same tools and techniques as cybercriminals, blurring the lines between traditional hacking and state-sponsored operations. This convergence of interests has resulted in an environment where financial theft, intellectual property theft, and espionage are all part of the same complex web of global cyber threats.

References:

Reported By: Darkreading.com