
The North Korean hacking group known as the Lazarus Group has recently begun using a web-based admin platform to manage its command-and-control (C2) infrastructure, giving it central oversight of its cyber operations. According to a report from SecurityScorecard’s STRIKE team, each C2 server ran a web-based management system built with React and Node.js. This structure remained consistent across the group's various servers, even as the attackers adjusted their payloads and techniques to avoid detection.
The admin panel acts as a centralized hub for the attackers, allowing them to organize and oversee the data they exfiltrate, manage compromised systems, and control payload delivery. This method has been linked to a supply chain attack campaign dubbed "Operation Phantom Circuit," which primarily targets the cryptocurrency sector. The operation involved distributing trojanized versions of legitimate software packages that contained hidden backdoors, leading to successful intrusions.
From September 2024 to January 2025, this campaign affected 233 victims across multiple countries, with the most significant impact noted in Brazil, France, and India. In January 2025 alone, most of the activity targeted 110 unique victims in India.
The Lazarus Group is well-known for exploiting social engineering tactics, utilizing platforms like LinkedIn to entice potential targets with promises of job opportunities or collaborative projects in the cryptocurrency space. Their activities have connections to Pyongyang, evidenced by the use of Astrill VPN—a tool previously associated with deceptive IT employment schemes—and the identification of six North Korean IP addresses that were involved in establishing connections through Astrill VPN nodes.
The analysis highlights that the obfuscated traffic from these operations was eventually funneled to C2 infrastructure hosted on Stark Industries’ servers, which facilitated the delivery of payloads, victim management, and unauthorized data extraction.
The web-based admin panel enables Lazarus operatives to view and categorize the stolen data, allowing for efficient management and retrieval of the information. By embedding hidden backdoors within software that appears legitimate, the group tricks users into inadvertently running compromised applications, which can then transmit sensitive data back to the attackers.
Overall, the campaign’s sophisticated use of React-based management tools and Node.js APIs illustrates a significant advancement in the Lazarus Group’s approach, allowing them to effectively coordinate their operations and expand their victim reach on a global scale.