The North Korean threat actor known as the Lazarus Group has been observed leveraging a “web-based administrative platform” to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns.
“Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API,” SecurityScorecard’s STRIKE team said in a new report shared with The Hacker News. “This administrative layer was consistent across all the C2 servers analyzed, even as the attackers varied their payloads and obfuscation techniques to evade detection.”
The hidden framework has been described as a comprehensive system and a hub that allows attackers to organize and manage exfiltrated data, maintain oversight of their compromised hosts, and handle payload delivery.
The web-based admin panel has been identified in connection with a supply chain attack campaign dubbed Operation Phantom Circuit targeting the cryptocurrency sector and developers worldwide with trojanized versions of legitimate software packages that contain backdoors.
“These are legitimate packages ranging from cryptocurrency applications to authentication solutions,” Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard, told The Hacker News. “What they have in common is that many of these applications are web apps using Node.js.”
“They are embedding obfuscated code into the repositories and tricking software developers into running the code as part of a skills test, interview or some other opportunity, often these developers are running it on their corporate laptops. This then allows for the operators to infiltrate companies around the world.”
The campaign, which took place between September 2024 and January 2025, is estimated to have claimed 233 victims across the world in January and 1,639 in total, with most of them identified in Brazil, France, and India. Of the 233 entities that were targeted, 110 are located in India.
The Lazarus Group has become something of a social engineering expert, luring prospective targets using LinkedIn as an initial infection vector under the guise of lucrative job opportunities or a joint collaboration on crypto-related projects.
The operation’s links to Pyongyang stem from the use of Astrill VPN – which has previously been linked to the fraudulent information technology (IT) worker scheme – and the discovery of six distinct North Korean IP addresses that have been found initiating connections, which were routed through Astrill VPN exit nodes and Oculus Proxy endpoints.
“The obfuscated traffic ultimately reached the C2 infrastructure, hosted on Stark Industries servers. These servers facilitated payload delivery, victim management, and data exfiltration,” SecurityScorecard said.
Further analysis of the admin component has revealed that it allows the threat actors to view exfiltrated data from victims, as well as search and filter of interest.
It is suspected that the web administrative platform has been used in all campaigns related to the IT Worker threat, serving as a conduit for the threat actors to manage the collected information from victims abroad, per Sherstobitoff.
“By embedding obfuscated backdoors into legitimate software packages, Lazarus deceived users into executing compromised applications, enabling them to exfiltrate sensitive data and manage victims through command-and-control (C2) servers over port 1224,” the company said.
“The campaign’s infrastructure leveraged hidden React-based web-admin panels and Node.js APIs for centralized management of stolen data, affecting over 233 victims worldwide. This exfiltrated data was traced back to Pyongyang, North Korea, through a layered network of Astrill VPNs and intermediate proxies.”