Threat Intelligence, Malware

Lazarus Group found using web-based admin panel for campaign management


The Hacker News reports that the Lazarus Group has been using a sophisticated web-based administrative platform to oversee its command-and-control operations.

Based on reporting from SecurityScorecard's STRIKE team, the North Korean state-backed threat actor runs a React and Node.js-based system on each C2 server to enable centralized management of stolen data, observation of compromised hosts, and payload distribution. The C2 infrastructure is reportedly hosted on Stark Industries servers. The platform was observed in connection with Operation Phantom Circuit, a supply chain attack that targeted cryptocurrency firms and developers across the globe. In the campaign, Lazarus embedded obfuscated backdoors into legitimate Node.js-based software packages, deceiving developers into executing the malicious code while completing fake job-related coding tests. The campaign was active from September 2024 to January 2025 and compromised 1,639 victims, with the highest concentration in India, Brazil, and France. Researchers believe this admin panel has been used across Lazarus’ cyber espionage operations in support of North Korea’s wide-ranging IT Worker scheme. The group also used LinkedIn for social engineering and employed Astrill VPN and North Korean IP addresses to mask its activities.
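The packages described above were run by developers as part of a "coding test", so the defensive control is an audit before `npm install`. The following is an added example, not code from the article or from SecurityScorecard's report: it flags install-time lifecycle hooks and a few obfuscation indicators in package sources. The indicator list, the `verdict` thresholds and the embedded sample package are assumptions constructed for illustration, and the checks are heuristics for triage rather than proof of compromise.

```javascript
// Install-time hooks let a package run code as soon as it is installed (assumed list).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Source-level indicators often seen in obfuscated loaders (heuristic, assumed list).
const SOURCE_INDICATORS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "function-constructor", re: /new\s+Function\s*\(/ },
  { name: "child-process", re: /require\(\s*['"]child_process['"]\s*\)/ },
  { name: "hex-escaped-string", re: /(\\x[0-9a-f]{2}){8,}/i },   // 8+ consecutive \xNN escapes
  { name: "base64-decode", re: /Buffer\.from\([^,]+,\s*['"]base64['"]\)/ },
];

// Audit a parsed package.json plus a map of { relativePath: sourceText }.
function auditPackage(pkgJson, sources) {
  const findings = [];
  const scripts = pkgJson.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ where: `scripts.${hook}`, indicator: "lifecycle-hook", detail: scripts[hook] });
  }
  for (const [file, code] of Object.entries(sources)) {
    for (const ind of SOURCE_INDICATORS) {
      if (ind.re.test(code)) findings.push({ where: file, indicator: ind.name });
    }
  }
  return findings;
}

// "block" when code would run at install time AND looks obfuscated; "review" for any other hit.
function verdict(findings) {
  const hook = findings.some((f) => f.indicator === "lifecycle-hook");
  const obfuscated = findings.some((f) => f.indicator !== "lifecycle-hook");
  if (hook && obfuscated) return "block";
  return findings.length > 0 ? "review" : "ok";
}

// Constructed sample: a "coding test" package whose postinstall runs a hex-obfuscated loader.
const SAMPLE_PKG = { name: "coding-test", version: "1.0.0",
  scripts: { postinstall: "node lib/setup.js", test: "jest" } };
const SAMPLE_SOURCES = {
  "lib/setup.js": 'const cp = require("child_process");\n' +
    'const p = Buffer.from("aGVsbG8=", "base64").toString();\n' +
    'eval("\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65\\x2e\\x6c\\x6f\\x67\\x28\\x31\\x29");\n',
  "lib/index.js": "module.exports = (a, b) => a + b;\n",
};

const sampleFindings = auditPackage(SAMPLE_PKG, SAMPLE_SOURCES);
console.log(verdict(sampleFindings), sampleFindings); // → block, 5 findings
```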
