North Korean Hackers Deploy Hidden 'Phantom Circuit' to Control Global Cyber Operations

North Korean hacking group Lazarus has been exposed using a hidden administrative layer, dubbed "Phantom Circuit," to manage their global cybercrime operations targeting cryptocurrency entities and software developers.

SecurityScorecard's research team revealed that this concealed infrastructure allows Lazarus to oversee compromised systems, control malware delivery, and manage stolen data. The discovery emerged during investigations into "Operation 99," a deceptive campaign where hackers pose as recruiters on LinkedIn to target software developers.

The group tricks victims into cloning malicious GitHub repositories, which connect to Lazarus-controlled command-and-control (C2) servers. Over 230 victims have reportedly downloaded these harmful payloads, which are often disguised as legitimate authentication apps and cryptocurrency software.

The administrative layer employs sophisticated methods to hide its origins, utilizing Astrill VPN services across 142 cities and a complex proxy network registered to a freight company in Russia. Despite these elaborate concealment efforts, researchers traced the activity back to six distinct IP addresses in Pyongyang.

Ryan Sherstobitoff, SecurityScorecard's senior vice president of threat intelligence, explained that Lazarus has dual objectives: stealing cryptocurrency and infiltrating corporate networks. The group specifically targets developers who might execute malicious code on corporate devices, enabling the theft of development secrets.

The same infrastructure was also linked to another Lazarus operation where attackers impersonated IT workers to infiltrate target organizations. The discovery provides unprecedented insight into how North Korean cyber operations maintain control over their global campaigns while attempting to evade detection.

This revelation demonstrates the growing sophistication of state-sponsored cyber operations and highlights the need for increased vigilance in the software development and cryptocurrency sectors.