Lazarus Group Uses React-Based Admin Panel to Control Global Cyber Attacks

Jan 29, 2025 | Ravie Lakshmanan | Threat Intelligence / Malware

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of its campaigns.

"Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's STRIKE team said in a new report shared with The Hacker News. Even as the attackers changed the payloads and obfuscation techniques used to evade detection, this administrative layer remained consistent across all the C2 servers analyzed.

The hidden platform has been described as a centralized hub that enables the attackers to manage exfiltrated data, maintain control over compromised hosts, and handle payload delivery.

The web-based administration panel has been identified as part of Operation Phantom Circuit, a supply chain attack campaign that targets developers around the world with backdoored software packages, with a particular focus on the cryptocurrency industry.

"These are genuine packages ranging from crypto applications to login solutions," Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard, told The Hacker News. "They all share the common trait that many of these software packages are web applications running on Node.js."

The attackers embed obfuscated code into the repositories and deceive software developers into running the code as part of a skills assessment, interview, or similar opportunity, and frequently these developers run it on their work laptops. The attackers can therefore penetrate businesses around the world.

The campaign, which took place between September 2024 and January 2025, is estimated to have claimed 233 victims across the world in January and 1,639 in total, with most of them identified in Brazil, France, and India. Of the 233 companies targeted in January, 110 are located in India.

The Lazarus Group has a well-documented history of social engineering, using LinkedIn as a starting point to lure prospective targets with lucrative employment opportunities or joint ventures in crypto-related projects.

The operation's connections to Pyongyang stem from the use of Astrill VPN, which has been linked to the fraudulent information technology (IT) worker scheme, and the discovery of six distinct North Korean IP addresses that were observed initiating connections that passed through Astrill VPN exit nodes and Oculus Proxy endpoints.

"The disguised traffic finally reached the C2 servers, hosted on machines. These machines facilitated payload delivery, victim management, and data exfiltration," SecurityScorecard said.

Further analysis of the administrative component revealed that it enables the threat actors to search and filter data of interest, in addition to viewing data exfiltrated from victims.

According to Sherstobitoff, the web-based administrative platform is believed to have been used in all campaigns involving the Lazarus Group, serving as a conduit for the threat actors to manage the information collected from victims worldwide.

"By embedding obfuscated backdoors into legitimate software packages, Lazarus deceived users into executing compromised applications, enabling them to exfiltrate sensitive data and manage victims through command-and-control (C2) servers over port 1224," the company said.

"The campaign's infrastructure utilized hidden React-based web-admin panels and Node.js APIs for unified management of stolen information, affecting over 233 victims worldwide. This exfiltrated information was traced back to Pyongyang, North Korea, through a layered network of Astrill VPNs and intermediary proxies."
