The Phantom Circuit: the Lazarus Group's evolution in supply chain compromise

Thursday 25 September 14:00 - 14:30, Green room

Ryan Sherstobitoff (SecurityScorecard)

In December 2024, a routine software update concealed a global cyber threat. The North Korean state-sponsored Lazarus Group infiltrated trusted development tools, launching a sophisticated supply chain attack code-named Phantom Circuit. This campaign compromised hundreds of victims across cryptocurrency and technology sectors, leveraging advanced obfuscation techniques via proxy servers in Hasan, Russia.

STRIKE's investigation uncovered a critical shift in Lazarus Group's tactics – embedding malware directly into widely used development applications. The attackers utilized an extensive command-and-control (C2) infrastructure, operational since September 2024, to manage exfiltrated data. Their administrative platform, secured behind proxy relays, facilitated persistent remote access and data organization through a hidden React-based interface with Node.js APIs. Further analysis indicated overlap between Phantom Circuit and North Korean IT worker schemes, where state-sponsored actors disguised as freelance developers contributed to compromised software projects.

This study presents a detailed analysis of Phantom Circuit, including its layered infrastructure, anonymization techniques, and global scale of compromise. Our findings indicate:

• Infrastructure sophistication: Lazarus employed VPNs and commercial proxy services to obscure North Korean IP addresses before routing traffic to C2 servers.
• Targeted sectors: Over 1,500 developers worldwide, primarily in technology and cryptocurrency, were compromised.
• Data exfiltration: Stolen credentials, authentication tokens, and system configurations were systematically organized and stored in Dropbox for further exploitation.
• Operational adaptations: The use of modern frameworks like React and Node.js for managing stolen data underscores Lazarus Group's evolution in cyber operations.

Our investigation leveraged a combination of OSINT analysis and netflow and STRIKE threat intelligence feeds. We identified key North Korean IP addresses originating traffic to Astrill VPN endpoints. These endpoints then relayed through the Oculus Proxy network, registered to Sky Freight Limited in Hasan, Russia, before reaching the command-and-control infrastructure. Further analysis showed connections between these IPs and previous cyber operations linked to North Korean state-sponsored activities, confirming the involvement of Lazarus Group actors operating from Pyongyang. Additionally, overlaps were identified between Phantom Circuit and North Korea's IT worker schemes, where operatives, masquerading as freelance developers, injected malicious code into software repositories used in global development projects.

This presentation will discuss:

• Technical breakdown of Phantom Circuit: how the malware was embedded into development tools and its operational flow.
• C2 infrastructure and anonymization: the Lazarus Group's use of VPNs, proxies, and spoofed domains.
• Victimology and global impact: a review of compromised regions and sectors.
• Overlap with North Korean IT worker schemes: analysis of how Lazarus-affiliated developers infiltrate legitimate software projects.
• Defensive measures: best practices for securing software supply chains and detecting such threats.
• Future trends in cyber threats: how state-sponsored actors are evolving in their tactics and what to expect next.

Our analysis highlights the increasing complexity of state-sponsored cyber attacks and the necessity for robust software supply chain security. The insights gained from Phantom Circuit emphasize the urgency of monitoring development environments, verifying software dependencies, and deploying advanced threat intelligence to mitigate such sophisticated intrusions.

Back to VB2025 Programme page

Back to VB2025 conference page

Other VB2025 papers