lazarusholic


Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign

2025-01-29, SecurityScorecard
https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/
Operation-Phantom-Circuit-Report_012725_03.pdf, 1.2 MB
#Lazarus #PhantomCircuit

Contents

In December 2024, a routine software update concealed a global threat. Attackers from the Lazarus Group, based in North Korea, infiltrated trusted development tools, compromising hundreds of victims worldwide. This sophisticated campaign, code-named “Phantom Circuit,” targeted cryptocurrency and technology developers, employing advanced obfuscation techniques through proxy servers in Hasan, Russia.
STRIKE’s investigation of ‘Phantom Circuit’ revealed a critical shift in Lazarus Group tactics: embedding malware directly into trusted applications. “This approach allows widespread impact and long-term access while evading detection,” explains Ryan Sherstobitoff, Senior Vice President of Research and Threat Intelligence at STRIKE.
Investigation
STRIKE’s investigation began with Operation 99, uncovering the Lazarus Group’s use of command-and-control (C2) servers. These servers, active since September 2024, formed the backbone of an elaborate infrastructure to manage and exfiltrate stolen data. Further analysis revealed a concealed administrative platform designed to view and filter data.
| Campaign Start Date | …

IoC

http://sageskills-uk.com
5.253.43.122
83.234.227.53
70.39.70.197
70.39.70.196
94.131.9.32
175.45.176.27
86.104.74.51
175.45.178.14
175.45.178.130
175.45.176.68
83.234.227.51
45.58.143.196
83.234.227.50
83.234.227.52
199.115.99.62
83.234.227.49
185.153.182.241
175.45.178.11
175.45.178.10
175.45.178.9
45.128.52.14
204.188.233.68
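The IoC list above is only useful once it is run against your own telemetry. The script below is an added example, not code from the SecurityScorecard/STRIKE report: it embeds the listed domain and IP addresses, scans log lines for them (matching the domain and any of its subdomains, and validating dotted quads so junk like 999.1.1.1 is ignored), and groups the addresses by network prefix to show how heavily they cluster. The log lines are constructed for the demo and are not real traffic; the log format is an assumption.

```python
import ipaddress
import re
from collections import Counter

# IoCs transcribed from the list above (page data, not new).
IOC_DOMAINS = {"sageskills-uk.com"}
IOC_IPS = {
    "5.253.43.122", "83.234.227.53", "70.39.70.197", "70.39.70.196",
    "94.131.9.32", "175.45.176.27", "86.104.74.51", "175.45.178.14",
    "175.45.178.130", "175.45.176.68", "83.234.227.51", "45.58.143.196",
    "83.234.227.50", "83.234.227.52", "199.115.99.62", "83.234.227.49",
    "185.153.182.241", "175.45.178.11", "175.45.178.10", "175.45.178.9",
    "45.128.52.14", "204.188.233.68",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# last label must be alphabetic so dotted-quad IPs are not treated as hostnames
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def iocs_in_line(line):
    """Return the set of IoCs (IPs and hostnames) that appear in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)  # reject out-of-range octets
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.add(ip)
    for host in HOST_RE.findall(line):
        h = host.lower().rstrip(".")
        # exact domain or any subdomain of a listed domain
        if h in IOC_DOMAINS or any(h.endswith("." + d) for d in IOC_DOMAINS):
            hits.add(h)
    return hits


def scan(lines):
    """Yield (line_number, line, hits) for every line that references an IoC."""
    return [(n, line, hits) for n, line in enumerate(lines, 1)
            if (hits := iocs_in_line(line))]


def cluster_by_prefix(prefixlen=24):
    """Count how many listed IPs fall into each /prefixlen network."""
    nets = Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        for ip in IOC_IPS
    )
    return dict(nets)


# Constructed sample log lines (assumed proxy/DNS format, not real traffic).
SAMPLE_LOG = [
    "2024-12-12T09:14:03Z proxy src=10.0.0.15 dst=83.234.227.50 dport=443 action=allow",
    "2024-12-12T09:14:07Z dns q=update.sageskills-uk.com a=5.253.43.122",
    "2024-12-12T09:15:00Z proxy src=10.0.0.22 dst=142.250.72.14 dport=443 action=allow",
    "2024-12-12T09:15:30Z proxy src=10.0.0.15 dst=175.45.178.9 dport=8080 action=allow",
]

if __name__ == "__main__":
    for n, line, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {sorted(hits)}")
    for net, count in sorted(cluster_by_prefix(24).items(), key=lambda kv: -kv[1]):
        if count > 1:
            print(f"{net}: {count} listed addresses")
```

Blocking individual addresses is the obvious first step; the prefix clustering is there because several of the listed hosts sit in the same /24 (83.234.227.49-53 and 175.45.178.9-130), which is worth knowing when deciding whether to watch a whole range rather than single IPs, and when the attacker rotates to a neighbouring address.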