The North Korean threat actor known as Lazarus Group has been observed using a web-based administrative platform to manage its command-and-control (C2) infrastructure, giving the adversary centralized control over every aspect of its campaigns.
“Each C2 server hosted a web-based administrative platform built with React and a Node.js API,” SecurityScorecard’s STRIKE team said in a new report shared with The Hacker News. “This administrative layer was consistent across all analyzed C2 servers, even as the attackers changed their payloads and obfuscation methods for evasion.”
The hidden framework has been described as a comprehensive system and a hub that lets the attackers organize and manage exfiltrated data, maintain oversight of compromised hosts and handle payload delivery.
The web-based admin panel was identified in connection with a supply chain attack campaign, dubbed Operation Phantom Circuit, that targeted the cryptocurrency sector and developers around the world with trojanized versions of legitimate software packages.
The campaign, estimated to have run from September 2024 to January 2025, is believed to have claimed 233 victims around the world, located mainly in Brazil, France and India. In January alone, the activity affected 110 unique victims in India.
Lazarus Group has become something of an expert in social engineering, luring targets via LinkedIn as the initial infection vector under the guise of lucrative job opportunities or collaboration on crypto projects.
The links to Pyongyang are based on the use of Astrill VPN, which has previously been tied to the fraudulent IT worker scheme, and the discovery of six distinct North Korean IP addresses that initiated connections routed through Astrill VPN exit nodes and Oculus Proxy endpoints.
“As a result, the obfuscated traffic eventually reached the C2 infrastructure hosted on Stark Industries servers. These servers facilitated payload delivery, victim management and data exfiltration,” SecurityScorecard said.
Further analysis of the admin component revealed that it allows the threat actor to view victims, as well as search for and filter data of interest.
“By embedding obfuscated backdoors into legitimate software packages, Lazarus deceived users into running compromised applications, enabling them to exfiltrate sensitive data and manage victims through command-and-control (C2) servers over port 1224,” the company said.
“The campaign’s infrastructure uses hidden React-based admin panels and Node.js APIs for centralized data management, affecting more than 233 victims worldwide and intermediate trust.”
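The one network-level indicator the report gives is the C2 port, 1224. The following detection sketch is an added example, not code from the article or from SecurityScorecard: it parses a constructed, Zeek-style connection log and flags internal hosts that make outbound TCP connections on that port to addresses outside an organization's own address ranges. The log format, the internal ranges, and every IP address and hostname in it are assumptions made up for the example; only the port comes from the report.

```python
"""Hunt for outbound TCP/1224 connections in a constructed conn.log.

Added example, not code from the page or from SecurityScorecard.  The log
format (tab-separated: ts, src_ip, src_port, dst_ip, dst_port, proto), the
internal address ranges and all sample addresses are constructed assumptions;
the port number 1224 is the only value taken from the report.
"""
import ipaddress
from collections import defaultdict

C2_PORT = 1224  # C2 port named in the report

# Assumed internal ranges; a real deployment would use its own allocation.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log.  Lines 1 and 5 should fire (internal -> external,
# tcp, port 1224); line 3 is internal-to-internal and line 4 is UDP, so
# neither should; line 2 is ordinary HTTPS traffic.
SAMPLE_CONN_LOG = """\
1737000001.1\t10.0.5.21\t51234\t203.0.113.10\t1224\ttcp
1737000002.2\t10.0.5.21\t51240\t203.0.113.10\t443\ttcp
1737000003.3\t10.0.5.22\t51300\t10.0.9.9\t1224\ttcp
1737000004.4\t10.0.5.23\t51400\t198.51.100.7\t1224\tudp
1737000005.5\t10.0.5.21\t51500\t198.51.100.7\t1224\ttcp
malformed line that should be skipped
"""


def parse_conn_log(text):
    """Parse tab-separated records into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        ts, src, _sport, dst, dport, proto = parts
        try:
            records.append({
                "ts": float(ts),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport),
                "proto": proto.strip().lower(),
            })
        except ValueError:
            continue  # unparsable address, port or timestamp
    return records


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def find_c2_candidates(records, port=C2_PORT):
    """Map each internal source to the external hosts it reached on TCP/<port>."""
    hits = defaultdict(set)
    for r in records:
        if (r["proto"] == "tcp" and r["dport"] == port
                and is_internal(r["src"]) and not is_internal(r["dst"])):
            hits[str(r["src"])].add(str(r["dst"]))
    # Sorted lists make the output deterministic for reporting and testing.
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    findings = find_c2_candidates(parse_conn_log(SAMPLE_CONN_LOG))
    for src, dsts in findings.items():
        print(f"{src} -> {', '.join(dsts)} on tcp/{C2_PORT}: review this host")
```

A port alone is a weak indicator, so a hit here is a triage lead, not a verdict: the next step is to check whether the source host recently installed or updated a software package and whether the destination is otherwise unknown to the organization.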