Operation Phantom Circuit: North Korea’s Global Data Exfiltration Campaign
Thumbnail
In December 2024, the Lazarus Group from North Korea initiated a sophisticated cyberattack called “Phantom Circuit,” targeting cryptocurrency and technology developers worldwide by embedding malware in trusted software packages. This campaign leveraged a complex network of command-and-control servers, VPNs, and proxies to exfiltrate sensitive data, including development credentials and authentication tokens. The investigation highlighted the urgent need for organizations to secure their software supply chains and monitor development environments. Affected: Cryptocurrency developers, technology sector, global organizations.

Keypoints :

  • The Lazarus Group launched a global cyberattack code-named “Phantom Circuit” in December 2024.
  • Malware was embedded into trusted development tools, impacting cryptocurrency and technology developers.
  • The attack revealed a shift in tactics, focusing on stealth and long-term access.
  • Command-and-control servers facilitated the management and exfiltration of stolen data.
  • The campaign compromised over 1,500 systems across three waves.
  • Data exfiltrated included critical development credentials and authentication tokens.
  • Persistent connections to Dropbox were used for storing and organizing stolen data.
  • Organizations are urged to verify software dependencies and strengthen supply chain security.

MITRE Techniques :

  • TA0003: Persistent Access – Used persistent RDP sessions to maintain access to compromised systems.
  • TA0008: Command and Control (C2) – Employed C2 servers for communication and data exfiltration over port 1224.
  • TA0040: Exfiltration – Data was exfiltrated to Dropbox following comprehensive data collection.
  • TA0005: Defense Evasion – Embedded malware within trusted applications to evade detection.
  • TA0011: Application Layer Protocol (Abuse Elevation Control Mechanism) – Used APIs in a custom-built administrative platform for managing stolen data.

Indicator of Compromise :

  • [IPv4 Address] 94.131.9.32
  • [IPv4 Address] 185.153.182.241
  • [IPv4 Address] 86.104.74.51
  • [IPv4 Address] 5.253.43.122
  • [IPv4 Address] 175.45.178.130

Full Story: https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/