
Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign

· Published 30/01/2025 16:13 · Modified 30/01/2025 16:33


Essential information

Published
30/01/2025 16:13
Modified
30/01/2025 16:33
Tags
2025-01-30 command and control cryptocurrency data exfiltration north korea phantom circuit software supply chain
Related entities
13 observables, 1 intrusion sets (apt), 13 techniques (mitre), 4 others

Description

In December 2024, the Lazarus Group, a North Korean threat actor, launched a global campaign targeting cryptocurrency and technology developers. The operation, code-named "Phantom Circuit," embedded malware into trusted development tools and compromised hundreds of victims worldwide. To obscure the origin of its traffic, the group routed connections through proxy servers in Russia. The campaign unfolded in three waves and affected more than 1,500 systems globally. Its infrastructure comprised command-and-control servers, spoofed domains, and persistent remote management sessions. The attackers exfiltrated sensitive data, including development credentials and authentication tokens, and staged it in Dropbox. The operation's administrative platform, used to manage the stolen data, reflects the group's technical expertise and planning.

External references