Lazarus Group Deploys Hidden Web Admin Panel to Control Global Cyber Attacks
Cybersecurity researchers have uncovered a sophisticated web-based administrative platform used by North Korea's Lazarus Group to manage its command-and-control (C2) infrastructure, allowing the threat actors to oversee and coordinate their operations from a centralized hub.
According to SecurityScorecard’s STRIKE team, every C2 server linked to the group featured an admin panel built with React and a Node.js API, enabling attackers to manage exfiltrated data, monitor compromised devices, and distribute malicious payloads. This hidden framework remained consistent across various campaigns, even as Lazarus adapted its attack methods to avoid detection.
Supply Chain Attacks & Operation Phantom Circuit
The web-based admin panel has been directly linked to Operation Phantom Circuit, a large-scale supply chain attack campaign targeting the cryptocurrency industry and software developers worldwide. Lazarus embedded obfuscated backdoors into legitimate software packages, tricking developers into unknowingly executing malicious code—often as part of job interviews, skills tests, or collaboration opportunities.
“These are genuine applications, from cryptocurrency platforms to authentication tools, often built using Node.js,” said Ryan Sherstobitoff, senior vice president of Threat Research and Intelligence at SecurityScorecard. “Attackers inject hidden code into repositories, deceiving developers into running it on their corporate devices, granting access to infiltrate companies globally.”
Between September 2024 and January 2025, the campaign compromised 1,639 victims worldwide, with 233 new victims recorded in January alone. India was heavily targeted, accounting for 110 of the 233 affected entities, followed by victims in Brazil and France.
Lazarus’ Social Engineering Tactics & North Korean Links
Lazarus has refined its social engineering techniques, frequently using LinkedIn to lure victims by posing as recruiters offering high-paying jobs or promising partnerships on crypto-related projects.
Investigations tied the operation back to North Korea, thanks to the use of Astrill VPN—previously linked to North Korea’s fraudulent IT worker scheme—and the discovery of six North Korean IP addresses connecting to the C2 infrastructure through Oculus Proxy endpoints.
“The obfuscated traffic was ultimately routed to C2 servers hosted on Stark Industries infrastructure, which facilitated payload deployment, victim monitoring, and data theft,” SecurityScorecard reported.
A Sophisticated Command Hub for Cyber Operations
Further analysis of the admin panel revealed that it provides advanced search and filtering capabilities, allowing Lazarus operators to sift through stolen data efficiently. Researchers suspect that this centralized management tool has been a core element in all IT Worker threat campaigns, enabling the adversaries to process and exploit stolen information from their targets worldwide.
By embedding backdoors into trusted applications, Lazarus successfully exfiltrated sensitive data and controlled infected systems via C2 servers running on port 1224. The React-based web admin panel and Node.js-powered APIs played a key role in managing the attack infrastructure, affecting hundreds of victims across the globe.
This latest revelation underscores the growing sophistication of North Korean cyber operations, as state-sponsored groups continue to refine their tactics to evade detection and exploit emerging technologies.