Inside the North Korean Lazarus Group’s global data exfiltration operation

North Korean hackers targeted victims all over the world – including Australia – with malware-infected software to steal data, credentials, and system information.

David Hollingworth
Mon, 03 Feb 2025

New research has revealed the scale of a widespread North Korean hacking campaign targeting developers and cryptocurrency firms.

The campaign was carried out by the state-backed Lazarus Group and took place between November 2024 and January 2025.

According to SecurityScorecard’s STRIKE intelligence team, with additional analysis provided by Team Cymru, the North Korean hackers were able to embed malware in several “trusted applications”, which went on to infect more than 1,500 systems globally.

“This approach allows widespread impact and long-term access while evading detection,” Ryan Sherstobitoff, senior vice president of research and threat intelligence at STRIKE, said in a 29 January blog post.

The Lazarus Group began this particular campaign – dubbed Phantom Circuit – by setting up an extensive command and control network, spoofed domains, and other persistent infrastructure. Several sets of C2 infrastructure and servers were established to operate throughout the campaign to maintain stealth and target particular groups of victims.

“These servers included a complete administrative platform for managing compromised systems worldwide,” Sherstobitoff said.

“This infrastructure demonstrated a level of planning and sophistication that surpassed expectations.”

In some cases, direct access to a victim lasted for up to 10 days.

In November, Lazarus targeted 181 mostly European technology developers, while in December, it expanded the campaign globally, with a particular focus on India, with 284 observed victims, and Brazil, with 32 victims. The campaign continued into January, with 233 more victims added – 110 of them belonging to India’s technology sector.

However, many other countries were targeted to some degree, with at least one Australian victim in each phase of the campaign.

SecurityScorecard’s team was able to analyse the malware’s control panel and was surprised to find a set of advanced capabilities. The hackers were able to closely monitor a device’s details such as PC name, OS, and system configurations; collect URLs, credentials, and authentication tokens; and track timestamps of user interactions. The entire platform was controlled by modern software frameworks.

While much of the malicious network was linked to North Korean IP addresses, a large share of the traffic was routed via proxies hosted on Russian IP addresses.

“The level of precision and customisation in this platform is troubling,” Sherstobitoff said.

“It shows a deliberate effort to manage stolen data at scale while evading detection.”

Unfortunately, it looks as though the campaign was largely successful. SecurityScorecard observed sensitive data and credentials being uploaded to Dropbox; in one example, the upload session lasted for more than five hours.

You can read the full blog post and analysis here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
