How Lazarus Group built a cyber espionage empire
Since September 2024, SecurityScorecard’s STRIKE team has been investigating Lazarus Group’s activity, uncovering key details about their infrastructure. Despite variations in payload delivery and obfuscation techniques, the campaign relied on a consistent C2 framework.
Hidden control panel
Through deep analysis, researchers identified a hidden administrative layer within the C2 servers, offering the attackers centralized control over compromised systems. This web-based administrative platform, built with React and Node.js, enabled Lazarus to:
- Precisely organize and manage exfiltrated data.
- Oversee compromised systems worldwide.
- Deliver payloads and execute operations from a single interface.
This central hub, consistent across all analyzed C2 servers, provided Lazarus with operational oversight, even as they employed sophisticated techniques to avoid detection.
Global software supply chain attack
Lazarus Group executed a supply chain attack, embedding malicious backdoors into legitimate software packages. These altered packages – from cryptocurrency apps to authentication solutions – tricked developers and victims into unknowingly installing compromised software. Once executed, the payloads facilitated data exfiltration and system compromise.
Attribution to North Korea
Using NetFlow analysis and temporal traffic patterns, STRIKE traced the operation back to Pyongyang, North Korea, with high confidence. The campaign relied on a multi-layered obfuscation strategy, routing traffic through Astrill VPNs and proxy servers registered to Sky Freight Limited in Russia, to mask the group’s origin.
Key findings include:
- Six distinct North Korean IP addresses connected to the operation.
- Astrill VPN endpoints and proxies used to blend malicious traffic with legitimate activity.
- 233 global victims, primarily in the cryptocurrency industry, identified between September 2024 and January 2025.
“This operation highlights the growing sophistication of software supply chain attacks and the global reach of state-sponsored threat actors,” explains Ryan Sherstobitoff, SVP of Research and Threat Intelligence at STRIKE. “By uncovering Lazarus Group’s infrastructure and methods, we’re providing the cybersecurity community with the tools needed to defend against similar attacks in the future.”