The North Korean state-sponsored threat actor Lazarus Group has been observed operating a React-based web administration platform to coordinate its global attack campaigns. This command-and-control (C2) infrastructure lets Lazarus centrally oversee its malware operations, distribute payloads, and manage compromised systems.
React-Based Admin Panel Used for Centralized Attack Management
According to a recent SecurityScorecard STRIKE team report, Lazarus has deployed a web-based C2 framework featuring a React-powered frontend and a Node.js API. This admin interface remains a consistent feature across multiple attack operations, despite variations in payloads and obfuscation tactics aimed at evading detection.
“Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API,” the report stated.
The framework lets Lazarus orchestrate payload deployment, monitor infected hosts, and manage exfiltrated data from a single console. It acts as a command center for the operation, streamlining attack management while the implants themselves keep a low profile inside targeted networks.
Operation Phantom Circuit: Supply Chain Attacks on Cryptocurrency Sector
The React-based admin panel has been identified in connection with Operation Phantom Circuit, a supply chain campaign aimed at cryptocurrency firms and developers. Lazarus distributed trojanized software packages carrying stealthy backdoors, compromising systems worldwide.
Key Details of Operation Phantom Circuit:
Timeframe: September 2024 – January 2025
Victims: 233 worldwide, with a major concentration in Brazil, France, and India
India alone accounted for 110 victims in January 2025
Social Engineering & Advanced Evasion Tactics
Lazarus Group has honed its social engineering tactics, leveraging LinkedIn to lure unsuspecting victims with fake job offers and crypto-related collaboration proposals.
The campaign’s North Korean connection was reinforced by:
Use of Astrill VPN, previously linked to fraudulent IT worker schemes
Six North Korean IP addresses, detected routing through Astrill VPN exit nodes and Oculus Proxy endpoints
SecurityScorecard noted:
How Lazarus Uses the React-Based Admin Panel
An in-depth analysis of the admin panel revealed key functionalities, including:
Viewing & filtering exfiltrated data
Monitoring infected systems in real time
Deploying and managing malware payloads
By embedding obfuscated backdoors into legitimate software, Lazarus tricks users into executing compromised applications; the implants then exfiltrate sensitive data to C2 servers listening on port 1224.
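The one network-level indicator the report gives defenders is the C2 listener on port 1224. The script below is an added example, not code from SecurityScorecard or from this article: it parses constructed Zeek-style connection records (the tab-separated field layout is an assumption), lists every outbound connection to the C2 port, and then checks whether any source/destination pair is contacting that port at regular intervals, which is the beaconing pattern an implant reporting in to an admin panel produces. The IP addresses and timestamps are invented for the demonstration.

```python
"""Flag outbound connections to the Lazarus C2 port named in the report (1224)
and look for regular beaconing from a single host.

Added example, not code from the original article or from SecurityScorecard.
The log lines are constructed, and the Zeek conn.log-like layout
(ts, src_ip, src_port, dst_ip, dst_port, proto, bytes_out) is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

C2_PORT = 1224  # port the report attributes to the Lazarus C2 servers

# Constructed sample records: one host (10.0.0.5) beacons to the C2 every ~60 s,
# one host makes a single connection, one host talks to an unrelated HTTPS server.
SAMPLE_LOG = """\
1737000000.000\t10.0.0.5\t51234\t203.0.113.10\t1224\ttcp\t2048
1737000060.100\t10.0.0.5\t51240\t203.0.113.10\t1224\ttcp\t1900
1737000120.050\t10.0.0.5\t51251\t203.0.113.10\t1224\ttcp\t2100
1737000180.200\t10.0.0.5\t51260\t203.0.113.10\t1224\ttcp\t2000
1737000030.000\t10.0.0.7\t44321\t198.51.100.4\t443\ttcp\t512
1737000090.000\t10.0.0.9\t44330\t203.0.113.10\t1224\ttcp\t300
"""


def parse_conn_log(text):
    """Parse tab-separated connection records into dicts; skip blanks/comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, out = line.split("\t")
        rows.append({
            "ts": float(ts), "src": src, "src_port": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto,
            "bytes_out": int(out),
        })
    return rows


def find_c2_connections(rows, port=C2_PORT):
    """Every record whose destination port is the reported C2 port."""
    return [r for r in rows if r["dport"] == port]


def find_beacons(rows, port=C2_PORT, min_hits=3, max_jitter=0.2):
    """Group C2-port hits by (src, dst) and report pairs whose inter-arrival
    times are regular: coefficient of variation of the gaps <= max_jitter.
    Returns {(src, dst): {"hits", "interval_s", "bytes_out"}}."""
    stamps_by_pair = defaultdict(list)
    bytes_by_pair = defaultdict(int)
    for r in rows:
        if r["dport"] != port:
            continue
        key = (r["src"], r["dst"])
        stamps_by_pair[key].append(r["ts"])
        bytes_by_pair[key] += r["bytes_out"]

    findings = {}
    for key, stamps in stamps_by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few contacts to judge periodicity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_jitter:
            findings[key] = {
                "hits": len(stamps),
                "interval_s": round(avg, 1),
                "bytes_out": bytes_by_pair[key],
            }
    return findings


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_LOG)
    for r in find_c2_connections(records):
        print(f"C2-port connection: {r['src']} -> {r['dst']}:{r['dport']} "
              f"({r['bytes_out']} bytes out)")
    for (src, dst), info in find_beacons(records).items():
        print(f"Beaconing: {src} -> {dst} every ~{info['interval_s']} s, "
              f"{info['hits']} hits, {info['bytes_out']} bytes out")
```

A single port is a weak indicator on its own; the actor can move it in the next campaign, and the report itself notes that payloads and obfuscation vary across operations. Treat a port-1224 match as a lead to pivot on (destination IP, process that opened the socket, periodicity) rather than as a verdict, and pair it with the endpoint and supply-chain controls discussed below.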
Global Cybersecurity Implications
The use of React-based admin panels highlights the evolving sophistication of nation-state threat actors. As Lazarus Group refines its tactics, organizations must bolster threat detection, endpoint security, and supply chain defenses to counter these stealthy cyber threats.
Key Takeaways:
Lazarus Group is leveraging React and Node.js for centralized attack management
Operation Phantom Circuit targeted 233 victims across major crypto hubs
North Korean ties indicated by Astrill VPN activity and proxy routing
Organizations must enhance cybersecurity measures to combat advanced APT tactics
Stay Updated on Cyber Threats
For the latest cybersecurity insights, follow Doomsec and stay ahead of emerging threats in 2025.