North Koreans clone open source projects to plant backdoors, steal credentials

Stealing crypto is so 2024. Supply-chain attacks leading to data exfil pay off better?

North Korea's Lazarus Group compromised hundreds of victims across the globe in a massive secret-stealing supply chain attack that was ongoing as of earlier this month, according to security researchers.

The crew's latest operation, dubbed Phantom Circuit, planted backdoors in clones of legitimate software packages and open source tools so that developers, particularly those in the cryptocurrency industry, would unwittingly use them and compromise their own machines. These poisoned projects were shared via sites such as GitLab.

The campaign unfolded in multiple waves, according to SecurityScorecard researchers, who spotted the supply chain attack and disclosed it in research [PDF] published today.

In November, Kim Jong Un's cyberspies targeted 181 developers in mostly European tech sectors. The following month, they expanded to 1,225 victims, including 284 in India, and 21 in Brazil. And in January, they added 233 victims, which included 110 in India's technology sector. 

Stolen data included credentials, authentication tokens, passwords, and other system information. 

Lazarus Group primarily forked open source projects for this campaign, we're told. If you've come across, or installed, any of the malware-laced packages identified by SecurityScorecard, be aware and take action.

The modified repositories included Codementor, CoinProperty, Web3 E-Store, a Python-based password manager, and other cryptocurrency-related apps, authentication packages, and web3 technologies, Ryan Sherstobitoff, senior VP of research and threat intelligence at SecurityScorecard, told The Register.


"These are examples of code repos they host on Gitlab, for example, which is a clone of legit software and they embed into Node.js obfuscated backdoor," he said. "The scary thing is that these developers will clone this code from git directly onto corporate laptops, we have seen this directly with two devs already. Basically they can do it for almost any package."

Once a developer unknowingly downloads and begins using a malicious fork, the malware in that cloned code executes and installs a backdoor on the compromised device, allowing North Koreans to connect in, steal sensitive data, and send it back to Pyongyang.
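Because the compromise described above happens when a developer clones and runs a poisoned fork, the practical check is to triage a checkout before installing it: list the npm lifecycle scripts that execute automatically on `npm install`, and flag source files that carry the obfuscation patterns an embedded Node.js backdoor tends to show. The script below is an added example written for this page; it is not SecurityScorecard's tooling and it contains no Phantom Circuit indicators. The heuristic rules, the score threshold, and the sample repository (a constructed `package.json` plus two constructed `.js` files) are all this example's own assumptions.

```javascript
// Added example, not from the article or from SecurityScorecard: triage a cloned
// Node.js repository before running anything in it. The rules, threshold and
// sample files are constructed assumptions, not published indicators.

// npm runs these script names automatically during install, so a backdoored
// clone most often hooks one of them to gain execution.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Return the lifecycle scripts declared in a package.json text.
function findLifecycleScripts(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  return Object.entries(scripts)
    .filter(([name]) => LIFECYCLE_HOOKS.includes(name))
    .map(([name, cmd]) => ({ name, cmd }));
}

// Heuristic obfuscation indicators for a JavaScript source file.
// Each rule is a label plus a regex; the score is the number of rules matched.
const RULES = [
  { label: "eval/Function", re: /\b(eval|new\s+Function)\s*\(/ },
  { label: "hex-escaped string", re: /(\\x[0-9a-fA-F]{2}){8,}/ },
  { label: "long base64 blob", re: /[A-Za-z0-9+\/]{120,}={0,2}/ },
  { label: "base64 decode", re: /Buffer\.from\([^)]*['"]base64['"]\)/ },
  { label: "child_process", re: /require\(\s*['"]child_process['"]\s*\)/ },
  { label: "network+fs combo", re: /require\(\s*['"](https?|net)['"]\s*\)[\s\S]*require\(\s*['"]fs['"]\s*\)/ },
  { label: "credential paths", re: /(\.ssh|\.aws|\.npmrc|Login Data|\.config\/solana)/ },
];

// Score one source file: how many indicator rules it trips, and which ones.
function scoreObfuscation(source) {
  const hits = RULES.filter(({ re }) => re.test(source)).map(({ label }) => label);
  return { score: hits.length, hits };
}

// Triage a repository given as { relativePath: fileContents }. In practice the
// map would come from walking the checkout; here it is passed in directly.
// Files tripping fewer than OBFUSCATION_THRESHOLD rules are not reported.
const OBFUSCATION_THRESHOLD = 2;

function triageRepo(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith("package.json")) {
      for (const s of findLifecycleScripts(text)) {
        findings.push({ path, kind: "lifecycle", detail: `${s.name}: ${s.cmd}` });
      }
    } else if (path.endsWith(".js")) {
      const { score, hits } = scoreObfuscation(text);
      if (score >= OBFUSCATION_THRESHOLD) {
        findings.push({ path, kind: "obfuscation", detail: hits.join(", ") });
      }
    }
  }
  return findings;
}

// Constructed sample: a benign-looking app whose postinstall hook loads a
// helper that base64-decodes and evals a payload. Not a real package.
const SAMPLE_REPO = {
  "package.json": JSON.stringify({
    name: "web3-estore-demo",
    scripts: { start: "node index.js", postinstall: "node lib/init.js" },
  }),
  "index.js": "const express = require('express');\nconsole.log('hello');\n",
  "lib/init.js":
    "const cp = require('child_process');\n" +
    "const p = Buffer.from('ZWNobyBoZWxsbw==', 'base64').toString();\n" +
    "eval(p);\n",
};

const SAMPLE_FINDINGS = triageRepo(SAMPLE_REPO);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

On the constructed sample this reports two findings: the `postinstall` hook in `package.json`, and `lib/init.js`, which trips the eval, base64-decode and child_process rules. A zero-finding result is not a clean bill of health, since a backdoor can be staged in a dependency rather than the cloned tree itself; the point of the check is to force a look at what will execute on install before it executes.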

This campaign — embedding malware into copies of legitimate software — also reveals a shift in Lazarus Group's modus operandi, Sherstobitoff added.

"This approach allows widespread impact and long-term access while evading detection," Sherstobitoff said in a write-up about his team's investigation.

During its earlier investigation into a fake-job-offer scam, Operation 99, SecurityScorecard's incident response team uncovered Lazarus Group command-and-control (C2) servers that had been active since September 2024. Further analysis revealed that these servers were later used in the Phantom Circuit campaign to communicate with infected systems, deliver malware, and exfiltrate stolen data.

However, "critical questions — such as how exfiltrated data was handled and what infrastructure was used to manage these servers — remained unanswered until now," the researchers noted.

The incident response team identified a concealed administrative system hosted on each C2 server that provided centralized control over the supply chain attack. The administrative platform, which managed exfiltrated data and controlled payload delivery, was built with a React application and a Node.js API. 

Lazarus Group also used layered obfuscation to hide the origin of this campaign, we're told.

This included routing traffic through Astrill VPN endpoints to obscure their geographic origin, followed by an intermediate proxy layer registered to Sky Freight Limited in Hasan, Russia, blending malicious activity with legitimate network traffic.

After mixing with legitimate traffic, the data-stealing campaign ultimately reached the Lazarus Group's C2 infrastructure, hosted on Stark Industries servers.

SecurityScorecard researchers spotted six North Korean IP addresses connecting to the C2 servers — one of which was tied to the earlier Lazarus Group attacks against the Codementor platform.

From the C2 servers, the digital crooks uploaded the stolen goods to Dropbox. 

"This layered infrastructure tied the six North Korean IP addresses directly to the C2 servers, confirming Lazarus Group's role in managing the operation from within North Korea," the report said. ®
