Lazarus Group Uses Hidden Admin Panel for Cyber Attacks

Lazarus Group is using a hidden web-based admin panel to control its global cyber attacks. A recent report reveals that this platform helps manage stolen data and oversee operations.

The group built its system as a React-based web application backed by a Node.js API. Researchers found that every command-and-control (C2) server hosted the same admin interface, even as the group changed its attack methods; a panel that is reused unchanged across servers is a consistent fingerprint that investigators can use to tie infrastructure together. Through this framework the operators organize stolen data, control compromised devices, and distribute malicious payloads.
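The finding that every C2 server served the same admin interface is itself a hunting lead: a web panel's static shell (page title plus the hashed JavaScript and CSS bundle names a production React build emits) can be fingerprinted, and hosts sharing a fingerprint can be clustered or reached by pivoting from one confirmed server. The script below is an added example of that technique written for this page; it is not code from the report, the researchers, or the campaign. The hostnames, HTML shells and bundle names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample data (not captured from the real campaign): the HTML
# shell each host returns for its root URL. Hosts are RFC 5737 test addresses
# and the bundle names are invented. Three hosts serve the same React build,
# one serves a different build with the same page title, and one is an
# unrelated web server.
RESPONSES = {
    "203.0.113.10": (
        '<!doctype html><html><head><title>Admin Panel</title>'
        '<script defer src="/static/js/main.8a1f3c2d.js"></script>'
        '<link href="/static/css/main.5e6b7a9f.css" rel="stylesheet">'
        '</head><body><div id="root"></div></body></html>'
    ),
    # Same build, but assets listed in a different order with extra whitespace.
    "203.0.113.22": (
        '<!doctype html>\n<html>\n<head>\n  <title> Admin Panel </title>\n'
        '  <link href="/static/css/main.5e6b7a9f.css" rel="stylesheet">\n'
        '  <script defer src="/static/js/main.8a1f3c2d.js"></script>\n'
        '</head>\n<body><div id="root"></div></body>\n</html>\n'
    ),
    "198.51.100.7": (
        '<!doctype html><html><head><title>Admin Panel</title>'
        '<script defer src="/static/js/main.8a1f3c2d.js"></script>'
        '<link href="/static/css/main.5e6b7a9f.css" rel="stylesheet">'
        '</head><body><div id="root"></div></body></html>'
    ),
    # Same title, different build: matching on the title alone would be a
    # false positive.
    "198.51.100.99": (
        '<!doctype html><html><head><title>Admin Panel</title>'
        '<script defer src="/static/js/main.0011aabb.js"></script>'
        '<link href="/static/css/main.ccdd2233.css" rel="stylesheet">'
        '</head><body><div id="root"></div></body></html>'
    ),
    "198.51.100.5": (
        '<html><head><title>Welcome to nginx!</title></head>'
        '<body><h1>Welcome to nginx!</h1></body></html>'
    ),
}

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.S | re.I)
SCRIPT_RE = re.compile(r'<script[^>]+src="([^"]+)"', re.I)
STYLE_RE = re.compile(r'<link[^>]+href="([^"]+\.css)"', re.I)


def fingerprint(html: str) -> str:
    """Hash the stable parts of a single-page-app shell: the page title plus
    the sorted script and stylesheet paths. Production React builds embed a
    content hash in each bundle name, so identical asset names across hosts
    indicate the same build was deployed. Sorting and stripping make the
    result insensitive to whitespace and asset order, which an exact hash of
    the response body is not."""
    m = TITLE_RE.search(html)
    title = m.group(1).strip() if m else ""
    assets = sorted(SCRIPT_RE.findall(html)) + sorted(STYLE_RE.findall(html))
    material = "\n".join([title, *assets]).encode()
    return hashlib.sha256(material).hexdigest()[:16]


def cluster(responses: dict) -> dict:
    """Group hosts by shell fingerprint; each value is a sorted host list."""
    groups = defaultdict(list)
    for host, body in responses.items():
        groups[fingerprint(body)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def related_hosts(responses: dict, seed_host: str) -> list:
    """Pivot from one confirmed C2: every other host serving the same build."""
    seed = fingerprint(responses[seed_host])
    return sorted(h for h, body in responses.items()
                  if h != seed_host and fingerprint(body) == seed)


if __name__ == "__main__":
    for fp, hosts in cluster(RESPONSES).items():
        print(fp, hosts)
    print("pivot from 203.0.113.10:", related_hosts(RESPONSES, "203.0.113.10"))
```

Run it directly to print the clusters and the pivot from one seed host. In practice the responses would come from a passive scan dataset or from collection infrastructure set up for the purpose, since fetching the panel means touching adversary-controlled servers. Bundle hashes identify one build only; a recompile changes them, so the title and route structure are worth keeping as a weaker secondary signal when the hash does not match.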

Investigations linked this admin panel to Operation Phantom Circuit, a supply chain attack targeting cryptocurrency firms and developers. Between September 2024 and January 2025, the campaign compromised 233 victims, with most cases reported in Brazil, France, and India. In January 2025 alone, 110 individuals in India fell victim to the attack.

Lazarus Group often relies on social engineering, luring victims with LinkedIn job offers or proposed crypto-related collaborations. Under that pretext, targets are persuaded to install software laced with backdoors, which then gives the attackers access to sensitive data. Attribution to North Korea rested on the operators' VPN connections and six specific IP addresses traced to Pyongyang.

Further analysis found that the admin system lets the operators browse stolen data, filter it, and manage infected systems. The group used servers from the hosting provider Stark Industries for data theft, payload delivery, and victim tracking, and obscured the origin of its activity by routing traffic through VPNs and proxy servers.

Preventive Measures

To stay protected, users should avoid installing software from unverified sources, and should treat unsolicited job offers or collaboration requests that ask them to run code or a package as suspicious, since that is the lure this campaign used. Organizations should conduct security audits and monitor outbound network activity for connections to unexpected hosts, bearing in mind that the attackers route traffic through VPNs and proxies, so a single destination is not a reliable indicator on its own. Endpoint protection and strong authentication, such as multi-factor authentication on accounts and wallets, limit what a backdoored machine can be used for.