Operation-Phantom-Circuit-Report_012725_03.pdf (1 MB)

SecurityScorecard describes Operation Phantom Circuit as a Lazarus Group campaign that embedded malware in trusted development tools to compromise cryptocurrency and technology developers worldwide. The infrastructure used C2 servers active from late 2024 into January 2025, a hidden administrative platform, spoofed domains, VPN and proxy routing through Hasan, Russia, and Dropbox for exfiltrated data storage. STRIKE reported more than 1,500 compromised systems across three waves, with stolen development credentials, authentication tokens, browser passwords, and system information collected from victims.