Security researchers exposed Phantom Circuit — the hidden administrative layer Lazarus Group uses to centrally manage its C2 servers from Pyongyang, routed through a freight company’s proxy network in Russia to obscure attribution. The same infrastructure connects to Operation 99, a campaign targeting Web3 and crypto developers with malicious GitHub repositories that backdoor corporate environments. HN54 also covers Android 16’s Advanced Protection Mode: blocking sideloading, dropping 2G, and adding memory safety extensions.
Stories Covered
Lazarus Group Phantom Circuit: The Admin Layer Behind Their C2 Empire
SecurityScorecard researchers, while following up on Operation 99, discovered a previously unknown administrative layer Lazarus Group uses to manage its command-and-control infrastructure — dubbed Phantom Circuit. The setup routes all operator connections through AstroVPNs to an intermediate proxy network registered under a freight company in Hassan, Russia, before reaching the actual C2 servers (hosted on infrastructure registered to a likely fictional “Stark Industries LLC”). The layering is designed to make attribution point to Russian threat actors rather than Pyongyang.
Operation 99, the campaign Phantom Circuit supports, targets software developers looking for freelance Web3 and cryptocurrency work. Victims are directed — via fake job lures — to clone GitHub repositories that appear legitimate but contain backdoors and obfuscated Python scripts that phone home to Lazarus C2 servers. The malware then exfiltrates development secrets, cryptocurrency wallet data, and environment configuration. More than 230 victims downloaded the malicious payloads across the campaign, with Italy accounting for the highest victim count in disclosed data.
The concern here goes beyond cryptocurrency theft. Lazarus has been inserting backdoors into legitimate authentication apps and crypto software to get developers to run them in corporate environments. Developers with broad access — to source code, infrastructure configs, internal APIs — represent high-value pivot points for supply chain attacks. An infection at the developer level can compromise everything downstream. The same Phantom Circuit proxy network was also used in Lazarus’s IT worker impersonation campaign, confirming shared infrastructure across multiple concurrent operations.
Android 16 Advanced Protection Mode: Sideloading Blocked, 2G Cut Off
Android 16 extends Google’s Advanced Protection Program with device-level enforcement. When enabled, the mode greys out “allow from this source” install options system-wide — no app, not even a privileged system process, can sideload an APK. This closes the same vector SpyLoan and similar campaigns have exploited: users tricked into installing malicious APKs from outside the Play Store.
Advanced Protection Mode also disables 2G connectivity. Most major markets have sunset 2G, but most Android devices still support it as a fallback — and fake cell towers (IMSI catchers / “stingrays”) can force devices down to 2G, where traffic is unencrypted and interceptable. Blocking it at the OS level closes that downgrade attack. Android 16 also adds Memory Tagging Extension (MTE) support, a hardware-assisted mechanism for detecting memory safety bugs — addressing one of the most common vulnerability classes in Android’s native code.
A new API lets apps check enrollment status and apply additional hardening when a user is in Advanced Protection — useful for security-conscious enterprise apps and IT MDM setups. The feature was found in Android 16 beta and has not been formally announced by Google, so final availability is not guaranteed, but the components are present and functional.





