A coalition led by BCA LTD founder Mauro Eldritch, in collaboration with NorthScan and the interactive malware analysis platform ANY.RUN, has successfully uncovered a significant and ongoing infiltration network operated by North Korea’s Lazarus Group, specifically its Famous Chollima division. This scheme uses remote IT workers to penetrate companies primarily in the finance, crypto, healthcare, and engineering sectors in the West. The breakthrough came when NorthScan’s Heiner García initiated the operation by impersonating a U.S. developer targeted by a Lazarus recruiter using the alias “Aaron” or “Blaze.” This setup allowed the investigative team to simulate the entire recruitment and infiltration process from the perspective of a victim.
The operation’s objective, consistent with known Chollima tactics, was for the recruiter, posing as a job-placement business, to hire a frontman—an individual who would work remotely via a victim’s laptop and funnel their salary back to the DPRK. The scheme meticulously followed a standard pattern: stealing or borrowing an identity, passing interviews with AI assistance, and maintaining persistent remote access to the host machine. The investigators moved to the next phase after “Blaze” demanded full access to the fake developer’s personal and sensitive information, including their SSN, ID, LinkedIn, and Gmail, along with continuous, 24/7 access to the laptop.
Instead of compromising a real device, Eldritch deployed ANY.RUN’s advanced Sandbox virtual machines. These virtual environments were meticulously configured to mimic genuine, active personal workstations, complete with fabricated usage history, developer tools, and U.S. residential proxy routing. This highly controlled setup provided a unique vantage point, enabling the team to monitor every action of the operators live. Crucially, the researchers could also manipulate the sandbox, for example by forcing crashes or throttling connectivity, and capture snapshots of the activity without ever tipping off the operators to the fact that they were working inside a fully controlled simulation.
The sandbox sessions provided unprecedented insight into the Famous Chollima’s operational toolkit. The exposed tools were not focused on traditional malware deployment but on identity takeover and remote access. Operators loaded AI-driven job automation tools like Simplify Copilot, AiApply, and Final Round AI to streamline applications and generate interview responses. They also used browser-based OTP generators (e.g., OTP.ee / Authenticator.cc) to handle two-factor authentication for victim accounts after collecting identity documents. Persistent control was established via Google Remote Desktop, configured with a fixed PIN through PowerShell. All connections were consistently routed through Astrill VPN, a recognized element of previous Lazarus infrastructure.
The core goal of the operation was confirmed when, in one session, an operator explicitly left a Notepad message asking the “developer” to upload their ID, SSN, and banking details. This confirmed the strategy: achieve full identity and workstation takeover without deploying traditional malware, relying entirely on social engineering and legitimate remote access tools. The findings serve as a critical warning, highlighting that remote hiring is a reliable entry point for identity-based threats. An infiltrator, once inside, poses a risk far greater than a single compromised machine, potentially accessing internal dashboards, sensitive data, and manager-level accounts, underscoring the necessity f
Reference:
