{“lastseen”:”2025-12-02T15:04:29″,”description”:”\\n\\nA joint investigation led by Mauro Eldritch, founder of **BCA LTD** , conducted together with threat-intel initiative **NorthScan **and **ANY.RUN, **a solution for interactive malware analysis and threat intelligence, has uncovered one of North Korea’s most persistent infiltration schemes: a network of remote IT workers tied to Lazarus Group’s Famous Chollima division.\\n\\nFor the first time, researchers managed to watch the operators work **live** , capturing their activity on what they believed were real developer laptops. The machines, however, were fully controlled, long-running sandbox environments created by ANY.RUN.\\n\\n## The Setup: Get Recruited, Then Let Them In\\n\\n \\n— \\nScreenshot of a recruiter message offering a fake job opportunity \\n \\nThe operation began when NorthScan’s **Heiner Garc\u00eda** impersonated a U.S. developer targeted by a Lazarus recruiter using the alias \\”Aaron\\” (also known as \\”Blaze\\”).\\n\\nPosing as a job-placement \\”business,\\” Blaze attempted to hire the fake developer as a frontman; a known Chollima tactic used to slip North Korean IT workers into Western companies, mainly in the **finance, crypto, healthcare, and engineering** sectors.\\n\\n \\n— \\nThe process of interviews \\n \\nThe scheme followed a familiar pattern:\\n\\n * steal or borrow an identity,\\n * pass interviews with AI tools and shared answers,\\n * work remotely via the victim’s laptop,\\n * funnel salary back to DPRK.\\n\\n\\n\\nOnce Blaze asked for full access, including SSN, ID, LinkedIn, Gmail, and 24\/7 laptop availability, the team moved to phase two.\\n\\n## The Trap: A \\”Laptop Farm\\” That Wasn’t Real\\n\\n \\n— \\nA safe virtual environment provided by ANY.RUN’s Interactive Sandbox \\n \\nInstead of using a real laptop, BCA LTD’s Mauro Eldritch deployed the ANY.RUN Sandbox’s virtual machines, each configured to resemble a fully active personal workstation with usage history, developer tools, and U.S. residential proxy routing.\\n\\nThe team could also force crashes, throttle connectivity, and snapshot every move without alerting the operators.\\n\\n## What They Found Inside the Famous Chollima’s Toolkit\\n\\nThe sandbox sessions exposed a lean but effective toolset built for identity takeover and remote access rather than malware deployment. Once their Chrome profile synced, the operators loaded:\\n\\n * **AI-driven job automation tools** (Simplify Copilot, AiApply, Final Round AI) to auto-fill applications and generate interview answers.\\n * **Browser-based OTP generators** (OTP.ee \/ Authenticator.cc) for handling victims’ 2FA once identity documents were collected.\\n * **Google Remote Desktop** , configured via PowerShell with a fixed PIN, providing persistent control of the host.\\n * Routine **system reconnaissance** (dxdiag, systeminfo, whoami) to validate the hardware and environment.\\n * Connections consistently routed through **Astrill VPN** , a pattern tied to previous Lazarus infrastructure.\\n\\n\\n\\nIn one session, the operator even left a Notepad message asking the \\”developer\\” to upload their ID, SSN, and banking details, confirming the operation’s goal: full identity and workstation takeover without deploying a single piece of malware.\\n\\n## A Warning for Companies and Hiring Teams\\n\\nRemote hiring has become a quiet but reliable entry point for identity-based threats. Attackers often reach your organization by targeting individual employees with seemingly legitimate interview requests. Once they’re inside, the risk goes far beyond a single compromised worker. An infiltrator can gain access to internal dashboards, sensitive business data, and manager-level accounts that carry real operational impact.\\n\\nRaising awareness inside the company and giving teams a safe place to check anything suspicious can be the difference between stopping an approach early and dealing with a full-blown internal compromise later.\\n\\nFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-12-02T15:00:00″,”modified”:”2025-12-02T15:02:12″,”type”:”thn”,”title”:”Researchers Capture Lazarus APT’s Remote-Worker Scheme Live on Camera”,”source”:””,”references”:””,”id”:”THN:621EB754185F663257F354D8E109D325″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/12\/researchers-capture-lazarus-apts-remote.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-02T15:04:29″,”description”:”\\n\\nA joint investigation led by Mauro Eldritch, founder of **BCA LTD** , conducted together with threat-intel initiative **NorthScan **and **ANY.RUN, **a solution for interactive malware…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,13,33,7,11,43,5],"class_list":["post-28289","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n