Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Redazione RHC : 3 December 2025 17:59
A joint investigation by BCA LTD, NorthScan, and ANY.RUN has exposed one of North Korea’s most secretive hacking schemes. Under the guise of routine recruitment, the team monitored how operators from the Lazarus Group, a division of Famous Chollima , infiltrated companies around the world as remote IT workers with stolen identities.
The operation was initiated by BCA LTD founder Mauro Eldritch , who joined forces with the NorthScan initiative and the interactive malware analysis service ANY.RUN . NorthScan specialists created a fictitious American developer , who was used by Heiner Garcia to communicate with a Lazarus recruiter under the alias Aaron “Blaze.”
Heiner Garcia posed as a job broker and attempted to present the fake candidate as a front for North Korean IT employees , targeting companies in the financial, cryptocurrency, medical, and engineering sectors.
The entire scheme is based on identity substitution and remote access. First, other people’s documents and online profiles are selected and assigned, then interviews are conducted using artificial intelligence services and pre-set responses.
Once hired, the work is performed via a real person’s laptop, and the salary is transferred to North Korea. The investigation entered its active phase when the recruiter requested a complete set of personal information: social security numbers, copies of IDs, LinkedIn and Gmail access, and 24/7 device connectivity.
Instead of a real laptop, Mauro Eldritch deployed a series of virtual machines in ANY.RUN that mimicked the developer’s personal workstations , complete with usage history, installed tools, and traffic through American home proxies. This created the illusion of a real computer for the operators, but their entire activity was fully monitored and tracked. The team could force crashes, throttle connections, and take snapshots of the system state, all without revealing any surveillance.
The sessions revealed a focus not on sophisticated malware, but on account takeover and long-term access. After syncing the Chrome profile, the operators launched automated services for preparing job applications and interview responses, such as Simplify Copilot, AiApply, and Final Round AI.
To enable two-factor authentication, the browser-based one-time code generators OTP.ee and Authenticator.cc were used. For remote control, Google Remote Desktop was used, configured via PowerShell with a persistent PIN. Standard system reconnaissance was performed using the dxdiag, systeminfo, and whoami utilities.
Traffic flowed continuously through Astrill’s VPN service, which had previously connected to Lazarus’s infrastructure. During one session, the operator left a request in Notepad to upload scanned documents, Social Security numbers, and banking information, which ultimately confirmed the goal: complete control of accounts and work environments without installing any separate malware.
History shows how remote hiring has become a convenient channel for identity spoofing attacks. An attempt to infiltrate a target often begins with a credible job advertisement and continues with requests for access to company devices and services. If successfully infiltrated, these “staff” gain access to internal dashboards, confidential information, and executive accounts, creating real operational risks.
Timely notification to HR and IT teams, clear candidate screening procedures, and the ability to securely review suspicious requests help stop such schemes at the initial contact stage.
Redazione