A collaborative investigation led by Mauro Eldritch, founder of BCA LTD, alongside NorthScan and ANY.RUN, has unveiled one of North Korea’s most persistent infiltration tactics: a network of remote IT workers linked to the Lazarus Group’s Famous Chollima division.
For the first time, researchers observed the operators live, capturing their activity on what they believed were genuine developer laptops. In reality, the machines were fully controlled sandbox environments created by ANY.RUN.
The Setup: Recruitment as a Gateway

The operation began when NorthScan’s Heiner García impersonated a U.S. developer targeted by a Lazarus recruiter using the alias “Aaron,” also known as “Blaze.” Posing as a legitimate job-placement business, Blaze attempted to hire the fake developer as a frontman—a known Chollima tactic to infiltrate Western companies, particularly in finance, cryptocurrency, healthcare, and engineering sectors.

The scheme followed a predictable pattern:
- Steal or borrow an identity
- Pass interviews using AI tools and shared answers
- Work remotely through the victim’s laptop
- Funnel salaries back to DPRK

When Blaze requested full access, including Social Security Number, ID, LinkedIn, Gmail, and 24/7 laptop availability, the investigation moved to phase two.
The Trap: A “Laptop Farm” That Wasn’t Real

Instead of a real laptop, BCA LTD deployed ANY.RUN sandbox virtual machines. Each machine mimicked an active personal workstation with usage history, developer tools, and U.S.-based residential proxy routing. The team could monitor every action, force crashes, throttle connectivity, and take snapshots without alerting the operators.
Inside Famous Chollima’s Toolkit
The sandbox revealed an efficient toolset aimed at identity takeover and remote access rather than malware deployment. Operators synced their Chrome profiles and loaded:
- AI-powered job automation tools (Simplify Copilot, AiApply, Final Round AI) to auto-fill applications and generate interview answers
- Browser-based OTP generators (OTP.ee / Authenticator.cc) to manage 2FA after collecting identity documents
- Google Remote Desktop configured via PowerShell for persistent access
- Routine system reconnaissance commands (dxdiag, systeminfo, whoami) to validate the environment
- Connections routed through Astrill VPN, consistent with prior Lazarus infrastructure

In one session, an operator even left a Notepad message requesting the “developer” to upload ID, SSN, and banking information, confirming the ultimate goal: complete identity and workstation takeover without deploying a single malware file.
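The toolkit above is malware-free, so detection has to key on behaviour: the reconnaissance trio (whoami, systeminfo, dxdiag) fired in a short burst, and a remote desktop host being set up from PowerShell. The following is an added illustration written for this article, not code from the investigators or from ANY.RUN; the process events are constructed, and the Chrome Remote Desktop host binary name (remoting_start_host.exe) and the PowerShell parent are assumptions to verify against your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the investigation).
# Format per line: timestamp|user|parent_image|image|command_line
SAMPLE_EVENTS = """\
2025-11-04T09:12:01|LAPTOP\\dev|explorer.exe|chrome.exe|chrome.exe --profile-directory=Default
2025-11-04T09:15:10|LAPTOP\\dev|cmd.exe|whoami.exe|whoami
2025-11-04T09:15:12|LAPTOP\\dev|cmd.exe|systeminfo.exe|systeminfo
2025-11-04T09:15:40|LAPTOP\\dev|cmd.exe|dxdiag.exe|dxdiag /t C:\\Users\\dev\\dx.txt
2025-11-04T09:20:05|LAPTOP\\dev|powershell.exe|remoting_start_host.exe|remoting_start_host.exe --code=PLACEHOLDER --name=LAPTOP
2025-11-04T11:02:00|LAPTOP\\alice|explorer.exe|whoami.exe|whoami
"""

RECON = {"whoami.exe", "systeminfo.exe", "dxdiag.exe"}  # recon binaries named in the article
RECON_WINDOW = timedelta(minutes=10)
RECON_MIN_DISTINCT = 3
# Assumption: Chrome Remote Desktop host setup binary; verify against your own telemetry.
REMOTE_HOST_IMAGES = {"remoting_start_host.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, parent, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "parent": parent.lower(), "image": image.lower(), "cmd": cmd})
    return events

def detect(events):
    """Return (rule, user, timestamp) tuples; at most one recon alert per user."""
    alerts = []
    # Rule 1: all three recon binaries run by one user inside RECON_WINDOW.
    by_user = defaultdict(list)
    for e in events:
        if e["image"] in RECON:
            by_user[e["user"]].append(e)
    for user, recon in by_user.items():
        recon.sort(key=lambda e: e["ts"])
        for i, first in enumerate(recon):
            window = [e for e in recon[i:] if e["ts"] - first["ts"] <= RECON_WINDOW]
            if len({e["image"] for e in window}) >= RECON_MIN_DISTINCT:
                alerts.append(("recon_burst", user, first["ts"]))
                break
    # Rule 2: remote desktop host configured from a scripting host (PowerShell).
    for e in events:
        if e["image"] in REMOTE_HOST_IMAGES and e["parent"] in SCRIPT_HOSTS:
            alerts.append(("scripted_remote_desktop_setup", e["user"], e["ts"]))
    return alerts
```

A single whoami (the second user) does not fire, while the dev account trips both rules.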
A Warning for Companies and Hiring Teams
Remote recruitment has become a stealthy entry point for identity-based attacks. Attackers often reach organizations by targeting individual employees with seemingly legitimate interview requests. Once inside, the risk extends to internal dashboards, sensitive business data, and manager-level accounts, posing real operational threats.
Raising awareness among staff and providing a secure reporting process for suspicious activity can be the difference between preventing an attack early and facing a full-scale internal compromise.