A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, a solution for interactive malware analysis and threat intelligence, has uncovered one of North Korea’s most persistent infiltration schemes: a network of remote IT workers tied to Lazarus Group’s Famous Chollima division.
For the first time, researchers managed to watch the operators work live, capturing their activity on what they believed were real developer laptops. The machines, however, were fully controlled, long-running sandbox environments created by ANY.RUN.
The Setup: Get Recruited, Then Let Them In
[Figure: Screenshot of a recruiter message offering a fake job opportunity]
The operation began when NorthScan’s Heiner García impersonated a U.S. developer targeted by a Lazarus recruiter using the alias “Aaron” (also known as “Blaze”).
Posing as a job-placement “business,” Blaze attempted to hire the fake developer as a frontman, a known Chollima tactic used to slip North Korean IT workers into Western companies, mainly in the finance, crypto, healthcare, and engineering sectors.
[Figure: The process of interviews]
The scheme followed a familiar pattern:
- steal or borrow an identity,
- pass interviews with AI tools and shared answers,
- work remotely via the victim’s laptop,
- funnel salary back to DPRK.
Once Blaze asked for full access, including SSN, ID, LinkedIn, Gmail, and 24/7 laptop availability, the team moved to phase two.
The Trap: A “Laptop Farm” That Wasn’t Real
[Figure: A safe virtual environment provided by ANY.RUN’s Interactive Sandbox]
Instead of using a real laptop, BCA LTD’s Mauro Eldritch deployed the ANY.RUN Sandbox’s virtual machines, each configured to resemble a fully active personal workstation with usage history, developer tools, and U.S. residential proxy routing.
The team could also force crashes, throttle connectivity, and snapshot every move without alerting the operators.
What They Found Inside the Famous Chollima’s Toolkit
The sandbox sessions exposed a lean but effective toolset built for identity takeover and remote access rather than malware deployment. Once their Chrome profile synced, the operators loaded:
- AI-driven job automation tools (Simplify Copilot, AiApply, Final Round AI) to auto-fill applications and generate interview answers.
- Browser-based OTP generators (OTP.ee / Authenticator.cc) for handling victims’ 2FA once identity documents were collected.
- Google Remote Desktop, configured via PowerShell with a fixed PIN, providing persistent control of the host.
- Routine system reconnaissance (dxdiag, systeminfo, whoami) to validate the hardware and environment.
- Connections consistently routed through Astrill VPN, a pattern tied to previous Lazarus infrastructure.
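The toolkit above is notable for how little of it is malware: a scripted Chrome Remote Desktop registration with a fixed PIN, followed by a short burst of built-in Windows reconnaissance commands. That sequence is observable in ordinary process-creation telemetry. The following script is an added example written for this article, not tooling from BCA LTD, NorthScan or ANY.RUN; it runs two simple rules over constructed process-creation events and escalates when the same host and user trip both. The pipe-separated log format, every sample line, the PowerShell wrapper and the `--pin` argument shape are assumptions made for the demo; `remoting_start_host.exe` is the real name of the Chrome Remote Desktop host-registration binary.

```python
"""Detection sketch for the pattern described above: PowerShell-driven Chrome
Remote Desktop setup with a fixed PIN, then dxdiag/systeminfo/whoami.
Added example, not part of the investigation's tooling. The log format and
every sample line below are constructed for this demo."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

RECON_TOOLS = {"dxdiag.exe", "systeminfo.exe", "whoami.exe"}
# remoting_start_host is CRD's real host-registration binary; the exact
# PowerShell wrapper and the --pin argument shape are assumptions here.
CRD_PATTERN = re.compile(r"remoting_start_host|chrome\s*remote\s*desktop", re.IGNORECASE)
PIN_PATTERN = re.compile(r"(?:--|-|/)pin[=:\s]+\d{6,}", re.IGNORECASE)
RECON_WINDOW = timedelta(minutes=10)

# Constructed process-creation events: timestamp|host|user|parent|image|command line
SAMPLE_LOG = """\
2025-10-01T09:00:12|DEV-LAPTOP-01|jdoe|explorer.exe|chrome.exe|chrome.exe --profile-directory=Default
2025-10-01T09:03:41|DEV-LAPTOP-01|jdoe|explorer.exe|powershell.exe|powershell.exe -NoProfile -Command "& 'C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\CurrentVersion\\remoting_start_host.exe' --pin=123456"
2025-10-01T09:05:02|DEV-LAPTOP-01|jdoe|cmd.exe|whoami.exe|whoami /all
2025-10-01T09:05:30|DEV-LAPTOP-01|jdoe|cmd.exe|systeminfo.exe|systeminfo
2025-10-01T09:06:10|DEV-LAPTOP-01|jdoe|cmd.exe|dxdiag.exe|dxdiag /t C:\\Users\\jdoe\\dx.txt
2025-10-01T14:20:00|BUILD-SRV-02|svc_build|services.exe|systeminfo.exe|systeminfo
"""


def parse_events(text):
    """Turn the constructed pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host, "user": user, "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline,
        })
    return events


def detect_remote_desktop_setup(events):
    """Rule 1: a scripting host registering the CRD host, high severity when a
    fixed PIN is passed on the command line. Interactive setup normally goes
    through the browser, so a scripted registration on a developer endpoint
    is worth an alert on its own."""
    findings = []
    for ev in events:
        if ev["image"] in {"powershell.exe", "pwsh.exe"} and CRD_PATTERN.search(ev["cmdline"]):
            severity = "high" if PIN_PATTERN.search(ev["cmdline"]) else "medium"
            findings.append({"rule": "crd_scripted_setup", "severity": severity,
                             "host": ev["host"], "user": ev["user"], "time": ev["time"]})
    return findings


def detect_recon_burst(events, window=RECON_WINDOW, min_tools=2):
    """Rule 2: two or more distinct recon tools from the same host/user inside
    a short window. A lone systeminfo on a build server (last sample line)
    does not fire."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["image"] in RECON_TOOLS:
            by_actor[(ev["host"], ev["user"])].append(ev)
    findings = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            tools = {e["image"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(tools) >= min_tools:
                findings.append({"rule": "recon_burst", "severity": "medium",
                                 "host": host, "user": user, "time": first["time"],
                                 "tools": sorted(tools)})
                break  # one finding per actor is enough
    return findings


def correlate(events):
    """Run both rules; an actor that trips both is escalated to critical,
    mirroring the setup-then-recon sequence seen in the sandbox sessions."""
    findings = detect_remote_desktop_setup(events) + detect_recon_burst(events)
    rules_per_actor = defaultdict(set)
    for f in findings:
        rules_per_actor[(f["host"], f["user"])].add(f["rule"])
    for f in findings:
        if len(rules_per_actor[(f["host"], f["user"])]) > 1:
            f["severity"] = "critical"
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOG)):
        print(f["severity"].upper(), f["rule"], f["host"], f["user"], f.get("tools", ""))
```

The two rules are deliberately cheap: rule 1 alone will catch a scripted remote-desktop enrolment on any endpoint where users are not expected to self-provision remote access, and rule 2 alone is noisy (help-desk staff run `systeminfo` too), which is why the correlation step only escalates when both fire for the same host and user. Tune `RECON_WINDOW` and `min_tools` to the environment's baseline before deploying anything like this.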
In one session, the operator even left a Notepad message asking the “developer” to upload their ID, SSN, and banking details, confirming the operation’s goal: full…