The Democratic People’s Republic of Korea (DPRK) is now using the real LinkedIn accounts of the individuals its IT workers impersonate to apply for remote positions, a new escalation of the fraudulent activity by IT workers associated with the country.
Security Alliance (SEAL) highlighted that these profiles have verified workplace emails and identity badges to make the fraudulent applications seem legitimate. This long-running operation involves DPRK operatives posing as remote workers to secure jobs in Western companies and elsewhere using stolen or fabricated identities.
The primary goal of these efforts is to generate revenue to fund the nation’s weapons programs, conduct espionage by stealing sensitive data, and even demand ransoms to prevent information leaks.
Last month, cybersecurity company Silent Push described the DPRK remote worker program as a “high-volume revenue engine” that enables threat actors to gain administrative access to sensitive codebases and establish persistence within corporate infrastructure.
Chainalysis noted that DPRK IT workers transfer cryptocurrency through various money laundering techniques, including chain-hopping and token swapping to complicate fund tracing.
To counter this threat, individuals are advised to post warnings on their social media accounts, and those reviewing job applications to verify that candidates actually own the accounts they list.
The Norwegian Police Security Service (PST) issued an advisory regarding several cases where Norwegian businesses have been impacted by North Korean IT worker schemes, with the salary income likely funding the country’s weapons programs.
Another social engineering campaign named Contagious Interview involves fake hiring flows to lure targets into interviews, eventually leading to the execution of malicious code.
New variants of this campaign have been observed using malicious Microsoft VS Code task files to deploy JavaScript malware that maintains persistent access and steals cryptocurrency wallets.
An intrusion set documented by Panther involves malicious npm packages that deploy a JavaScript remote access trojan (RAT) framework called Koalemos.
Labyrinth Chollima Segments into Specialized Operational Units
CrowdStrike revealed that the North Korean hacking crew Labyrinth Chollima has evolved into three separate clusters with distinct objectives and tradecraft: the core group, Golden Chollima, and Pressure Chollima.
Despite their independence, these adversaries share tools and infrastructure, indicating centralized coordination within the DPRK cyber apparatus. Labyrinth Chollima focuses on cyber espionage, using tools such as the FudModule rootkit for stealthy operations.
All three adversaries employ similar tradecraft, including HR-themed social engineering campaigns and trojanized software, showing close coordination among the units.