Full Report
A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, a solution for interactive malware analysis and threat intelligence, has uncovered one of North Korea’s most persistent infiltration schemes: a network of remote IT workers tied to Lazarus Group’s Famous Chollima division. For the first time, researchers managed
Analysis Summary
# Threat Actor: Lazarus Group (Famous Chollima Division)
## Attribution & Identity
**Primary Attribution:** Lazarus Group.
**Specific Unit:** Famous Chollima division.
**Known Aliases:** The recruiter who engaged the researchers (who were posing as job candidates) used the alias **"Aaron"** (also known as **"Blaze"**).
**Associated Groups:** Directly tied to North Korea's persistent infiltration schemes.
## Activity Summary
Researchers, through a joint investigation involving BCA LTD, NorthScan, and ANY.RUN, monitored the Famous Chollima division's "remote IT worker" infiltration scheme live within controlled sandbox environments. The operation focuses on using fraudulent employment as a vector to place North Korean IT workers as frontmen inside target Western companies.
The standard operational cycle observed involves:
1. **Recruitment:** A recruiter ("Blaze"/"Aaron") targets individuals (impersonated by researchers) for remote IT roles.
2. **Deception:** Identity theft/borrowing is used, followed by interviews (aided by AI tools like Simplify Copilot and Final Round AI).
3. **Infiltration:** The actor gains remote access to the victim's actual work laptop.
4. **Exfiltration:** Salary payments are funneled back to the DPRK.
## Tactics, Techniques & Procedures
This TTP set focuses heavily on identity takeover and establishing remote access rather than traditional malware deployment.
- **Human-Machine Teaming (HMT) for Recruiting:** Using AI-driven job automation tools (**Simplify Copilot, AiApply, Final Round AI**) to automate application filling and generate interview responses.
- **Credential/Identity Harvesting:** Requesting sensitive PII from the "employee" (SSN, ID, Gmail, banking details).
- **Multi-Factor Authentication (MFA) Bypass:** Utilizing browser-based OTP generators (**OTP.ee / Authenticator.cc**) once identity documents are obtained.
- **Persistent Remote Access:** Establishing control via **Google Remote Desktop**, configured with a fixed PIN via PowerShell.
- **Environment Reconnaissance:** Conducting routine system checks (**dxdiag, systeminfo, whoami**) to validate the host environment.
- **Infrastructure Obfuscation:** Consistently routing connections through **Astrill VPN**.
- **Non-Malware Approach:** Achieving initial access and control without deploying direct malware artifacts to the host system.
- *(MITRE ATT&CK IDs not explicitly provided in the context, but relevant TTPs fall under Initial Access, Persistence, and Credential Access.)*
## Targeting
**Sectors:** Finance, Crypto, Healthcare, and Engineering.
**Geography:** Targeting Western companies (implied by the targeting of U.S. developers and use of U.S. residential proxies).
**Victims:** Companies within the targeted sectors that hire remote developers/IT workers, serving as entry points for long-term infiltration.
## Tools & Infrastructure
- **AI Tools:** Simplify Copilot, AiApply, Final Round AI.
- **MFA Tools:** OTP.ee / Authenticator.cc.
- **Remote Access:** Google Remote Desktop (configured via PowerShell).
- **VPN/C2:** Astrill VPN (consistent pattern tied to Lazarus infrastructure).
- **Monitoring Infrastructure:** ANY.RUN Sandbox environments configured with usage history and U.S. residential proxy routing for operational camouflage.
## Implications
The identified scheme represents a highly sophisticated, supply-chain-like threat where attackers insert validated, seemingly legitimate human operators directly into enterprise networks for persistent, low-detection access. This method bypasses traditional endpoint detection by relying on legitimate user credentials and tools (like Google Remote Desktop) instead of overt malware, increasing the risk of accessing sensitive internal dashboards and manager-level accounts.
## Mitigations
- **Enhanced Vetting for Remote Hires:** Implement deep background checks for remote IT and developer roles, focusing on identity verification beyond standard digital footprints.
- **Zero Trust Implementation:** Enforce strict Zero Trust principles, especially regarding access requests originating from newly onboarded remote employees, limiting initial permissions severely.
- **MFA Complexity:** Mandate hardware tokens or complex application-based MFA methods over easily phishable browser-integrated OTP generators.
- **Endpoint Control Monitoring:** Monitor for the unusual installation or configuration of remote access tools (like Google Remote Desktop) via PowerShell or administrative functions on developer machines.
- **Security Awareness Training:** Educate hiring and onboarding teams about social engineering tactics involving remote job placement scams.
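The "Endpoint Control Monitoring" mitigation above, applied to the two host behaviours the TTP section describes (a Google Remote Desktop host registered from PowerShell with a fixed PIN, and a burst of dxdiag/systeminfo/whoami checks), as an added detection sketch that is not part of the report; the telemetry is constructed, and the Chrome Remote Desktop host binary names and `--pin` flag are assumptions, not values from the page.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified Sysmon-style JSON-lines shape; not real logs.
SAMPLE_LOG = """
{"ts":"2025-01-10T09:02:11Z","user":"jdoe","parent":"explorer.exe","image":"powershell.exe","cmd":"powershell.exe -nop -w hidden"}
{"ts":"2025-01-10T09:02:40Z","user":"jdoe","parent":"powershell.exe","image":"remoting_start_host.exe","cmd":"remoting_start_host.exe --code=REDACTED --pin=123456 --name=DEV-LAPTOP"}
{"ts":"2025-01-10T09:05:03Z","user":"jdoe","parent":"cmd.exe","image":"whoami.exe","cmd":"whoami"}
{"ts":"2025-01-10T09:05:20Z","user":"jdoe","parent":"cmd.exe","image":"systeminfo.exe","cmd":"systeminfo"}
{"ts":"2025-01-10T09:06:01Z","user":"jdoe","parent":"cmd.exe","image":"dxdiag.exe","cmd":"dxdiag /t report.txt"}
{"ts":"2025-01-10T13:30:00Z","user":"asmith","parent":"cmd.exe","image":"whoami.exe","cmd":"whoami"}
"""

RECON_TOOLS = {"dxdiag.exe", "systeminfo.exe", "whoami.exe"}      # the checks named in the report
SHELLS = {"powershell.exe", "pwsh.exe"}
RD_HOST_MARKERS = ("remoting_start_host.exe", "remoting_host.exe")  # assumed CRD host binary names
RECON_WINDOW = timedelta(minutes=10)                                # assumed clustering window

def parse_events(text):
    """Parse JSON lines into dicts with a real datetime in 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return (rule, user, detail) findings for the two behaviours described in the report."""
    findings, by_user = [], {}
    for ev in events:
        img, cmd = ev["image"].lower(), ev["cmd"].lower()
        # Rule 1: remote-desktop host registered from a PowerShell parent; a fixed PIN is an extra signal.
        if ev["parent"].lower() in SHELLS and any(m in img or m in cmd for m in RD_HOST_MARKERS):
            pin = " with fixed PIN" if "--pin" in cmd else ""
            findings.append(("remote_desktop_host_via_powershell", ev["user"], img + pin))
        # Rule 2: two or more distinct recon tools run by one user inside RECON_WINDOW (fires once per user).
        if img in RECON_TOOLS:
            recent = [r for r in by_user.get(ev["user"], []) if ev["ts"] - r[0] <= RECON_WINDOW]
            recent.append((ev["ts"], img))
            by_user[ev["user"]] = recent
            tools = {t for _, t in recent}
            if len(tools) >= 2 and not any(f[0] == "recon_burst" and f[1] == ev["user"] for f in findings):
                findings.append(("recon_burst", ev["user"], ",".join(sorted(tools))))
    return findings
```

A single whoami from another user does not fire, so the rule keys on the combination and the parent process rather than on any one tool.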