Researchers exposed a Lazarus scheme using remote IT workers tied to North Korea’s Famous Chollima APT group in a joint investigation.
Researchers filmed the Lazarus APT group’s remote-worker scheme in action, uncovering a North Korean network of IT contractors linked to the Famous Chollima unit, TheHackerNews reported.
Recently, multiple cybersecurity firms and government agencies observed North Korea-linked APT groups, such as Chollima, using IT workers to infiltrate organizations across finance, crypto, healthcare, and engineering sectors.
The joint investigation by the researcher Mauro Eldritch, NorthScan, and ANY.RUN uncovered one of North Korea’s most persistent infiltration schemes.
The researchers spotted Lazarus operators live for the first time by luring them into controlled sandbox environments disguised as real developer laptops. The operation began when NorthScan’s Heiner García posed as a U.S. developer targeted by a recruiter called “Aaron/Blaze,” who tried to hire him as a front to place North Korean IT workers inside Western companies.

The scheme unfolded predictably: the operators grabbed or reused someone’s identity, used AI tools and shared answer sheets to pass interviews, worked remotely through the victim’s laptop, and sent all earnings back to North Korea. When Blaze pushed for full access, asking for the victim’s SSN, ID, LinkedIn, Gmail, and 24/7 control of the laptop, the team moved to phase two.
Instead of handing over a real machine, Mauro Eldritch from BCA LTD set up a “laptop farm” using ANY.RUN virtual machines. Each one looked like a genuine developer workstation, complete with browsing history, tools, and a U.S. residential proxy. The team could crash sessions, slow the connection, and capture every action the operators took, all without tipping them off.
The researchers then analyzed the sandbox sessions and found evidence of a simple but effective toolkit focused on stealing identities and taking over remote machines, not on planting malware. As soon as the operators’ Chrome profile synced, they began loading their usual tools.
They relied on AI job-automation apps like Simplify Copilot, AiApply, and Final Round AI to fill out applications and generate interview responses for them. They opened browser-based OTP generators (OTP.ee and Authenticator.cc) so they could handle the victim’s 2FA once they collected identity documents. They installed Google Remote Desktop and configured it through PowerShell with a fixed PIN, giving themselves ongoing control of the system.
They ran routine checks—dxdiag, systeminfo, whoami—to make sure the machine matched what they expected. Every connection traveled through Astrill VPN, a hallmark of earlier Lazarus operations.
In one session, the operator even typed a Notepad message asking the “developer” to upload their ID, SSN, and banking information, making their goal unmistakable: take over the victim’s identity and workstation without deploying any malware at all.
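The tradecraft above leaves a detectable footprint even without malware: a burst of host-reconnaissance commands followed by a headless remote-desktop setup launched from PowerShell with a fixed PIN. The following is an added detection example, not code from the article or the researchers; it runs over constructed process-creation records (timestamp | host | user | parent | command line) and flags hosts showing either pattern. The binary name remoting_start_host.exe and the --pin= switch are assumed indicators taken from Chrome Remote Desktop’s headless setup (the product the article calls Google Remote Desktop); adjust them to what your own telemetry shows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): timestamp|host|user|parent|command line
SAMPLE_EVENTS = r"""
2025-11-20T14:02:11Z|DEV-LAPTOP-07|devuser|powershell.exe|C:\Windows\System32\dxdiag.exe /t C:\Users\devuser\dx.txt
2025-11-20T14:02:40Z|DEV-LAPTOP-07|devuser|powershell.exe|systeminfo
2025-11-20T14:03:05Z|DEV-LAPTOP-07|devuser|cmd.exe|whoami /all
2025-11-20T14:09:50Z|DEV-LAPTOP-07|devuser|powershell.exe|"C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code=REDACTED --pin=123456 --name=DEV-LAPTOP-07
2025-11-20T16:30:00Z|DEV-LAPTOP-12|alice|explorer.exe|C:\Windows\System32\dxdiag.exe
2025-11-21T09:15:00Z|DEV-LAPTOP-12|alice|cmd.exe|whoami
"""

RECON_COMMANDS = {"dxdiag", "systeminfo", "whoami"}   # checks the article describes
RECON_WINDOW = timedelta(minutes=10)                  # two or more of them this close = burst

def parse_event(line):
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "parent": parent.lower(), "cmd": cmd}

def image_name(cmd):
    """Executable name without path or .exe, handling quoted Windows paths."""
    cmd = cmd.strip()
    exe = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower().removesuffix(".exe")

def is_headless_crd_setup(event):
    # Assumed indicator: CRD host registration with a pre-set PIN (unattended access)
    cmd = event["cmd"].lower()
    return "remoting_start_host" in cmd and "--pin=" in cmd

def has_recon_burst(events):
    recon = sorted((e["time"], image_name(e["cmd"])) for e in events
                   if image_name(e["cmd"]) in RECON_COMMANDS)
    for i, (t0, _) in enumerate(recon):
        distinct = {name for t, name in recon[i:] if t - t0 <= RECON_WINDOW}
        if len(distinct) >= 2:
            return True
    return False

def analyze(log_text):
    """Return {host: [finding tags]} for hosts matching the fixed-PIN remote-access pattern."""
    by_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, events in by_host.items():
        tags = []
        if has_recon_burst(events):
            tags.append("recon_burst")
        if any(is_headless_crd_setup(e) and "powershell" in e["parent"] for e in events):
            tags.append("crd_headless_pin_via_powershell")
        if tags:
            findings[host] = tags
    return findings

if __name__ == "__main__":
    for host, tags in analyze(SAMPLE_EVENTS).items():
        print(host, ", ".join(tags))
```

DEV-LAPTOP-12 runs dxdiag and whoami too, but hours apart and with no remote-desktop setup, so it is not flagged; tune RECON_WINDOW to your environment’s baseline.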
Building awareness and giving staff a safe way to report suspicious contacts helps stop threats early before they turn into full internal compromises.
Source: SecurityAffairs
Source Link: https://securityaffairs.com/185271/hacking/researchers-spotted-lazaruss-remote-it-workers-in-action.html
After months inside
This wouldn’t have been possible without our friends at ANY RUN (
Meet Aaron AKA Blaze, a
He offered 35% of a salary if we let his operators use our laptops "to work in" (infiltrate) Western companies.
We gave him ANYRUN sandboxes, recording everything they did.
Full article below. Full disclosure on Dec 4.
(@MauroEldritch)