A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, a solution for interactive malware analysis and threat intelligence, has uncovered one of North Korea’s most persistent infiltration schemes: a network of remote IT workers tied to Lazarus Group’s Famous Chollima division.
For the first time, researchers managed to watch the operators work live, capturing their activity on what they believed were real developer laptops. The machines, however, were fully controlled, long-running sandbox environments created by ANY.RUN.
The Setup: Get Recruited, Then Let Them In
 |
| Screenshot of a recruiter message offering a fake job opportunity |
The operation began when NorthScan’s Heiner García impersonated a U.S. developer targeted by a Lazarus recruiter using the alias “Aaron” (also known as “Blaze”).
Posing as a job-placement “business,” Blaze attempted to hire the fake developer as a frontman; a known Chollima tactic used to slip North Korean IT workers into Western companies, mainly in the finance, crypto, healthcare, and engineering sectors.
 |
| The process of interviews |
The scheme followed a familiar pattern:
- steal or borrow an identity,
- pass interviews with AI tools and shared answers,
- work remotely via the victim’s laptop,
- funnel salary back to DPRK.
Once Blaze asked for full access, including SSN, ID, LinkedIn, Gmail, and 24/7 laptop availability, the team moved to phase two.
The Trap: A “Laptop Farm” That Wasn’t Real
 |
| A safe virtual environment provided by ANY.RUN’s Interactive Sandbox |
Instead of using a real laptop, BCA LTD’s Mauro Eldritch deployed the ANY.RUN Sandbox’s virtual machines, each configured to resemble a fully active personal workstation with usage history, developer tools, and U.S. residential proxy routing.
The team could also force crashes, throttle connectivity, and snapshot every move without alerting the operators.
What They Found Inside the Famous Chollima’s Toolkit
The sandbox sessions exposed a lean but effective toolset built for identity takeover and remote access rather than malware deployment. Once their Chrome profile synced, the operators loaded:
- AI-driven job automation tools (Simplify Copilot, AiApply, Final Round AI) to auto-fill applications and generate interview answers.
- Browser-based OTP generators (OTP.ee / Authenticator.cc) for handling victims’ 2FA once identity documents were collected.
- Google Remote Desktop, configured via PowerShell with a fixed PIN, providing persistent control of the host.
- Routine system reconnaissance (dxdiag, systeminfo, whoami) to validate the hardware and environment.
- Connections consistently routed through Astrill VPN, a pattern tied to previous Lazarus infrastructure.
In one session, the operator even left a Notepad message asking the “developer” to upload their ID, SSN, and banking details, confirming the operation’s goal: full identity and workstation takeover without deploying a single piece of malware.
A Warning for Companies and Hiring Teams
Remote hiring has become a quiet but reliable entry point for identity-based threats. Attackers often reach your organization by targeting individual employees with seemingly legitimate interview requests. Once they’re inside, the risk goes far beyond a single compromised worker. An infiltrator can gain access to internal dashboards, sensitive business data, and manager-level accounts that carry real operational impact.
Raising awareness inside the company and giving teams a safe place to check anything suspicious can be the difference between stopping an approach early and dealing with a full-blown internal compromise later.
