
Information technology (IT) workers associated with the Democratic People’s Republic of Korea (DPRK) are now applying for remote jobs using the real LinkedIn accounts of impersonated individuals, marking a new escalation of the fraud.
“These profiles often include verified work emails and ID badges, which North Korean operatives hope will make fraudulent applications appear legitimate,” the Security Alliance (SEAL) said in a series of posts on X.
The IT worker threat is a long-running North Korean operation in which North Korean agents pose as remote workers and use stolen or fabricated identities to secure jobs at Western companies and elsewhere. The activity is tracked by the broader cybersecurity community under names including Jasper Sleet, PurpleDelta, and Wagemole.
The ultimate goal of these efforts is two-pronged. One aim is to generate a steady source of income to fund the country’s weapons program; the other is to conduct espionage by stealing sensitive data and, in some cases, to go further by demanding a ransom in exchange for not leaking the information.
Cybersecurity firm Silent Push last month described North Korea’s remote worker program as a “massive revenue stream” for the regime, saying it also allows threat actors to gain administrative access to sensitive codebases and establish a permanent presence within corporate infrastructure.
“Once their salaries are paid, North Korean IT workers transfer cryptocurrencies through various money laundering methods,” blockchain analysis firm Chainalysis said in a report released in October 2025.
“One of the ways IT officials and money launderers sever the link between the source and destination of on-chain funds is through chain hopping or token swapping. They utilize smart contracts, such as decentralized exchanges and bridge protocols, to complicate the tracking of funds.”
To counter this threat, individuals who suspect their identity has been used in fraudulent job applications should consider posting a warning on their social media accounts, along with their official communication channels and a way to verify contact (such as a company email address).
“Always verify that the account a candidate lists is controlled by the email provided by the candidate,” the Security Alliance said. “A simple check, such as asking us to connect with you on LinkedIn, confirms ownership and control of your account.”
The disclosure comes after the Norwegian Police and Security Service (PST) issued an advisory saying it was aware of “several cases” of Norwegian companies being affected by the IT workers scheme over the past year.
PST said last week that “companies were likely deceived into hiring North Korean IT workers to work from home,” adding that “the salary income that North Korean employees receive through such positions would likely be used to fund the country’s weapons and nuclear weapons program.”
Running parallel to the IT worker scheme is another social engineering campaign called Contagious Interview. It uses a fake recruitment flow to approach potential targets with a job offer on LinkedIn and then lures them into an interview. The malicious phase of the attack begins when an individual claiming to be a recruiter or hiring manager instructs the target to complete a skills assessment, which ultimately leads to the execution of malicious code.
In one case, a spoofed recruitment campaign targeting technology workers mimicked the hiring process of digital asset infrastructure company Fireblocks; the threat actors allegedly asked candidates to clone a GitHub repository and run a command that installed an npm package, which in turn triggered the execution of malware.
“This campaign also employs EtherHiding, a new technology that utilizes blockchain smart contracts to host and obtain command and control infrastructure, making it more resistant to removal of malicious payloads,” said security researcher Ori Hershko. “These steps triggered the execution of malicious code hidden within the project. The setup process downloaded and executed malware onto the victim’s system, giving the attacker a foothold on the victim’s machine.”
Abstract Security and OpenSourceMalware report that, in recent months, new variants of the Contagious Interview campaign have been observed using malicious Microsoft VS Code task files to execute JavaScript malware disguised as web fonts, ultimately leading to the deployment of BeaverTail and InvisibleFerret, which provide persistent access and steal cryptocurrency wallets and browser credentials.
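As an added example (not code from the original article or from the researchers it cites), a small Python checker that flags the two traits such task files tend to share: a task that starts automatically when the folder is opened, and an interpreter or downloader pointed at a supposed font file. The tasks.json it scans is a constructed sample.

```python
import json
import re

# Command-line fragments worth a second look: an interpreter or downloader
# being handed a file with a web-font extension, which a genuine build task
# has no reason to do.
SUSPICIOUS_CMD = re.compile(r"\b(node|bash|sh|powershell|curl|wget)\b", re.I)
FONT_FILE = re.compile(r"\S+\.(woff2?|ttf|otf|eot)\b", re.I)

def task_command_text(task: dict) -> str:
    """Flatten the fields VS Code combines into a task's command line."""
    parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
    for os_key in ("windows", "linux", "osx"):  # per-OS overrides
        sub = task.get(os_key, {})
        parts.append(str(sub.get("command", "")))
        parts += [str(a) for a in sub.get("args", [])]
    return " ".join(parts)

def auto_runs(task: dict) -> bool:
    """True when VS Code would start the task as soon as the folder is opened."""
    return task.get("runOptions", {}).get("runOn") == "folderOpen"

def scan_tasks(tasks_json: str) -> list:
    """Return one finding per task that deserves a reviewer's attention.
    Assumes strict JSON; real tasks.json files may also contain comments."""
    findings = []
    for task in json.loads(tasks_json).get("tasks", []):
        cmd = task_command_text(task)
        reasons = []
        if auto_runs(task):
            reasons.append("runs automatically on folder open")
        if SUSPICIOUS_CMD.search(cmd) and FONT_FILE.search(cmd):
            reasons.append("interpreter or downloader invoked on a font file")
        if reasons:
            findings.append({"label": task.get("label", "<unnamed>"),
                             "command": cmd, "reasons": reasons})
    return findings

# Constructed sample for illustration, not a tasks.json taken from any campaign.
SAMPLE = json.dumps({"version": "2.0.0", "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "fonts", "type": "shell", "command": "node",
     "args": ["assets/fonts/roboto.woff2"],
     "runOptions": {"runOn": "folderOpen"}},
]})

if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE):
        print(finding["label"], "->", "; ".join(finding["reasons"]))
```

Point it at every `.vscode/tasks.json` in a repository you are asked to clone before opening it in the editor.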
Koalemos RAT Campaign
Another variant of the intrusion set, documented by Panther, is suspected of using a malicious npm package to deploy, via a loader, a modular JavaScript remote access Trojan (RAT) framework called Koalemos. The RAT is designed to enter a beacon loop: retrieve tasks from external servers, execute them, send back encrypted responses, and sleep for a random interval before repeating.
It supports 12 different commands for file system operations, file transfer, discovery commands (such as whoami), and arbitrary code execution. Some of the npm package names associated with the activity are:
env-workflow-test, sra-test-test, sra-testing-test, vg-medallia-digital, vg-ccc-client, vg-dev-env
“The initial loader performs a DNS-based execution gate and engagement date validation before downloading and spawning the RAT module as a separate process,” said security researcher Alessandra Rizzo. “Koalemos performs system fingerprinting, establishes encrypted command and control communications, and provides full remote access capabilities.”
Labyrinth Chollima Splits Into Specialized Operational Units
The development comes as it was revealed that a prolific North Korean hacking collective known as Labyrinth Chollima has evolved into three separate clusters with distinct objectives and tradecraft, namely the core Labyrinth Chollima group, Golden Chollima (aka AppleJeus, Citrine Sleet, UNC4736), and Pressure Chollima (aka Jade Sleet, TraderTraitor, UNC4899).
It is worth noting that, according to DTEX’s assessment, Labyrinth Chollima, along with Andariel and BlueNoroff, is considered a subcluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra), and that BlueNoroff has split into TraderTraitor and CryptoCore (aka Sapphire Sleet).
Despite their newfound independence, these adversaries continue to share tools and infrastructure, suggesting centralized coordination and resource allocation within North Korea’s cyber apparatus. Golden Chollima focuses on consistent small-scale cryptocurrency theft in economically developed regions, while Pressure Chollima singles out organizations with large amounts of digital assets and pursues high-value heists using sophisticated implants.
New North Korea cluster
Labyrinth Chollima’s activities, on the other hand, are motivated by cyber espionage, relying on tools such as the FudModule rootkit to stay stealthy. The group is also linked to Operation Dream Job, another job-themed social engineering campaign aimed at distributing malware for information-gathering purposes.
“The sharing of infrastructure elements and cross-pollination of tools shows that these sectors remain closely aligned,” CrowdStrike said. “All three attackers are using very similar techniques, including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages.”
