
A joint investigation led by Mauro Eldritch, founder of BCA LTD, and conducted in collaboration with NorthScan, a threat intelligence company, and ANY.RUN, an interactive malware analysis and threat intelligence solution, revealed a network of remote IT employees tied to one of North Korea’s most persistent intrusion schemes, the Lazarus Group’s Famous Chollima division.
For the first time, researchers were able to observe the operators working live, capturing their activity on what the operators took to be a real developer’s laptop. In reality, these machines were fully controlled, long-running sandbox environments created by ANY.RUN.
How it works: Recruit and then let them join the company
Screenshot of a message from a recruiter offering a fake job offer
The operation began when NorthScan’s Heiner García posed as a U.S. developer targeted by a Lazarus recruiter operating under the alias “Aaron” (also known as “Blaze”).
Blaze tried to hire the fake developer as a front man under the guise of a job placement “business,” a known Famous Chollima tactic for placing North Korean IT workers in Western companies, primarily in the finance, cryptocurrency, healthcare, and engineering sectors.
Interview flow
This scheme followed a well-known pattern: steal or borrow identities, use AI tools to pass interviews and share answers, work remotely via victims’ laptops, and repatriate salaries to North Korea.
The team moved to Phase 2 when Blaze requested full access, including SSN, ID, LinkedIn, Gmail, and 24/7 laptop availability.
Trap: A “laptop farm” that wasn’t real
A secure virtual environment provided by ANY.RUN’s interactive sandbox
Instead of a real laptop, Mauro Eldritch of BCA LTD deployed an ANY.RUN sandbox virtual machine. Each VM is configured to look like a fully active personal workstation, with usage history, developer tools, and U.S. residential proxy routing.
The team could also force crashes, adjust connections, and snapshot every action without alerting the operators.
What they found inside the Famous Chollima toolkit
The sandbox session exposed a lean and effective toolset built for identity takeover and remote access, not malware deployment. When the Chrome profile was synced, the operator loaded:
AI-powered job automation tools (Simplify Copilot, AiApply, Final Round AI) that automatically fill out application forms and generate interview responses.
A browser-based OTP generator (OTP.ee / Authenticator.cc) to handle the victim’s 2FA once identity documents have been collected.
Google Remote Desktop, configured via PowerShell with a fixed PIN, giving persistent control of the host.
Routine system reconnaissance (dxdiag, systeminfo, whoami) to validate the hardware and environment.
Connections consistently routed through Astrill VPN, a pattern seen in previous Lazarus infrastructure.
In one session, the operator left a Notepad message asking “developers” to upload their ID, SSN, and bank account details, confirming that the goal of the operation was to take over complete identities and workstations without deploying any malware.
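The toolkit above is malware-free, so endpoint detection has to key on behaviour rather than file hashes. The following is an added detection sketch, not code from the investigation or from ANY.RUN: it flags a host where a PowerShell-launched remote-desktop host setup is followed within a short window by a burst of the recon commands named in the report. It assumes process-creation telemetry in the tuple shape shown and that Chrome Remote Desktop’s host setup runs as remoting_start_host.exe; the log events are constructed for the example.

```python
"""Behavioural detection for the workstation-takeover pattern described above:
PowerShell spawning the remote-desktop host installer, then dxdiag/systeminfo/
whoami on the same host shortly afterwards. Events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RECON = {"dxdiag.exe", "systeminfo.exe", "whoami.exe"}
# Assumed binary name for the Chrome Remote Desktop host setup on Windows.
RDP_HOST_IMAGE = "remoting_start_host.exe"

# Constructed process-creation events: (timestamp, host, parent image, image)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:05", "WS-DEV01", "explorer.exe", "chrome.exe"),
    ("2024-05-01T09:02:10", "WS-DEV01", "powershell.exe", "remoting_start_host.exe"),
    ("2024-05-01T09:03:00", "WS-DEV01", "cmd.exe", "whoami.exe"),
    ("2024-05-01T09:03:20", "WS-DEV01", "cmd.exe", "systeminfo.exe"),
    ("2024-05-01T09:04:00", "WS-DEV01", "cmd.exe", "dxdiag.exe"),
    ("2024-05-01T11:30:00", "WS-DEV02", "cmd.exe", "whoami.exe"),  # lone recon, benign
]


def parse(event):
    ts, host, parent, image = event
    return datetime.fromisoformat(ts), host, parent.lower(), image.lower()


def find_takeover_candidates(events, window=timedelta(minutes=15), min_recon=2):
    """Return hosts where a PowerShell-launched remote-desktop host setup is
    followed within `window` by at least `min_recon` distinct recon commands."""
    by_host = defaultdict(list)
    for ev in events:
        ts, host, parent, image = parse(ev)
        by_host[host].append((ts, parent, image))
    hits = []
    for host, evs in by_host.items():
        evs.sort()
        for ts, parent, image in evs:
            if image == RDP_HOST_IMAGE and parent.endswith(("powershell.exe", "pwsh.exe")):
                # Distinct recon binaries seen on this host after the setup event.
                seen = {img for t, _, img in evs if ts <= t <= ts + window and img in RECON}
                if len(seen) >= min_recon:
                    hits.append({"host": host, "setup_at": ts.isoformat(), "recon": sorted(seen)})
    return hits


if __name__ == "__main__":
    for hit in find_takeover_candidates(SAMPLE_EVENTS):
        print(hit)
```

The lone whoami on WS-DEV02 is deliberately not flagged; the combination of the remote-access setup and the recon burst is what separates this pattern from ordinary admin activity.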
A warning to companies and recruitment teams
Remote employment has become a quiet but reliable entry point for identity-based threats. Attackers often reach organizations by targeting individual employees with seemingly legitimate interview requests. Once they get inside, the risk extends far beyond a single compromised employee: intruders gain access to internal dashboards, sensitive business data, and manager-level accounts that affect real-world operations.
Raising internal awareness and giving your team a safe place to report anything suspicious can be the difference between stopping an approach early and dealing with a full-blown internal breach later.
