Researchers from BCA LTD, NorthScan, and ANY.RUN lured North Korean Lazarus Group operatives, linked to the Famous Chollima division, into controlled sandboxes and observed them live during an IT worker infiltration plot targeting U.S. finance and crypto firms.
The team posed as a developer to draw in the recruiter “Aaron,” alias “Blaze,” who sought remote laptop access for espionage and for revenue generation that was funneled to the DPRK regime.
Extended ANY.RUN sandbox instances mimicked real developer machines with pre-installed tools, residential proxies for U.S. geolocation, and real-time monitoring of screen, files, and network activity.
The Recruitment and Trap
Threat actors spammed GitHub repositories with job offers, promising developers a 20-35% cut of the salary for attending interviews using stolen identities, while “ghost” North Koreans handled the actual work remotely via tools like AnyDesk.

Heiner García impersonated “Andy Jones,” scheduling Calendly calls where Blaze demanded SSN, bank details, Gmail, LinkedIn access, and 24/7 laptop control with password “123qwe!#QWE.”
Mauro Eldritch deployed a “laptop farm” of Windows 10/11 VMs routed through U.S. proxies, forcing controlled crashes and using System Restore to roll back the operatives' progress and block malicious activity.
Operatives connected from Astrill VPN IP 194.33.45.162 (UK/U.S.-geolocated), running dxdiag for hardware details, systeminfo for OS details, and whoami in CMD.
Blaze synced Chrome, loading extensions like Simplify Copilot (job autofill), AiApply (applications), Final Round AI (interview aids), OTP.ee (2FA), and Google Remote Desktop with PIN 123456.

“Assassin,” a teammate, joined sessions, revealing poor opsec with shared IPs and Slack chats. CAPTCHA loops, proxy flips to Germany, and isolation exposed their frustration, ending in paranoia as Blaze checked IP reputation on Scamalytics.
Exposed Tools and Indicators
Famous Chollima favored social engineering over malware, using off-the-shelf remote access without custom payloads.
Network logs captured Astrill VPN, Slack workspaces (aaronzeeshan.slack.com), Telegram (t.me/peregrine423f), and GitHub spam accounts.
| Category | Indicators |
|---|---|
| IP | 194.33.45.162 |
| AnyDesk IDs | 1686564829, 1291915543 |
| URLs | github.com/7codewizard, calendly.com/7codewizard/30min |
| Tools | AstrillVPN, AnyDesk, GRD, Simplify Copilot, OTP.ee |
| Commands | dxdiag, systeminfo, remoting_start_host.exe |
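The indicators in the table are only useful if they are actually matched against endpoint and network telemetry. The following is an added example, not code from the researchers or from ANY.RUN: it loads the table's IP, AnyDesk IDs, URLs and tool names, scans constructed key=value log lines (the log format and field names are assumptions, not real telemetry), and additionally flags any host where the full dxdiag/systeminfo/whoami fingerprinting triple the operatives ran was observed.

```python
import re
from collections import defaultdict

# Indicators copied from the article's table. Every log line below is constructed
# for this example, in a simple key=value format; the field names are assumptions.
IOC_IPS = {"194.33.45.162"}
IOC_ANYDESK_IDS = {"1686564829", "1291915543"}
IOC_DOMAINS = {"aaronzeeshan.slack.com"}
IOC_URLS = {"github.com/7codewizard", "calendly.com/7codewizard/30min", "t.me/peregrine423f"}
REMOTE_ACCESS = ("anydesk.exe", "remoting_start_host.exe")  # AnyDesk, Google Remote Desktop host
RECON_CMDS = ("dxdiag", "systeminfo", "whoami")              # all three on one host = fingerprinting

SAMPLE_LOG = r"""
2024-05-01T10:02:11Z host=DEV-VM01 event=NetworkConnect dst=194.33.45.162 dport=443
2024-05-01T10:03:40Z host=DEV-VM01 event=ProcessCreate image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dxdiag /t C:\hw.txt"
2024-05-01T10:03:55Z host=DEV-VM01 event=ProcessCreate image="C:\Windows\System32\systeminfo.exe" cmdline="systeminfo"
2024-05-01T10:04:02Z host=DEV-VM01 event=ProcessCreate image="C:\Windows\System32\whoami.exe" cmdline="whoami"
2024-05-01T10:09:30Z host=DEV-VM01 event=RemoteSession image="C:\Users\andy\AppData\Roaming\AnyDesk\AnyDesk.exe" peer_id=1686564829
2024-05-01T10:12:14Z host=DEV-VM01 event=DnsQuery query=aaronzeeshan.slack.com
2024-05-01T10:15:01Z host=DEV-VM01 event=ProcessCreate image="C:\Program Files (x86)\Google\Chrome Remote Desktop\remoting_start_host.exe" cmdline="remoting_start_host.exe"
2024-05-01T10:20:45Z host=DEV-VM01 event=HttpRequest url=https://calendly.com/7codewizard/30min
2024-05-01T11:00:00Z host=DEV-VM02 event=ProcessCreate image="C:\Windows\System32\whoami.exe" cmdline="whoami"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse(line):
    """Split one log line into a dict of key=value fields (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def scan(log_text):
    """Return (findings, recon_hosts): (line_no, category, detail) tuples, plus hosts
    where the full dxdiag/systeminfo/whoami fingerprinting triple was observed."""
    findings, recon_seen = [], defaultdict(set)
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        ev = parse(raw)
        image = ev.get("image", "").lower()
        checks = [
            ("ioc_ip", ev.get("dst") in IOC_IPS, ev.get("dst")),
            ("ioc_anydesk_id", ev.get("peer_id") in IOC_ANYDESK_IDS, ev.get("peer_id")),
            ("ioc_domain", ev.get("query") in IOC_DOMAINS, ev.get("query")),
            ("ioc_url", any(u in ev.get("url", "") for u in IOC_URLS), ev.get("url")),
            ("remote_access_tool", image.endswith(REMOTE_ACCESS), image.rsplit("\\", 1)[-1]),
        ]
        findings += [(n, cat, detail) for cat, hit, detail in checks if hit]
        for tool in RECON_CMDS:                      # collect recon commands per host
            if re.search(rf"\b{tool}\b", ev.get("cmdline", "").lower()):
                recon_seen[ev.get("host", "?")].add(tool)
    recon_hosts = sorted(h for h, s in recon_seen.items() if s == set(RECON_CMDS))
    return findings, recon_hosts

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

DEV-VM02 ran only whoami, so it is not reported as a fingerprinting host; a single recon command is routine, the full triple shortly after a VPN connection is not.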
Companies face risk from lax vetting of remote hires: enforce KYC and device policies, and scrutinize unusual offers. The operatives' opsec failures aid defenders amid U.S. DOJ raids on DPRK laptop farms.