Researchers from BCA LTD, NorthScan, and ANY.RUN trapped North Korean Lazarus Group operatives, linked to the Famous Chollima division, live in controlled sandboxes during an IT worker infiltration plot targeting U.S. finance and crypto firms.
The team posed as a developer to lure the recruiter “Aaron,” alias “Blaze,” who sought remote laptop access for espionage and revenue generation, which was funneled to the DPRK regime.
Extended ANY.RUN sandbox instances mimicked real developer machines with pre-installed tools, residential proxies for U.S. geolocation, and real-time monitoring of screen, files, and network activity.
Threat actors spammed GitHub repositories with job offers, promising developers a 20-35% cut of the salary in exchange for attending interviews under stolen identities, while "ghost" North Koreans handled the actual work remotely via tools like AnyDesk.
Heiner García impersonated “Andy Jones,” scheduling Calendly calls where Blaze demanded SSN, bank details, Gmail, LinkedIn access, and 24/7 laptop control with password “123qwe!#QWE.”
Mauro Eldritch deployed a "laptop farm" of Windows 10/11 VMs routed through U.S. proxies, forcing controlled crashes via System Restore to reset the operatives' progress and block malicious activity.
Operatives connected from Astrill VPN IP 194.33.45.162 (UK/U.S.-geolocated), running dxdiag for hardware intel, systeminfo for OS details, and whoami in CMD.
Blaze synced Chrome, loading extensions like Simplify Copilot (job autofill), AiApply (applications), Final Round AI (interview aids), OTP.ee (2FA), and Google Remote Desktop with PIN 123456.
“Assassin,” a teammate, joined sessions, revealing poor opsec with shared IPs and Slack chats. CAPTCHA loops, proxy flips to Germany, and isolation exposed their frustration, ending in paranoia as Blaze checked IP reputation on Scamalytics.
Famous Chollima favored social engineering over malware, using off-the-shelf remote access without custom payloads.
Network logs captured Astrill VPN, Slack workspaces (aaronzeeshan.slack.com), Telegram (t.me/peregrine423f), and GitHub spam accounts.
| Category | Indicators |
|---|---|
| IP | 194.33.45.162 |
| AnyDesk IDs | 1686564829, 1291915543 |
| URLs | github.com/7codewizard, calendly.com/7codewizard/30min |
| Tools | AstrillVPN, AnyDesk, Google Remote Desktop (GRD), Simplify Copilot, OTP.ee |
| Commands | dxdiag, systeminfo, remoting_start_host.exe |
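As an added defender-side example, not part of the research or this article, the following Python scan runs over constructed endpoint telemetry and flags the table's indicators plus the dxdiag/systeminfo/whoami reconnaissance burst described above; the flat log format, host names and timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the article's IoC table and log excerpt (not constructed).
IOC_IPS = {"194.33.45.162"}
IOC_ANYDESK_IDS = {"1686564829", "1291915543"}
IOC_DOMAINS = {"aaronzeeshan.slack.com", "github.com/7codewizard", "calendly.com/7codewizard/30min"}
REMOTE_ACCESS_PROCS = {"anydesk.exe", "remoting_start_host.exe"}
RECON_CMDS = {"dxdiag.exe", "systeminfo.exe", "whoami.exe"}

# Hypothetical flat log format (an assumption): "<ISO time> <host> <net|proc> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>net|proc) (?P<rest>.*)$")

def scan(lines, window=timedelta(minutes=10)):
    """Return (host, rule) alerts in log order; recon_burst fires once per host when >=2 distinct recon commands run within `window`."""
    alerts, recon_seen, burst_fired = [], defaultdict(list), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        f = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        ts, host, kind = datetime.fromisoformat(m["ts"]), m["host"], m["kind"]
        if kind == "net":
            # Known VPN exit IP or any of the recruiter's Slack/GitHub/Calendly URLs
            if f.get("dst") in IOC_IPS or any(d in f.get("url", "") for d in IOC_DOMAINS):
                alerts.append((host, "ioc_network"))
            continue
        image = f.get("image", "").lower()
        # Off-the-shelf remote access: AnyDesk / GRD host process, or a known AnyDesk ID in the arguments
        if image in REMOTE_ACCESS_PROCS or any(i in f.get("args", "") for i in IOC_ANYDESK_IDS):
            alerts.append((host, "remote_access_tool"))
        if image in RECON_CMDS:
            # Sliding window of recon commands per host; alert on the second distinct one
            seen = [(t, c) for t, c in recon_seen[host] if ts - t <= window] + [(ts, image)]
            recon_seen[host] = seen
            if len({c for _, c in seen}) >= 2 and host not in burst_fired:
                burst_fired.add(host)
                alerts.append((host, "recon_burst"))
    return alerts

# Constructed sample telemetry (not from the research); hosts, times and the 203.0.113.10 address are invented.
SAMPLE_LOG = """\
2025-06-01T09:00:05 DEV-LAPTOP-01 net dst=194.33.45.162 dport=443
2025-06-01T09:00:40 DEV-LAPTOP-01 proc image=AnyDesk.exe args=--connect,1686564829
2025-06-01T09:01:10 DEV-LAPTOP-01 proc image=dxdiag.exe args=
2025-06-01T09:01:30 DEV-LAPTOP-01 proc image=systeminfo.exe args=
2025-06-01T09:02:00 DEV-LAPTOP-01 proc image=whoami.exe args=
2025-06-01T09:05:00 DEV-LAPTOP-01 net dst=203.0.113.10 url=https://aaronzeeshan.slack.com/
2025-06-01T14:00:00 DEV-LAPTOP-02 proc image=systeminfo.exe args=
""".splitlines()
```

A lone systeminfo on the second host does not fire, which is the point of the window rule: the burst of hardware, OS and user enumeration right after the remote-access connection is the signal, not any single command.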
Companies face real risk from lax vetting of remote hires: enforce KYC and device policies, and scrutinize unusual offers. The operatives' opsec failures give defenders usable indicators amid U.S. DOJ raids on DPRK laptop farms.