
North Korean IT Worker Scam Lures Engineers to Rent Out Their Identities for Remote Jobs


In an unprecedented intelligence operation, security researchers exposed how North Korean IT "recruiters" lure developers into renting out their identities to fund the regime. The threat actor, tracked as Famous Chollima (also known as WageMole) and described as part of the state-sponsored Lazarus group, uses social engineering to place its operatives inside Western companies for espionage and for revenue generation.

Identity Rental and Remote Access

The group deceives recruiters and secures jobs at Fortune 500 companies by using stolen identities and deepfake video, and by avoiding appearing on camera during interviews. Another key method is recruiting legitimate engineers to act as frontmen: the engineer's real identity is used so that a DPRK agent can obtain a remote job at a targeted company.

The engineer serves as the face of the agent during interviews and receives 20% to 35% of the salary. To earn a larger share, the engineer must let the DPRK agents use their computer as a proxy for the actual work and any malicious activity, which hides the North Korean agent's true location and leaves traces on the engineer's machine instead. Mauro Eldritch, a threat intelligence specialist, warns that the complicit engineer assumes all of the risk: because the activity originates from their identity and hardware, they are the one held responsible for any damage done.

The Honeypot Operation

Eldritch and Heiner García of the NorthScan threat intelligence initiative devised a plan to expose this infiltration. Eldritch, already familiar with Famous Chollima's recruiting tactics from his previous work, found multiple GitHub accounts spamming repositories with a recruitment announcement. The offer was for individuals to attend technical interviews (for .NET, Java, Python, and other stacks) under a fake identity supplied by the recruiter, in exchange for around $3,000 per month.

The researchers used sandboxed services from ANY.RUN to set up a simulated "laptop farm" honeypot that recorded the activity in real time. García assumed the role of a rookie engineer named Andy Jones, based in the United States. Following initial interactions, the North Korean recruiter requested 24/7 remote access to the laptop over AnyDesk for "remote work."

The agent gradually revealed that he needed the engineer's ID, full name, visa status, and address in order to apply to interviews as Andy Jones. The frontman would receive 20% of the salary if he attended interviews himself, or 10% if he only provided his documents and laptop while the agent conducted the interviews remotely. The DPRK agent also asked for a social security number for background checks and confirmed that all accounts would need to be verified on KYC-compliant platforms, which is why a genuine identity, not a fabricated one, was required.

Tools and Tradecraft Exposed

When the DPRK agent connected to the sandboxed environment, the researchers observed that the connection came through Astrill VPN, a service popular among North Korean fake IT workers. The agent immediately performed system reconnaissance, checking the hardware and verifying the geographic location of the machine, presumably to confirm it really sat in the United States.

By stalling the agent, the researchers gathered more information about the operation and its tooling. The agents relied heavily on AI-powered browser extensions such as AIApply, Simplify Copilot, Final Round AI, and Saved Prompts. These extensions let the threat actor autofill job applications, generate resumes, store ChatGPT prompts, and produce real-time answers during technical interviews.

The agent also used OTP authentication extensions and followed a routine system reconnaissance pattern. At one point the fake recruiter logged into his Google account, which synchronized his browser profile and exposed his email inbox, revealing subscriptions to job-seeking platforms and fragments of Slack conversations. The Famous Chollima team involved in this operation consisted of six members who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo.

The information gathered from this controlled interaction is valuable for defenders: the remote-access tooling, VPN provider, browser extensions, and recruiting pattern provide an early warning of infiltration attempts and help defenders anticipate the group's behavior and disrupt its workflows.
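As an added example (not code from the NorthScan researchers or from this article), the script below turns two of the observations above into endpoint triage checks: an unattended remote-access session (AnyDesk, as in the honeypot) arriving from an anonymizing VPN exit or lasting long enough to match the "24/7 access" request, and a browser extension inventory containing the AI interview-assistant extensions the agent used. The log line format, the host names, the VPN address ranges (RFC 5737 documentation addresses standing in for a real threat-intelligence feed), the eight-hour session threshold, and the extension inventory are all constructed assumptions for illustration.

```python
"""Triage checks for DPRK remote-worker tradecraft. Added example, not
from the article or the researchers. All inputs below are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption: stand-in VPN exit ranges. A real deployment would load the
# provider's published ranges or a threat-intel feed here (the article
# names Astrill VPN; these RFC 5737 addresses are placeholders).
SUSPECT_VPN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Remote-access tools worth flagging when used unattended. AnyDesk is the
# one the article reports; extend as needed.
REMOTE_ACCESS_TOOLS = {"anydesk"}

# Extensions observed in the honeypot, matched by display name
# (case-insensitive). Extension IDs are deliberately not assumed.
SUSPECT_EXTENSIONS = {"aiapply", "simplify copilot", "final round ai", "saved prompts"}

# Assumption: a session of 8 hours or more counts as "persistent" access.
LONG_SESSION_MIN = 480


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def parse_session_log(lines):
    """Parse constructed lines: '<ts> host=<h> tool=<t> peer=<ip> duration_min=<n>'."""
    for line in lines:
        yield dict(field.split("=", 1) for field in line.split()[1:])


def check_remote_sessions(lines, long_session_min=LONG_SESSION_MIN):
    """Flag remote-access sessions from VPN exits or of unusual length."""
    alerts = []
    for rec in parse_session_log(lines):
        tool = rec.get("tool", "").lower()
        if tool not in REMOTE_ACCESS_TOOLS:
            continue
        peer = ipaddress.ip_address(rec["peer"])
        if any(peer in net for net in SUSPECT_VPN_RANGES):
            alerts.append(Alert(rec["host"], "remote_access_from_vpn",
                                f"{tool} session from VPN exit {peer}"))
        if int(rec.get("duration_min", 0)) >= long_session_min:
            alerts.append(Alert(rec["host"], "persistent_remote_access",
                                f"{tool} session lasted {rec['duration_min']} min"))
    return alerts


def check_extensions(inventory):
    """Flag hosts whose browser extension list contains AI interview helpers."""
    alerts = []
    for host, names in inventory.items():
        hits = sorted(n for n in names if n.strip().lower() in SUSPECT_EXTENSIONS)
        if hits:
            alerts.append(Alert(host, "ai_interview_extensions", ", ".join(hits)))
    return alerts


# Constructed telemetry: one host matching the honeypot pattern, two clean ones.
SAMPLE_SESSIONS = [
    "2024-05-01T09:12:00Z host=dev-laptop-01 tool=AnyDesk peer=203.0.113.45 duration_min=1440",
    "2024-05-01T10:00:00Z host=dev-laptop-02 tool=AnyDesk peer=192.0.2.10 duration_min=25",
    "2024-05-01T11:30:00Z host=dev-laptop-03 tool=ssh peer=203.0.113.7 duration_min=600",
]
SAMPLE_EXTENSIONS = {
    "dev-laptop-01": ["uBlock Origin", "AIApply", "Final Round AI", "Simplify Copilot"],
    "dev-laptop-02": ["uBlock Origin", "React Developer Tools"],
}


def triage(sessions=SAMPLE_SESSIONS, inventory=SAMPLE_EXTENSIONS):
    """Run both checks and return the combined alert list."""
    return check_remote_sessions(sessions) + check_extensions(inventory)


if __name__ == "__main__":
    for alert in triage():
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Either rule firing on its own is weak evidence; the combination on one host (a day-long AnyDesk session from a VPN exit plus interview-assistant extensions) is what resembles the laptop-farm pattern the researchers recorded, and is the point at which a defender would pull the machine for forensic review.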
