Current Cyber Threats

Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera

Summary:
Security researchers have conducted an extensive investigation, led by Mauro Eldritch, into the North Korean state-sponsored Lazarus subgroup Famous Chollima (WageMole), which often targets and recruits legitimate IT professionals to conduct cyberespionage and funnel illicit wages. The threat actors use sophisticated social-engineering tactics, including stolen or rented IDs, deepfake videos, and AI tools like AIApply and Final Round AI, to secure remote positions at major Western companies. One of the methods involves recruiting an engineer as a proxy: the engineer lends their identity, attends interviews, and then grants the DPRK agent remote access to their computer for malicious activities, which obscures the agent’s traces and location. The engineer receives a percentage of the salary (20% to 35%) but bears all the legal risk for any malicious activity resulting from their rented identity.

Threat intelligence specialist Mauro Eldritch and Heiner García of NorthScan set up a simulated laptop farm honeypot using ANY.RUN sandbox services to infiltrate the operation. Posing as a previously contacted US-based developer, Andy Jones, García engaged with a DPRK agent who sought the full identity details (name, SSN, visa status, address) and 24/7 remote access via AnyDesk for “remote work”.

The researchers recorded the threat actor's activity in real time. They observed system reconnaissance, the use of Astrill VPN, and the installation of AI-powered browser extensions for autofilling applications and generating real-time interview responses. In one instance, by stalling the agent and trapping him in a login and CAPTCHA loop, they forced him to reveal more information. Notably, the agent logged into his Google account, syncing his preferences, which exposed details like email subscriptions to job platforms, Slack workspace names, and communication with other operatives, including one named Zeeshan Jamshed. This particular operation was found to involve a team of at least six members who compete with other North Korean fundraising teams. The collected data is crucial for enterprises to anticipate and disrupt these infiltration attempts.

Security Officer Comments:
This operation confirms that North Korean state-sponsored financial crime is growing in scale through automation. The adoption of AI tools like AIApply for resume generation and interview assistance, coupled with identity rental, makes it easier for DPRK agents to secure high-value remote jobs at scale. The most notable aspect of this observed operation is the social-engineering framework (the frontman proxy scheme) that offloads 100% of the operational and legal risk onto the compromised, but acquiescent, engineer. This intelligence underscores the need to prioritize rigorous identity verification during remote hiring, so that proxies are recognized, and continuous monitoring for unusual remote-access-tool activity (such as AnyDesk) on legitimate employee devices.
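As an added illustration of the monitoring point above (example code written for this brief, not tooling from the researchers or the FBI): a small Python detector run over constructed endpoint telemetry that flags remote-control tools such as AnyDesk and consumer VPN clients like Astrill on employee devices, and escalates when the same tool recurs across several days, the pattern of the standing access described in the summary. The process names, the sanctioned-tool allowlist, the off-hours window and the three-day threshold are assumptions.

```python
# Detect remote-access-tool activity on employee endpoints (added example).
# Telemetry line format (constructed): <ISO timestamp> <host> <user> <event> <detail>
# Events: proc_start (detail = image name), net_conn (detail = destination).
from collections import defaultdict
from datetime import datetime

REMOTE_CONTROL = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}  # assumed names
CONSUMER_VPN = {"astrill.exe"}                                       # assumed name
ALLOWED_RMM = {"msrdp.exe"}        # hypothetical corporate-sanctioned tool

# Constructed sample telemetry for one developer workstation and one control host.
SAMPLE_LOG = """\
2025-12-01T02:13:00 wks-0412 ajones proc_start anydesk.exe
2025-12-01T02:13:05 wks-0412 ajones net_conn relay.anydesk.example
2025-12-01T09:00:00 wks-0412 ajones proc_start outlook.exe
2025-12-02T03:40:00 wks-0412 ajones proc_start anydesk.exe
2025-12-02T03:41:00 wks-0412 ajones proc_start astrill.exe
2025-12-03T01:05:00 wks-0412 ajones proc_start anydesk.exe
2025-12-03T10:00:00 wks-0777 bsmith proc_start msrdp.exe
"""

def parse(lines):
    """Yield (timestamp, host, user, event, detail) tuples from telemetry text."""
    for line in lines.splitlines():
        ts, host, user, event, detail = line.split(" ", 4)
        yield datetime.fromisoformat(ts), host, user, event, detail.lower()

def analyze(lines, standing_days=3):
    """Return findings as (kind, host, user, tool, note) tuples.

    kind is remote_control, consumer_vpn, or standing_access (same remote-control
    tool seen on >= standing_days distinct days, i.e. persistent rather than a
    one-off support session). note marks off-hours (00:00-05:00) starts.
    """
    findings = []
    days_seen = defaultdict(set)
    for ts, host, user, event, detail in parse(lines):
        if event != "proc_start" or detail in ALLOWED_RMM:
            continue
        note = "offhours" if ts.hour < 5 else "hours"
        if detail in REMOTE_CONTROL:
            days_seen[(host, user, detail)].add(ts.date())
            findings.append(("remote_control", host, user, detail, note))
        elif detail in CONSUMER_VPN:
            findings.append(("consumer_vpn", host, user, detail, note))
    for (host, user, tool), days in days_seen.items():
        if len(days) >= standing_days:
            findings.append(("standing_access", host, user, tool, f"{len(days)}d"))
    return findings
```

Running `analyze(SAMPLE_LOG)` yields three off-hours AnyDesk starts, one Astrill start, and a standing-access finding for the workstation, while the sanctioned tool on the control host produces nothing.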

Suggested Corrections:
FBI Recommendations:
Scrutinize identity verification documents: Check for misspellings and cross-reference photographs and contact information (e.g., phone numbers, addresses, emails) with social media profiles, portfolio websites, and payment platforms.

Verify prior employment and education: Verify prior employment and higher education history directly with businesses and educational institutions.

Require in-person meetings: When possible, mandate in-person drug tests or fingerprinting to verify identity and claimed location. If you need to rely on virtual meetings:
  • Mandate video and request that their backgrounds be unobscured.
  • Have the individual point the camera out a window and ask questions about their claimed current location and the location listed on their identification documents.
  • Ask the individual to wave their hand in front of their face, as it may prompt a malfunction in AI-generated video.

Capture images of individuals: Capture images for comparison with future meetings. Sometimes an individual is employed to pass the initial interview, but the on-the-job work is completed by a different individual.

Analyze payment methods: Compare payment accounts of all employees, flagging those using similar documentation to establish accounts or with matching banking information. Monitor employees who change their bank accounts often, due to banks closing accounts of concern. Beware of agreements to pay employees using virtual currency, which enables funds to be transferred internationally without high levels of scrutiny.

Shipping work-related materials: If sending documents or work-related equipment such as a laptop, only send to the address listed in the employee's identification documents. If the employee requests delivery to a different address, require additional documentation to verify the address. Additionally, do not grant access to any systems until the background check is completed.

Contracted IT workers: If your company employs contracted IT workers who have been hired by a third-party company, seek to educate the third-party company about this guidance. Contract IT work is a common way that North Korean IT workers procure employment.

Contact your local FBI Field Office Private Sector Coordinator: Building and maintaining a working relationship with your FBI Private Sector Coordinator allows beneficial collaboration and information-sharing between the FBI and the private sector, while mitigating threats through longstanding, mutually beneficial partnerships.

Link(s):
https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html

https://www.bleepingcomputer.com/ne...-to-rent-identities-in-fake-it-worker-scheme/

https://www.ic3.gov/PSA/2025/PSA250723-4