Researchers Infiltrate Lazarus Group’s “Famous Chollima” Job-Fraud Network Using Fake Developer Laptops

Dec 3, 2025 | News


Overview

A joint investigation by BCA LTD, NorthScan, and ANY.RUN has exposed one of North Korea’s most persistent infiltration pipelines — a vast network of remote IT workers tied to Lazarus Group’s Famous Chollima division.

For the first time, researchers were able to watch Lazarus operators work in real time, tricking them into using fake developer laptops that were actually long-running interactive sandboxes controlled entirely by analysts. The investigation sheds new light on how North Korea embeds covert workers inside Western companies to steal identities, siphon salaries, and gain access to corporate infrastructure.


Phase 1: Infiltration Through Fake Recruitment

The operation began when NorthScan’s Heiner García posed as a U.S.-based developer — a common target for North Korean recruiters. The adversary, using the alias “Aaron” or “Blaze”, attempted to hire the fake developer as a frontman.

The tactic follows the typical Famous Chollima recruitment chain:

  • Use stolen or borrowed identities
  • Coach candidates using AI to pass interviews
  • Operate remotely through the victim’s laptop
  • Funnel contractor earnings back to the DPRK

Once “Blaze” demanded full identity takeover — including SSN, ID, Gmail access, LinkedIn credentials, and 24/7 laptop availability — the researchers moved into the second phase.

Screenshot of a recruiter message offering a fake job opportunity


Phase 2: The “Laptop Farm” That Wasn’t Real

Instead of providing a real machine, ANY.RUN deployed multiple sandbox virtual desktops tailored to look like legitimate developer workstations. These decoy systems included:

  • Fake usage history
  • Developer tooling (IDEs, repos, browser profiles)
  • U.S. residential proxies for realism
  • Long uptime patterns to resemble active users

Because the machines were fully under researcher control, they could:

  • Monitor all operator actions
  • Force system crashes on command
  • Capture screenshots, sessions, and executed commands
  • Track file uploads and browser sync activity
  • Log VPN, network, and remote-access setup

The Lazarus operator believed they were working on a real target device the entire time.

A safe virtual environment provided by ANY.RUN’s Interactive Sandbox


Phase 3: Inside Famous Chollima’s Toolkit

Once logged into the fake workstation, the operator’s behavior revealed a clear pattern. Notably, no malware was deployed — evidence that the operation relies on identity takeover, not technical exploits.

Tools and techniques observed:

1. Identity & job automation

  • Simplify Copilot
  • AiApply
  • Final Round AI
    (Used to auto-fill applications, answer interview questions, and pass hiring filters.)

2. OTP & authentication bypass tools

  • OTP.ee
  • Authenticator.cc
    (Used after stealing identity documents to manage victims’ 2FA.)

3. Persistent remote access

  • Google Remote Desktop installed via PowerShell
  • Fixed PIN configuration for ongoing access

4. System reconnaissance

  • dxdiag
  • systeminfo
  • whoami
    (Used to confirm machine validity and profile hardware.)

5. Infrastructure ties

All traffic routed through Astrill VPN, a known indicator in prior Lazarus operations.

In one session, the operator even left a Notepad message instructing the fake developer to upload:

  • SSN
  • Government ID
  • Bank account details

This confirms the goal: identity theft combined with endpoint takeover.
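The host-side pattern listed above (a remote-access host deployed from PowerShell, a burst of dxdiag/systeminfo/whoami, and a consumer VPN client) is something a defender can hunt for in endpoint process-creation telemetry. The script below is an added example written for this page, not code from the researchers or the article; it runs over constructed, Sysmon-style process-creation events with assumed field names (`time`, `host`, `user`, `parent`, `image`, `cmd`). The installer file name used as a remote-access indicator comes from my own knowledge of the Chrome Remote Desktop product rather than from the article, and the sample command lines are invented for illustration.

```python
"""Detection example: flag the host-side pattern the article describes in
process-creation logs. Events, field layout and indicator strings are
constructed assumptions, not telemetry from the investigation."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators (tunable): the MSI name is from my knowledge of the
# Chrome Remote Desktop host installer, not from the article; "astrill" is
# the VPN provider the article names.
REMOTE_ACCESS_MARKERS = ("chromeremotedesktophost",)
RECON_IMAGES = {"dxdiag.exe", "systeminfo.exe", "whoami.exe"}
RECON_WINDOW = timedelta(minutes=10)
VPN_MARKERS = ("astrill",)

# Constructed sample events (not real data). Times are ISO-8601 UTC.
SAMPLE_EVENTS = [
    {"time": "2025-11-20T14:02:11Z", "host": "DEV-LAPTOP-01", "user": "jdoe",
     "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden msiexec /i chromeremotedesktophost.msi /qn"},
    {"time": "2025-11-20T14:03:40Z", "host": "DEV-LAPTOP-01", "user": "jdoe",
     "parent": "code.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Get-ChildItem C:\\repo"},  # benign: must not fire
    {"time": "2025-11-20T14:05:02Z", "host": "DEV-LAPTOP-01", "user": "jdoe",
     "parent": "cmd.exe", "image": "whoami.exe", "cmd": "whoami"},
    {"time": "2025-11-20T14:06:15Z", "host": "DEV-LAPTOP-01", "user": "jdoe",
     "parent": "cmd.exe", "image": "systeminfo.exe", "cmd": "systeminfo"},
    {"time": "2025-11-20T14:07:30Z", "host": "DEV-LAPTOP-01", "user": "jdoe",
     "parent": "cmd.exe", "image": "dxdiag.exe", "cmd": "dxdiag /t out.txt"},
    {"time": "2025-11-20T14:10:00Z", "host": "DEV-LAPTOP-01", "user": "jdoe",
     "parent": "explorer.exe", "image": "astrill.exe", "cmd": "astrill.exe"},
    {"time": "2025-11-20T15:00:00Z", "host": "DEV-LAPTOP-02", "user": "asmith",
     "parent": "cmd.exe", "image": "whoami.exe", "cmd": "whoami"},  # lone recon cmd: must not fire
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _finding(rule, ev):
    return {"rule": rule, "time": ev["time"], "host": ev["host"],
            "user": ev["user"], "detail": ev["cmd"]}


def detect(events):
    """Return one finding dict per matched rule, in chronological order."""
    findings = []
    recon_seen = defaultdict(list)  # (host, user) -> [(time, image), ...] inside the window
    recon_reported = set()          # one recon alert per (host, user)
    for ev in sorted(events, key=lambda e: e["time"]):
        t = parse_time(ev["time"])
        image, cmd = ev["image"].lower(), ev["cmd"].lower()
        key = (ev["host"], ev["user"])
        # Rule 1: remote-access host deployed from a PowerShell command line.
        if image == "powershell.exe" and any(m in cmd for m in REMOTE_ACCESS_MARKERS):
            findings.append(_finding("remote_access_install_via_powershell", ev))
        # Rule 2: all three recon commands by one user within RECON_WINDOW.
        if image in RECON_IMAGES:
            recon_seen[key] = [(ts, im) for ts, im in recon_seen[key]
                               if t - ts <= RECON_WINDOW]
            recon_seen[key].append((t, image))
            if ({im for _, im in recon_seen[key]} == RECON_IMAGES
                    and key not in recon_reported):
                recon_reported.add(key)
                findings.append(_finding("recon_burst", ev))
        # Rule 3: consumer VPN client running on a managed device.
        if any(m in image for m in VPN_MARKERS):
            findings.append(_finding("vpn_client_on_managed_device", ev))
    return findings


def rule_names(findings):
    return [f["rule"] for f in findings]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']} {f['rule']}: {f['detail']}")
```

On the constructed sample this yields exactly three findings, all on the decoy laptop: the PowerShell installer line, the recon burst (reported at the dxdiag event that completes the trio), and the VPN client, while the benign PowerShell command and the lone `whoami` on the second host stay quiet. The recon rule deliberately requires the full trio inside a short window, because any one of those commands on its own is too common on a developer workstation to page on.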




Why These Operations Are So Dangerous

North Korea’s IT worker programs are designed to embed DPRK operatives inside legitimate Western companies. Once inside, operators can:

  • Access internal dashboards
  • Modify payroll routes
  • Siphon funds
  • Redirect crypto flows
  • Harvest insider data
  • Move laterally into corporate systems
  • Support broader Lazarus campaigns

The technique bypasses traditional cybersecurity controls because the attacker enters through HR processes, not firewalls.


Warning for Companies and Hiring Teams

The investigation highlights a critical threat vector: the remote hiring process itself.

Job applicants targeted by DPRK recruiters unknowingly become:

  • Identity-laundering intermediaries
  • Proxy employees for sanctioned operatives
  • Entry points for internal compromise

This risk affects enterprises across:

  • Finance & fintech
  • Cryptocurrency
  • Healthcare
  • Engineering
  • Software development

Organizations must ensure:

  • Rigorous ID verification
  • Cross-checks during remote hiring
  • Awareness training for both HR and IT
  • Clear escalation paths for suspicious recruiter interactions
  • Device attestation and monitored onboarding processes

A single compromised employee can become a Trojan horse for a sanctioned nation-state actor.

Source: thehackernews.com