North Korean IT workers are now using real LinkedIn accounts of professionals they impersonate to secure remote positions, marking a dangerous escalation in their long-running fraud scheme.
The Democratic People's Republic of Korea (DPRK) has escalated its sophisticated IT worker infiltration scheme by impersonating real professionals on LinkedIn to secure remote positions at Western companies, according to a new report from Security Alliance (SEAL).
Real Profiles, Real Credentials
The North Korean operatives are now applying for remote positions using actual LinkedIn accounts of individuals they're impersonating, complete with verified workplace emails and identity badges. This marks a significant evolution from their previous tactics of creating entirely fabricated profiles.
"These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate," SEAL stated in a series of posts on X.
The IT worker threat, also tracked as Jasper Sleet, PurpleDelta, and Wagemole, represents a long-running operation where North Korean operatives pose as remote workers to secure jobs under stolen or fabricated identities. The scheme serves multiple purposes: generating revenue to fund North Korea's weapons programs, conducting espionage by stealing sensitive data, and in some cases, demanding ransoms to avoid leaking stolen information.
A "High-Volume Revenue Engine"
Cybersecurity company Silent Push recently described the DPRK remote worker program as a "high-volume revenue engine" for the regime. The operation enables threat actors to gain administrative access to sensitive codebases and establish persistent access within corporate infrastructure.
Once salaries are paid, the operatives transfer cryptocurrency through various money laundering techniques. Blockchain analysis firm Chainalysis noted that IT workers break the link between source and destination of funds using chain-hopping and token swapping through decentralized exchanges and bridge protocols.
Protecting Your Identity
To counter this threat, individuals who suspect their identities are being misappropriated should consider posting warnings on their social media accounts, listing official communication channels and verification methods. Companies are advised to validate that accounts listed by candidates are controlled by the email they provide.
"Simple checks like asking them to connect with you on LinkedIn will verify their ownership and control of the account," SEAL recommended.
Norwegian Businesses Targeted
The Norwegian Police Security Service (PST) issued an advisory last week, stating it's aware of "several cases" over the past year where Norwegian businesses have been impacted by IT worker schemes. "The businesses have been tricked into hiring what are likely North Korean IT workers in home office positions," PST said. "The salary income North Korean employees receive through such positions probably goes to finance the country's weapons and nuclear weapons program."
Contagious Interview Campaign
Running parallel to the IT worker scheme is another social engineering campaign dubbed "Contagious Interview." This operation uses fake hiring flows to lure prospective targets into interviews after approaching them on LinkedIn with job offers.
The malicious phase begins when individuals posing as recruiters and hiring managers instruct targets to complete skill assessments that lead to executing malicious code. In one case targeting tech workers using a hiring process resembling that of digital asset infrastructure company Fireblocks, threat actors asked candidates to clone a GitHub repository and run commands to install an npm package, triggering malware execution.
Security researcher Ori Hershko explained that the campaign employed EtherHiding, a novel technique that leverages blockchain smart contracts to host and retrieve command-and-control infrastructure, making the malicious payload more resilient to takedowns.
Koalemos RAT Campaign
Another variant of the intrusion set documented by Panther involves the use of malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework called Koalemos. The RAT enters a beacon loop to retrieve tasks from an external server, execute them, send encrypted responses, and sleep for random intervals before repeating.
The RAT supports 12 different commands for filesystem operations, file transfers, discovery instructions (like whoami), and arbitrary code execution. Security researcher Alessandra Rizzo noted that the initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process.
Labyrinth Chollima's Evolution
CrowdStrike revealed that the prolific North Korean hacking crew known as Labyrinth Chollima has evolved into three separate clusters with distinct objectives:
- Core Labyrinth Chollima: Focused on cyber espionage using tools like the FudModule rootkit
- Golden Chollima: Targets consistent, smaller-scale cryptocurrency thefts in economically developed regions
- Pressure Chollima: Pursues high-value heists targeting organizations with significant digital asset holdings
Despite their independence, these adversaries continue to share tools and infrastructure, suggesting centralized coordination within the DPRK cyber apparatus. All three employ remarkably similar tradecraft, including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages.
This evolution represents a more sophisticated and compartmentalized approach to North Korea's cyber operations, making detection and attribution increasingly challenging for security researchers and defenders.