Lazarus Exposed: Real-Time Sting Tracks North Korean Hackers Recruiting Remote Employees
A joint investigation by BCA LTD, NorthScan, and ANY.RUN has revealed, in real time, one of North Korea’s most covert cyber-operations. The team managed, under the guise of an ordinary hiring process, to track how operators of Lazarus Group — specifically its Famous Chollima subunit — are embedded into companies worldwide as remote IT employees using stolen identities.
The operation was initiated by BCA LTD founder Mauro Eldritch, who coordinated with the NorthScan initiative and the interactive malware-analysis platform ANY.RUN. NorthScan specialists created a fictitious American developer, on whose behalf Heiner Garcia entered into dialogue with a Lazarus recruiter calling himself Aaron “Blaze.” Posing as an employment intermediary, Blaze attempted to onboard the fabricated candidate as a front for North Korean IT workers, targeting companies in the financial, cryptocurrency, healthcare, and engineering sectors.
The scheme hinges entirely on identity substitution and remote access. Stolen documents and online profiles are selected and appropriated; interviews are conducted with the help of AI services and pre-scripted answers.
Once the candidate is hired, the work is carried out through a laptop belonging to the real person whose identity is being used, while the salary is siphoned back to the DPRK. When the recruiter demanded the full portfolio of personal data (Social Security number, copies of IDs, access to the LinkedIn and Gmail accounts, and the ability to connect to the device around the clock), the investigation shifted into its active phase.
Instead of a physical laptop, Mauro Eldritch deployed a series of virtual machines in ANY.RUN, imitating the developer’s personal workstations with usage histories, installed toolchains, and traffic routed through U.S. residential proxies. This created, for the operators, the illusion of a legitimate machine, while their every action was fully monitored and controlled. The team could force failures, throttle connectivity, capture system snapshots — all without betraying the surveillance.
The sessions showed that the focus lay not on sophisticated malware but on account takeover and persistent access. After syncing the Chrome profile tied to the fabricated identity, the operators launched automation tools for mass job applications and interview preparation, among them Simplify Copilot, AiApply, and Final Round AI.
Rather than defeating two-factor authentication, they moved it into the browser: one-time codes were generated with browser-extension authenticators such as OTP.ee and Authenticator.cc, so the second factor lived in the synced profile instead of on a phone they did not hold. Remote control was established through Chrome Remote Desktop (Google's remote-access service), whose host was set up from PowerShell with a permanent PIN so the machine could be reached without anyone at the keyboard. Basic reconnaissance used built-in utilities such as dxdiag, systeminfo, and whoami.
All traffic flowed through the Astrill VPN service, previously linked to Lazarus infrastructure. In one session, an operator even left a request in Notepad for uploads of identity documents, a Social Security number, and banking details — confirming unequivocally that the goal was to seize total control of the accounts and work environment, without deploying separate malicious code.
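The activity in those sessions (a burst of whoami/systeminfo/dxdiag, then a Chrome Remote Desktop host registered from PowerShell with a fixed PIN) is exactly the kind of low-noise, no-malware pattern a SOC can hunt for in process-creation telemetry. The following detector is an added example written for this article; it is not code from BCA LTD, NorthScan, or ANY.RUN. The log lines are constructed to resemble Sysmon Event ID 1 fields, the hostnames and users are fictional, and the remoting_start_host.exe path and --pin flag are assumptions about how the host gets registered, not verified product documentation.

```python
"""Added example: score Windows process-creation events for the DPRK
remote-worker pattern described above. Not code from the investigation.
Sample log lines are constructed; the Chrome Remote Desktop host binary
name, install path and flags are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Built-in reconnaissance utilities seen in the sessions.
RECON_IMAGES = {"whoami.exe", "systeminfo.exe", "dxdiag.exe"}
RECON_WINDOW = timedelta(minutes=10)   # how close together they must run
RECON_MIN_DISTINCT = 2                 # distinct tools needed to alert

# Assumed: Chrome Remote Desktop host registration with a pre-set PIN.
CRD_HOST_RE = re.compile(r"remoting_start_host\.exe.*--pin\b", re.I)
PS_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    image: str     # basename of the created process image
    cmdline: str
    parent: str    # basename of the parent process image


def parse_events(text):
    """Parse constructed 'ts|host|user|image|cmdline|parent' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmdline, parent = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts), host, user,
                            image, cmdline, parent))
    return events


def recon_burst(events):
    """Hosts where >= RECON_MIN_DISTINCT distinct recon tools ran
    within RECON_WINDOW of each other."""
    by_host = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.image.lower() in RECON_IMAGES:
            by_host.setdefault(e.host, []).append(e)
    hits = set()
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            seen = {x.image.lower() for x in evs[i:]
                    if x.ts - first.ts <= RECON_WINDOW}
            if len(seen) >= RECON_MIN_DISTINCT:
                hits.add(host)
                break
    return hits


def crd_host_from_powershell(events):
    """Hosts where a CRD host was registered with a PIN and either the
    process itself or its parent was PowerShell."""
    return {e.host for e in events
            if CRD_HOST_RE.search(e.cmdline)
            and (e.image.lower() in PS_IMAGES or e.parent.lower() in PS_IMAGES)}


RULES = {
    "recon_burst": recon_burst,
    "crd_host_from_powershell": crd_host_from_powershell,
}


def detect(events):
    """Return {host: sorted list of rule names that fired}."""
    findings = {}
    for name, rule in RULES.items():
        for host in rule(events):
            findings.setdefault(host, []).append(name)
    return {h: sorted(r) for h, r in findings.items()}


def triage(events):
    """Recon alone is noisy; recon plus an unattended remote-access
    foothold on the same host is the pattern worth paging on."""
    return {h: ("high" if len(r) == len(RULES) else "medium")
            for h, r in detect(events).items()}


# Constructed sample telemetry (fictional hosts, users and paths).
SAMPLE_LOG = """\
2025-01-14T09:02:11|WS-DEV01|corp\\jdoe|whoami.exe|whoami /all|cmd.exe
2025-01-14T09:03:40|WS-DEV01|corp\\jdoe|systeminfo.exe|systeminfo|cmd.exe
2025-01-14T09:05:02|WS-DEV01|corp\\jdoe|dxdiag.exe|dxdiag /t C:\\Users\\jdoe\\dx.txt|cmd.exe
2025-01-14T09:41:15|WS-DEV01|corp\\jdoe|remoting_start_host.exe|"C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\remoting_start_host.exe" --code=REDACTED --name=WS-DEV01 --pin=123456|powershell.exe
2025-01-14T11:12:09|WS-HR02|corp\\asmith|whoami.exe|whoami|cmd.exe
2025-01-15T08:30:00|WS-HR02|corp\\asmith|systeminfo.exe|systeminfo|cmd.exe
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for host, sev in triage(evs).items():
        print(host, sev, detect(evs)[host])
```

WS-HR02 runs whoami and systeminfo too, but a day apart, so it never reaches the recon threshold; WS-DEV01 trips both rules and is rated high. In a real deployment the same logic would be fed from Sysmon or EDR process events, and the PowerShell-parented remote-access host is the rule to keep even if recon noise forces the first one to be tuned down.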
The case underscores how remote hiring has become a convenient vector for identity-based intrusions. Such an attempt typically begins with a credible job offer and escalates into demands for device access and credentials for corporate systems. Once embedded, the "employee" holds a legitimate account with access to internal dashboards, sensitive information, and executive contacts, and nothing on the wire looks like a breach.
Timely coordination between HR and IT, rigorous candidate verification (including live, on-camera identity checks and a hard rule that company devices ship only to the verified employee), and a safe channel for staff to escalate unusual requests can halt these schemes at the very first point of contact.