Researchers Capture Lazarus APT's Remote-Worker Scheme Live on Camera
A collaborative investigation by BCA LTD, NorthScan, and ANY.RUN has exposed a persistent infiltration scheme operated by North Korea’s Lazarus Group, specifically its Famous Chollima division. For the first time, researchers were able to watch these operators working live inside what the operators believed were real developer laptops but which were in fact instrumented, long-running sandbox environments. The operation revealed a well-organized network of remote IT workers designed to infiltrate Western companies through identity-based recruitment.
The investigation began with NorthScan impersonating a U.S. developer who had been approached by a Lazarus recruiter using the alias “Aaron” or “Blaze.” The recruiter sought to hire the fake developer as a frontman, a common Chollima tactic for placing North Korean IT workers into companies, particularly in the finance, crypto, healthcare, and engineering sectors. The pattern involves identity theft, AI tools for passing interviews, remote work through the victim’s own laptop, and funneling salaries back to the DPRK. Once the recruiter requested full access, including SSN, ID, LinkedIn, Gmail, and 24/7 laptop availability, the research team handed over ANY.RUN Sandbox virtual machines. These VMs were configured to look like actively used personal workstations, with usage history, developer tools, and U.S. residential proxy routing, allowing researchers to monitor every action, throttle connectivity, and snapshot state without being detected.
Within these controlled environments, the investigation revealed Famous Chollima’s lean but effective toolset. After syncing a Chrome profile, operators loaded AI-driven job automation tools such as Simplify Copilot, AiApply, and Final Round AI to auto-fill applications and generate interview answers. They used browser-based OTP generators (OTP.ee / Authenticator.cc) to handle two-factor authentication once the victim’s identity documents were in hand. Persistent control of the host was established through Google’s Chrome Remote Desktop, configured via PowerShell with a fixed PIN. Routine system reconnaissance using commands such as dxdiag, systeminfo, and whoami was observed. Connections were consistently routed through Astrill VPN, a pattern previously associated with Lazarus infrastructure. In one session, an operator directly requested the “developer’s” ID, SSN, and banking details via Notepad, confirming that the goal was full identity and workstation takeover.
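The tradecraft above is modest, which is exactly why it is worth hunting for in endpoint telemetry. The following Python is an added example written for this article, not code from BCA LTD, NorthScan, or ANY.RUN: it runs two simple detections over Sysmon-style process-creation records (the records are constructed for the example). The first flags Chrome Remote Desktop host registration launched from PowerShell; `remoting_start_host.exe` is the host-registration binary, while the `--pin=` switch in the sample command line and the "PowerShell as parent" heuristic are assumptions about how a scripted, fixed-PIN setup would appear. The second flags a burst of distinct recon binaries (whoami, systeminfo, dxdiag) from one user on one host inside a short window, which is closer to an operator orienting on a new machine than to any one of those commands run alone.

```python
"""Detection sketch for the remote-worker tradecraft described above.

Input: process-creation events (Sysmon Event ID 1 style). All sample
records below are constructed for this example; the Chrome Remote
Desktop command line is an assumption, not a captured artifact.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: int        # event time, seconds since epoch (constructed)
    host: str
    user: str
    parent: str    # parent image basename
    image: str     # image basename
    cmdline: str


# Recon binaries named in the article; a burst of several is the signal.
RECON_BINARIES = {"whoami.exe", "systeminfo.exe", "dxdiag.exe"}
RECON_WINDOW_SECONDS = 600
RECON_MIN_DISTINCT = 2

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
CRD_HOST_BINARY = "remoting_start_host.exe"   # CRD host registration
PIN_RE = re.compile(r'--pin[=\s]"?(\d{4,})')   # assumed switch syntax


def find_remote_desktop_setup(events):
    """Chrome Remote Desktop host registration spawned by PowerShell.

    Interactive installs are typically launched from the browser or
    Explorer; a PowerShell parent plus a PIN on the command line points
    to scripted, unattended persistence.
    """
    hits = []
    for e in events:
        if e.image.lower() != CRD_HOST_BINARY:
            continue
        if e.parent.lower() not in SCRIPT_HOSTS:
            continue
        hits.append({
            "host": e.host,
            "user": e.user,
            "parent": e.parent,
            "fixed_pin": PIN_RE.search(e.cmdline) is not None,
        })
    return hits


def find_recon_bursts(events, window=RECON_WINDOW_SECONDS,
                      min_distinct=RECON_MIN_DISTINCT):
    """Distinct recon binaries run by one user on one host within `window`.

    Returns one finding per (host, user) whose busiest window reached
    `min_distinct` different recon tools; a lone `systeminfo` is ignored.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e.image.lower() in RECON_BINARIES:
            by_actor[(e.host, e.user)].append(e)

    findings = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        best = set()
        for i, first in enumerate(evs):
            seen = {e.image.lower() for e in evs[i:]
                    if e.ts - first.ts <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_distinct:
            findings.append({"host": host, "user": user,
                             "binaries": sorted(best)})
    return findings


# Constructed sample telemetry: one suspicious workstation, one benign host.
SAMPLE_EVENTS = [
    ProcEvent(1700000000, "DEV-LAPTOP-01", "jdoe", "explorer.exe", "chrome.exe",
              '"chrome.exe" --profile-directory=Default'),
    ProcEvent(1700000300, "DEV-LAPTOP-01", "jdoe", "powershell.exe", "remoting_start_host.exe",
              "remoting_start_host.exe --code=REDACTED --name=DEV-LAPTOP-01 --pin=123456"),
    ProcEvent(1700000420, "DEV-LAPTOP-01", "jdoe", "cmd.exe", "whoami.exe", "whoami"),
    ProcEvent(1700000431, "DEV-LAPTOP-01", "jdoe", "cmd.exe", "systeminfo.exe", "systeminfo"),
    ProcEvent(1700000500, "DEV-LAPTOP-01", "jdoe", "cmd.exe", "dxdiag.exe",
              "dxdiag /t C:\\Users\\jdoe\\dx.txt"),
    # Benign: helpdesk runs a single inventory command, nothing else.
    ProcEvent(1700001000, "HR-DESKTOP-07", "helpdesk", "cmd.exe", "systeminfo.exe", "systeminfo"),
    # Benign: CRD registered interactively from Explorer, no scripted PIN.
    ProcEvent(1700002000, "HR-DESKTOP-07", "msmith", "explorer.exe", "remoting_start_host.exe",
              "remoting_start_host.exe --code=REDACTED --name=HR-DESKTOP-07"),
]


def triage(events):
    """Run both detections and return their findings together."""
    return {
        "remote_desktop_setup": find_remote_desktop_setup(events),
        "recon_bursts": find_recon_bursts(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the sample data only DEV-LAPTOP-01 is reported, for both the PowerShell-launched host registration with a fixed PIN and the three-tool recon burst; the helpdesk `systeminfo` and the interactive CRD install on HR-DESKTOP-07 stay quiet. In a real deployment the same two signals would be joined with egress telemetry (the article notes Astrill VPN exit points) and with HR data, since the point of the scheme is that the "employee" and the person at the keyboard are not the same.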
This detailed exposure highlights that remote hiring practices have become a critical entry point for identity-based threats into organizations. Attackers frequently initiate contact by targeting individual employees with seemingly legitimate interview requests. The risk extends beyond a single compromised worker, as an infiltrator can subsequently gain access to internal dashboards, sensitive business data, and manager-level accounts, leading to significant operational impact. To mitigate this threat, organizations must prioritize raising internal awareness regarding suspicious recruitment attempts and establish secure channels for employees to report and verify any questionable job-related communications. Proactive vigilance can prevent early approaches from escalating into full-blown internal compromises.