Smile, You’re on Camera: A Live Stream from Inside Lazarus Group’s IT Workers Scheme
In this article, we’ll uncover an entire North Korean infiltration operation aimed at placing remote IT workers inside companies in the American financial and crypto/Web3 sectors, with the objective of conducting corporate espionage and generating funding for the sanctioned regime. We attributed this effort to the state-sponsored APT (Advanced Persistent Threat) group Lazarus, specifically its Famous Chollima division.
Key Takeaways
- North Korean operators are infiltrating companies by posing as remote IT workers and using stolen or rented identities.
- Famous Chollima relies on social engineering, not advanced malware; convincing stories, pressure, and identity fraud drive the operation.
- Recruitment is wide-scale, using GitHub spam, Telegram outreach, and fake job-seeking setups.
- Victims are pushed to hand over full identity data, including SSNs, bank accounts, and device access.
- Extended ANY.RUN sandbox environments enabled real-time monitoring, capturing every click, file action, and network request.
- Operators used a predictable toolkit, including AnyDesk, Google Remote Desktop, AI-based interview helpers, and OTP extensions.
- Shared infrastructure and repeated mistakes revealed their poor operational security and overlapping roles.
- Controlled crashes and resets kept them contained, preventing any real malicious activity while intelligence was gathered.
The investigation provides a rare inside view of how these operatives work, communicate, and attempt to maintain access.
To read the complete article, see: https://any.run/cybersecurity-blog/lazarus-group-it-workers-investigation/
This post is licensed under CC BY 4.0 by the author.