Information technology (IT) workers affiliated with the Democratic People’s Republic of Korea (DPRK) are now applying to remote positions using the real LinkedIn accounts of the individuals whose identities they impersonate, marking a new escalation in the fraud scheme.
“These profiles often contain verified work emails and identification badges, allowing DPRK operators to hope that their fraudulent applications will look legitimate,” the Security Alliance (SEAL) said in a series of posts on X.
The IT worker scheme is a long-running operation conducted by North Korea in which the country’s operators pose as remote workers under stolen or fabricated identities to secure jobs at Western companies and elsewhere. The threat is also tracked by the broader cybersecurity community as Jasper Sleet, PurpleDelta, and VegMole.
The ultimate goal of these efforts is two-fold: generating a steady revenue stream to fund the country’s weapons programs, and carrying out espionage by stealing sensitive data and, in some cases, demanding a ransom from the victim in exchange for not leaking it.
Last month, cybersecurity company Silent Push described the DPRK remote worker program as a “high-volume revenue engine” for the regime, one that lets threat actors gain administrative access to sensitive codebases and establish remote footholds within corporate infrastructure.
“Once paid their salaries, DPRK IT employees transfer cryptocurrencies through various money laundering techniques,” blockchain analysis firm Chainalysis said in a report published in October 2025.
“One way IT personnel, as well as their money laundering counterparts, break the link between the source and destination of funds on the chain is through chain-hopping and/or token swapping. They leverage decentralized exchanges and smart contracts like bridge protocols to complicate the tracing of funds.”
To counter the threat, individuals who suspect that their identities are being misused in fraudulent job applications are advised to publish their official communication channels along with a verification method through which they can be contacted (for example, a company email address), and to consider posting a warning on their social media accounts.
“Always verify that accounts listed by candidates are controlled by the email they provide,” the Security Alliance said. “Simple checks such as asking them to connect with you on LinkedIn will verify their ownership and control of the account.”
The revelations come as the Norwegian Police Protection Service (PST) issued an advisory saying it is aware of “several cases” over the past year where Norwegian businesses have been affected by IT worker schemes.
“Businesses have been duped into possibly hiring North Korean IT workers for home office positions,” the PST said last week. “The salary income that North Korean employees receive from such positions probably goes to finance the country’s armaments and nuclear weapons program.”
Running parallel to the IT worker scheme is another social engineering campaign, called Contagious Interview, which uses fake recruitment pipelines to lure potential targets into interviews after contacting them on LinkedIn with a job offer. The malicious phase of the attack begins when the individuals posing as recruiters and hiring managers instruct the target to complete a skills assessment that ultimately leads them to execute malicious code.
In one recruitment impersonation campaign that targeted technical staff by mimicking the hiring process of digital asset infrastructure company Fireblocks, threat actors were said to have asked candidates to run commands that clone a GitHub repository and install npm packages, thereby triggering malware execution.
“The campaign also employed EtherHiding, a new technique that leverages blockchain smart contracts to host and retrieve command-and-control infrastructure, making malicious payloads more resilient to removal,” said security researcher Ori Hershko. “These steps triggered the execution of malicious code hidden within the project. Running the setup process resulted in the malware being downloaded and executed on the victim’s system, giving the attackers the opportunity to gain a foothold in the victim’s machine.”
In recent months, according to reports from Abstract Security and OpenSourceMalware, new variants of the Contagious Interview campaign have been observed using malicious Microsoft VS Code task files to execute JavaScript malware disguised as web fonts, ultimately leading to the deployment of BeaverTail and InvisibleFerret, which provide persistent access and enable the theft of cryptocurrency wallets and browser credentials.
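A defensive pre-screen for a “take-home assessment” repository, as an added example that is not from the article or from any vendor it cites: before anything is installed or opened in an editor, it flags the three execution vectors described above (npm lifecycle hooks in package.json, VS Code tasks that auto-run on folder open, and JavaScript hidden in files with font extensions). The sample repository, its file names and the load_repo helper are constructed assumptions for illustration.

```python
import json
import os
import re

# Constructed sample of a "skills assessment" repository, held in memory as
# {relative_path: bytes}. Assumed for illustration; not material from the article.
SAMPLE_REPO = {
    "package.json": json.dumps({"name": "assessment", "scripts": {
        "postinstall": "node ./assets/fonts/OpenSans.woff2", "test": "jest"}}).encode(),
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [{
        "label": "setup", "type": "shell", "command": "node assets/fonts/OpenSans.woff2",
        "runOptions": {"runOn": "folderOpen"}}]}).encode(),
    "assets/fonts/OpenSans.woff2": b"(function(){require('child_process');})();",
    "assets/fonts/Real.woff2": b"wOF2" + b"\x00" * 12,
}

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
FONT_EXTS = (".woff", ".woff2", ".ttf", ".otf")
FONT_MAGIC = (b"wOFF", b"wOF2", b"\x00\x01\x00\x00", b"OTTO", b"true")
JS_HINT = re.compile(rb"\b(require|eval|function|child_process|fetch)\b")

def scan_repo(files):
    """Return (finding, path) pairs for three red flags: npm lifecycle hooks, VS Code
    tasks that auto-run on folder open, and font-named files that hold JavaScript."""
    findings = []
    # Manifests are parsed as plain JSON; a JSONC tasks.json needs comment-stripping first.
    scripts = json.loads(files.get("package.json", b"{}")).get("scripts", {})
    for hook, cmd in scripts.items():
        if hook in LIFECYCLE_HOOKS:
            findings.append((f"npm lifecycle hook '{hook}' runs: {cmd}", "package.json"))
    tasks = json.loads(files.get(".vscode/tasks.json", b"{}")).get("tasks", [])
    for task in tasks:
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append((f"VS Code task '{task.get('label')}' auto-runs on folder open: "
                             f"{task.get('command')}", ".vscode/tasks.json"))
    for path, data in files.items():
        if path.lower().endswith(FONT_EXTS) and not data.startswith(FONT_MAGIC) and JS_HINT.search(data):
            findings.append(("font-named file contains JavaScript, not font data", path))
    return findings

def load_repo(root):
    """Read a cloned repository from disk (skipping .git) into the shape scan_repo expects."""
    files = {}
    for dirpath, dirnames, names in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files
```

Running `scan_repo(load_repo("/path/to/clone"))` on a freshly cloned assessment repo lists every hook, auto-run task and fake font before `npm install` or the editor gets a chance to execute them.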
Another variant of the intrusion set, documented by Panther, is suspected to involve the use of malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework called Koalemos via a loader. The RAT is designed to enter a beacon loop in which it retrieves tasks from an external server, executes them, sends encrypted responses, and sleeps for a random time interval before repeating.
It supports 12 different commands to conduct file system operations, move files, run discovery commands (for example, whoami), and execute arbitrary code. The names of some packages related to the activity are as follows –
- env-workflow-test
- sra-test-test
- vg-medalia-digital
- vg-ccc-client
- vg-dev-env
“The initial loader performs DNS-based execution gating and engagement date verification before downloading and spawning the RAT module as a separate process,” said security researcher Alessandra Rizzo. “The Koalemos system performs fingerprinting, establishes encrypted command-and-control communications, and provides full remote access capabilities.”
Labyrinth Chollima divided into specific operational units
The development comes as CrowdStrike revealed that the prolific North Korean hacking crew known as Labyrinth Chollima has evolved into three distinct groups, each with its own objectives and tradecraft: the core Labyrinth Chollima group, Golden Chollima (aka AppleJeus, Citrine Sleet, and UNC4736), and Pressure Chollima (aka Jade Sleet, TraderTraitor, and UNC4899).
It’s worth noting that, according to an assessment by DTEX, Labyrinth Chollima, along with Andariel and Bluenoroff, are considered sub-groups within the Lazarus group (aka Diamond Sleet and Hidden Cobra), with Bluenoroff splitting into TraderTraitor and Cryptocore (aka Sapphire Sleet).
Despite their newfound independence, these adversaries continue to share tooling and infrastructure, suggesting centralized coordination and resource allocation within the DPRK cyber apparatus. Golden Chollima focuses on persistent, small-scale cryptocurrency thefts in economically developed regions, while Pressure Chollima pursues high-value thefts, using advanced implants, against organizations with significant digital asset holdings.
Labyrinth Chollima’s own operations, on the other hand, are driven by cyber espionage and use tools such as the FudModule rootkit to maintain covert access. The group is also linked to Operation Dream Job, another job-themed social engineering campaign designed to distribute malware for intelligence collection.
“Shared infrastructure elements and tool cross-pollination indicate that these entities maintain close coordination,” CrowdStrike said. “All three adversaries use remarkably similar tradecraft – including supply chain compromise, HR-themed social engineering campaigns, Trojanized legitimate software, and malicious Node.js and Python packages.”