
"The operation began when NorthScan's Heiner García impersonated a U.S. developer targeted by a Lazarus recruiter using the alias "Aaron" (also known as "Blaze"). Posing as a job-placement "business," Blaze attempted to hire the fake developer as a frontman, a known Chollima tactic used to slip North Korean IT workers into Western companies, mainly in the finance, crypto, healthcare, and engineering sectors."
"The scheme followed a familiar pattern: steal or borrow an identity, pass interviews with AI tools and shared answers, work remotely via the victim's laptop, funnel salary back to DPRK. Once Blaze asked for full access, including SSN, ID, LinkedIn, Gmail, and 24/7 laptop availability, the team moved to phase two.

The Trap: A "Laptop Farm" That Wasn't Real

Instead of using a real laptop, BCA LTD's Mauro Eldritch deployed the ANY.RUN Sandbox's virtual machines,"
A coordinated operation impersonated a U.S. developer in order to engage a Lazarus recruiter using the alias "Aaron" (also known as "Blaze"). Blaze sought to hire the fake developer as a frontman whose identity and hardware would let North Korean IT workers take remote jobs at Western finance, crypto, healthcare, and engineering companies. The tactic relied on stolen or borrowed identities, AI-assisted interview answers, remote work through the frontman's laptop, and salaries funneled back to the DPRK. Instead of a real laptop, the researchers presented ANY.RUN sandbox virtual machines as the frontman's machine, which gave them live monitoring of the operator's activity, the ability to force crashes, control over network connectivity, and snapshots of the VM state. The toolkit observed on the machine centered on identity takeover and remote access rather than conventional malware deployment.
Read at The Hacker News