Researchers spotted Lazarus’s remote IT workers in action

Researchers exposed a Lazarus scheme using remote IT workers tied to North Korea’s Famous Chollima APT group in a joint investigation.

Researchers filmed Lazarus APT group’s remote-worker scheme in action, uncovering a North Korean network of IT contractors linked to the Famous Chollima unit, TheHackerNews reported.

Recently, multiple cybersecurity firms and government agencies observed North Korea-linked APT groups, such as Chollima, using IT workers to infiltrate organizations across finance, crypto, healthcare, and engineering sectors.

The joint investigation by the researcher Mauro Eldritch, NorthScan, and ANY.RUN uncovered one of North Korea’s most persistent infiltration schemes.

The researchers spotted Lazarus operators live for the first time by luring them into controlled sandbox environments disguised as real developer laptops. The operation began when NorthScan’s Heiner García posed as a U.S. developer targeted by a recruiter called “Aaron/Blaze,” who tried to hire him as a front to place North Korean IT workers inside Western companies.

The scheme unfolded predictably: the operators grabbed or reused someone’s identity, used AI tools and shared answer sheets to pass interviews, worked remotely through the victim’s laptop, and sent all earnings back to North Korea. When Blaze pushed for full access, asking for the victim’s SSN, ID, LinkedIn, Gmail, and 24/7 control of the laptop, the team moved to phase two.

Instead of handing over a real machine, Mauro Eldritch from BCA LTD set up a “laptop farm” using ANY.RUN virtual machines. Each one looked like a genuine developer workstation, complete with browsing history, tools, and a U.S. residential proxy. The team could crash sessions, slow the connection, and capture every action the operators took, all without tipping them off.

Then the researchers analyzed the sandbox and found evidence of a simple but effective toolkit focused on stealing identities and taking over remote machines, not on planting malware. As soon as their Chrome profile synced, they began loading their usual tools.

They relied on AI job-automation apps like Simplify Copilot, AiApply, and Final Round AI to fill out applications and generate interview responses for them. They opened browser-based OTP generators (OTP.ee and Authenticator.cc) so they could handle the victim’s 2FA once they collected identity documents. They installed Google Remote Desktop and configured it through PowerShell with a fixed PIN, giving themselves ongoing control of the system.

They ran routine checks—dxdiag, systeminfo, whoami—to make sure the machine matched what they expected. Every connection traveled through Astrill VPN, a hallmark of earlier Lazarus operations.

In one session, the operator even typed a Notepad message asking the “developer” to upload their ID, SSN, and banking information, making their goal unmistakable: take over the victim’s identity and workstation without deploying any malware at all.

Building awareness and giving staff a safe way to report suspicious contacts helps stop threats early before they turn into full internal compromises.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, remote IT workers)