A joint investigation by BCA LTD, NorthScan, and ANY.RUN has exposed a network of remote IT workers linked to the Lazarus Group’s Famous Chollima division. The operators used fake job offers and AI-driven tools to gain access to what they took to be victims’ laptops; those machines were in fact controlled virtual environments set up by ANY.RUN, which let the researchers watch the operators at work. The operators were observed using legitimate-looking developer tools, including browser-based OTP generators and Google Remote Desktop, to steal sensitive information from unsuspecting employees.
The scheme followed a familiar pattern: identity impersonation, posing as candidates in interviews, and a remote work setup. The operators stole or borrowed identities, passed interviews with the help of AI tools, worked remotely, and funneled their salaries back to the DPRK. The investigation revealed a lean but effective toolset for identity takeover and remote access, including Simplify Copilot and Authenticator.cc.
The findings highlight the risks of remote hiring and the importance of awareness inside companies. Attackers can target individual employees with legitimate-looking interview requests and, from there, reach internal dashboards, sensitive data, and manager-level accounts. Companies must raise awareness and give teams a safe way to report and check suspicious activity before such an intrusion grows into a full internal compromise.
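The article names Google Remote Desktop (read here as Chrome Remote Desktop) as one of the remote-access tools the operators relied on. The following is an added example, not code from the article or from the investigating teams: a small hunt that flags Chrome Remote Desktop host activity on endpoints where it is not sanctioned, using a process inventory and proxy log lines. The process names, the domain, the allow-list and the sample records are assumptions constructed for illustration; validate the indicators against your own fleet before relying on them.

```python
"""Hunt an endpoint process inventory and proxy log for Chrome Remote Desktop
(the 'Google Remote Desktop' the article mentions) on unsanctioned hosts.

Added example; not from the article or the investigating teams. Indicator
strings, the allow-list and all sample records below are constructed
assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed indicators: the CRD host service binary per OS, plus the service
# domain a host contacts. Extend with your own telemetry once verified.
CRD_PROCESS_NAMES = {
    "remoting_host.exe",           # Windows host service (assumed name)
    "chrome-remote-desktop-host",  # Linux host service (assumed name)
}
CRD_DOMAIN_SUFFIXES = ("remotedesktop.google.com",)

# Hosts where remote control is explicitly approved (hypothetical).
ALLOWED_HOSTS = {"it-support-01"}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    evidence: str


def hunt_processes(records):
    """records: dicts with 'host', 'user', 'process' (basename). Returns Findings."""
    findings = []
    for r in records:
        if r["host"] in ALLOWED_HOSTS:
            continue
        if r["process"].lower() in CRD_PROCESS_NAMES:
            findings.append(Finding(r["host"], r["user"], f"process {r['process']}"))
    return findings


def hunt_proxy(lines):
    """lines: 'host user dest_host' proxy log lines (constructed format)."""
    findings = []
    for line in lines:
        host, user, dest = line.split()
        if host in ALLOWED_HOSTS:
            continue
        if dest.lower().endswith(CRD_DOMAIN_SUFFIXES):
            findings.append(Finding(host, user, f"connection to {dest}"))
    return findings


def summarize(findings):
    """Group evidence per host so one remote-controlled laptop is one ticket."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f.host].append(f"{f.user}: {f.evidence}")
    return dict(by_host)


# Constructed sample telemetry (not real hosts or users).
SAMPLE_PROCESSES = [
    {"host": "dev-lt-07", "user": "jdoe", "process": "remoting_host.exe"},
    {"host": "dev-lt-07", "user": "jdoe", "process": "Code.exe"},
    {"host": "it-support-01", "user": "helpdesk", "process": "remoting_host.exe"},
    {"host": "build-lx-02", "user": "ci", "process": "chrome-remote-desktop-host"},
]
SAMPLE_PROXY = [
    "dev-lt-07 jdoe remotedesktop.google.com",
    "dev-lt-07 jdoe github.com",
    "it-support-01 helpdesk remotedesktop.google.com",
]


def run():
    """Run both hunts over the sample data and return the per-host summary."""
    return summarize(hunt_processes(SAMPLE_PROCESSES) + hunt_proxy(SAMPLE_PROXY))


if __name__ == "__main__":
    for host, evidence in run().items():
        print(host)
        for line in evidence:
            print("  " + line)
```

A host that shows the CRD service running and also reaches the service domain is the strongest signal; a process hit alone still deserves a look, since an employee who is never physically at the laptop rarely needs it. Feed real EDR process events and proxy exports in place of the constructed samples.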
Key takeaways:
* North Korea’s Lazarus Group uses fake job offers and AI-driven tools to infiltrate companies.
* The “victims’ laptops” the operators accessed were actually controlled virtual environments set up by ANY.RUN.
* Researchers observed legitimate-looking developer tools used for identity theft and remote access.
* The scheme followed a familiar pattern: identity impersonation, posing as candidates in interviews, and a remote work setup.
By understanding this complex threat, companies can take proactive measures to protect themselves against such attacks.
Source: https://thehackernews.com/2025/12/researchers-capture-lazarus-apts-remote.html