Researchers Capture Lazarus Apt's Remote-worker Scheme Live On Camera

A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, a solution for interactive malware analysis and threat intelligence, has uncovered one of North Korea's most persistent infiltration schemes: a network of remote IT workers tied to Lazarus Group's Famous Chollima division.

For the first time, researchers managed to watch the operators work live, capturing their activity on what they believed were real developer laptops. The machines, however, were fully controlled, long-running sandbox environments created by ANY.RUN.

The operation began when NorthScan's Heiner García impersonated a U.S. developer targeted by a Lazarus recruiter using the alias "Aaron" (also known as "Blaze").

Posing as a job-placement "business," Blaze attempted to hire the fake developer as a frontman; a known Chollima tactic used to slip North Korean IT workers into Western companies, mainly in the finance, crypto, healthcare, and engineering sectors.

Once Blaze asked for full access, including SSN, ID, LinkedIn, Gmail, and 24/7 laptop availability, the team moved to phase two.

Instead of using a real laptop, BCA LTD's Mauro Eldritch deployed the ANY.RUN Sandbox's virtual machines, each configured to resemble a fully active personal workstation with usage history, developer tools, and U.S. residential proxy routing.

The team could also force crashes, throttle connectivity, and snapshot every move without alerting the operators.

The sandbox sessions exposed a lean but effective toolset built for identity takeover and remote access rather than malware deployment. Once their Chrome profile synced, the operators loaded:

In one session, the operator even left a Notepad message asking the "developer" to upload their ID, SSN, and banking details, confirming the operation's goal: full identity and workstation takeover without deploying a single piece of malware.

Remote hiring has become a quiet but reliable entry point for identity-based threats. Attackers often reach your organization by targeting individual employees with seemingly legitimate interview requests. Once they're inside, the risk goes far beyond a single compromised worker. An infiltrator can gain access to internal dashboards, sensitive business data, and manager-level accounts that carry real operational impact.

Source: The Hacker News