The information technology (IT) workers associated with the Democratic People’s Republic of Korea (DPRK) are now applying to remote positions using real LinkedIn accounts of individuals they’re impersonating, marking a new escalation of the fraudulent scheme.
“These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate,” Security Alliance (SEAL) said in a series of posts on X.
The IT worker threat is a long-running operation mounted by North Korea in which operatives from the country pose as remote workers to secure jobs in Western companies and elsewhere under stolen or fabricated identities. The threat is also tracked by the broader cybersecurity community as Jasper Sleet, PurpleDelta, and Wagemole.
The end goal of these efforts is twofold: to generate a steady revenue stream to fund the nation’s weapons programs, and to conduct espionage by stealing sensitive data, in some cases taking it further by demanding ransoms to avoid leaking the information.
Last month, cybersecurity company Silent Push described the DPRK remote worker program as a “high-volume revenue engine” for the regime, enabling the threat actors to also gain administrative access to sensitive codebases and establish living-off-the-land persistence within corporate infrastructure.
“Once their salaries are paid, DPRK IT workers transfer cryptocurrency through a variety of different money laundering techniques,” blockchain analysis firm Chainalysis noted in a report published in October 2025.
“One of the ways in which IT workers, as well as their money laundering counterparts, break the link between source and destination of funds on-chain, is through chain-hopping and/or token swapping. They leverage smart contracts such as decentralized exchanges and bridge protocols to complicate the tracing of funds.”
To counter the threat, individuals who suspect their identities are being misappropriated in fraudulent job applications are advised to consider posting a warning on their social media accounts, along with listing their official communication channels and the verification method to contact them (e.g., company email).
“Always validate that accounts listed by candidates are controlled by the email they provide,” Security Alliance said. “Simple checks like asking them to connect with you on LinkedIn will verify their ownership and control of the account.”
The disclosure comes as the Norwegian Police Security Service (PST) issued an advisory, stating it’s aware of “several cases” over the past year where Norwegian businesses have been impacted by IT worker schemes.
“The businesses have been tricked into hiring what are likely North Korean IT workers in home office positions,” PST said last week. “The salary income North Korean employees receive through such positions probably goes to finance the country’s weapons and nuclear weapons program.”
Running parallel to the IT worker scheme is another social engineering campaign dubbed Contagious Interview that involves using fake hiring flows to lure prospective targets into interviews after approaching them on LinkedIn with job offers. The malicious phase of the attack kicks in when individuals presenting themselves as recruiters and hiring managers instruct targets to complete a skill assessment that eventually leads to them executing malicious code.
In one recruiting impersonation campaign targeting tech workers, which used a hiring process resembling that of digital asset infrastructure company Fireblocks, the threat actors are said to have asked candidates to clone a GitHub repository and run commands to install an npm package, triggering malware execution.
“The campaign also employed EtherHiding, a novel technique that leverages blockchain smart contracts to host and retrieve command-and-control infrastructure, making the malicious payload more resilient to takedowns,” security researcher Ori Hershko said. “These steps triggered the execution of malicious code hidden within the project. Running the setup process resulted in malware being downloaded and executed on the victim’s system, giving the attackers a foothold in the victim’s machine.”
In recent months, new variants of the Contagious Interview campaign have been observed using malicious Microsoft VS Code task files to execute JavaScript malware disguised as web fonts that ultimately lead to the deployment of BeaverTail and InvisibleFerret, allowing persistent access and theft of cryptocurrency wallets and browser credentials, per reports from Abstract Security and OpenSourceMalware.
[Image: Koalemos RAT campaign]
Another variant of the intrusion set, documented by Panther, is suspected to involve the use of malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework dubbed Koalemos via a loader. The RAT is designed to enter a beacon loop in which it retrieves tasks from an external server, executes them, sends encrypted responses, and sleeps for a random interval before repeating.
It supports 12 different commands to conduct filesystem operations, transfer files, run discovery instructions (e.g., whoami), and execute arbitrary code. The names of some of the packages associated with the activity are as follows –
- env-workflow-test
- sra-test-test
- sra-testing-test
- vg-medallia-digital
- vg-ccc-client
- vg-dev-env
“The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process,” security researcher Alessandra Rizzo said. “Koalemos performs system fingerprinting, establishes encrypted command-and-control communications, and provides full remote access capabilities.”
Labyrinth Chollima Segments into Specialized Operational Units
The development comes as CrowdStrike revealed that the prolific North Korean hacking crew known as Labyrinth Chollima has evolved into three separate clusters with distinct objectives and tradecraft: the core Labyrinth Chollima group, Golden Chollima (aka AppleJeus, Citrine Sleet, and UNC4736), and Pressure Chollima (aka Jade Sleet, TraderTraitor, and UNC4899).
It’s worth noting that Labyrinth Chollima, along with Andariel and BlueNoroff, are considered to be sub-clusters within the Lazarus Group (aka Diamond Sleet and Hidden Cobra), with BlueNoroff splintering into TraderTraitor and CryptoCore (aka Sapphire Sleet), according to an assessment from DTEX.
Despite the newfound independence, these adversaries continue to share tools and infrastructure, suggesting centralized coordination and resource allocation within the DPRK cyber apparatus. Golden Chollima focuses on consistent, smaller-scale cryptocurrency thefts in economically developed regions, whereas Pressure Chollima pursues high-value heists with advanced implants to single out organizations with significant digital asset holdings.
[Image: New North Korea Clusters]
On the other hand, Labyrinth Chollima’s operations are motivated by cyber espionage, using tools like the FudModule rootkit to achieve stealth. Labyrinth Chollima is also attributed with Operation Dream Job, another job-centred social engineering campaign designed to deliver malware for intelligence gathering.
“Shared infrastructure elements and tool cross-pollination indicate these units maintain close coordination,” CrowdStrike said. “All three adversaries employ remarkably similar tradecraft – including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages.”