DPRK IT workers evolve from job seekers to recruiters, orchestrating systematic identity harvesting campaigns on Upwork and Freelancer platforms through scripted collaboration requests and remote access tools.
DPRK IntelligenceDPRK IT workers evolve from job seekers to recruiters, orchestrating systematic identity harvesting campaigns on Upwork and Freelancer platforms through scripted collaboration requests and remote access tools.
Malware AnalysisAnalysis of PyLangGhost RAT, a Python-based malware from Lazarus subgroup Famous Chollima targeting finance and tech sectors through fake job interviews, stealing credentials and cryptocurrency wallets.
DPRK AnalysisComprehensive investigation into suspicious GitHub activity revealing coordinated campaigns by DPRK-affiliated actors using fake identities and the #OpenToWork hashtag to infiltrate organizations.
Fraud AlertInvestigation into fraudulent recruiter accounts on GitHub and LinkedIn used by threat actors to target developers and infiltrate organizations through fake job opportunities.
DPRK AnalysisComprehensive recap of findings regarding suspicious Lazarus Group activity on GitHub, analyzing patterns in fake developer profiles, achievement badges, and coordinated campaigns targeting the developer community.
DPRK AnalysisIn-depth analysis of GitHub account activity associated with Lazarus Group, examining commit history manipulation, identity obfuscation techniques, and patterns used by DPRK IT workers to maintain cover identities.
DPRK AnalysisDetailed investigation into suspicious GitHub activity patterns associated with Lazarus Group and DPRK IT workers, revealing coordinated efforts to establish fake developer identities and infiltrate software development communities.
DPRK IntelligenceComprehensive analysis of DPRK IT workers' tactics, behaviors, and operational patterns through direct engagement. Revealing social engineering, remote desktop evasion, and platform manipulation techniques.
Coverage of NorthScan research and DPRK threat intelligence in major publications
Media MentionCointelegraph took part in an investigation centered around a suspected North Korean operative that uncovered a cluster of threat actors attempting to score freelancing gigs in the cryptocurrency industry. The investigation was led by Heiner Garcia, a cyber threat intelligence expert at Telefónica and a blockchain security researcher
Media MentionIn this feature on freelance platform abuse, Heiner García Perez is cited for his research on how North Korean IT workers exploit Upwork and LinkedIn to blend into legitimate ecosystems. His intelligence findings helped illustrate the scope of DPRK remote work infiltration.