DPRK Operatives Posing as Professionals on LinkedIn to Infiltrate Companies

Information technology (IT) workers associated with the Democratic People’s Republic of Korea (DPRK) are now applying for remote positions using fake LinkedIn accounts, marking a new development in the scheme.
“These profiles often contain work emails and verified ID badges, which DPRK operatives hope will make their fraudulent applications appear legitimate,” the Security Alliance (SEAL) said in a series of posts on X.
The IT worker threat is a long-standing practice by North Korea in which workers from the country pose as remote employees to secure jobs at Western companies and elsewhere under stolen or fictitious identities. The activity is also tracked by the wider cybersecurity community under the names Jasper Sleet, PurpleDelta, and Wagemole.
The ultimate goal of these efforts is twofold: to generate continued profits to fund the country’s weapons programs and to engage in espionage by stealing sensitive information, and, in some cases, to extort the victim company by threatening to leak the stolen information.
Last month, the cybersecurity firm Silent Push described the DPRK’s remote worker program as a “high revenue engine” for the regime, allowing threat actors to gain administrative access to sensitive code and establish long-term persistence within corporate infrastructure.
“Once their salaries are paid, DPRK IT workers transfer cryptocurrency through various money laundering techniques,” blockchain analysis firm Chainalysis noted in a report published in October 2025.
“One of the ways IT workers, and their money laundering counterparts, break the link between the source and destination of funds is by chain hopping and/or swapping tokens. They use smart contracts such as decentralized exchanges and bridge protocols to make it difficult to trace funds.”
To combat the threat, people who suspect that their identities are being misused in fraudulent job applications are advised to consider posting a warning on their social media accounts, as well as listing their official communication channels and a valid means of contacting them (e.g., a company email address).
“Always make sure that the accounts listed by the candidates are controlled by the email they provide,” the Security Alliance said. “A simple check like asking them to connect with you on LinkedIn will confirm their identity and account control.”
The revelations come as the Norwegian Police Security Service (PST) issued an advisory, saying they are aware of “several cases” in the past year where Norwegian businesses have been affected by IT staffing schemes.
“Businesses have been tricked into hiring what may be North Korean IT workers for home office positions,” PST said last week. “The income North Korean workers receive from these positions will likely pay for the country’s weapons and nuclear weapons program.”
Running alongside the IT worker program is another social engineering campaign called Contagious Interview, which uses fake recruiters to lure targets into an interview after approaching them on LinkedIn with job offers. The malicious phase of the attack begins when people posing as recruiters and hiring managers instruct targets to complete skill tests that lead to them running malicious code.
In one instance of an impersonation campaign targeting tech workers using a recruitment process similar to that of digital asset infrastructure company Fireblocks, threat actors allegedly asked candidates to compile a GitHub repository and run npm package installation commands to trigger malware execution.
“The campaign also used EtherHiding, a new technique that uses blockchain smart contracts to store and retrieve command-and-control infrastructure, making malicious payloads more resistant to takedown,” said security researcher Ori Hershko. “These steps triggered the release of malicious code hidden within the project. Executing the setup process led to the malware being downloaded and executed on the victim’s system, giving attackers access to the victim’s machine.”
In recent months, new variants of the Contagious Interview campaign have been seen using malicious Microsoft VS Code executable files to deploy JavaScript malware disguised as web fonts that eventually lead to the use of BeaverTail and InvisibleFerret, allowing continued access and theft of cryptocurrency wallets and browser credentials, according to reports from AbstractMalwa Security and OpenSource.
[Figure: RAT campaign for Koalemos]
Another variant of the attack chain, described by Panther, is suspected to involve the use of malicious npm packages to execute a modular JavaScript framework for a remote access Trojan (RAT) called Koalemos via a loader. The RAT is designed around a beacon loop that retrieves tasks from an external server, executes them, sends encrypted responses, and sleeps for a random amount of time before repeating.
It supports 12 different commands to perform file system operations, transfer files, run discovery commands (e.g., whoami), and execute arbitrary code. The names of other related packages are as follows:
- env-workflow-test
- sra-test-test
- sra-testing-test
- vg-medallia-digital
- vg-ccc-client
- vg-dev-env
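The lure in these campaigns is an `npm install` that silently runs code, so a useful pre-install check is to audit a repository's manifest for lifecycle scripts and for the package names listed above. The following is an added example written for this article, not code from Panther or any cited vendor; the sample `package.json` is constructed, and the set of flagged package names is taken from the list above.

```javascript
// Package names taken from the list above in the article.
const KNOWN_BAD_PACKAGES = new Set([
  "env-workflow-test", "sra-test-test", "sra-testing-test",
  "vg-medallia-digital", "vg-ccc-client", "vg-dev-env",
]);

// npm runs these scripts automatically during `npm install`, with no prompt,
// which is how a "skill test" repository can execute code on the candidate's machine.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Returns a list of findings for a package.json text; an empty list means nothing flagged.
function auditPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ kind: "lifecycle-script", name: hook, detail: scripts[hook] });
    }
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const deps = pkg[field] || {};
    for (const name of Object.keys(deps)) {
      if (KNOWN_BAD_PACKAGES.has(name)) {
        findings.push({ kind: "known-bad-dependency", name, detail: deps[name] });
      }
    }
  }
  return findings;
}

// Constructed sample manifest resembling a recruiter-supplied "skill test" project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "skill-test",
  scripts: { build: "tsc", postinstall: "node ./setup.js" },
  dependencies: { express: "^4.19.2", "vg-dev-env": "^1.0.3" },
});

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.kind}: ${f.name} -> ${f.detail}`);
}
```

Run it against the manifest of any repository you are asked to build before installing; a hit on either check is reason to stop and inspect the scripts and packages by hand.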
“The first loader performs DNS-based gateway and engagement validation before downloading and executing the RAT module as a separate process,” said security researcher Alessandra Rizzo. “Koalemos fingerprints the system, establishes encrypted command-and-control communications, and provides remote access capabilities.”
Labyrinth Chollima Segments into Specialized Functional Units
The development comes as CrowdStrike revealed that the North Korean hacking group known as Labyrinth Chollima has evolved into three separate groups with different goals and tradecraft: the core group Labyrinth Chollima, Golden Chollima (also known as AppleJeus, Citrine Sleet, and UNC4736), and Pressure Chollima (also known as TraderTraitor and UNC4899).
It is worth noting that Labyrinth Chollima, along with Andariel and BlueNoroff, is considered a sub-group of the Lazarus Group (also known as Diamond Sleet and Hidden Cobra), and that BlueNoroff splits into TraderTraitor and CryptoCore (also known as Sapphire Sleet), according to an analysis from DTEX.
Despite gaining new autonomy, these units continue to share tools and infrastructure, suggesting centralized coordination and resource sharing within the DPRK’s cyber apparatus. Golden Chollima focuses on consistent, small-scale theft of cryptocurrency in highly developed economies, while Pressure Chollima pursues high-value heists through advanced intrusions against organizations holding valuable digital assets.
[Figure: New collections of North Korea]
Labyrinth Chollima’s operations, on the other hand, are motivated by cyber espionage, using tools like the FudModule rootkit to achieve stealth. The latter has allegedly been delivered through Operation Dream Job, another job-themed social engineering campaign designed to deploy malware for intelligence gathering.
“Shared infrastructure features and cross-pollination of tools mean these units are ultimately interoperable,” CrowdStrike said. “All three adversaries use strikingly similar tradecraft – including supply chain compromises, HR-themed social engineering campaigns, trojanized legitimate software, and malicious Node.js and Python packages.”