{"id":17149,"date":"2025-12-04T11:51:50","date_gmt":"2025-12-04T11:51:50","guid":{"rendered":"\/cybersecurity-blog\/?p=17149"},"modified":"2025-12-08T09:35:07","modified_gmt":"2025-12-08T09:35:07","slug":"lazarus-group-it-workers-investigation","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/","title":{"rendered":"Smile,\u00a0You&#8217;re\u00a0on\u00a0Camera:\u00a0A\u00a0Live\u00a0Stream from Inside\u00a0Lazarus Group\u2019s\u00a0IT Workers\u00a0Scheme\u00a0"},"content":{"rendered":"\n<p><strong><em>Editor\u2019s note:&nbsp;<\/em><\/strong><em>This work is a collaboration between Mauro&nbsp;Eldritch from&nbsp;BCA LTD, a company dedicated to threat intelligence and hunting, Heiner&nbsp;Garc\u00eda from&nbsp;NorthScan,&nbsp;a threat intelligence initiative uncovering North Korean IT worker infiltration, and&nbsp;<\/em><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a><em>, the leading company in malware analysis and threat intelligence<\/em>. <\/p>\n\n\n\n<p><em>The article was written by Mauro and Heiner.<\/em><\/p>\n\n\n\n<p>In this article,&nbsp;we&#8217;ll&nbsp;uncover an entire&nbsp;<strong>North Korean infiltration operation<\/strong>&nbsp;aimed at deploying&nbsp;<a href=\"https:\/\/www.reuters.com\/legal\/government\/doj-announces-arrest-indictments-north-korean-it-worker-scheme-2025-06-30\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>remote IT workers<\/strong><\/a>&nbsp;across different companies in the American&nbsp;<strong>financial and crypto\/Web3 sectors<\/strong>, with the&nbsp;objective&nbsp;of conducting&nbsp;<strong>corporate&nbsp;espionage&nbsp;<\/strong>and generating&nbsp;<strong>funding<\/strong>&nbsp;for the sanctioned regime. 
We attributed this effort to the&nbsp;<strong>state-sponsored APT<\/strong>&nbsp;(Advanced Persistent Threat)&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-attacks-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Lazarus<\/strong><\/a>, specifically the&nbsp;<a href=\"https:\/\/www.crowdstrike.com\/adversaries\/famous-chollima\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Famous Chollima<\/strong><\/a>&nbsp;division.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>North\u00a0Korean\u00a0operators\u00a0are\u00a0infiltrating\u00a0companies<\/strong>\u00a0by\u00a0posing\u00a0as\u00a0remote IT workers and\u00a0using\u00a0stolen\u00a0or\u00a0rented\u00a0identities.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Famous\u00a0Chollima\u00a0relies\u00a0on social engineering<\/strong>,\u00a0not\u00a0advanced\u00a0malware,\u00a0convincing\u00a0stories, pressure, and\u00a0identity\u00a0fraud\u00a0drive the\u00a0operation.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Recruitment\u00a0is\u00a0wide-scale<\/strong>,\u00a0using\u00a0GitHub spam, Telegram\u00a0outreach, and fake job-seeking\u00a0setups.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Victims\u00a0are\u00a0pushed\u00a0to hand over full\u00a0identity\u00a0data<\/strong>,\u00a0including\u00a0SSNs, bank accounts, and device access.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Extended\u00a0<\/strong><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u00a0sandbox<\/strong><\/a><strong>\u00a0environments\u00a0enabled\u00a0real-time monitoring<\/strong>, capturing every click, file action, and network 
request.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operators\u00a0used\u00a0a\u00a0predictable\u00a0toolkit<\/strong>,\u00a0including\u00a0AnyDesk, Google Remote Desktop, AI-based\u00a0interview\u00a0helpers, and OTP extensions.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Shared\u00a0infrastructure\u00a0and\u00a0repeated\u00a0mistakes<\/strong>\u00a0revealed\u00a0their\u00a0poor\u00a0operational\u00a0security and\u00a0overlapping\u00a0roles.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Controlled\u00a0crashes and resets\u00a0kept\u00a0them\u00a0contained<\/strong>,\u00a0preventing\u00a0any\u00a0real\u00a0malicious\u00a0activity\u00a0while\u00a0intelligence\u00a0was\u00a0gathered.\u00a0<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>The\u00a0investigation\u00a0provides\u00a0a rare inside\u00a0view<\/strong>\u00a0of\u00a0how\u00a0these\u00a0operatives\u00a0work,\u00a0communicate, and\u00a0attempt\u00a0to\u00a0maintain\u00a0access.\u00a0<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How the\u00a0Investigation\u00a0Was\u00a0Set Up\u00a0<\/h2>\n\n\n\n<p>We divided this effort into two stages: approaching one of their&nbsp;<strong>recruiters<\/strong>, building a trusted relationship, and receiving an offer to help them set up&nbsp;<strong>laptops<\/strong>&nbsp;&#8220;to work&#8221; (conducted by&nbsp;<strong>Heiner&nbsp;Garc\u00eda&nbsp;<\/strong>from<strong>&nbsp;NorthScan<\/strong>), and then setting up a simulated&nbsp;<strong>laptop farm<\/strong> using&nbsp;<strong>sandboxed environments<\/strong>&nbsp;provided by&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN<\/strong><\/a>, to record their activity in real-time and&nbsp;analyze&nbsp;their&nbsp;<strong>toolchain and 
TTPs<\/strong>&nbsp;(conducted by&nbsp;<strong>Mauro&nbsp;Eldritch<\/strong>&nbsp;from&nbsp;<strong>BCA LTD<\/strong>).&nbsp;<\/p>\n\n\n\n<p>Controlled&nbsp;crashes and resets&nbsp;kept&nbsp;them&nbsp;contained. This&nbsp;prevented any malicious&nbsp;activity.<\/p>\n\n\n\n<p>All interviews with DPRK agents and their activities on the laptop farm were recorded from start to finish, in an unprecedented effort that publicly documents their operations from the inside<strong>&nbsp;for the first time.<\/strong>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"591\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-1024x591.png\" alt=\"\" class=\"wp-image-17156\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-1024x591.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-300x173.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-768x444.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-1536x887.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-2048x1183.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-370x214.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-270x156.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/A-740x427.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>&#8220;Aaron&#8221; AKA &#8220;Blaze&#8221;,&nbsp;Recruiter&nbsp;for&nbsp;Famous&nbsp;Chollima<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 
class=\"wp-block-heading\">Introduction:&nbsp;The&nbsp;Spies&nbsp;<\/h2>\n\n\n\n<p><em>Introducing&nbsp;Famous&nbsp;Chollima&nbsp;|&nbsp;Mauro&nbsp;Eldritch&nbsp;(BCA&nbsp;LTD)<\/em>&nbsp;<\/p>\n\n\n\n<p>There&#8217;s&nbsp;a long story of cyber heists conducted by the&nbsp;<strong>Lazarus<\/strong>&nbsp;<strong>Group<\/strong>. They are among the&nbsp;<em>most creative<\/em>&nbsp;threat actors: from hacking&nbsp;<a href=\"https:\/\/www.bbc.com\/news\/articles\/c2kgndwwd7lo\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>cryptocurrency exchanges<\/strong><\/a>&nbsp;and&nbsp;<a href=\"https:\/\/www.fbi.gov\/news\/press-releases\/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>crypto bridges<\/strong><\/a>&nbsp;to conducting&nbsp;<a href=\"https:\/\/quetzal.bitso.com\/i\/144282227\/corporate-catfish\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>fake job interviews,<\/strong><\/a>&nbsp;they&#8217;ve&nbsp;done it all.&nbsp;<\/p>\n\n\n\n<p>Their&nbsp;<strong>social engineering<\/strong>&nbsp;tactics are often daring. In one scheme, they set up fake job interviews targeting&nbsp;<strong>crypto developers<\/strong>&nbsp;with&nbsp;<a href=\"https:\/\/phrack.org\/issues\/71\/3\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>malicious coding challenges<\/strong><\/a>. In another,&nbsp;they&nbsp;pose as&nbsp;<strong>fake&nbsp;VC&nbsp;investors<\/strong>&nbsp;targeting startups. During these calls, the &#8220;investors&#8221;&nbsp;<a href=\"https:\/\/news.mefiltraron.com\/p\/edicion-especial-como-domar-un-chollima\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>pretend they cannot hear the victims<\/strong><\/a>&nbsp;no&nbsp;matter&nbsp;what,&nbsp;suggesting&nbsp;to&nbsp;re-schedule&nbsp;the&nbsp;call&nbsp;later. 
Eventually, one participant shares a &#8220;Zoom fix&#8221;, and whilst panicking about&nbsp;losing their funding opportunity, the victims run it and&nbsp;<strong>infect themselves<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Over&nbsp;the last few&nbsp;years,&nbsp;I&#8217;ve&nbsp;analyzed&nbsp;different&nbsp;strains&nbsp;of their malware (and&nbsp;have even&nbsp;<a href=\"https:\/\/www.clarin.com\/tecnologia\/hecho-corea-norte-descubren-nuevo-virus-funciona-molotov-digital_0_fR36LRX5mj.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">discovered and named some of them myself<\/a>).&nbsp;<\/p>\n\n\n\n<p>None were particularly&nbsp;clever or&nbsp;sophisticated at all, but that taught me something important which is core to this research: when you&nbsp;fall for&nbsp;<strong>Lazarus<\/strong>, most of&nbsp;the time you&nbsp;don&#8217;t&nbsp;fall for zero days or complex exploit chains;&nbsp;<strong>you fall for&nbsp;<em>a good story<\/em><\/strong>. They may be mediocre programmers, but they are&nbsp;<strong>great&nbsp;actors,<\/strong>&nbsp;indeed.&nbsp;And&nbsp;this&nbsp;is&nbsp;what&nbsp;<strong>Famous&nbsp;Chollima<\/strong>&nbsp;is&nbsp;all&nbsp;about: (almost)&nbsp;<strong>no&nbsp;malware, pure&nbsp;acting<\/strong>.&nbsp;<\/p>\n\n\n\n<p>This division focuses on&nbsp;<strong>obtaining jobs in Western companies<\/strong>, especially in the&nbsp;<strong>finance<\/strong>,&nbsp;<strong>crypto<\/strong>&nbsp;and&nbsp;<strong>healthcare<\/strong>&nbsp;sectors, but has recently expanded its operations to include the&nbsp;<a href=\"https:\/\/www.wired.com\/story\/north-korean-scammers-are-doing-architectural-design-now\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>civil engineering and architecture sectors<\/strong><\/a>. 
Once inside the&nbsp;organizations, they may conduct&nbsp;<strong>corporate&nbsp;espionage,<\/strong>&nbsp;whilst also obtaining clean funds that are&nbsp;ultimately&nbsp;channeled&nbsp;back to the&nbsp;<strong>Democratic People&#8217;s Republic of Korea<\/strong>, a sanctioned regime. It is believed that these funds&nbsp;ultimately go&nbsp;towards the&nbsp;<a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sm774\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>development of their ballistic missiles programme<\/strong><\/a>.&nbsp;<\/p>\n\n\n\n<p>To obtain the jobs,&nbsp;two methods of operation become clear: the first where the&nbsp;<strong>threat actors&nbsp;<\/strong><a href=\"https:\/\/quetzalteam.substack.com\/p\/interview-with-the-chollima-iii\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>steal identities and CVs<\/strong><\/a>&nbsp;from other engineers&nbsp;<a href=\"https:\/\/quetzalteam.substack.com\/p\/interview-with-the-chollima-iv\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>and attend meetings themselves<\/strong><\/a>, in a daredevil stunt that was&nbsp;<a href=\"https:\/\/quetzalteam.substack.com\/p\/interview-with-the-chollima-vi\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>highly observed<\/strong><\/a>&nbsp;during this investigation; and the second one where&nbsp;<strong>they lure engineers<\/strong>&nbsp;(especially junior ones)&nbsp;<a href=\"https:\/\/quetzalteam.substack.com\/p\/interview-with-the-chollima-v\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>into &#8220;working for them&#8221;<\/strong><\/a>.<\/p>\n\n\n\n<p>They declare having a company of 10 or so developers and only need the&nbsp;victim&nbsp;engineer to&nbsp;<strong>attend the interviews on their behalf<\/strong>,&nbsp;while&nbsp;receiving technical help to pass them.&nbsp;If hired, the victim receives a 35% cut of the monthly salary, while the operatives handle the actual work through \u201cghost 
developers.\u201d&nbsp;<\/p>\n\n\n\n<p>The engineer&nbsp;has to&nbsp;accept the offer,&nbsp;<strong>receive the company equipment (laptop)&nbsp;<\/strong>and allow one of the &#8220;ghost developers&#8221; to remotely log in to &#8220;work&#8221;.&nbsp;Amongst his few responsibilities are&nbsp;<strong>attending the daily stand-ups<\/strong>&nbsp;and&nbsp;<strong>taking occasional calls where he should show his face<\/strong>.&nbsp;<\/p>\n\n\n\n<p>While&nbsp;the offer seems tempting for many, the engineer is&nbsp;actually&nbsp;<strong>renting&nbsp;out their own&nbsp;identity<\/strong>&nbsp;and&nbsp;will&nbsp;ultimately be&nbsp;<strong>the sole person responsible for any material, intellectual,&nbsp;reputational&nbsp;or monetary damage<\/strong>&nbsp;done to the&nbsp;victim&nbsp;companies.&nbsp;<\/p>\n\n\n\n<p>Federal agencies have already&nbsp;<a href=\"https:\/\/www.reuters.com\/legal\/government\/doj-announces-arrest-indictments-north-korean-it-worker-scheme-2025-06-30\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>conducted arrests<\/strong><\/a>&nbsp;for these operations and are&nbsp;<a href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>actively looking to disband both laptop farms and IT worker clusters<\/strong><\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-1024x1024.png\" alt=\"\" class=\"wp-image-17209\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-300x300.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-2048x2048.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/lazarus_photos-1-740x740.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Photos of Lazarus IT workers<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>During my time leading&nbsp;&nbsp;<strong>Bitso&#8217;s&nbsp;Quetzal Team<\/strong>&nbsp;(LATAM&#8217;s first Web3 Threats Research Team) I managed to document our encounters with different&nbsp;<strong>Lazarus<\/strong>&nbsp;divisions, be it in the form of them trying to&nbsp;<a href=\"https:\/\/www.youtube.com\/watch?v=DB6yDJeb6U8\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>trick us into running malware<\/strong><\/a>&nbsp;or this newer division&nbsp;<a href=\"https:\/\/quetzal.bitso.com\/p\/interview-with-the-chollima-ii\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>attempting to get a job with us<\/strong><\/a>. 
For this last case, I documented an extended saga which I titled &#8220;<a href=\"https:\/\/quetzal.bitso.com\/p\/interview-with-the-chollima\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Interview with the Chollima<\/strong><\/a>&#8221; where we recorded them when&nbsp;interacting and gathering intelligence.&nbsp;&nbsp;<\/p>\n\n\n\n<p>For now, this should be enough of an introduction to our hosts today. They are not monsters;&nbsp;they are&nbsp;<strong>normal<\/strong>&nbsp;people amongst us, just a few clicks and a job posting away from entering our lives or&nbsp;<strong>becoming a<\/strong>&nbsp;<strong>coworker<\/strong>.&nbsp;<\/p>\n\n\n\n<p>So,&nbsp;for the next chapter, we need that to happen.&nbsp;<strong>One of us needs to be recruited<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Heiner&nbsp;took that role; the bravest among us!&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter&nbsp;I:&nbsp;The&nbsp;Rookie&nbsp;<\/h2>\n\n\n\n<p><em>Getting&nbsp;recruited&nbsp;by&nbsp;Famous&nbsp;Chollima&nbsp;|&nbsp;Heiner Garc\u00eda (NorthScan)<\/em>&nbsp;<\/p>\n\n\n\n<p>The first approach with their recruiter was via&nbsp;<strong>GitHub<\/strong>. 
A cluster of accounts was&nbsp;<strong>spamming<\/strong>&nbsp;<strong>repositories<\/strong>&nbsp;with a strange message:&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>I&nbsp;have&nbsp;reviewed&nbsp;your&nbsp;Github&nbsp;and LinkedIn&nbsp;profile.&nbsp;<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>Really&nbsp;appreacited&nbsp;at&nbsp;your&nbsp;good&nbsp;skills.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>I&#8217;d&nbsp;like&nbsp;to&nbsp;offer&nbsp;your&nbsp;an&nbsp;opportunity&nbsp;that&nbsp;I&nbsp;think&nbsp;could&nbsp;be&nbsp;interesting.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>I run a US-based&nbsp;job&nbsp;hunting&nbsp;business, and I&nbsp;noticed&nbsp;you&nbsp;had&nbsp;experience&nbsp;working&nbsp;with&nbsp;US&nbsp;companies.&nbsp;Here&#8217;s&nbsp;the&nbsp;idea:<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>I&nbsp;tipically&nbsp;have&nbsp;about&nbsp;4 interviews per&nbsp;day,&nbsp;which&nbsp;is&nbsp;getting&nbsp;difficult&nbsp;to&nbsp;manage,&nbsp;I&#8217;m&nbsp;looking&nbsp;for&nbsp;someone&nbsp;to&nbsp;attend&nbsp;these&nbsp;interviews&nbsp;on&nbsp;my&nbsp;behalf,&nbsp;using&nbsp;my&nbsp;name&nbsp;and resume.&nbsp;If&nbsp;you&#8217;re&nbsp;interested,&nbsp;this&nbsp;could&nbsp;be a&nbsp;great&nbsp;way&nbsp;for&nbsp;you&nbsp;to&nbsp;increase&nbsp;your&nbsp;income.&nbsp;Here&#8217;s&nbsp;how&nbsp;itwould&nbsp;work:<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>You&nbsp;would&nbsp;handle&nbsp;the&nbsp;technical&nbsp;interviews (topics&nbsp;could&nbsp;range&nbsp;from&nbsp;.NET, Java, C#, Python, JavaScript, Ruby,&nbsp;Golang,&nbsp;Blockchain,&nbsp;etc).<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>Don&#8217;t&nbsp;worry&nbsp;about&nbsp;the&nbsp;questions; I 
can&nbsp;assist&nbsp;you&nbsp;on&nbsp;how&nbsp;to&nbsp;respond&nbsp;to&nbsp;interviewers&nbsp;effectively.&nbsp;If&nbsp;the&nbsp;interview&nbsp;goes&nbsp;well&nbsp;and&nbsp;we&nbsp;receive&nbsp;an&nbsp;offer,&nbsp;I&#8217;ll&nbsp;manage&nbsp;the&nbsp;background&nbsp;check&nbsp;process&nbsp;and&nbsp;all&nbsp;other&nbsp;formalities.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>After&nbsp;securing&nbsp;the&nbsp;job,&nbsp;you&nbsp;could&nbsp;either&nbsp;work&nbsp;on&nbsp;the&nbsp;project&nbsp;yourself&nbsp;or&nbsp;simply&nbsp;handle&nbsp;the&nbsp;daily&nbsp;standup&nbsp;meetings, as I&nbsp;have&nbsp;a&nbsp;team&nbsp;of&nbsp;5&nbsp;experienced&nbsp;developers&nbsp;who&nbsp;can&nbsp;cover&nbsp;the&nbsp;technical&nbsp;work.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>As&nbsp;for&nbsp;the&nbsp;pay,&nbsp;we&nbsp;can&nbsp;split&nbsp;the&nbsp;salary, and&nbsp;you&nbsp;can&nbsp;expect&nbsp;to&nbsp;make&nbsp;around&nbsp;$3000 per&nbsp;month.&nbsp;Let&nbsp;me&nbsp;know&nbsp;if&nbsp;this&nbsp;opportunity&nbsp;interests&nbsp;you.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>Or&nbsp;if&nbsp;you&nbsp;know&nbsp;someone&nbsp;in&nbsp;your&nbsp;network&nbsp;who&nbsp;might&nbsp;be&nbsp;interested,&nbsp;please&nbsp;refer&nbsp;them&nbsp;to&nbsp;me, and&nbsp;I&#8217;ll&nbsp;compensate&nbsp;you&nbsp;for&nbsp;the&nbsp;referral. 
And&nbsp;then&nbsp;let&nbsp;me&nbsp;explain&nbsp;more&nbsp;details<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>Best&nbsp;regards,&nbsp;Neyma&nbsp;Diaz<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>[Link&nbsp;to&nbsp;Calendly]<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>When&nbsp;you&nbsp;are free,&nbsp;schedule&nbsp;the&nbsp;meeting&nbsp;here, I&nbsp;look&nbsp;forward&nbsp;to&nbsp;hearing&nbsp;from&nbsp;you&nbsp;soon.&nbsp;Thank&nbsp;you.<\/em>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"726\" height=\"627\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/B.png\" alt=\"\" class=\"wp-image-17159\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/B.png 726w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/B-300x259.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/B-370x320.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/B-270x233.png 270w\" sizes=\"(max-width: 726px) 100vw, 726px\" \/><figcaption class=\"wp-element-caption\"><em>Famous&nbsp;Chollima&nbsp;recruiters&nbsp;openly&nbsp;phishing&nbsp;for&nbsp;collaborators<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This generic message was&nbsp;<strong>publicly<\/strong>&nbsp;sent to dozens of developers as&nbsp;<strong>pull requests&nbsp;<\/strong>on their own repositories, which could be easily listed by browsing the&nbsp;spammer&#8217;s&nbsp;account or by searching GitHub globally for a couple of the strings contained in it.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"675\" height=\"594\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/C.png\" alt=\"\" class=\"wp-image-17160\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/C.png 675w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/C-300x264.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/C-370x326.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/C-270x238.png 270w\" sizes=\"(max-width: 675px) 100vw, 675px\" \/><figcaption class=\"wp-element-caption\"><em>List&nbsp;of&nbsp;pull&nbsp;requests&nbsp;opened&nbsp;by&nbsp;the&nbsp;spam&nbsp;accounts<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Since the spam seemed&nbsp;<strong>massive rather than targeted<\/strong>&nbsp;(unlike spear-phishing efforts), I inferred that traceability of the contacted profiles would be poor or non-existent.&nbsp;So,&nbsp;the next step was to&nbsp;<strong>impersonate<\/strong>&nbsp;one of the previously contacted individuals. The lucky&nbsp;draw&nbsp;was a developer named&nbsp;<strong>Andy Jones<\/strong>.&nbsp;<\/p>\n\n\n\n<p>To replicate him, a new profile account was created, closely resembling the one used by the legitimate GitHub profile. 
I reviewed Andy&#8217;s public repositories and associated information to ensure consistency during interactions, reinforcing the impression that our account was a U.S.-based developer, making the persona more attractive as a potential recruitment candidate.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"712\" height=\"468\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/D.png\" alt=\"\" class=\"wp-image-17161\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/D.png 712w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/D-300x197.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/D-370x243.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/D-270x177.png 270w\" sizes=\"(max-width: 712px) 100vw, 712px\" \/><figcaption class=\"wp-element-caption\"><em>Calendly meeting scheduled<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In the&nbsp;initial&nbsp;meeting, the strategy was to keep the webcam turned off to introduce a mild sense of distrust, simulating natural hesitation. 
This was followed by a question&nbsp;regarding&nbsp;ethnicity, explicitly asking &#8220;<em>are you a black man?<\/em>&#8220;.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"438\" height=\"623\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/E.png\" alt=\"\" class=\"wp-image-17162\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/E.png 438w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/E-211x300.png 211w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/E-370x526.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/E-270x384.png 270w\" sizes=\"(max-width: 438px) 100vw, 438px\" \/><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"438\" height=\"620\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/F.png\" alt=\"\" class=\"wp-image-17163\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/F.png 438w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/F-212x300.png 212w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/F-370x524.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/F-270x382.png 270w\" sizes=\"(max-width: 438px) 100vw, 438px\" \/><figcaption class=\"wp-element-caption\"><em>Telegram conversation with Aaron<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>On a second call, which lasted approximately 20 minutes, the primary&nbsp;objective&nbsp;was to adopt a&nbsp;naive&nbsp;posture, appearing unaware of the broader context or implications of the interaction.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"582\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/G-large-1024x582.jpeg\" alt=\"\" class=\"wp-image-17164\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/G-large-1024x582.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/G-large-300x171.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/G-large-768x437.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/G-large-370x210.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/G-large-270x154.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/G-large-740x421.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/G-large.jpeg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Aaron, Recruiter for Famous Chollima<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This approach encouraged the&nbsp;threat&nbsp;actor to share detailed instructions and elaborate on their intentions&nbsp;regarding&nbsp;the use of the (impersonated) identity. 
By asking seemingly&nbsp;<em>innocent<\/em>&nbsp;but&nbsp;<em>targeted<\/em>&nbsp;questions, I aimed to extract as much information on the operation as possible while&nbsp;maintaining&nbsp;the illusion of trust and compliance.&nbsp;<\/p>\n\n\n\n<p>We briefly discuss the ICE situation, my visa status, and then he asks for&nbsp;<strong>access to my laptop 24\/7<\/strong>&nbsp;so that &#8220;he can work remotely from it.&#8221;&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #1: Asks for laptop remote\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/Crv9FubepEg?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Aaron, Recruiter for Famous Chollima<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/Crv9FubepEg\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<p>He&nbsp;also&nbsp;explains that he will need my&nbsp;<strong>ID, full name, visa&nbsp;status,&nbsp;and address<\/strong>&nbsp;to&nbsp;apply&nbsp;to&nbsp;interviews on my behalf.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The interviewer then explains that I will handle the interviews myself with his full support, adding that he will help me set up LinkedIn, prepare my CV, and schedule the calls. 
He offers a&nbsp;<strong>20% cut<\/strong>&nbsp;if I&nbsp;<strong>act as the&nbsp;frontman<\/strong>, or&nbsp;<strong>10%<\/strong>&nbsp;if he only&nbsp;<strong>uses my information and laptop<\/strong>&nbsp;while he conducts the interviews himself.&nbsp;<\/p>\n\n\n\n<p>He then walks through the payment methods, mentioning bank details and&nbsp;<strong>Payoneer&nbsp;or PayPal account<\/strong>s, and asks for my&nbsp;<strong>Social Security Number<\/strong>&nbsp;for background checks, stressing that having a clean criminal record is \u201cvery critical.\u201d Next, he tells me not to worry about setting up the laptop, as he will download&nbsp;everything&nbsp;he needs himself.&nbsp;<\/p>\n\n\n\n<p>Next, he mentions that I will need to verify all accounts with my documents on various platforms to meet&nbsp;<strong>KYC requirements<\/strong>, and he asks me to download&nbsp;<strong>AnyDesk<\/strong>, a popular remote desktop tool. <\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #4: Asks for verification of documents and download anydesk and negotiates payment\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/QsINHG1SUL8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Aaron asks me to download&nbsp;AnyDesk<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/QsINHG1SUL8\" target=\"_blank\" rel=\"noreferrer noopener\">Watch the video on YouTube<\/a><\/p>\n\n\n\n<p>I tell him I also have another laptop he can use, and we go back and forth as he asks me to \u201cremove my background\u201d so he can see the machine more clearly. 
I refuse, saying my room is messy.&nbsp;<\/p>\n\n\n\n<p>Then, we&nbsp;discuss how to set up my environment to start working straight away. He&nbsp;says&nbsp;he has no preference&nbsp;regarding&nbsp;the operating system.&nbsp;<\/p>\n\n\n\n<p>I&nbsp;apologize&nbsp;for&nbsp;keeping him up&nbsp;late&nbsp;and he&nbsp;replies&nbsp;that &#8220;<em>he works&nbsp;from&nbsp;different time zones,&nbsp;so it&#8217;s ok<\/em>&#8220;.&nbsp;<\/p>\n\n\n\n<p>We agree to install&nbsp;AnyDesk&nbsp;so he can walk me through everything step by step.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed aligncenter is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #5: Discuss seting up the laptop\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/Kug15Cd0qMs?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Aaron discusses my setup<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/Kug15Cd0qMs\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<p>We&nbsp;continue&nbsp;chatting&nbsp;on&nbsp;<strong>Telegram<\/strong>.&nbsp;The&nbsp;next&nbsp;day&nbsp;he&nbsp;plans&nbsp;to&nbsp;look&nbsp;for&nbsp;jobs&nbsp;with my&nbsp;LinkedIn&nbsp;profile.<\/p>\n\n\n\n<p>He&nbsp;then&nbsp;shares&nbsp;the&nbsp;sectors&nbsp;he\u2019s&nbsp;interested&nbsp;in targeting:&nbsp;<strong>IT,&nbsp;fintech, e-commerce, and&nbsp;healthcare.<\/strong>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"489\" height=\"592\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/H.png\" 
alt=\"\" class=\"wp-image-17165\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/H.png 489w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/H-248x300.png 248w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/H-370x448.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/H-270x327.png 270w\" sizes=\"(max-width: 489px) 100vw, 489px\" \/><figcaption class=\"wp-element-caption\"><em>Sectors targeted by Famous Chollima<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Later&nbsp;that&nbsp;day,&nbsp;we&nbsp;do a final&nbsp;review&nbsp;of&nbsp;our&nbsp;terms,&nbsp;agreeing&nbsp;that&nbsp;I&nbsp;will&nbsp;receive&nbsp;a&nbsp;<strong>20%&nbsp;cut<\/strong>&nbsp;and share&nbsp;access&nbsp;to&nbsp;Gmail, LinkedIn,&nbsp;bank&nbsp;accounts,&nbsp;my&nbsp;SSN, and&nbsp;any&nbsp;background-check&nbsp;information. After&nbsp;that, he&nbsp;asks&nbsp;me&nbsp;to&nbsp;set \u201c123qwe!#QWE\u201d as&nbsp;the&nbsp;password&nbsp;for&nbsp;AnyDesk.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"420\" height=\"628\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/I.png\" alt=\"\" class=\"wp-image-17166\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/I.png 420w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/I-201x300.png 201w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/I-370x553.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/I-270x404.png 270w\" sizes=\"(max-width: 420px) 100vw, 420px\" \/><figcaption class=\"wp-element-caption\"><em>Final review of our terms<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>I&nbsp;took some time off while Mauro and&nbsp;<a 
href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;set up the farm, so I had to&nbsp;come up with&nbsp;an excuse. In a follow-up meeting, Aaron tells me not to disappear and to stay in touch on Telegram, saying that&nbsp;<strong>communication is important<\/strong>&nbsp;and that he wants to be connected to me&nbsp;<strong>24\/7<\/strong>. He again asks me to set a specific password on&nbsp;AnyDesk&nbsp;and keep the machine available around the clock. I tell him I&nbsp;will and&nbsp;jokingly ask him not to peek at my photos. We share a laugh, and he assures me he&nbsp;won\u2019t&nbsp;do anything outside \u201chis work.\u201d&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed aligncenter is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #6: Asks to connect 24 7 and set a password for anydesk\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/PXsV7YpZvzk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Aaron requests 24\/7 machine availability<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/PXsV7YpZvzk\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<p>Then, I&nbsp;allow&nbsp;him&nbsp;to&nbsp;connect&nbsp;to&nbsp;my&nbsp;&#8220;laptop.&#8221;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter&nbsp;II:&nbsp;The&nbsp;Farm&nbsp;<\/h2>\n\n\n\n<p><em>Trapping&nbsp;Famous&nbsp;Chollima&nbsp;|&nbsp;Mauro&nbsp;Eldritch&nbsp;(BCA 
LTD),&nbsp;ANY.RUN<\/em>&nbsp;<\/p>\n\n\n\n<p>We never had spare laptops for them.&nbsp;<strong>It was a bluff&nbsp;<\/strong>to earn their trust. Our actual plan was to steer them into a&nbsp;<strong>controlled environment<\/strong>, a sandbox,&nbsp;so we could&nbsp;monitor&nbsp;everything they did in real time.&nbsp;<\/p>\n\n\n\n<p>Our obvious choice was&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN<\/strong>&#8217;s&nbsp;malware&nbsp;sandbox<\/a>,&nbsp;which we had&nbsp;already used to analyze&nbsp;previous&nbsp;DPRK samples (<strong>QRLog, Docks,&nbsp;InvisibleFerret,&nbsp;BeaverTail,&nbsp;OtterCookie,&nbsp;ChaoticCapybara, and&nbsp;PyLangGhostRAT<\/strong>).&nbsp;<\/p>\n\n\n\n<p>But there was one limitation: the standard sandbox sessions were not designed to run for more&nbsp;than about&nbsp;half an hour: enough for malware analysis, but not enough to convince state-sponsored operators that they were using a real machine.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-1024x579.png\" alt=\"\" class=\"wp-image-17167\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-2048x1159.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-370x209.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/J-740x419.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A normal ANY.RUN&nbsp;instance<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>While this could have been an obstacle, we reached out to ANY.RUN, and they arranged extended-runtime instances for us.&nbsp;<\/p>\n\n\n\n<p>In an unprecedented&nbsp;effort, 
and&nbsp;delivered in record time, they provided a&nbsp;<strong>special version of the sandbox<\/strong>&nbsp;that could run for hours, complete with&nbsp;<strong>pre-installed development tools and a realistic usage history<\/strong>&nbsp;to mimic a laptop actively used by a real developer.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-1024x577.png\" alt=\"\" class=\"wp-image-17168\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-1024x577.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-1536x865.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-2048x1154.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/K-740x417.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Our&nbsp;special&nbsp;ANY.RUN&nbsp;instance<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This setup was enough to trap the&nbsp;Chollimas&nbsp;inside and extract as much information as possible; from the files they opened, downloaded, or&nbsp;modified, to their network activity (including their IP addresses and contacted servers), to every single click they made. 
Everything was broadcast and recorded in real time for us to&nbsp;observe.&nbsp;<\/p>\n\n\n\n<p>It was time to open the farm and let them in.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Chapter&nbsp;III:&nbsp;The&nbsp;Watchers&nbsp;<\/h2>\n\n\n\n<p><em>Spying&nbsp;on&nbsp;Famous&nbsp;Chollima&nbsp;|&nbsp;Mauro&nbsp;Eldritch&nbsp;(BCA LTD),&nbsp;ANY.RUN, Heiner Garc\u00eda (NorthScan)<\/em>&nbsp;<\/p>\n\n\n\n<p>For this experiment we instantiated multiple&nbsp;<strong>sandboxed environments<\/strong>:&nbsp;some featuring a normal&nbsp;<strong>Windows 10<\/strong>&nbsp;with basic apps and config, and another one with&nbsp;<strong>Windows 11<\/strong>&nbsp;and&nbsp;<strong>pre-installed user-land software<\/strong>&nbsp;to make it look like a real developer\u2019s personal laptop.&nbsp;<\/p>\n\n\n\n<p>The environments were routed through a residential proxy to create the appearance of&nbsp;being located in&nbsp;the&nbsp;<strong>United States<\/strong>, matching the threat actors\u2019 preference for U.S.-based developers.&nbsp;<\/p>\n\n\n\n<p>In addition, we could&nbsp;monitor&nbsp;their<strong>&nbsp;screen, network, and file system activity in real time<\/strong>&nbsp;without them noticing, and we had&nbsp;<strong>full control<\/strong>&nbsp;over the machines at any moment. 
This allowed us to disconnect them from the internet while keeping their remote desktop session active (simply blocking their ability to browse) or even force-shutdown the machines to prevent them from carrying out any&nbsp;real malicious&nbsp;activity against third parties.&nbsp;<\/p>\n\n\n\n<p>We divided these recordings into &#8220;<strong>tapes<\/strong>&#8221; to make it easier to appreciate their&nbsp;behaviour.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tape 1:&nbsp;The&nbsp;Planning&nbsp;<\/h3>\n\n\n\n<p><strong>Note: Some tapes have been edited for brevity, removing periods of inactivity.<\/strong>&nbsp;<\/p>\n\n\n\n<p>We set up the&nbsp;<strong>initial&nbsp;laptop<\/strong>&nbsp;(Windows 11) following the instructions received from the recruiter and setting the password&nbsp;designated&nbsp;by him. A few minutes later, &#8220;<strong>Blaze<\/strong>&#8221; (<strong>Aaron<\/strong>, our recruiter) connects via&nbsp;<strong>AnyDesk<\/strong>&nbsp;and starts&nbsp;<strong>scouting the machine<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-1024x579.png\" alt=\"\" class=\"wp-image-17183\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-2048x1158.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-270x153.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/L-740x419.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;connects&nbsp;to&nbsp;our&nbsp;&#8220;laptop&#8221;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The first thing he does is run&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/DirectX_Diagnostic_Tool\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>DxDiag<\/strong><\/a>&nbsp;(DirectX Diagnostic Tool) to get&nbsp;<strong>a full report on the machine&#8217;s hardware<\/strong>. Having foreseen this possibility, we had prepared the machine to present standard hardware and drivers from well-known manufacturers,&nbsp;<strong>mimicking real components<\/strong> commonly found in home setups and laptops. DxDiag lists the system manufacturer and model, the display adapter, and driver names, so a stock hypervisor&#8217;s virtual GPU or vendor string would have exposed the sandbox immediately.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-1024x576.png\" alt=\"\" class=\"wp-image-17169\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-2048x1152.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/M-740x416.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>DxDiag&nbsp;showing&nbsp;common&nbsp;drivers 
and&nbsp;devices<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Next, he opened&nbsp;<strong>Google Chrome<\/strong>&nbsp;and visited the&nbsp;<strong>Gmail<\/strong>&nbsp;website. He went back to&nbsp;<strong>DxDiag<\/strong>&nbsp;and browsed through the different tabs, scouting the machine&#8217;s configuration, and then he set&nbsp;<strong>Chrome<\/strong>&nbsp;as the default browser.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-1024x577.png\" alt=\"\" class=\"wp-image-17170\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-1024x577.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-1536x865.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-2048x1153.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/N-740x417.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;sets Google Chrome as default browser<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Finally, he opened&nbsp;<strong>Visual Studio<\/strong>, played&nbsp;around&nbsp;and searched online for &#8220;<em>where is my location<\/em>&#8221; (sic). <\/p>\n\n\n\n<p>He&nbsp;was met&nbsp;with some&nbsp;<strong>CAPTCHAs<\/strong>. 
While&nbsp;he&nbsp;was&nbsp;busy&nbsp;sorting&nbsp;buses and&nbsp;staircases&nbsp;we&nbsp;started&nbsp;monitoring&nbsp;his&nbsp;network&nbsp;activity.&nbsp;<\/p>\n\n\n\n<p>He was connected from an IP address&nbsp;geolocated&nbsp;in the&nbsp;<strong>United&nbsp;Kingdom<\/strong>&nbsp;according&nbsp;to&nbsp;<a href=\"https:\/\/otx.alienvault.com\/indicator\/ip\/194.33.45.162\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">OTX<\/a>&nbsp;(and in the United&nbsp;States&nbsp;according to&nbsp;most&nbsp;other&nbsp;scanners), belonging to&nbsp;<strong>Astrill&nbsp;VPN<\/strong>, one of the&nbsp;<a href=\"https:\/\/gbhackers.com\/north-korean-workers-linked-astrill-vpn-ip-addresses\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">North Korean threat actors&#8217; favourite tools<\/a>. Geolocation of a commercial VPN egress is unreliable by design; the provider attribution is the stronger indicator.&nbsp;<\/p>\n\n\n\n<p>Then,&nbsp;we&nbsp;decided&nbsp;it&nbsp;was&nbsp;time&nbsp;to&nbsp;crash the machine.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-1024x577.png\" alt=\"\" class=\"wp-image-17171\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-1024x577.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-1536x865.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-2048x1154.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/O-740x417.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Blaze&nbsp;searches&nbsp;&#8220;where&nbsp;is&nbsp;my&nbsp;location&#8221;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>These&nbsp;crashes&nbsp;were&nbsp;<strong>intentional<\/strong>, both to prevent him from engaging in malicious activities and&nbsp;<strong>to<\/strong>&nbsp;<strong>delay his actions<\/strong>.&nbsp;<\/p>\n\n\n\n<p>The&nbsp;system&nbsp;remained&nbsp;unavailable&nbsp;until&nbsp;we&nbsp;manually&nbsp;started&nbsp;AnyDesk&nbsp;once&nbsp;again, and after&nbsp;every &#8220;recovery&#8221; we convinced him that a&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/System_Restore\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">System Restore<\/a>&nbsp;was needed, thus&nbsp;<strong>reversing any progress he made<\/strong>. This tactic helped us keep him in the loop for weeks.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #7: Tape 1   The Planning\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/hJ0PFjMIYRE?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Tape 1:&nbsp;Blaze&nbsp;scouting&nbsp;the&nbsp;fake&nbsp;laptop<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/hJ0PFjMIYRE\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tape 2: A&nbsp;Note&nbsp;for&nbsp;Andy&nbsp;<\/h3>\n\n\n\n<p>After the instance&nbsp;&#8220;crashed&#8221;&nbsp;we had an excuse to switch him to another &#8220;laptop&#8221;, this time running Windows 10,&nbsp;<strong>setting back all his progress<\/strong>. 
He started&nbsp;the same&nbsp;dance, changing his default browser&nbsp;to&nbsp;Chrome&nbsp;and looking up &#8220;<em>where is my location<\/em>&#8221;.&nbsp;<\/p>\n\n\n\n<p>Google started acting up, putting him into a&nbsp;<strong>never-ending CAPTCHA loop<\/strong>&nbsp;which he stoically endured, solving them patiently. He then opened&nbsp;a&nbsp;<strong>command-line interpreter<\/strong>&nbsp;and&nbsp;ran&nbsp;&#8220;<em>whoami<\/em>&#8221;, which returned&nbsp;the username &#8220;<em>admin<\/em>&#8221;, followed by &#8220;<em>systeminfo<\/em>&#8221;, which&nbsp;returned&nbsp;<strong>consistent information&nbsp;regarding&nbsp;the system&#8217;s hardware and software<\/strong>.&nbsp;<\/p>\n\n\n\n<p>He&nbsp;trusted&nbsp;the system and opened&nbsp;a&nbsp;<strong>Notepad<\/strong>&nbsp;window, where he left&nbsp;<strong>a note for &#8220;Andy&#8221;<\/strong>&nbsp;(Heiner&#8217;s alter ego):&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>Hi, Andy?<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>Are&nbsp;you&nbsp;there?<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>I am&nbsp;able&nbsp;to&nbsp;access&nbsp;to&nbsp;your&nbsp;laptop&nbsp;now.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>But&nbsp;you&nbsp;aren&#8217;t&nbsp;ready&nbsp;with&nbsp;your&nbsp;info, so I am&nbsp;not&nbsp;starting&nbsp;to&nbsp;work&nbsp;now.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>I&nbsp;want&nbsp;you&nbsp;to&nbsp;give&nbsp;me&nbsp;your&nbsp;all&nbsp;doc&nbsp;and&nbsp;info&nbsp;today&nbsp;so&nbsp;that&nbsp;I can&nbsp;start&nbsp;ASAP.<\/em>&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\"><em>And&nbsp;now,&nbsp;could&nbsp;you&nbsp;possibly&nbsp;log in&nbsp;your&nbsp;email and&nbsp;linkedin&nbsp;here&nbsp;in laptop?<\/em>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-1024x576.png\" alt=\"\" class=\"wp-image-17172\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-2048x1152.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/P-740x416.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&#8217;s&nbsp;note&nbsp;for&nbsp;Andy<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We left him&nbsp;<strong>waiting<\/strong>&nbsp;to test his patience. 
He&nbsp;didn&#8217;t&nbsp;insist,&nbsp;and we&nbsp;proceeded&nbsp;to crash this &#8220;laptop&#8221; as&nbsp;well,&nbsp;both to make him believe we had not caught his message and to&nbsp;<strong>delay him<\/strong>&nbsp;further.&nbsp;<\/p>\n\n\n\n<p>Every minute spent with us was one less minute scamming someone else.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #8: Tape 2   Note for Andy\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/0hxSKdA39gI?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>&nbsp;Blaze&nbsp;scouting&nbsp;the&nbsp;second&nbsp;fake&nbsp;laptop and&nbsp;leaving&nbsp;a note<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/0hxSKdA39gI\" target=\"_blank\" rel=\"noreferrer noopener\">Watch the video on YouTube<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tape 3:&nbsp;Incorrect&nbsp;Password&nbsp;<\/h3>\n\n\n\n<p>Another crash, another&nbsp;jump&nbsp;into an&nbsp;<strong>old system recovery point,&nbsp;<\/strong>which&nbsp;<strong>erased&nbsp;all his progress<\/strong>. 
We started&nbsp;<strong>putting pressure on him<\/strong>, asking what he was doing that crashed the system beyond repair,&nbsp;stating&nbsp;that a&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Blue_screen_of_death\" target=\"_blank\" rel=\"noreferrer noopener nofollow\"><strong>Blue Screen of Death<\/strong><\/a>&nbsp;appeared showing something&nbsp;<strong>related to the network<\/strong>,&nbsp;probably a&nbsp;misconfiguration or&nbsp;<strong>weird VPN usage on his side<\/strong>.&nbsp;<\/p>\n\n\n\n<p>He&nbsp;couldn&#8217;t&nbsp;respond satisfactorily to any of these claims and tried once again to log into the accounts. We provided&nbsp;<strong>incomplete information<\/strong>, trapping him in a&nbsp;<strong>login and&nbsp;CAPTCHA loop<\/strong>&nbsp;that lasted for&nbsp;almost an&nbsp;hour, while&nbsp;we extracted indicators of compromise and&nbsp;behavioral&nbsp;patterns.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #9: Tape 3   Incorrect Password\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/5biJZBD_rco?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;trapped&nbsp;in a&nbsp;login&nbsp;and CAPTCHA&nbsp;loop<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/5biJZBD_rco\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tape 4:&nbsp;Intruder&nbsp;<\/h3>\n\n\n\n<p>This time there was no crash involved and as a gesture of goodwill we built an&nbsp;<strong>autofix&nbsp;BAT 
script<\/strong>&nbsp;that&nbsp;would&nbsp;<strong>recover the workstation automatically<\/strong>&nbsp;if&nbsp;something&nbsp;occurred. We asked Blaze to be careful and gave him a sort of&nbsp;<strong>ultimatum<\/strong>&nbsp;to&nbsp;<strong>stop breaking our laptops<\/strong>&nbsp;and to&nbsp;<strong>start working ASAP<\/strong>, or the deal was off, putting more pressure on him.&nbsp;<\/p>\n\n\n\n<p>This&nbsp;seemed to strike&nbsp;a nerve,&nbsp;<strong>as another&nbsp;AnyDesk&nbsp;account<\/strong>&nbsp;by the name &#8220;<strong>Assassin<\/strong>&#8221;, unknown to us at the time,&nbsp;<strong>logged into the laptop<\/strong>. It went straight to Gmail and&nbsp;attempted&nbsp;to enter Andy&#8217;s account, even clicking on the &#8220;<em>Show password<\/em>&#8221; checkbox to verify the entered credentials. After&nbsp;failing to do&nbsp;so&nbsp;multiple&nbsp;times,&nbsp;<strong>Blaze himself remoted into the laptop<\/strong>. We believe he tried to offload the task to&nbsp;<strong>another affiliate<\/strong>&nbsp;who was (somehow) less savvy than him.&nbsp;<\/p>\n\n\n\n<p>He then&nbsp;proceeded&nbsp;to check the system settings and opened&nbsp;<strong>Chrome<\/strong>, searching for &#8220;<em>Chrome Download<\/em>&#8221;, like a senior person opening the&nbsp;<strong>Google<\/strong>&nbsp;app to search for &#8220;<em>Google<\/em>&#8221;.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-1024x579.png\" alt=\"\" class=\"wp-image-17173\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-768x435.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-2048x1159.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Q-740x419.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;using&nbsp;Chrome&nbsp;to&nbsp;search&nbsp;for&nbsp;Google Chrome<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Without him noticing, we&nbsp;<strong>removed the residential proxy<\/strong>&nbsp;and&nbsp;<strong>connected the machines through a German VPN<\/strong>&nbsp;server, so his Google search fell once again into&nbsp;<strong>CAPTCHA&nbsp;hell<\/strong>, and he was forced to solve at least six multiple-choice challenges before&nbsp;proceeding.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-1024x579.png\" alt=\"\" class=\"wp-image-17174\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-2048x1159.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-270x153.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/R-740x419.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;solving&nbsp;CAPTCHA&nbsp;challenges<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Once he was greeted by the German version of Google, he asked us what had happened. We told him that, to<strong>&nbsp;avoid the BSOD<\/strong>&nbsp;caused by something faulty in the network,&nbsp;<strong>we were trying a VPN&nbsp;<\/strong><em>&#8220;at router level&#8221;<\/em>. He complained that &#8220;<em>it&#8217;s not optimal<\/em>&#8221; and &#8220;<em>should be fixed<\/em>&#8221;, but decided to continue regardless.&nbsp;<\/p>\n\n\n\n<p>He searched for &#8220;<em>where is my location<\/em>&#8221; and &#8220;<em>where is my&nbsp;ip<\/em>&#8221; and finally jumped into&nbsp;<strong>LinkedIn<\/strong>. Well&#8230; the German version of LinkedIn. He tried the account and left it there. Checking the egress location before touching an account is part of his routine, and it is exactly the check our VPN swap tripped.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #10: Tape 4   Intruder\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/TOsqJdWlyqY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;and&nbsp;Assassin&nbsp;are&nbsp;forced&nbsp;to&nbsp;browse&nbsp;in German<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/TOsqJdWlyqY\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tape 5: 
Criminal&nbsp;Engineering&nbsp;<\/h3>\n\n\n\n<p>This time it worked. Blaze connected to the laptop and logged into&nbsp;<strong>his<\/strong>&nbsp;<strong>Google account<\/strong>, &#8220;<em>Aaron S<\/em>&#8221;, <strong>turning on the sync function<\/strong>&nbsp;and loading his profile,&nbsp;preferences&nbsp;and extensions into the browser.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-1024x612.png\" alt=\"\" class=\"wp-image-17175\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-1024x612.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-768x459.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-1536x918.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-2048x1224.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/S-740x442.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;turns&nbsp;on&nbsp;the&nbsp;sync&nbsp;function&nbsp;on&nbsp;Chrome<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This granted&nbsp;us a first peek into the&nbsp;<strong>Famous Chollima toolset<\/strong>, which includes&nbsp;<strong>multiple AI tools<\/strong>&nbsp;like&nbsp;<strong>Simplify&nbsp;Copilot<\/strong>&nbsp;(to&nbsp;<strong>autofill job applications<\/strong>),&nbsp;<strong>AiApply<\/strong>&nbsp;(to&nbsp;<strong>automate<\/strong>&nbsp;<strong>job<\/strong>&nbsp;<strong>seeking<\/strong>), <strong>Final Round AI<\/strong>&nbsp;(which provides&nbsp;<strong>answers for your interview<\/strong>&nbsp;<strong>questions<\/strong>&nbsp;<strong>in real time<\/strong>) and&nbsp;<strong>Saved Prompts&nbsp;for&nbsp;GPT<\/strong>&nbsp;(to bookmark LLM prompts), the&nbsp;<strong>OTP.ee<\/strong>&nbsp;extension (or&nbsp;<strong>Authenticator.cc<\/strong>, an OTP generator) and last but not least,&nbsp;<strong>Chrome Remote Desktop<\/strong>. Chrome sync carries the extension set with the account, so signing that Google account into any fresh workstation redeploys the entire kit, remote access tooling and the OTP extension included; a single login told us this much.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-1024x612.png\" alt=\"\" class=\"wp-image-17176\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-1024x612.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-768x459.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-1536x918.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-2048x1224.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/T-740x442.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Simplify&nbsp;Copilot&nbsp;extension&nbsp;installed<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Next, he opened&nbsp;<strong>Chrome Remote Desktop<\/strong>. 
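<\/p>\n\n\n\n<p>The connection PIN that guards a Chrome Remote Desktop host is not stored in the clear: the host config (host.json, kept in the Chrome Remote Desktop folder under ProgramData on Windows) holds it as <em>hmac:<\/em> followed by base64(HMAC-SHA256(key = host_id, message = PIN)), as implemented in the Chromium remoting host source. The script below is an added example by the editor, not code from the original investigation or from Google: it builds a sample host.json in memory (made-up host_id, host name and account), then checks the stored hash against a short weak-PIN list, which catches the 123456 Blaze chose for this laptop. Only the hash format and the field names come from the Chromium source; the file location, the sample values and the weak-PIN list are assumptions, so verify them against your own host version before relying on the check.<\/p>\n\n\n\n
```python
import base64
import hashlib
import hmac
import json
from pathlib import Path

# Short list of PINs to try; 123456 is the one Blaze set on the laptop.
WEAK_PINS = ('123456', '000000', '111111', '123123', '654321', '12345678')


def make_pin_hash(host_id, pin):
    '''Recreate the Chrome Remote Desktop host_secret_hash format:
    the prefix hmac: plus base64(HMAC-SHA256(key=host_id, message=pin)).
    Taken from the pin_hash code of the Chromium remoting host; verify it
    against the host version you are looking at (assumption).'''
    digest = hmac.new(host_id.encode(), pin.encode(), hashlib.sha256).digest()
    return 'hmac:' + base64.b64encode(digest).decode()


def find_weak_pin(config, candidates=WEAK_PINS):
    '''Return the first candidate PIN whose hash matches the stored one,
    or None. Only the hmac: scheme is handled; anything else is skipped.'''
    stored = config.get('host_secret_hash', '')
    host_id = config.get('host_id', '')
    if not host_id or not stored.startswith('hmac:'):
        return None
    for pin in candidates:
        if hmac.compare_digest(make_pin_hash(host_id, pin), stored):
            return pin
    return None


def summarise(config):
    '''The fields a responder wants first: which Google account owns the
    host (xmpp_login), what the host calls itself, and whether the PIN
    is guessable.'''
    return {
        'host_name': config.get('host_name'),
        'owner': config.get('xmpp_login'),
        'weak_pin': find_weak_pin(config),
    }


def audit_file(path):
    '''Load a host.json from disk and summarise it. On Windows the file
    lives in the Chrome Remote Desktop folder under ProgramData (assumption).'''
    return summarise(json.loads(Path(path).read_text(encoding='utf-8')))


# Constructed sample: made-up host_id, host name and account. The hash is
# generated here from the PIN 123456 rather than copied from any real host.
SAMPLE_HOST_ID = 'c0ffee12-3456-7890-abcd-ef0123456789'
SAMPLE_CONFIG = {
    'host_id': SAMPLE_HOST_ID,
    'host_name': 'DESKTOP-HONEYPOT',
    'xmpp_login': 'aaron.s@example.com',
    'host_secret_hash': make_pin_hash(SAMPLE_HOST_ID, '123456'),
}

if __name__ == '__main__':
    print(summarise(SAMPLE_CONFIG))
```

<p>Two pivots worth checking on a live machine, both to be confirmed on your own build: the host runs as the Windows service named chromoting (display name Chrome Remote Desktop Service), and the headless setup Blaze drove from PowerShell runs remoting_start_host.exe with a one-time --code token. Either one on a laptop that is not supposed to be remotely administered deserves a look, and the owner address in host.json tells you which Google account will be on the other end.<\/p>\n\n\n\n<p>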
With his account already listing two other hosts, &#8220;<em>AARON-PC<\/em>&#8221; and &#8220;<em>Blaze<\/em>&#8221;, he set this laptop up from the&nbsp;<strong>command line<\/strong>&nbsp;and&nbsp;<strong>PowerShell<\/strong>, choosing &#8220;<em>123456<\/em>&#8221; as its&nbsp;<strong>connection PIN<\/strong>. Meanwhile, he checked&nbsp;his email account. For the company issuing such a laptop, that means anyone signed in to that Google account can reach the machine with the PIN alone, with nobody on the laptop having to accept the session.&nbsp;<\/p>\n\n\n\n<p>That was clearly the right moment for&nbsp;<strong>an unexpected crash<\/strong>.&nbsp;He was&nbsp;<strong>kicked<\/strong>&nbsp;off&nbsp;the&nbsp;laptop&nbsp;and we were left alone&nbsp;with his email account open.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #11: Tape 5   Criminal Engineering\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/2G3xhoLWAiU?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Tape 5:&nbsp;Blaze&nbsp;setting&nbsp;up&nbsp;the&nbsp;laptop&nbsp;for&nbsp;remote&nbsp;access<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/2G3xhoLWAiU\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tape 6:&nbsp;Eavesdropper&nbsp;<\/h3>\n\n\n\n<p>Blaze&nbsp;sent&nbsp;a&nbsp;<strong>Telegram<\/strong>&nbsp;message saying that &#8220;<em>he left his email account open<\/em>&#8221; and&nbsp;asked&nbsp;to&nbsp;<strong>please close it<\/strong>. 
Andy (Heiner) replied that it was already late and he would do it the&nbsp;next&nbsp;morning.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/U-large-1024x612.jpeg\" alt=\"\" class=\"wp-image-17177\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/U-large-1024x612.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/U-large-300x179.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/U-large-768x459.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/U-large-370x221.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/U-large-270x161.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/U-large-740x442.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/U-large.jpeg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&#8217;s&nbsp;email&nbsp;account<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We kept the machine&nbsp;<strong>offline<\/strong>&nbsp;so that he could not<strong>&nbsp;end the session remotely<\/strong>, and went through his email: we found&nbsp;<strong>multiple subscriptions to job-seeking platforms<\/strong>, looked over his&nbsp;<strong>extensions<\/strong>, and found several&nbsp;<strong>Slack workspaces<\/strong>&nbsp;and&nbsp;chats.&nbsp;He spoke regularly with an individual named&nbsp;<strong>Zeeshan&nbsp;Jamshed,&nbsp;<\/strong>who in&nbsp;an initial&nbsp;conversation&nbsp;said&nbsp;that he would be out for&nbsp;<em>Eid<\/em>, the Muslim holiday, and asked &#8220;<em>to have everything arranged by Monday<\/em>&#8221;, suggesting they were&nbsp;already&nbsp;working&nbsp;together,&nbsp;possibly at&nbsp;a company based in a&nbsp;Muslim-majority 
region.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-1024x612.png\" alt=\"\" class=\"wp-image-17178\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-1024x612.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-768x459.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-1536x918.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-2048x1224.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/V-740x442.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A&nbsp;conversation&nbsp;with&nbsp;Zeeshan&nbsp;Jamshed<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>As the conversations&nbsp;continued, the tone&nbsp;turned&nbsp;bitter.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-1024x612.png\" alt=\"\" class=\"wp-image-17179\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-1024x612.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-768x459.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-1536x918.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-2048x1224.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/W-740x442.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Another&nbsp;casual&nbsp;conversation&nbsp;with&nbsp;Zeeshan<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>First,&nbsp;<strong>Zeeshan<\/strong>&nbsp;mentioned&nbsp;routine things like having to&nbsp;make&nbsp;a call in a few minutes or wrapping up another meeting soon, but then he seemed&nbsp;to crack under his current reality.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-1024x612.png\" alt=\"\" class=\"wp-image-17180\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-1024x612.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-768x459.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-1536x918.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-2048x1224.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/X-740x442.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Zeeshan&nbsp;comments&nbsp;on&nbsp;wrapping&nbsp;a&nbsp;meeting<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Suddenly&nbsp;<strong>Zeeshan<\/strong>&nbsp;stated&nbsp;if they wanted&nbsp;to find &#8220;<em>some real jobs<\/em>&#8221; they&nbsp;had&nbsp;to&nbsp;focus on &#8220;<em>actual real companies and people&#8217;s interviews<\/em>&#8220;, and that he &#8220;<em>has done these [interviews] enough to know all these platforms are just a waste of time<\/em>&#8220;.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-1024x612.png\" alt=\"\" class=\"wp-image-17181\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-1024x612.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-768x459.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-1536x918.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-2048x1224.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Y-740x442.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Zeeshan&nbsp;rants&nbsp;about&nbsp;job&nbsp;seeking&nbsp;platforms<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>He ended&nbsp;his rant talking about the &#8220;<em>same 3 questions that&nbsp;keeps&nbsp;asking and asking for the rest of your lives<\/em>&#8220;. 
Whatever he meant by that, it was clearly something that kept him up at night.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #12: Tape 6   Eavesdropper\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/eb8rp_qYUdw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Tape 6:&nbsp;Reviewing&nbsp;Blaze&#8217;s&nbsp;correspondence<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/eb8rp_qYUdw\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tape 7:&nbsp;Fool&nbsp;me&nbsp;Twice&nbsp;<\/h3>\n\n\n\n<p>We told&nbsp;<strong>Blaze<\/strong>&nbsp;the&nbsp;<strong>Windows 11<\/strong>&nbsp;laptop was repaired and ready to use, so he was happy to hop on and&nbsp;<strong>log into all his accounts once again<\/strong>.&nbsp;<\/p>\n\n\n\n<p>After setting up his account again (<strong>turning on sync<\/strong>, which reinstalled his extensions), he went through his well-known waltz: searching for his&nbsp;<strong>location<\/strong>&nbsp;(this time correctly pinned in&nbsp;<strong>Texas, United States<\/strong>), setting up&nbsp;<strong>Chrome Remote Desktop<\/strong>, checking his&nbsp;<strong>email<\/strong>&nbsp;(without noticing anything odd after our inspection), and running into&nbsp;<strong>unrecoverable problems artificially caused by 
us<\/strong>.&nbsp;<\/p>\n\n\n\n<p>We tampered with the residential proxy and suddenly he was&nbsp;<strong>offline<\/strong>, with no way of reaching the internet. He started troubleshooting his way through the classic steps: reviewing the&nbsp;<strong>network adapter<\/strong>&nbsp;configuration, fiddling with the&nbsp;<strong>authentication settings<\/strong>, and even&nbsp;<strong>turning off IPv4 completely<\/strong>. Not for a second did he stop to ask&nbsp;<em>why<\/em>&nbsp;his remote session to a machine with no internet access kept working flawlessly. That detail alone should have told him that something about the environment did not add up.&nbsp;<\/p>\n\n\n\n<p>He tried to reach the&nbsp;<strong>Google<\/strong>&nbsp;<strong>logout<\/strong>&nbsp;<strong>button<\/strong>, but he was already offline.&nbsp;<\/p>\n\n\n\n<p>And when it rains, it pours. What else could happen now?&nbsp;<\/p>\n\n\n\n<p>Of course,&nbsp;<strong>an artificial crash<\/strong>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #13: Tape 7   Fool me twice\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/B77IPcAFeC4?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Tape 7:&nbsp;Blaze&nbsp;logs in once&nbsp;again&nbsp;into&nbsp;another&nbsp;laptop<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/B77IPcAFeC4\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tape 8:&nbsp;Realization&nbsp;<\/h3>\n\n\n\n<p><strong>Blaze<\/strong>&nbsp;asked for 
explanations for the machine&#8217;s constant&nbsp;malfunctions and&nbsp;even&nbsp;<strong>grew bold enough to sharpen his tone<\/strong>. We made up some excuses and granted him access one last time. This time, we&nbsp;<strong>disabled the proxy<\/strong>&nbsp;and let him catch up with events.&nbsp;<\/p>\n\n\n\n<p>Suddenly,&nbsp;realization&nbsp;hit, and soon realization turned into desperation:&nbsp;he knew&nbsp;what was going on.&nbsp;<\/p>\n\n\n\n<p>He opened the&nbsp;<strong>Windows Registry<\/strong>&nbsp;and looked&nbsp;online&nbsp;for his location, which now showed&nbsp;<strong>Germany<\/strong>. He ran&nbsp;<strong>DxDiag<\/strong>&nbsp;once again, just as when we started this&nbsp;&#8220;collaboration&#8221;, and checked his&nbsp;<strong>IP reputation<\/strong>&nbsp;online with search terms like &#8220;<em>ip&nbsp;fraud check<\/em>&#8221; and sites like&nbsp;<strong>IP Score<\/strong>,&nbsp;<strong>Scamalytics<\/strong>&nbsp;and&nbsp;<strong>Where Am I<\/strong>. These are the checks an operator relies on to confirm that a machine&#8217;s egress address looks like a clean US residential one; this time they were returning the wrong answers.&nbsp;<\/p>\n\n\n\n<p>He tried to confront us via&nbsp;<strong>Telegram<\/strong>, but it was already too late. 
There was no reason to keep playing,&nbsp;so we ignored him.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"489\" height=\"627\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Z.png\" alt=\"\" class=\"wp-image-17182\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Z.png 489w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Z-234x300.png 234w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Z-370x474.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/Z-270x346.png 270w\" sizes=\"(max-width: 489px) 100vw, 489px\" \/><figcaption class=\"wp-element-caption\"><em>Famous&nbsp;last&nbsp;words<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Paranoia got the best of&nbsp;him,&nbsp;and he ran the&nbsp;<strong>systeminfo<\/strong>&nbsp;command once again, played around with&nbsp;<strong>DxDiag<\/strong>&nbsp;a little bit more and then&#8230; one last&nbsp;artificial crash,&nbsp;ending both the instance and our friend&#8217;s corporate espionage&nbsp;plot.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Lazarus #14: Tape 8   Realization\" width=\"770\" height=\"433\" src=\"https:\/\/www.youtube.com\/embed\/T5z4Uxsk4EI?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><figcaption class=\"wp-element-caption\"><em>Tape 8:&nbsp;Blaze&nbsp;finds&nbsp;out&nbsp;he&nbsp;is&nbsp;being&nbsp;sandboxed<\/em><\/figcaption><\/figure>\n\n\n\n<p><a href=\"https:\/\/youtu.be\/T5z4Uxsk4EI\" target=\"_blank\" rel=\"noreferrer 
<strong>Watch">
noopener\"><strong>Watch the video on YouTube<\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bonus&nbsp;Chapter:&nbsp;The&nbsp;Jealous&nbsp;<\/h2>\n\n\n\n<p><em>Turning&nbsp;Famous&nbsp;Chollima&nbsp;against&nbsp;each&nbsp;other&nbsp;|&nbsp;Heiner Garc\u00eda (NorthScan)<\/em>&nbsp;<\/p>\n\n\n\n<p>You may remember&nbsp;from &#8220;<strong>Tape 4 &#8211;&nbsp;Intruder<\/strong>&#8221; that&nbsp;<em>someone else<\/em>&nbsp;accessed one of our laptops: one of&nbsp;<strong>Blaze&#8217;s<\/strong>&nbsp;collaborators, under the nickname &#8220;<strong>Assassin<\/strong>&#8221;. Both had trouble logging into the account and ended up wasting time in&nbsp;<strong>CAPTCHA&nbsp;hell<\/strong>.&nbsp;<\/p>\n\n\n\n<p>By that&nbsp;time&nbsp;we had given&nbsp;<strong>Blaze<\/strong>&nbsp;an&nbsp;<strong>ultimatum<\/strong>:&nbsp;<strong>start<\/strong>&nbsp;<strong>working<\/strong>&nbsp;now,&nbsp;<strong>stop<\/strong>&nbsp;<strong>breaking<\/strong>&nbsp;things. But&nbsp;that&#8217;s&nbsp;just&nbsp;part of the story.&nbsp;<\/p>\n\n\n\n<p>To put more pressure on him,&nbsp;<strong>Heiner<\/strong>&nbsp;came up with&nbsp;the idea of pretending to be scouted by&nbsp;<strong>another DPRK recruiter<\/strong>&nbsp;named &#8220;<strong>Ralph<\/strong>&#8221;. 
He reached out to&nbsp;<strong>Blaze<\/strong>&nbsp;to tell him that, on top of our conditions, he should be careful: we already had<strong>&nbsp;a better offer, with a bigger share of the salary for us,&nbsp;<\/strong>from someone who&nbsp;actually seemed&nbsp;excited to work with us and&nbsp;wouldn&#8217;t&nbsp;give us as much trouble.&nbsp;<\/p>\n\n\n\n<p>He&nbsp;didn&#8217;t&nbsp;take it well, asking&nbsp;<strong>Heiner<\/strong>&nbsp;not to work with him and suggesting that &#8220;he&#8221; (<strong>Ralph<\/strong>) could be the one who &#8220;<em>blocked<\/em>&#8221; their profile or changed their password (referring to the account they&nbsp;hadn&#8217;t&nbsp;managed to access earlier).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"494\" height=\"635\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-1.png\" alt=\"\" class=\"wp-image-17184\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-1.png 494w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-1-233x300.png 233w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-1-370x476.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-1-270x347.png 270w\" sizes=\"(max-width: 494px) 100vw, 494px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;blames&nbsp;Ralph&nbsp;for&nbsp;the&nbsp;login&nbsp;problems<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>He then&nbsp;proceeded&nbsp;to insult&nbsp;<strong>Ralph<\/strong>, calling him &#8220;weird&#8221; and explaining that he could affect &#8220;his work&#8221; and that he&nbsp;wouldn&#8217;t&nbsp;like to take a risk with him. 
Instead, he would&nbsp;<strong>assign one of his team members<\/strong>&nbsp;to work on making things happen.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"546\" height=\"637\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-2.png\" alt=\"\" class=\"wp-image-17185\" style=\"width:546px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-2.png 546w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-2-257x300.png 257w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-2-370x432.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-2-270x315.png 270w\" sizes=\"(max-width: 546px) 100vw, 546px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze lost it over a fictitious character<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>He promised to get it together and get&nbsp;<strong>everything working<\/strong>,&nbsp;stating&nbsp;that after that we would&nbsp;<strong>no longer need&nbsp;AnyDesk<\/strong>&nbsp;(referring to the&nbsp;<strong>Chrome Remote Desktop<\/strong>&nbsp;host he installed later).&nbsp;<\/p>\n\n\n\n<p>When&nbsp;<strong>Heiner<\/strong>&nbsp;asked if he should ignore the other guy,&nbsp;<strong>Blaze<\/strong>&nbsp;insisted he work exclusively with him from now on.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"534\" height=\"598\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-3.png\" alt=\"\" class=\"wp-image-17186\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-3.png 534w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-3-268x300.png 268w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-3-370x414.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-3-270x302.png 270w\" sizes=\"(max-width: 534px) 100vw, 534px\" \/><figcaption class=\"wp-element-caption\"><em>Blaze&nbsp;as
ks&nbsp;to&nbsp;ignore Ralph<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>He then shared that one of his team members would try to work with his laptop&nbsp;later&nbsp;that day.&nbsp;This&nbsp;was&nbsp;&#8220;<strong>Assassin<\/strong>&#8221;.&nbsp;<\/p>\n\n\n\n<p>Assassin&nbsp;appears&nbsp;on&nbsp;<strong>Tape 4<\/strong>&nbsp;behind&nbsp;the&nbsp;exact&nbsp;same&nbsp;IP&nbsp;address&nbsp;as&nbsp;<strong>Blaze<\/strong>,&nbsp;an address belonging&nbsp;to&nbsp;Astrill VPN.&nbsp;<\/p>\n\n\n\n<p>This hasty decision on his part helped us confirm that they&nbsp;<strong>share infrastructure and assets<\/strong>, and that&nbsp;communication between units is likely&nbsp;<strong>poor<\/strong>, as the idea of&nbsp;<strong>one recruiter poaching<\/strong>&nbsp;an engineer from another seemed&nbsp;<strong>totally<\/strong>&nbsp;<strong>plausible<\/strong>&nbsp;to him. 
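<\/p>\n\n\n\n<p>Seen from the workstation, that shared access leaves a trace a defender can query. AnyDesk keeps a per-connection log, connection_trace.txt (under ProgramData for the installed build, according to public DFIR write-ups), with one line per incoming session: direction, timestamp, how the session was authorised (User for an interactive accept, Passwd or Token for unattended access), the remote AnyDesk ID and its alias. The script below is an added example by the editor, not part of the original investigation or of AnyDesk: it parses a constructed trace (made-up IDs and times) and flags the three things Tape 4 and this chapter showed, namely several remote identities reaching one machine, unattended logins, and a hand-off from one identity to another within a short window. The column layout is taken from those write-ups and is an assumption; check it against a trace from your own AnyDesk version.<\/p>\n\n\n\n
```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout public DFIR write-ups describe for
# connection_trace.txt: direction, timestamp, auth method, remote ID, alias.
# The IDs and times are made up for this example.
SAMPLE_TRACE = '''
Incoming   2025-06-10, 21:03   User     111222333   111222333
Incoming   2025-06-10, 21:41   User     444555666   444555666
Incoming   2025-06-11, 19:20   Passwd   444555666   444555666
'''

TIME_FORMAT = '%Y-%m-%d, %H:%M'
UNATTENDED = ('Passwd', 'Token')


def parse_trace(text):
    '''Return one record per incoming session, oldest first.
    Lines that do not fit the expected layout are skipped, not guessed at.'''
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != 'Incoming':
            continue
        try:
            when = datetime.strptime(parts[1] + ' ' + parts[2], TIME_FORMAT)
        except ValueError:
            continue
        records.append({
            'when': when,
            'auth': parts[3],
            'remote_id': parts[4],
            'alias': parts[5] if len(parts) > 5 else parts[4],
        })
    return sorted(records, key=lambda r: r['when'])


def analyse(records, window=timedelta(hours=2)):
    '''Flag the patterns from the investigation. Each finding is a
    (name, details) pair so the result can feed a ticket or a SIEM rule.'''
    by_id = defaultdict(list)
    for r in records:
        by_id[r['remote_id']].append(r)
    findings = []
    # More than one remote identity has taken control of this workstation.
    if len(by_id) > 1:
        findings.append(('multiple_remote_ids', sorted(by_id)))
    # Password or token logins mean unattended access was pre-arranged.
    unattended = sorted({r['remote_id'] for r in records if r['auth'] in UNATTENDED})
    if unattended:
        findings.append(('unattended_access', unattended))
    # One identity follows another within the window: a hand-off between operators.
    for earlier, later in zip(records, records[1:]):
        if earlier['remote_id'] != later['remote_id'] and later['when'] - earlier['when'] <= window:
            findings.append(('handoff_within_window', [earlier['remote_id'], later['remote_id']]))
    return findings


def audit(text):
    '''Parse and analyse a trace in one call.'''
    return analyse(parse_trace(text))


if __name__ == '__main__':
    for name, details in audit(SAMPLE_TRACE):
        print(name, details)
```

<p>Feed audit() the text of the real file; the portable build writes the same trace under the user&#8217;s AppData instead, so check both locations. The per-host log alone cannot show what Tape 4 showed, that both identities arrived from the same Astrill VPN address: for that, join the session timestamps against the egress addresses in your firewall or proxy logs.<\/p>\n\n\n\n<p>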
Additionally, when target companies conduct interviews, it is common to see<strong>&nbsp;multiple North Korean operatives&nbsp;<\/strong>scheduling interviews for the same position&nbsp;<strong>on the same day<\/strong>&nbsp;(which makes them easier to spot), again suggesting a&nbsp;<strong>lack of coordination&nbsp;<\/strong>between cells.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Until&nbsp;Next Time,&nbsp;Famous&nbsp;Chollima&nbsp;<\/h2>\n\n\n\n<p>This is not the last time&nbsp;we&#8217;ll&nbsp;see&nbsp;<strong>Famous<\/strong>&nbsp;<strong>Chollima<\/strong>, or any other&nbsp;<strong>North Korean&nbsp;<\/strong>actor, infiltrating companies for&nbsp;<strong>espionage<\/strong>&nbsp;<strong>and<\/strong>&nbsp;<strong>profit<\/strong>.&nbsp;<\/p>\n\n\n\n<p>This investigation aimed at&nbsp;<strong>collecting intelligence<\/strong>&nbsp;from North Korean actors in a&nbsp;<strong>way that, to our knowledge, no other lab has practiced to date<\/strong>:&nbsp;engaging with them directly&nbsp;and immersing ourselves in their operations. 
We hope this publication helps the community better understand this threat:&nbsp;its&nbsp;structure,&nbsp;behaviour,&nbsp;tactics,&nbsp;techniques&nbsp;and&nbsp;procedures, and the&nbsp;skillset&nbsp;and&nbsp;toolset behind it, which&nbsp;now&nbsp;<strong>relies heavily on AI<\/strong>.&nbsp;<\/p>\n\n\n\n<p>If you are an&nbsp;<strong>employer<\/strong>, conduct rigorous&nbsp;<strong>KYC<\/strong>&nbsp;controls and&nbsp;<strong>background checks<\/strong>&nbsp;when&nbsp;hiring for&nbsp;new positions, and keep in mind that, as Tape 4 showed, more than one operator may sit behind a single hire.&nbsp;<strong>Train<\/strong>&nbsp;your talent acquisition teams to detect red flags early and&nbsp;don&#8217;t&nbsp;be afraid to&nbsp;<strong>share this story<\/strong>&nbsp;with your candidates, making sure they understand that the &#8220;<em>software company<\/em>&#8221; that offered them something&nbsp;<em>too good to be true<\/em>&nbsp;may not be so legitimate.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"454\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-4-1024x454.png\" alt=\"\" class=\"wp-image-17187\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-4-1024x454.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-4-300x133.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-4-768x341.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-4-370x164.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-4-270x120.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-4-740x328.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-4.png 1348w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Always&nbsp;doubt<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>If you are&nbsp;<strong>seeking<\/strong>&nbsp;<strong>employment<\/strong>, beware of&nbsp;<strong>malicious<\/strong>&nbsp;<strong>coding<\/strong>&nbsp;<strong>challenges<\/strong>, never conduct interviews on your company&#8217;s equipment and check with companies if someone&nbsp;attempting&nbsp;to hire you&nbsp;out of the blue&nbsp;is affiliated with them.&nbsp;<\/p>\n\n\n\n<p>The same goes for those looking to&nbsp;<strong>raise<\/strong>&nbsp;<strong>funds<\/strong>&nbsp;for their projects: beware of meetings with&nbsp;<strong>fake<\/strong>&nbsp;<strong>VCs<\/strong>, never open their attachments without prior checking their safety, and overall, if something is too good to be true, then maybe it is.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"591\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-5-large-1024x591.jpeg\" alt=\"\" class=\"wp-image-17188\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-5-large-1024x591.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-5-large-300x173.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-5-large-768x443.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-5-large-370x214.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-5-large-270x156.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-5-large-740x427.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-5-large.jpeg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Always&nbsp;double&nbsp;check<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>If you are 
a&nbsp;<strong>security<\/strong>&nbsp;<strong>professional<\/strong>,&nbsp;don&#8217;t&nbsp;be afraid to confront these threats, nor to ask for help in the community. Raise&nbsp;<strong>awareness<\/strong>&nbsp;in your&nbsp;organization&nbsp;and spread the word about their activities. With everyone knowing what to look for, we&nbsp;remain&nbsp;safer.&nbsp;<\/p>\n\n\n\n<p>And for the rest,&nbsp;don&#8217;t&nbsp;forget to&nbsp;<strong>smile<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"463\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-6-large-1024x463.jpeg\" alt=\"\" class=\"wp-image-17189\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-6-large-1024x463.jpeg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-6-large-300x136.jpeg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-6-large-768x347.jpeg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-6-large-370x167.jpeg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-6-large-270x122.jpeg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-6-large-740x335.jpeg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/BONUS-6-large.jpeg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Smile<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">How&nbsp;ANY.RUN&nbsp;Supports&nbsp;Investigations&nbsp;Like&nbsp;This&nbsp;<\/h2>\n\n\n\n<p>This operation shows how difficult it is to track human-driven intrusions, especially when they rely on social engineering instead of malware.&nbsp;By moving&nbsp;the actors into controlled&nbsp;<a 
href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;environments, every step, from their tooling to their network activity, became visible in real time.&nbsp;<\/p>\n\n\n\n<p>The&nbsp;interactive sandbox and extended-runtime setups give researchers and SOC teams the same advantage: the ability to&nbsp;observe&nbsp;behavior as it unfolds, uncover hidden actions, and document full attack chains without risking real systems.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;is a leading provider of&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive malware analysis<\/a>&nbsp;and threat intelligence, helping security teams investigate attacks with real-time behavioral visibility. More than 15,000 organizations and over 500,000 analysts rely on the service to&nbsp;observe&nbsp;live execution, analyze suspicious files and URLs, and uncover hidden activity with an average 60-second time-to-verdict.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Alongside its sandbox, ANY.RUN provides continuously updated&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>&nbsp;sourced from global telemetry, and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=interview_with_Chollima_exposed&amp;utm_term=041225&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, which offers instant enrichment by showing related samples, shared infrastructure, and historical context. 
Together, these capabilities give analysts a clear view of how threats behave and evolve, supporting faster, more confident decisions across SOC, DFIR, and threat-hunting workflows.&nbsp;<\/p>\n\n\n\n<p><strong>Further&nbsp;Reading<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/attack.mitre.org\/groups\/G1052\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contagious Interview on Mitre ATT&amp;CK<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/linktr.ee\/quetzalteam\" target=\"_blank\" rel=\"noreferrer noopener\">Interview with the Chollima on Bitso Quetzal Team<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/invisibleferret-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">InvisibleFerret &amp; BeaverTail (DPRK Malware) on ANY.RUN<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/ottercookie-malware-analysis\/?utm_source=linkedin&amp;utm_medium=post&amp;utm_campaign=ottercookie&amp;utm_content=linktoblog&amp;utm_term=240625\" target=\"_blank\" rel=\"noreferrer noopener\">OtterCookie (DPRK Malware) on ANY.RUN<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/pylangghost-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">PyLangGhostRAT (DPRK Malware) on ANY.RUN<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/phrack.org\/issues\/71\/3\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">QRLog (DPRK Malware) on PHRACK #71<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/pagedout.institute\/download\/PagedOut_006.pdf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contagious Interview on PagedOut #4<\/a>&nbsp;(Page 
76)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>IOCs<\/strong>&nbsp;<\/p>\n\n\n\n<p><strong>Indicators&nbsp;of&nbsp;Compromise<\/strong>&nbsp;<\/p>\n\n\n\n<p>IPv4:194.33.45.162&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/t[.]me\/peregrine423f&nbsp;<\/p>\n\n\n\n<p>URL:aaronzeeshan[.]slack[.]com&nbsp;<\/p>\n\n\n\n<p>URL:aaronsfazzy[.]slack[.]com&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/github[.]com\/7codewizard&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/github[.]com\/neymafullstack&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/github[.]com\/swiftcode1121&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/github[.]com\/ghost&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/calendly[.]com\/7codewizard\/30min&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/jackson-portfolio[.]vercel[.]app&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/www[.]linkedin[.]com\/in\/jackson-kidd-1680b2339\/&nbsp;<\/p>\n\n\n\n<p>URL:https[:]\/\/us[.]bold[.]pro\/my\/jaron-gaston-241007104612&nbsp;<\/p>\n\n\n\n<p>Email:kamaunjoroge296[@]gmail[.]com&nbsp;<\/p>\n\n\n\n<p>Email:jacksonkidd216[@]gmail[.]com&nbsp;<\/p>\n\n\n\n<p><strong>Behavioural&nbsp;&amp; Other Indicators<\/strong>&nbsp;<\/p>\n\n\n\n<p>Nickname:Blaze&nbsp;<\/p>\n\n\n\n<p>Nickname:Assassin&nbsp;<\/p>\n\n\n\n<p>AnyDeskID:1686564829&nbsp;<\/p>\n\n\n\n<p>AnyDeskID:1291915543&nbsp;<\/p>\n\n\n\n<p>Password:123qwe!&#8221;#QWE&nbsp;<\/p>\n\n\n\n<p>Password:123456&nbsp;<\/p>\n\n\n\n<p>Search:&#8221;what&nbsp;is&nbsp;my&nbsp;location&#8221;&nbsp;<\/p>\n\n\n\n<p>Search:&#8221;where&nbsp;is&nbsp;my&nbsp;location&#8221;&nbsp;<\/p>\n\n\n\n<p>Search:&#8221;netspeedtest&#8221;&nbsp;<\/p>\n\n\n\n<p>Search:&#8221;where&nbsp;is&nbsp;my&nbsp;ip&#8221;&nbsp;<\/p>\n\n\n\n<p><strong>Identified&nbsp;toolset<\/strong>&nbsp;<\/p>\n\n\n\n<p>VPN and Remote Desktop&nbsp;Connection:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AstrillVPN&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AnyDesk&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Remote 
Desktop&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Browser&nbsp;Extensions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Simplify&nbsp;Copilot&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AIApply&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Saved&nbsp;Prompts&nbsp;(GPT)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Final&nbsp;Round&nbsp;AI&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Authenticator[.]cc&nbsp;\/&nbsp;otp[.]ee&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Remote Desktop&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Commands&nbsp;observed:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dxdiag&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>systeminfo&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>remoting_start_host.exe&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Instant&nbsp;Messaging:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Slack&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Telegram&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Online&nbsp;platforms:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Github&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>LinkedIn&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ZipRecruiter&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bold Pro&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vercel&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Calendly&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>TTPs&nbsp;\/ ATT&amp;CK<\/strong>&nbsp;<\/p>\n\n\n\n<p>Reconnaissance&nbsp;<\/p>\n\n\n\n<p>T1593.002 &#8211; Search Open Websites\/Domains: Search Engines&nbsp;<\/p>\n\n\n\n<p>Mass search for developers on GitHub&nbsp;<\/p>\n\n\n\n<p>Initial Access&nbsp;<\/p>\n\n\n\n<p>T1566 &#8211; Phishing&nbsp;<\/p>\n\n\n\n<p>Mass phishing via GitHub&nbsp;pull&nbsp;requests targeting developers&nbsp;<\/p>\n\n\n\n<p>Defense Evasion&nbsp;<\/p>\n\n\n\n<p>T1090 &#8211; 
Proxy&nbsp;<\/p>\n\n\n\n<p>Use of&nbsp;AstrillVPN&nbsp;to hide real location&nbsp;<\/p>\n\n\n\n<p>Discovery&nbsp;<\/p>\n\n\n\n<p>T1082 &#8211; System Information Discovery&nbsp;<\/p>\n\n\n\n<p>Use of DXDIAG to obtain system information&nbsp;<\/p>\n\n\n\n<p>Use of&nbsp;systeminfo&nbsp;to obtain system information&nbsp;<\/p>\n\n\n\n<p>T1016 &#8211; System Network Configuration Discovery&nbsp;<\/p>\n\n\n\n<p>Use&nbsp;of&nbsp;netspeedtest&nbsp;<\/p>\n\n\n\n<p>Google searches for &#8220;where&nbsp;is&nbsp;my location&#8221;, &#8220;where is my&nbsp;ip&#8221;&nbsp;<\/p>\n\n\n\n<p>T1614 &#8211; System Location Discovery&nbsp;<\/p>\n\n\n\n<p>Use&nbsp;of&nbsp;netspeedtest&nbsp;<\/p>\n\n\n\n<p>Google searches for &#8220;where&nbsp;is&nbsp;my location&#8221;, &#8220;where is my&nbsp;ip&#8221;&nbsp;<\/p>\n\n\n\n<p>Command and Control&nbsp;<\/p>\n\n\n\n<p>T1219 &#8211; Remote Access Software&nbsp;<\/p>\n\n\n\n<p>Use of&nbsp;AnyDesk&nbsp;<\/p>\n\n\n\n<p>Use of Google Remote Desktop&nbsp;<\/p>\n\n\n\n<p>T1090 &#8211; Proxy&nbsp;<\/p>\n\n\n\n<p>Use of&nbsp;AstrillVPN&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note:&nbsp;This work is a collaboration between Mauro&nbsp;Eldritch from&nbsp;BCA LTD, a company dedicated to threat intelligence and hunting, Heiner&nbsp;Garc\u00eda from&nbsp;NorthScan,&nbsp;a threat intelligence initiative uncovering North Korean IT worker infiltration, and&nbsp;ANY.RUN, the leading company in malware analysis and threat intelligence. The article was written by Mauro and Heiner. 
In this article,&nbsp;we&#8217;ll&nbsp;uncover an entire&nbsp;North Korean infiltration operation&nbsp;aimed [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":17153,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-17149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How We Caught Lazarus&#039;s IT Workers Scheme Live on Camera<\/title>\n<meta name=\"description\" content=\"See how Lazarus Group&#039;s IT workers scheme was exposed on a live camera using real-time monitoring inside ANY.RUN\u2019s sandbox.\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch and Heiner Garc\u00eda P\u00e9rez\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"32 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/\"},\"author\":{\"name\":\"Mauro Eldritch and Heiner Garc\u00eda P\u00e9rez\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Smile,\u00a0You&#8217;re\u00a0on\u00a0Camera:\u00a0A\u00a0Live\u00a0Stream from Inside\u00a0Lazarus Group\u2019s\u00a0IT Workers\u00a0Scheme\u00a0\",\"datePublished\":\"2025-12-04T11:51:50+00:00\",\"dateModified\":\"2025-12-08T09:35:07+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/\"},\"wordCount\":7564,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/\",\"name\":\"How We Caught Lazarus's IT Workers Scheme Live on Camera\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-12-04T11:51:50+00:00\",\"dateModified\":\"2025-12-08T09:35:07+00:00\",\"description\":\"See how Lazarus Group's IT workers scheme was exposed on a live camera using real-time monitoring inside ANY.RUN\u2019s 
sandbox.\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Smile,\u00a0You&#8217;re\u00a0on\u00a0Camera:\u00a0A\u00a0Live\u00a0Stream from Inside\u00a0Lazarus Group\u2019s\u00a0IT Workers\u00a0Scheme\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},[{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy-150x150.jpeg\",\"caption\":\"Mauro Eldritch\"}},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/any.run\/\",\"name\":\"Heiner Garc\u00eda P\u00e9rez\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/any.run\/\",\"inLanguage\":\"en_US\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/1666601720229-150x150.jpeg\",\"caption\":\"Heiner Garc\u00eda P\u00e9rez\"}}]]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"How We Caught Lazarus's IT Workers Scheme Live on Camera","description":"See how Lazarus Group's IT workers scheme was exposed on a live camera using real-time monitoring inside ANY.RUN\u2019s sandbox.\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/","twitter_misc":{"Written by":"Mauro Eldritch and Heiner Garc\u00eda P\u00e9rez","Est. reading time":"32 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/"},"author":{"name":"Mauro Eldritch and Heiner Garc\u00eda P\u00e9rez","@id":"https:\/\/any.run\/"},"headline":"Smile,\u00a0You&#8217;re\u00a0on\u00a0Camera:\u00a0A\u00a0Live\u00a0Stream from Inside\u00a0Lazarus Group\u2019s\u00a0IT Workers\u00a0Scheme\u00a0","datePublished":"2025-12-04T11:51:50+00:00","dateModified":"2025-12-08T09:35:07+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/"},"wordCount":7564,"commentCount":1,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/","url":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/","name":"How We Caught Lazarus's IT Workers Scheme Live on 
Camera","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-12-04T11:51:50+00:00","dateModified":"2025-12-08T09:35:07+00:00","description":"See how Lazarus Group's IT workers scheme was exposed on a live camera using real-time monitoring inside ANY.RUN\u2019s sandbox.\u00a0","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/lazarus-group-it-workers-investigation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Smile,\u00a0You&#8217;re\u00a0on\u00a0Camera:\u00a0A\u00a0Live\u00a0Stream from Inside\u00a0Lazarus Group\u2019s\u00a0IT Workers\u00a0Scheme\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},[{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Mauro Eldritch","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy-150x150.jpeg","caption":"Mauro Eldritch"}},{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Heiner Garc\u00eda P\u00e9rez","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/12\/1666601720229-150x150.jpeg","caption":"Heiner Garc\u00eda 
P\u00e9rez"}}]]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17149"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=17149"}],"version-history":[{"count":39,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17149\/revisions"}],"predecessor-version":[{"id":17261,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17149\/revisions\/17261"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/17153"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=17149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=17149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=17149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}