Researchers Capture Lazarus APT's Remote-Worker Scheme on a Live Camera
DUBAI, DUBAI, UNITED ARAB EMIRATES, December 4, 2025 /EINPresswire.com/ -- ANY.RUN, together with NorthScan and BCA LTD, uncovered a North Korean scheme in which Lazarus (Famous Chollima) attempted to place covert IT workers inside U.S. companies. Instead of malware, the operation relied on social engineering, identity theft, and remote-access tools. Researchers captured the operators working live inside a controlled environment.
Key Findings from the Investigation
Researchers allowed the Lazarus APT recruiters to believe they had convinced a U.S.-based developer to share his laptop for remote work. In reality, all access went through specially prepared ANY.RUN sandbox environments, giving full visibility into what the operators did on the "laptops" for several weeks.
· Identity rental as the initial access vector, with operators asking victims for SSNs, documents, bank accounts, and 24/7 device access.
· Use of AnyDesk, Google Remote Desktop, and browser syncing to establish long-term control over compromised machines.
· Wide-scale recruitment using GitHub spam, Telegram outreach, and fake job-seeking setups.
· AI-assisted job-application automation, including extensions for interview coaching and mass application submissions.
· Shared infrastructure among operators, exposing overlapping roles and weak operational security.
· Live behavioral capture, including click-level actions, file changes, and network calls inside the sandbox.
Get the full technical picture, including operator workflows, captured artifacts, and actionable IOCs, on ANY.RUN's blog.
What Organizations Should Do
Companies should verify identities during hiring, monitor for unusual remote-desktop tools, and flag inconsistencies between applicant location, system configuration, and network behavior. Identity theft and remote-worker infiltration are now common entry points for human-driven operations, and the behavioral signals captured in this investigation offer new clues security teams can use to detect them earlier.
About ANY.RUN
ANY.RUN is a leading platform for interactive malware analysis and threat intelligence, trusted by more than 15,000 organizations and over 500,000 analysts worldwide. The platform provides real-time behavioral visibility with an average 60-second time-to-verdict, enabling fast investigation of files, URLs, and complex attack chains. Alongside its interactive sandbox, ANY.RUN delivers continuously updated Threat Intelligence Feeds sourced from global telemetry, and TI Lookup, a service that reveals related samples, shared infrastructure, and historical context. Together, these capabilities help security teams detect threats earlier, understand attacker behavior, and respond with greater confidence.
The ANY.RUN team
ANYRUN FZCO
+1 657-366-5050
Legal Disclaimer:
EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.
