Figure 8: AI-generated LinkedIn profile
When recruiters engage with these profiles, the operatives avoid face-to-face interaction for as
long as possible. If an interview requires video, some operatives use deepfake technology to
pass initial screenings without exposure.
Once they land the job, operatives weaponize onboarding and “IT troubleshooting” to establish
persistent remote access, often by persuading hiring teams to install remote-access tools like
AnyDesk.
This step is critical because it connects corporate laptops to their “laptop farms,” remote
locations that house multiple devices, enabling full network access even before they’re fully
onboarded. This allows the operatives to map the network and exfiltrate data even if the HR
process later falls through.
A Day in the Life of a North Korean Insider
As for the operatives’ day-to-day, our data indicates a factory-like operating model where
operatives trade shifts to maintain productivity. This means organizations aren't hiring one
freelancer; they’re effectively hiring a seat in a state-run facility where multiple operators
work under a single "employee" persona to keep access and output high.
To maintain this façade, operatives use industrial-scale infrastructure like commercial VPNs
(such as Astrill) to hide their true location, but their operational security isn’t perfect.
When a VPN drops or they forget to activate it, the mask slips.
Our investigations revealed this slip clearly when we observed IP addresses belonging to Russian
and Chinese internet service providers (ISPs) in remote management and monitoring (RMM)
activity. This suggests North Korean insiders rely on RMM sessions to access devices in laptop
farms and are authenticating from their own territory before routing traffic through US nodes.
In some cases, activity linked to both ISPs appeared within a short timeframe for the same user.
This indicates either one worker using both ISPs or multiple attackers all sharing a single
“employee” identity to pull off the deception.
Once an organization is flagged as viable (likely due to gaps in their hiring process), the
regime swarms it with candidates. We found multiple insiders authenticating from the same
fixed-line IP address, and in one extreme case, a single company identified 10 separate North
Korean insiders in a rolling wave of infiltration attempts over just 6 months.
We also observed VPS IP addresses tracing back to Russia and the US that weren’t associated with
commercial VPN providers. We found open ports on these endpoints containing AnyDesk
certificates, suggesting RMM tool abuse to facilitate remote control. Attackers are moving away
from easily blacklisted commercial VPNs toward custom, private infrastructure. By routing
traffic through US-based VPS nodes, operatives can bypass standard geo-blocking policies and
appear to be working from within the US.
For defenders, a single anomalous location or remote-access indicator may be the only visible
thread that can unravel an entire network of insider threats.
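The three observations above (one persona authenticating from Russian and Chinese ISPs within a short window, several personas sharing one fixed-line IP, and RMM sessions originating outside the claimed work location) can each be expressed as a simple hunt over authentication and RMM logs. The following is an added example written for this section, not tooling from the report or its authors; the log format, user names, ASN names and addresses (RFC 5737 documentation ranges) are all constructed.

```python
"""Hunt for the location and remote-access anomalies described above in a
combined authentication/RMM log. Added example; the log format and every
value in SAMPLE_LOG are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one "employee" persona seen from three countries within an
# hour, two personas sharing a single fixed-line IP, and an ordinary user as control.
SAMPLE_LOG = """\
2024-05-01T09:02:00Z user=jdoe ip=198.51.100.7 asn="Example VPN Ltd" country=US event=auth
2024-05-01T09:15:00Z user=jdoe ip=203.0.113.21 asn="Example Telecom RU" country=RU event=rmm_session
2024-05-01T09:40:00Z user=jdoe ip=203.0.113.88 asn="Example Telecom CN" country=CN event=rmm_session
2024-05-01T10:05:00Z user=asmith ip=192.0.2.45 asn="Example Broadband US" country=US event=auth
2024-05-01T10:09:00Z user=bchen ip=192.0.2.45 asn="Example Broadband US" country=US event=auth
2024-05-02T08:30:00Z user=rlee ip=192.0.2.200 asn="Example Broadband US" country=US event=auth
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) asn="(?P<asn>[^"]*)" '
    r'country=(?P<country>\S+) event=(?P<event>\S+)$'
)

def parse_log(text):
    """Parse the constructed log format into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the hunt
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def multi_country_users(records, window_minutes=60):
    """One persona seen from two or more countries within the window: either a
    VPN slip or several operators sharing the account. Returns {user: countries}."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted, so later events are further away still
                if a["country"] != b["country"]:
                    flagged.setdefault(user, set()).update({a["country"], b["country"]})
    return flagged

def shared_source_ips(records, min_users=2):
    """Distinct personas authenticating from one source IP, the laptop-farm
    pattern described above. Returns {ip: sorted users}."""
    users_by_ip = defaultdict(set)
    for r in records:
        users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}

def rmm_from_non_us(records):
    """RMM sessions whose source country differs from the claimed work location
    (US in this constructed sample). Returns sorted (user, country) pairs."""
    return sorted({(r["user"], r["country"]) for r in records
                   if r["event"] == "rmm_session" and r["country"] != "US"})

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("persona seen from several countries:", multi_country_users(recs))
    print("IPs shared by several personas:", shared_source_ips(recs))
    print("RMM sessions from outside the US:", rmm_from_non_us(recs))
```

In a real environment the country and ASN fields would come from enrichment of the raw source IP, and the shared-IP rule needs an allowlist for legitimate office and VPN concentrator egress addresses, otherwise every on-site login looks like a laptop farm. The per-user window is the more robust of the three signals because it does not depend on knowing in advance which providers are VPNs.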
Bypassing Defenses with Commercial IP-KVM Hardware
When software-based stealth isn’t enough, operatives turn to hardware. IP-KVM devices are
low-cost, customizable solutions that provide remote access to a computer’s console (keyboard,
video, mouse) over the internet.
Their superpower is that they operate externally. Because the device acts as a physical
peripheral plugged into USB and HDMI ports, it bypasses standard EDR agents. To the operating
system, the malicious remote control looks identical to a legitimate employee sitting at their
desk, typing on a wired keyboard.
However, the invisibility isn’t perfect. Even stealthy IP-KVMs leave behind artifacts, but
detecting them requires granular device monitoring that many security teams don’t have. This is
one reason why North Korean workers prefer environments where endpoint visibility is limited,
such as those with BYOD policies, where monitoring may be constrained by policy or privacy.
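The "granular device monitoring" the paragraph refers to can be as simple as diffing periodic USB inventories against a per-host baseline and flagging a second keyboard or mouse that appears while the built-in ones are still present, since a console device plugged into USB presents itself to the operating system as exactly that. The following is an added example for this section, not from the report; the inventory format and every vendor/product ID and product name in it are constructed placeholders.

```python
"""Baseline-diff of USB device inventories to surface the artifacts an externally
attached console device leaves behind. Added example, not from the report; the
inventory format and all vendor/product IDs below are constructed placeholders."""
import re

# Constructed inventories: the baseline laptop has its built-in keyboard,
# touchpad and webcam; the later snapshot adds a composite device that presents a
# second keyboard and mouse, which is how an external console looks to the OS.
BASELINE = """\
vid=ffff pid=0001 class=HID product="Built-in Keyboard"
vid=ffff pid=0002 class=HID product="Built-in Touchpad"
vid=ffff pid=0003 class=VIDEO product="Integrated Webcam"
"""
SNAPSHOT = BASELINE + """\
vid=eeee pid=0100 class=HID product="Composite Keyboard"
vid=eeee pid=0101 class=HID product="Composite Mouse"
"""

DEV_RE = re.compile(r'vid=(?P<vid>[0-9a-f]{4}) pid=(?P<pid>[0-9a-f]{4}) '
                    r'class=(?P<cls>\S+) product="(?P<product>[^"]*)"')

def parse_inventory(text):
    """Return {(vid, pid): {"class": ..., "product": ...}} for one snapshot."""
    devices = {}
    for line in text.splitlines():
        m = DEV_RE.match(line.strip())
        if m:
            devices[(m["vid"], m["pid"])] = {"class": m["cls"], "product": m["product"]}
    return devices

def new_hid_devices(baseline_text, snapshot_text):
    """HID devices present in the snapshot but absent from the host's baseline."""
    base, snap = parse_inventory(baseline_text), parse_inventory(snapshot_text)
    return sorted(f"{v}:{p} {d['product']}" for (v, p), d in snap.items()
                  if (v, p) not in base and d["class"] == "HID")

def extra_keyboard(snapshot_text):
    """True when more than one HID device identifies as a keyboard: a second
    console attached while the built-in one is still present is worth a ticket."""
    keyboards = [d for d in parse_inventory(snapshot_text).values()
                 if d["class"] == "HID" and "keyboard" in d["product"].lower()]
    return len(keyboards) > 1

if __name__ == "__main__":
    print("new HID devices since baseline:", new_hid_devices(BASELINE, SNAPSHOT))
    print("more than one keyboard present:", extra_keyboard(SNAPSHOT))
```

Docking stations and ordinary external keyboards trigger the same rule, so the useful signal is the combination with the rest of the host's context: a new input device on a machine that is supposed to be at a remote employee's home, appearing alongside the location anomalies discussed earlier in the section.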