Smile, You’re on Camera: A Live Stream from Inside Lazarus Group’s IT Workers Scheme 

North Korean APT Lazarus, specifically the Famous Chollima division, ran a large-scale social-engineering campaign recruiting remote IT workers to infiltrate U.S. finance, crypto/Web3, and other sectors for corporate espionage and regime funding. BCA LTD, NorthScan and ANY.RUN exposed the operation by engaging a recruiter, trapping operators in extended ANY.RUN sandboxes, and recording their use of tools like AnyDesk, Google Remote Desktop and AstrillVPN to collect IOCs and reveal TTPs. #FamousChollima #Lazarus

Key Points

  • Famous Chollima (Lazarus) recruits remote IT workers by mass outreach (GitHub spam, Telegram) and identity theft to place operatives or rent identities inside target companies.
  • Operators rely primarily on social engineering, convincing narratives, pressure, and identity fraud rather than sophisticated malware.
  • Investigators engaged a recruiter, impersonated a candidate, and used extended ANY.RUN sandbox instances to monitor live sessions and capture every action in real time.
  • The toolkit observed included AnyDesk, Google Remote Desktop, AstrillVPN, AI-based interview helpers (Final Round AI, Simplify Copilot), OTP extensions, and common developer tooling.
  • Victims are pressured to provide full identity data (SSN, bank details, device access) and to keep machines available 24/7 for remote access by operators.
  • Shared infrastructure (AstrillVPN) and repeated operational mistakes revealed poor OPSEC and overlapping roles between operatives (e.g., Blaze and Assassin).
  • Controlled crashes and resets by researchers prevented real-world harm while allowing prolonged observation and collection of IOCs, behavioral patterns, and communication links.

MITRE Techniques

  • [T1593.002] Search Open Websites/Domains – Mass search for developers on GitHub to harvest candidates and contact information (‘Mass search for developers on GitHub’).
  • [T1566] Phishing – Mass phishing via GitHub pull requests and messages to lure developers into the recruitment pipeline (‘Mass phishing via GitHub pull requests targeting developers’).
  • [T1090] Proxy – Use of AstrillVPN to obfuscate origin and appear to operate from preferred geolocations (‘Use of AstrillVPN to hide real location’).
  • [T1082] System Information Discovery – Use of DxDiag and systeminfo to enumerate hardware and system configuration of victim machines (‘Use of DXDIAG to obtain system information’; ‘Use of systeminfo to obtain system information’).
  • [T1016] System Network Configuration Discovery – Queries and tools to determine network configuration and connectivity (netspeedtest, Google searches like ‘where is my ip’) (‘Use of netspeedtest’; ‘Google searches for “where is my location”, “where is my ip”’).
  • [T1614] System Location Discovery – Using network tests and web searches to determine the perceived geolocation of the remote host (‘Use of netspeedtest’; ‘Google searches for “where is my location”, “where is my ip”’).
  • [T1219] Remote Access Software – Deployment and setup of remote access tools (AnyDesk, Google Remote Desktop) to maintain persistent access to rented/compromised laptops (‘Use of AnyDesk’; ‘Use of Google Remote Desktop’).
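The techniques above are individually benign-looking (a speed test, a systeminfo run, a remote-desktop install) but become a strong signal when several appear on one host. The following is an added example, not code from the ANY.RUN investigation: it maps constructed endpoint telemetry to the technique IDs listed above and flags hosts that show several of them together. The log format, process names and URL patterns are assumptions for illustration.

```python
# Added example (not from the ANY.RUN write-up): correlates constructed endpoint
# telemetry with the MITRE techniques from the IT-worker scheme summary.
# Process paths, the event schema and the URL patterns are assumptions.
import re
from collections import defaultdict

# Each rule: (technique id, description, event type, regex on the event value)
RULES = [
    ("T1219", "AnyDesk remote access", "process", r"(^|\\)anydesk(\.exe)?$"),
    ("T1219", "Google Remote Desktop host", "process", r"remoting_host\.exe$"),
    ("T1090", "AstrillVPN client", "process", r"astrill"),
    ("T1082", "dxdiag/systeminfo enumeration", "process", r"(^|\\)(dxdiag|systeminfo)(\.exe)?$"),
    ("T1016", "speed test / IP lookup service", "dns", r"speedtest|whatismyip|ipinfo"),
    ("T1614", "location/IP web search", "url", r"q=where\+is\+my\+(ip|location)"),
]

def match_event(event):
    """Return the set of technique ids a single event triggers."""
    hits = set()
    for tid, _desc, etype, pattern in RULES:
        if event["type"] == etype and re.search(pattern, event["value"], re.I):
            hits.add(tid)
    return hits

def score_hosts(events, min_techniques=3):
    """Group hits per host; return hosts with >= min_techniques distinct techniques."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match_event(ev)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}

# Constructed sample telemetry (not real data): host, event type, observed value
SAMPLE_EVENTS = [
    {"host": "LAPTOP-01", "type": "process", "value": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"host": "LAPTOP-01", "type": "process", "value": r"C:\Windows\System32\systeminfo.exe"},
    {"host": "LAPTOP-01", "type": "url", "value": "https://www.google.com/search?q=where+is+my+ip"},
    {"host": "LAPTOP-01", "type": "process", "value": r"C:\Program Files\Astrill\Astrill.exe"},
    {"host": "LAPTOP-02", "type": "process", "value": r"C:\Windows\System32\systeminfo.exe"},
]

if __name__ == "__main__":
    # LAPTOP-01 trips four techniques and is flagged; LAPTOP-02 only ran systeminfo.
    for host, techniques in score_hosts(SAMPLE_EVENTS).items():
        print(host, techniques)
```

A single systeminfo run is normal admin activity, so the threshold keeps LAPTOP-02 out of the alert while the stacked remote-access, VPN and location-check behaviour on LAPTOP-01 matches the pattern described in the investigation.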

Indicators of Compromise

  • [IPv4] recruitment/infrastructure IP – 194.33.45.162
  • [URL/Domain] recruiter profiles, messaging and tooling endpoints – https[:]//t[.]me/peregrine423f, https[:]//github[.]com/7codewizard, and 9 more URLs
  • [Email] contact addresses used by operators – kamaunjoroge296[@]gmail[.]com, jacksonkidd216[@]gmail[.]com
  • [AnyDeskID] remote-access identifiers observed during sessions – AnyDeskID:1686564829, AnyDeskID:1291915543
  • [Credentials/Passwords] passwords either suggested or observed in setup – 123qwe!”#QWE, 123456
  • [Nicknames/Aliases] operator aliases used in communications – Blaze, Assassin
  • [Search/Behavioral] reconnaissance/search queries indicating network/location checks – “where is my location”, “where is my ip”
  • [Tools/Software] identified operator toolset and extensions – AstrillVPN, Google Remote Desktop, and other tools/extensions (Simplify Copilot, Final Round AI, Authenticator[.]cc/otp[.]ee)

Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/lazarus-group-it-workers-investigation/