
A collaborative investigation by Mauro Eldritch of BCA LTD, ANYRUN, and NorthScan has provided unprecedented visibility into how North Korean threat actors from the Lazarus Group recruit and operate against Western companies.
Researchers documented the complete attack cycle in real-time, capturing live footage of attackers using compromised systems. This breakthrough reveals the human side of one of the world’s most sophisticated cyber espionage operations.
The investigation began when Aaron, a Lazarus recruiter operating under the alias “Blaze,” approached researchers with an enticing proposal: operators would receive 35% of a salary in exchange for access to laptops to “work in,” a euphemism for infiltrating target organizations.

Rather than refuse, the security team provided ANYRUN sandboxed environments designed to mimic legitimate work computers while recording all activity.
Inside the Chollima Attack Pipeline
Over several months embedded within Lazarus’s fake hiring pipeline, researchers documented what they describe as the complete Famous Chollima attack cycle, the group’s multi-stage methodology for conducting cyber operations.
The recordings captured attackers actively working on provided systems, offering an intimate look at their tooling, operational tactics, and specific targeting patterns. This represents the first documented case of Lazarus operators being filmed conducting actual attack preparation activities.
The investigation revealed sophisticated operational security practices alongside the recruitment deception. Attackers demonstrated familiarity with common detection avoidance techniques and appeared aware of typical honeypot indicators, though the sandboxed environment successfully maintained their trust throughout the operation.
The Lazarus Group’s reliance on recruited insiders represents a critical evolution in their attack methodology. Rather than purely remote operations, the group actively seeks legitimate employment positions or partnerships to facilitate network access, a tactic that blurs traditional perimeter defense assumptions.
This recruitment approach suggests that North Korean operations are expanding beyond their traditionally documented focus on zero-day exploits and supply chain attacks.
Security researchers and enterprise defenders should recognize that unsolicited job offers and recruitment outreach for unfamiliar technical roles warrant verification, particularly in sensitive sectors. The investigation underscores how threat actors leverage legitimate employment processes as attack vectors.
The collaborative research by BCA LTD, ANYRUN, and NorthScan (led by @0xfigo) represents a significant contribution to understanding the Lazarus Group’s infrastructure and methodology.
This is a developing story; the technical indicators from the investigation are expected to be released shortly.
