{
	"id": "0d2c72f2-3b87-43cb-b4a9-9058edc2fa6f",
	"created_at": "2026-04-06T00:11:08.269203Z",
	"updated_at": "2026-04-10T13:12:05.676149Z",
	"deleted_at": null,
	"sha1_hash": "07903033ef75b650ea70292c2965f30d53daf103",
	"title": "Staying a Step Ahead: Mitigating the DPRK IT Worker Threat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 615912,
	"plain_text": "Staying a Step Ahead: Mitigating the DPRK IT Worker Threat\r\nBy Mandiant\r\nPublished: 2024-09-23 · Archived: 2026-04-05 13:33:41 UTC\r\nWritten by: Codi Starks, Michael Barnhart, Taylor Long, Mike Lombardi, Joseph Pisano, Alice Revelli\r\nStrategic Overview of IT Workers\r\nSince 2022, Mandiant has tracked and reported on IT workers operating on behalf of the Democratic People's\r\nRepublic of Korea (DPRK). These workers pose as non-North Korean nationals to gain employment with\r\norganizations across a wide range of industries in order to generate revenue for the North Korean regime,\r\nparticularly to evade sanctions and fund its weapons of mass destruction (WMD) and ballistic missile programs. A\r\nU.S. government advisory in 2022 noted that these workers have also leveraged privileged access obtained\r\nthrough their employment in order to enable malicious cyber intrusions, an observation corroborated by Mandiant\r\nand other organizations.\r\nIT workers employ various methods for evading detection. We have observed the operators leverage front\r\ncompanies to disguise their true identities; additionally, U.S. government indictments show that non-North Korean\r\nindividuals, known as “facilitators,” play a crucial role in enabling these IT workers in their efforts to seek and\r\nmaintain employment. These individuals provide essential services that include, but are not limited to, laundering\r\nmoney and/or cryptocurrency, receiving and hosting company laptops at their residences, using stolen identities\r\nfor employment verification, and accessing international financial systems. \r\nThis report aims to increase awareness of the DPRK's efforts to obtain employment as IT workers and shed light\r\non their operational tactics for obtaining employment and maintaining access to corporate systems. 
Understanding\r\nthese methods can help organizations better detect these sorts of suspicious behaviors earlier in the hiring process.\r\nIn this blog post we’ve included a sampling of the types of behaviors identified during our incident response\r\nengagements, and strategies for the detection and disruption of DPRK IT worker activity.\r\nUNC5267\r\nMandiant tracks IT worker operations we have identified in various environments as UNC5267. UNC5267\r\nremains highly active in the present day, posing an ongoing threat. Some sources suggest that the origins of these\r\noperations can be traced back to 2018. Importantly, UNC5267 is not a traditional, centralized threat group. IT\r\nworkers consist of individuals sent by the North Korean government to live primarily in China and Russia, with\r\nsmaller numbers in Africa and Southeast Asia. Their mission is to secure lucrative jobs within Western companies,\r\nespecially those in the U.S. tech sector.\r\nUNC5267 gains initial access through the use of stolen identities to apply for various positions or are brought in as\r\na contractor. UNC5267 operators have primarily applied for positions that offer 100% remote work. Mandiant\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/\r\nPage 1 of 11\n\nobserved the operators engaging in work of varying complexity and difficulty spanning disparate fields and\r\nsectors. It is not uncommon for a DPRK IT worker to be working multiple jobs at once, pulling in multiple\r\nsalaries on a monthly basis. One American facilitator working with the IT workers compromised more than 60\r\nidentities of U.S. persons, impacted more than 300 U.S. 
companies, and resulted in at least $6.8 million in revenue\r\nbeing generated for the overseas IT workers from in or around October 2020 until October 2023.\r\nUNC5267’s objectives include:\r\nFinancial gain through illicit salary withdrawals from compromised companies\r\nMaintaining long-term access to victim networks for potential future financial exploitation\r\nPotential use of access for espionage or disruptive activity (though this hasn't been definitively observed)\r\nIncident Response Observations\r\nMandiant's incident response engagements to date have primarily observed DPRK IT workers functioning within\r\nthe scope of their job responsibilities. However, the remote workers often gain elevated access to modify code and\r\nadminister network systems. This heightened level of access granted to fraudulent employees presents a\r\nsignificant security risk.\r\nMandiant has identified a substantial number of DPRK IT worker resumes used to apply for remote positions. In\r\none resume from a suspected IT worker, the email address—previously observed in IT worker-related activities—\r\nwas also linked to a fabricated software engineer profile hosted on Netlify, a platform often used for quickly\r\ncreating and deploying websites. The profile claimed proficiency in multiple programming languages and\r\nincluded fake testimonials with stolen images from high-ranking professionals, likely stolen from CEOs, directors,\r\nand other software engineers’ LinkedIn profiles.\r\nFigure 1: Observed image of threat actor resume (likely altered)\r\nWithin the suspected DPRK IT worker's Netlify page, we discovered a resume accompanied by a link to another\r\nresume hosted on Google Docs, presenting a different identity. The linked resume featured a different name,\r\nphone number, and email address compared to the information on the Netlify page. 
Further discrepancies between\r\nthe Netlify page and the linked resume included differing universities and years of attendance, as well as\r\nvariations in past job titles and company work history. However, both of the resumes included a slight variation of\r\nthe phrase “I'm less about seeing myself, I'm more about the others rely on me.”\r\nThese two resumes are a small sampling of the total number of fraudulent resumes identified by Mandiant.\r\nHowever, the resumes provide evidence of the DPRK IT workers utilizing multiple personas in attempts to gain\r\nemployment across multiple organizations.\r\nA recurring characteristic of resumes utilized by UNC5267 is the use of addresses based in the United States\r\ncoupled with education credentials from universities outside of North America, frequently in countries such as\r\nSingapore, Japan, or Hong Kong. While possible, Mandiant noted that the acceptance rate for foreign students at\r\nmany of the universities is low. This discrepancy may serve to hinder potential North American employers from\r\nverifying or contacting these overseas institutions regarding the applicant. Mandiant has also observed that the\r\nuniversities listed on the background check may not align with the candidate’s education background stated in\r\ntheir resume, including time of enrollment and completed degree programs. Furthermore, UNC5267's resumes\r\noften exhibit significant overlap with publicly available resumes or are heavily reused across multiple UNC5267\r\npersonas.  \r\nTo accomplish their duties, UNC5267 often remotely accesses victim company laptops situated within a laptop\r\nfarm. 
These laptop farms are typically staffed with a single facilitator who is paid monthly to host numerous\r\ndevices in one location. Mandiant has identified evidence that these laptops are often connected to an IP-based\r\nKeyboard Video Mouse (KVM) device, although a recurring theme across these incidents is the installation of\r\nmultiple remote management tools on victim corporate laptops immediately following shipment to the farm.\r\nThese indicate that the individual is connecting to their corporate system remotely via the internet, and may not be\r\ngeographically located in the city, state, or even country in which they report to reside. The following is a list of\r\nremote administration tools identified during Mandiant engagements:\r\nGoToRemote / LogMeIn\r\nGoToMeeting\r\nChrome Remote Desktop \r\nAnyDesk \r\nTeamViewer\r\nRustDesk\r\nConnections to these remote management solutions primarily originated from IP addresses associated with Astrill\r\nVPN, likely originating from China or North Korea. Lastly, feedback from team members and managers who\r\nspoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to\r\nengage in video communication and below-average work quality exhibited by the DPRK IT worker remotely\r\noperating the laptops. \r\nAnother common characteristic identified across Mandiant’s engagements was that DPRK IT workers typically\r\nclaimed to live in one location, but requested laptop shipment to another location (laptop farm or outside\r\nenablement entity). We have observed the DPRK IT workers using the location associated with the stolen identity\r\nused for employment, including the stolen driver’s license, which often doesn’t match the location where the\r\nlaptop is ultimately shipped and stored. 
\r\nDetection Methods\r\nMandiant highlights a number of strategies that organizations can use to identify and hinder DPRK IT worker\r\noperations based on information from trusted sources and government advisories. Countering the threat posed by\r\nNorth Korean cyber actors requires a multifaceted approach that combines technical defenses, user awareness\r\ntraining, and proactive threat hunting. Key recommendations include:\r\nVetting of Job Candidates\r\nRequiring stringent background checks, including the collection of biometric information for comparison\r\nagainst known identities via specialized background checking services, may deter the use of forgeries. \r\nImplementing careful interview processes, such as requiring cameras to be used during interviews to ensure\r\nvisual appearance matches online profiles, checking that the interviewee matches the provided\r\nidentification, and asking questions to establish the consistency of a candidate's responses in line with their\r\npurported background.  \r\nU.S. government advisories and trusted third parties have additionally noted IT workers’ reluctance\r\nto turn on cameras and their use of fake backgrounds during interviews. \r\nTraining human resources departments to spot inconsistencies broadly and learn IT worker tactics,\r\ntechniques, and procedures (TTPs).\r\nMonitoring for the use of artificial intelligence (AI) to modify employment profile pictures.\r\nMandiant has observed multiple instances in which DPRK IT workers utilized AI to modify profile\r\npictures. \r\nImpacted organizations have leveraged open-source tooling to determine if the image was created\r\nusing AI.\r\nRequire notarized proof of identity prior to employment.\r\nObservations of Potential Technical Indicators\r\nVerify phone numbers to identify Voice over Internet Protocol (VoIP) phone numbers. 
The use of VoIP\r\nphone numbers is a common tactic used by UNC5267. \r\nVerify that the corporate laptop is shipped to and subsequently geolocated where the individual reports to\r\nreside during onboarding.\r\nMandiant has observed instances where the deployed corporate laptop was never geolocated in the\r\nlocation that the individual reported to reside.\r\nMonitor and restrict the use and installation of remote administration tools:\r\nPrevent any remote connections to company-issued computers that could subsequently access the\r\ncorporate network.\r\nMonitor for uncommon remote admin tools. \r\nMonitor for multiple remote admin tools installed on one system.\r\nMonitor for the use of VPN services to connect to corporate infrastructure. IP addresses associated with\r\nVPN services, such as Astrill VPN, should be further reviewed.\r\nMonitor for the use of “mouse jiggling” software. \r\nMandiant has observed instances of DPRK IT workers using the Caffeine mouse jiggling software\r\nto remain active across several laptops and profiles. This allows for ease of use at facilitator\r\nlocations, where keeping laptops on and running is key, and for the DPRK IT workers, who often\r\nhold many jobs at once and need to appear online.\r\nRequest verification of the laptop serial number at the time of IT onboarding. This information should be\r\nreadily available for anyone with physical possession of their corporate device. \r\nUtilize hardware-based multi-factor authentication to enforce physical access to corporate\r\ndevices.\r\nMonitor and restrict the use of IP-based KVM devices. IP-based KVMs are frequently utilized by DPRK\r\nIT workers to maintain persistent remote access to corporate devices.\r\nOngoing Mitigation Strategies\r\nConsider utilizing periodic mandatory spot checks where remote employees are required to go on camera. 
\r\nOffer continuous education for users and employees on current threats and trends, which is critical for\r\nidentifying potentially malicious activity. Provide additional training on reporting suspicious activity. \r\nCollaborate with information-sharing communities and security vendors to stay abreast of the latest threats\r\nand mitigation strategies.\r\nRequire the use of U.S. banks for financial transactions to hinder IT worker efforts, as the acquisition of\r\nU.S. bank accounts is more difficult and entails stricter identity verification than those in many other\r\ncountries. \r\nFor Google SecOps Enterprise+ customers, the IOCs listed in this blog post are available for prioritization with\r\nApplied Threat Intelligence.\r\nMandiant also offers intelligence-led human-driven Custom Threat Hunt services to reveal ongoing or past threat\r\nactor activity in both cloud and on-premise environments. The service includes analysis tailored to the particulars\r\nof your tech stack and the threats targeting you. Learn more about Mandiant Custom Threat Hunt services.\r\nOutlook and Implications \r\nNorth Korea's IT workforce, despite operating under significant constraints, presents a persistent and escalating\r\ncyber threat. The dual motivations behind their activities—fulfilling state objectives and pursuing personal\r\nfinancial gains—make them particularly dangerous. Their technical proficiency, coupled with sophisticated\r\nevasion tactics, poses a formidable challenge, especially for HR and recruiting teams tasked with identifying\r\npotential threats during the hiring process.\r\nGiven their past successes and the DPRK regime's reliance on cyber operations for revenue and strategic goals, we\r\nanticipate a continued surge in sophisticated attacks and intrusions targeting businesses globally. 
The IT workers\r\ncontinue to be particularly impactful to Western organizations, with a growing number of European organizations\r\ntargeted. These attacks can lead to data breaches, financial losses, intellectual property theft, and disruption of\r\ncritical services.\r\nThe activities of North Korea's IT workforce underscore the need for sustained vigilance and a proactive\r\ncybersecurity posture. While the threat is complex, a combination of robust security measures, employee\r\nawareness, and collaborative efforts can significantly enhance an organization's resilience against these malicious\r\nactors. Additionally, leveraging advanced threat detection tools and maintaining robust incident response plans are\r\ncrucial for minimizing the impact of potential breaches. Collaboration with industry peers and cybersecurity\r\nagencies to share threat intelligence can further strengthen defenses against this evolving threat.\r\nMandiant successfully operates in this effort by leveraging partnerships either publicly or privately with key\r\norganizations and victims alike. If your organization has been affected or you have information regarding DPRK\r\ncyber operations, we can help get the information to the people that need to be protected or informed. 
We are all in\r\nthis together.\r\nNetwork IOCs\r\nIndicator ASN NetBlock Service Location\r\n103.244.174.154 9541 Cybernet   (PK)\r\n104.129.55.3 8100 QuadraNet   (US)\r\n104.206.40.138 62904 Eonix Corporation AstrillVPN (US)\r\n104.223.97.2 8100 QuadraNet   (US)\r\n104.223.98.2 8100 QuadraNet   (US)\r\n104.243.33.74 23470 ReliableSite.Net LLC   (US)\r\n104.250.148.58 53850 GorillaServers AstrillVPN (US)\r\n109.82.113.75 35819 Mobily   (SA)\r\n113.227.237.46 4837 China Unicom   (CN)\r\n119.155.190.202 56167 Ufone   (PK)\r\n123.190.56.214 4837 China Unicom   (CN)\r\n155.94.255.2 8100 QuadraNet   (US)\r\n174.128.251.99 46844 Sharktech AstrillVPN (US)\r\n18.144.99.240 16509 Amazon.com   (US)\r\n184.12.141.109 5650 Frontier Communications   (US)\r\n192.119.10.67 55081 24 Shells AstrillVPN (US)\r\n192.119.11.250 55081 24 Shells AstrillVPN (US)\r\n192.74.247.161 54600 Peg Tech AstrillVPN (US)\r\n198.135.49.154 396073 Majestic Hosting Solutions, LLC AstrillVPN (US)\r\n198.2.228.20 54600 Peg Tech AstrillVPN (US)\r\n198.23.148.18 36352 ColoCrossing   (US)\r\n199.115.99.34 46844 Sharktech AstrillVPN (US)\r\n204.188.232.195 46844 Sharktech AstrillVPN (US)\r\n207.126.89.11 6939 Hurricane Electric   (US)\r\n208.68.173.244 29838 Atlantic Metro Communications   (US)\r\n23.105.155.2 396362 Leaseweb New York   (US)\r\n23.237.32.34 174 Fdcservers   (US)\r\n3.15.4.158 16509 Amazon.com   (US)\r\n37.19.199.133 212238 Datacamp Limited   (US)\r\n37.19.221.228 212238 Datacamp Limited   (US)\r\n37.43.225.43 35819 Mobily   (SA)\r\n38.140.49.92 174 Cogent Communications AstrillVPN (US)\r\n38.42.94.148 27611 Starry   (US)\r\n42.84.228.232 4837 China Unicom   (CN)\r\n5.244.93.199 35819 Mobily   
(SA)\r\n50.39.182.185 27017 Ziply Fiber   (US)\r\n51.39.228.134 43766 Zain Saudi Arabia   (SA)\r\n54.200.217.128 16509 Amazon.com   (US)\r\n60.20.1.234 4837 China Unicom   (CN)\r\n66.115.157.242 46562 Performive   (US)\r\n67.129.13.170 209 CenturyLink   (US)\r\n67.82.9.140 6128 Optimum Online   (US)\r\n68.197.75.194 6128 Optimum Online   (US)\r\n70.39.103.3 46844 Sharktech AstrillVPN (US)\r\n71.112.196.114 701 Verizon Fios Business   (US)\r\n71.112.196.115 701 Verizon Fios Business   (US)\r\n72.193.13.228 22773 Cox Communications   (US)\r\n74.222.20.18 74.222.20.18 Perfect International AstrillVPN (US)\r\n74.63.233.50 46475 Limestone Networks AstrillVPN (US)\r\n98.179.96.75 22773 Cox Communications   (US)\r\nURLs\r\nURL\r\nhxxps://daniel-ayala[.]netlify[.]app\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/"
	],
	"report_names": [
		"mitigating-dprk-it-worker-threat"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07903033ef75b650ea70292c2965f30d53daf103.pdf",
		"text": "https://archive.orkl.eu/07903033ef75b650ea70292c2965f30d53daf103.txt",
		"img": "https://archive.orkl.eu/07903033ef75b650ea70292c2965f30d53daf103.jpg"
	}
}