{
	"id": "938e5fab-2a62-4c0f-be6e-c3456977a1a2",
	"created_at": "2026-04-06T00:11:14.028276Z",
	"updated_at": "2026-04-10T13:11:22.268278Z",
	"deleted_at": null,
	"sha1_hash": "70997291b3a9034e297d1b43118ed3c2cc1d8735",
	"title": "Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1861648,
	"plain_text": "Fake North Korean IT Worker Linked to BeaverTail Video\r\nConference App Phishing Attack\r\nBy Unit 42\r\nPublished: 2024-11-14 · Archived: 2026-04-05 16:46:19 UTC\r\nExecutive Summary\r\nUnit 42 researchers identified a North Korean IT worker activity cluster that we track as CL-STA-0237. This\r\ncluster was involved in recent phishing attacks using malware-infected video conference apps. It likely operates\r\nfrom Laos, using Lao IP addresses and identities.\r\nCL-STA-0237 exploited a U.S.-based, small-and-medium-sized business (SMB) IT services company to apply for\r\nother jobs. In 2022, CL-STA-0237 secured a position at a major tech company.\r\nWe believe CL-STA-0237 is another cluster of a broader network of North Korean IT workers supporting the\r\nnation's illicit activities, including weapons of mass destruction (WMD) and ballistic missile programs. This\r\narticle highlights the IT workers’ shift from stable income-seeking activities to involvement in more aggressive\r\nmalware campaigns. Additionally, the article illustrates the global reach of North Korean IT workers.\r\nTo address these risks, organizations should perform the following activities:\r\nStrengthening their hiring screening processes\r\nImplementing robust monitoring to identify insider threats\r\nThoroughly evaluating outsourced services\r\nEnsuring that employees do not use corporate machines for personal activities\r\nPalo Alto Networks customers receive better protection from malware discussed in this article through Cortex\r\nXDR and XSIAM and Prisma Cloud. 
Advanced URL Filtering and Advanced DNS Security identify known URLs\r\nand domains associated with this activity as malicious.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nUpdated Contagious Interview Campaign Tactics\r\nIn a previous article, we covered the Contagious Interview campaign where North Korean threat actors posed as\r\nfake employers reaching out to IT developers with fictitious job offers and conducted technical interviews. During\r\nthese interviews, attackers delivered npm (a package manager for the JavaScript programming language) projects\r\nwith malicious content, which led to BeaverTail malware infections. Attackers then deployed InvisibleFerret\r\nmalware, which includes additional remote access Trojan (RAT) features.\r\nhttps://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/\r\nPage 1 of 7\n\nIn addition to the recently published reports from the Objective-See Foundation and GROUP-IB on the Contagious\r\nInterview campaign’s updated TTPs, Unit 42 has released a new report that highlights the latest developments\r\nsurrounding the BeaverTail malware. These reports delve into how threat actors set up fake video conferencing\r\nwebsites imitating MiroTalk and FreeConference. Attackers lured targets into downloading conference call\r\ninstallers embedded with BeaverTail malware.\r\nThis new approach differs from previous tactics in that malware delivery occurs at the start of the job interview,\r\nusing installer packages. This method allows attackers to target a broader range of job seekers, rather than only\r\nthose with npm JavaScript development expertise and specific machine configurations.\r\nOur investigation into this updated campaign led to the identification of the fake North Korean IT worker cluster\r\nwe are focusing on in this research. 
This is the second instance where we have observed connections between the\r\nContagious Interview malware campaign and North Korean IT worker activities, also known as the Wagemole\r\ncampaign. In the Wagemole campaign, North Korean IT workers pose as job seekers, often freelance developers,\r\nand they seek remote IT jobs using stolen identities.\r\nFake North Korean IT Worker CL-STA-0237 Linked to the Phishing Attack\r\nOur internal telemetry identified newly registered domains resolving to a known IP address, 167.88.36[.]13, which\r\nis associated with the MiroTalk fake job campaign from July 2024 discussed above. Further investigation revealed\r\nthat the CL-STA-0237 activity cluster, which registered these domains, used information from a U.S.-based SMB\r\nIT services company.\r\nCL-STA-0237 not only exploited the company’s information but also controlled multiple IT infrastructure and\r\nmanagement accounts that belonged to the company. CL-STA-0237 listed the company as its employer, citing\r\nemployment since 2019 in some of its fake resumes. It also managed email accounts that mimicked the company’s\r\nowner, using them to apply for other jobs.\r\nWe could not fully verify the connections between CL-STA-0237 and the exploited company. Our hypothesis\r\nsuggests two potential scenarios:\r\nCL-STA-0237 stole the company’s access credentials and is now posing as the company to secure new IT\r\njobs or target job seekers with malware infections.\r\nCL-STA-0237 was either hired by or had an outsourcing partnership with the IT services company, which\r\nallowed it to gain access to the company’s infrastructure.\r\nFake Resumes Created by the Actor\r\nIn the Wagemole campaign, North Korean IT workers commonly managed multiple personas using fake or stolen\r\nidentities from around the world. Figure 1 shows fake resumes created by CL-STA-0237.\r\nFigure 1. 
Fake resumes created by CL-STA-0237.\r\nAlthough the headshot photos differ slightly, they appear to be different pictures of the same individual. With\r\nmoderate confidence, we believe these headshots belong to a real member of CL-STA-0237, as they are likely\r\nrequired to show their face during video conference calls with employers or clients.\r\nPossible Physical Presence in Laos\r\nTracing CL-STA-0237's activities revealed the use of multiple Lao residential IP addresses. Criminals commonly\r\nuse residential proxy services, so the use of such IP addresses alone does not provide strong evidence of physical\r\npresence.\r\nHowever, we were able to verify that one of the threat actor’s headshot photos in Figure 2 was taken at a shopping\r\nmall in Vientiane, Laos, between late 2020 and mid-2021.\r\nFigure 2. Tracing the geolocation and timeframe of CL-STA-0237.\r\nThe A and B sections of the background of the IT worker's headshot photo in Figure 2 strongly indicated that it\r\nwas taken in a shopping mall. Additionally, an advertisement for a phone model released in late 2020 suggested\r\nthe time frame in which the picture was taken.\r\nConsidering these factors, along with Laos being one of the countries where North Korean IT workers have been\r\ndispatched, it is plausible that CL-STA-0237 may have had a physical presence in Laos. In contrast, previous\r\nWagemole campaign clusters were primarily linked to IP infrastructures based in China and Russia.\r\nSecuring a Job at a Major Tech Company\r\nThe intelligence we gathered on CL-STA-0237 suggests that it secured multiple short-term and long-term jobs\r\nfrom companies of various sizes. 
We believe, with moderate confidence, that CL-STA-0237 secured a position in\r\nat least one major tech company in 2022.\r\nCL-STA-0237 had access to the company's single sign-on (SSO) system, with an account created under the\r\ncompany’s domain. We believe this account was created for the North Korean IT worker rather than stolen, as the\r\nusername corresponds to one of the fake identities CL-STA-0237 has been using in its fake IT worker operation.\r\nAttribution\r\nSince our previous report on the two job-related campaigns, some researchers have begun attributing the\r\nContagious Interview campaign to the well-known North Korean threat group, Lazarus. However, we are not\r\ncertain whether the IT workers led the attacks or simply assisted other hacking groups. Despite this uncertainty,\r\nwe continue to observe links between malware campaigns and North Korean IT workers, thus we track these\r\nactivities under our temporary cluster names.\r\nOn the other hand, there have been new developments regarding the attribution of the Wagemole campaign.\r\nEthereum wallets associated with one of the Wagemole clusters showed significant fund transfers to a wallet\r\nbelonging to Sang Man Kim.\r\nKim is a North Korean individual sanctioned by the U.S. Treasury for his role in supporting North Korea's illicit\r\nactivities, including its WMD and ballistic missile programs. Kim is specifically linked to managing the finances\r\nof overseas North Korean IT workers in Russia and Laos, providing a potential connection to the campaign's\r\nfinancial operations.\r\nConclusion\r\nNorth Korean threat actors have been highly successful in generating revenue to fund their nation’s illicit\r\nactivities. 
They began by posing as fake IT workers to secure consistent income streams, but they have begun\r\ntransitioning into more aggressive roles, including participating in insider threats and malware attacks.\r\nThe continuous discovery of such operations highlights the vast scale of the threat. Despite numerous reports,\r\nmedia coverage and law enforcement efforts, these campaigns have not diminished. We anticipate that North\r\nKorean job-related campaigns will likely persist and even escalate.\r\nTo mitigate these risks, organizations must enhance their screening processes for new hires. This includes the\r\nfollowing activities:\r\nBolstering monitoring to detect insider threats\r\nCarefully vetting outsourced services\r\nEnsuring that employees do not use corporate machines for personal activities\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nCortex XDR and XSIAM customers, users of both cloud and on-premises agents, receive protections out-of-the-box. Cortex’s XSIAM AI-assisted operations centralize data and SOC detection and response\r\ncapabilities, providing protections from the advanced threats described in this article.\r\nPrisma Cloud customers are protected out-of-the-box should the infection chains discussed within this\r\narticle expose cloud infrastructure. 
Prisma Cloud monitors CI/CD pipelines, Cloud Secret Managers,\r\nInfrastructure as Code (IaC) templates and Software Composition to ensure that malicious execution,\r\ncreation, modification or deletion of cloud resources are detected and remediated.\r\nAdvanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with\r\nthis activity as malicious.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nDomains\r\neffertz-carroll[.]com\r\nregioncheck[.]net\r\nfreeconference[.]io\r\nipcheck[.]cloud\r\nmirotalk[.]io\r\nmirotalk[.]net\r\nftpserver0909[.]com\r\nIP Address\r\n167.88.36[.]13\r\nEmail Addresses\r\nadonis_eros@outlook[.]com\r\nbrightstar1116@outlook[.]com\r\nbuyerlao@outlook[.]com\r\ncasey_qadir@outlook[.]com\r\ncescernand@outlook[.]com\r\ndevstar1116@gmail[.]com\r\nebcappservices@gmail[.]com\r\nhakajakin@outlook[.]com\r\nideationbrand@gmail[.]com\r\nlegend_dev@outlook[.]com\r\nliko.sonexarth@gmail[.]com\r\nliko.sonexarth@hotmail[.]com\r\nlongines0924@gmail[.]com\r\nlujindane@outlook[.]com\r\nmatthewhall14541@gmail[.]com\r\nniko.sonexarth@gmail[.]com\r\nniko.sonexarth@hotmail[.]com\r\noscar.vetres127@europe[.]com\r\noscar.vetres127@gmail[.]com\r\npinefirst@outlook[.]com\r\nreply9998@gmail[.]com\r\nrichard.stewart.1202@gmail[.]com\r\nrichard.stewart.1202@outlook[.]com\r\nsniper_bruce@outlook[.]com\r\nstp.walsh33@gmail[.]com\r\ntechcare127@gmail[.]com\r\ntruepai415@gmail[.]com\r\ntruestar222@outlook[.]com\r\nvolodimir.work2020@gmail[.]com\r\nzhangming_k@yahoo[.]com\r\nzhuming1116@gmail[.]com\r\nlisettekolson8@gmail[.]com\r\n312011217@qq[.]com\r\nalhinglovena3000@gmail[.]com\r\njumphon2103@gmail[.]com\r\nmobilephetjum@gmail[.]com\r\nphetchamphone1998@gmail[.]com\r\nAdditional Resources\r\nGlobal Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them – Unit 42, Palo\r\nAlto Networks\r\nHacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North\r\nKorean Threat Actors – Unit 42, Palo Alto Networks\r\nContagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of\r\nBeaverTail and InvisibleFerret Malware – Unit 42, Palo Alto Networks\r\nThis Meeting Should Have Been an Email - A DPRK stealer, dubbed BeaverTail, targets users via a\r\ntrojanized meeting app – Objective-See Foundation\r\nAPT Lazarus: Eager Crypto Beavers, Video calls and Games – GROUP-IB\r\nTreasury Targets DPRK Malicious Cyber and Illicit IT Worker Activities – Press release, U.S. 
Department\r\nof the Treasury\r\nSource: https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/"
	],
	"report_names": [
		"fake-north-korean-it-worker-activity-cluster"
	],
	"threat_actors": [
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70997291b3a9034e297d1b43118ed3c2cc1d8735.pdf",
		"text": "https://archive.orkl.eu/70997291b3a9034e297d1b43118ed3c2cc1d8735.txt",
		"img": "https://archive.orkl.eu/70997291b3a9034e297d1b43118ed3c2cc1d8735.jpg"
	}
}