Overview
- BCA LTD, NorthScan and ANY.RUN disclosed Dec. 2–3 that they recorded Famous Chollima operators working inside long‑running sandbox VMs disguised as U.S. developer machines.
- A recruiter using the aliases Aaron and Blaze pushed targets to surrender SSN, ID, LinkedIn and Gmail access along with 24/7 control of a laptop to place North Korean IT workers in Western companies.
- Captured sessions showed AI job‑automation tools, browser‑based OTP services, Astrill VPN routing and Google Remote Desktop configured via PowerShell with a fixed PIN for persistent control.
- Operators focused on full identity and workstation takeover rather than malware, going so far as to leave a Notepad file on the host machine requesting the target's ID, SSN and banking details.
- Researchers urge tighter remote‑hiring verification across finance, crypto, healthcare and engineering, as industry reporting also cites DOJ seizures tied to these IT schemes and extensive crypto theft losses.
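The persistence pattern summarised above (a remote-desktop host registered from PowerShell with a fixed PIN) is something endpoint telemetry can flag. The following is an added detection example, not code from the report or from any of the vendors named; the events are constructed here in a Sysmon-style shape (ParentImage, Image, CommandLine), and the binary name `remoting_start_host.exe` and the `--pin` switch are assumptions about how a Chrome/Google Remote Desktop host is set up headlessly, not values taken from the page.

```python
"""Flag process-creation events where PowerShell registers a remote-desktop
host with a PIN on the command line (added example; events are constructed)."""
import re

# Assumed: the headless host-registration binary for Google/Chrome Remote Desktop.
REMOTE_HOST_BINARIES = {"remoting_start_host.exe"}
SHELL_PARENTS = {"powershell.exe", "pwsh.exe"}
# Assumed switch name; a PIN supplied as an argument means it is fixed and reusable.
PIN_ARG = re.compile(r"--pin(?:=|\s+)\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event looks like unattended remote-control setup.

    An empty list means the event is not interesting.
    """
    reasons = []
    if basename(event["Image"]) not in REMOTE_HOST_BINARIES:
        return reasons
    reasons.append("remote-desktop host registration")
    if basename(event["ParentImage"]) in SHELL_PARENTS:
        reasons.append("launched from PowerShell")
    if PIN_ARG.search(event["CommandLine"]):
        reasons.append("fixed PIN passed on command line")
    return reasons


def severity(reasons: list[str]) -> str:
    """Map the reason list to a triage bucket for the SOC queue."""
    if not reasons:
        return "none"
    return "high" if len(reasons) == 3 else "medium"


# Constructed sample telemetry: one benign build job, one interactive host
# install by an admin, and one PowerShell-driven registration with a fixed PIN.
SAMPLE_EVENTS = [
    {
        "ProcessId": 4120,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Program Files\nodejs\node.exe",
        "CommandLine": "node build.js --watch",
    },
    {
        "ProcessId": 5308,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\remoting_start_host.exe",
        "CommandLine": "remoting_start_host.exe --name=DESKTOP-01",
    },
    {
        "ProcessId": 6644,
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Program Files (x86)\Google\Chrome Remote Desktop\remoting_start_host.exe",
        "CommandLine": "remoting_start_host.exe --name=dev-laptop --pin=123456 --code=REDACTED",
    },
]


def scan(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (pid, severity, reasons) for every event worth a look."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["ProcessId"], severity(reasons), reasons))
    return hits


if __name__ == "__main__":
    for pid, sev, why in scan(SAMPLE_EVENTS):
        print(f"pid={pid} severity={sev}: {'; '.join(why)}")
```

The interactive install (pid 5308) is surfaced at medium severity so an analyst can confirm it against a change ticket, while the scripted registration with an embedded PIN (pid 6644) is the high-severity case that matches the behaviour the report describes; a production rule would additionally compare the host name and the registering account against the HR record for the device's assigned user.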