‼️🇰🇵 Meet North Korean recruiter 'Aaron,' who infiltrates Western companies by using AI and posing as a remote IT worker using stolen or rented identities.
He was lured into a sandbox by researchers, who observed the wild APT in a controlled setting to see what he would do.
VIDEO
He wanders around the web sending messages to people like "I'd like to offer you an opportunity that I think could be interesting." Turns out @MauroEldritch likes opportunities.

Aaron then asks the "legit" worker to download AnyDesk.
VIDEO
Aaron then discusses the "legit" worker's setup.
VIDEO
In record time, AnyRun provided Mauro with a special version of their sandbox that mimics a developer's machine as closely as possible.

The first thing he does is run DxDiag (DirectX Diagnostic Tool) to get a full report on the machine's hardware.
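The sequence seen here (a remote-access tool lands on a developer machine, then DxDiag fingerprints it minutes later) is cheap to correlate in process-creation telemetry. The following detection is an added example written for this thread, not code from the researchers or from ANY.RUN; the log format and the sample events are constructed, and the tool lists are starting points to extend.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the thread). dev-vm01 shows
# the AnyDesk -> DxDiag sequence; dev-vm02 runs DxDiag hours after an unrelated process.
SAMPLE_EVENTS = """\
2025-03-01T10:02:11Z host=dev-vm01 user=mauro image=C:\\Users\\mauro\\Downloads\\AnyDesk.exe cmd="AnyDesk.exe"
2025-03-01T10:06:40Z host=dev-vm01 user=mauro image=C:\\Windows\\System32\\dxdiag.exe cmd="dxdiag.exe /t C:\\Users\\mauro\\dx.txt"
2025-03-01T09:00:00Z host=dev-vm02 user=alice image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"
2025-03-01T13:30:00Z host=dev-vm02 user=alice image=C:\\Windows\\System32\\dxdiag.exe cmd="dxdiag.exe"
"""

LINE_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) image=(\S+) cmd="(.*)"$')

# Binaries named in the thread; extend with other remote-access and recon tools as needed.
REMOTE_ACCESS = {"anydesk.exe"}
RECON = {"dxdiag.exe"}


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmd = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user,
        "image": image.rsplit("\\", 1)[-1].lower(),  # basename, case-insensitive
        "cmd": cmd,
    }


def find_recon_after_remote_access(log_text, window=timedelta(minutes=30)):
    """Return (host, user, recon_binary, seconds_after_remote_tool) for every
    recon process that starts within `window` of a remote-access tool on the same host."""
    events = sorted((e for e in map(parse, log_text.splitlines()) if e), key=lambda e: e["ts"])
    last_remote = {}  # host -> timestamp of the most recent remote-access tool start
    alerts = []
    for e in events:
        if e["image"] in REMOTE_ACCESS:
            last_remote[e["host"]] = e["ts"]
        elif e["image"] in RECON:
            started = last_remote.get(e["host"])
            if started is not None and e["ts"] - started <= window:
                alerts.append((e["host"], e["user"], e["image"], int((e["ts"] - started).total_seconds())))
    return alerts


if __name__ == "__main__":
    for alert in find_recon_after_remote_access(SAMPLE_EVENTS):
        print("recon after remote access:", alert)
```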

Aaron tried to determine the location, so Mauro introduced multiple system crashes to delay him.

He then left a note for Mauro... how very romantic.

Aaron then logged into his Google account and turned on the sync feature in Chrome.

This opened up the North Korean toolset, which includes multiple AI tools like Simplify Copilot (to autofill job applications), AiApply (to automate job seeking), Final Round AI (which provides answers for your interview questions in real time), Saved Prompts for GPT (to bookmark LLM prompts), the OTP[.]ee extension (or Authenticator[.]cc, an OTP generator), and last but not least, Google Remote Desktop.
