From North Korean IT Workers to IT recruiters

2025-11-07, SecurityAlliance
https://radar.securityalliance.org/from-north-korean-it-workers-to-it-recruiters/
#ITWorker

Contents

Executive summary
Recent monitoring of activity on GitHub and freelance platforms such as Upwork has revealed a significant shift in the behavior of certain IT workers — from merely seeking employment to adopting more deceptive and intrusive tactics.
This marks the emergence of a second, more scalable phase in their operations. Increasingly, DPRK-linked IT workers are acting as recruiters, orchestrating coordinated campaigns to enlist collaborators through platforms like Upwork and Freelancer. These recruiters approach targets with a scripted pitch, requesting “collaborators” to help bid on and deliver projects. They provide step-by-step instructions for account registration, identity verification, and credential sharing.
In many cases, victims ultimately surrender full access to their freelance accounts or install remote-access tools such as AnyDesk or Chrome Remote Desktop. This enables the threat actor to operate under the victim’s verified identity and IP address, allowing them to bypass platform verification controls and conduct illicit activity undetected.
Operational Hypothesis: Two Roles …

IoC
