How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker
Talk about dodging the insider threat from hell. From August 15 to 25, 2025, the SpiderLabs threat intel team, through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics, detected a North Korea-linked attempt to infiltrate an organization by replying to a help-wanted ad.
Let’s take a look at how this organization, with LevelBlue’s help, was able to detect and block this sneaky infiltration attempt.
It took just 10 days for a nation-state threat actor to go from new hire to terminated employee. What appeared to be routine onboarding quickly unraveled when behavioral analytics flagged suspicious login patterns, and threat intelligence confirmed the worst: the organization had unknowingly hired a suspected North Korea-linked operative.
Our team flagged suspicious login …
IoC
155.94.199.59
142.214.202.2