Unmasking a North Korean IT Farm: Exposing the Tradecraft Behind Their Global Disguise
A NORTH KOREAN CYBER OPERATION: Exposing ARP-based Covert C2s, WebSocket Malware, and Video Conference Software Abuse
SecTor 2025
OCTOBER 1, 2025
A NORTH KOREAN CYBER OPERATION
WHO ARE WE?
Avi Sambira
Director,
N. AMERICA, CA
AGENDA
Background
Tool Breakdown
Recommendations
Last Thoughts
Demonstration
BACKGROUND
REAL-WORLD IMPACT
Key Milestones in North Korean Cyber Operations (May 2022–February 2025)
May 2022: North Korean IT workers identified as major infection vector
August 2024 – February 2025: 21 command and control servers linked to operations
September 2024 – February 2025: At least seven organizations in six countries targeted
January 2025: North Korean IT workers begin extorting former employers
February 2025: $1.5 billion stolen in single cryptocurrency attack
TIMELINE OF EVENTS
December 2024: North Korean IT worker hired as senior DevOps engineer
Early January 2025: Discovery of tooling on seized laptop
January to February 2025: Threat hunt performed in client environment
February 2025: Laptop returned to client and analyzed by Sygnia
(Timeline axis: November 2024 to March 2025)
NO MALWARE NEEDED: JUST PYTHON, ARP, AND ZOOM
Scripts (Python): enable control without malware installation.
WebSocket: facilitates remote command and control.
ARP packets: rebroadcast commands locally.
Zoom automation: simulates remote desktop control.
Evasion: operates below traditional logging thresholds.
Combined effect: covert device control.
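The slide states that ARP packets were used to rebroadcast commands on the local segment but does not publish the encoding. The following is an added hunting example, not code from the Sygnia presentation or from the actor's tooling: it parses raw Ethernet/ARP frames and flags the generic properties a covert ARP channel tends to have (data after the 28-byte ARP body, where only zero padding belongs; unusual opcodes; an Ethernet source MAC that does not match the ARP sender MAC). The heuristics and the sample frames are assumptions constructed for illustration.

```python
"""Heuristics for spotting ARP frames that carry more than an ARP header.

Added example for this page, not code from the Sygnia presentation. The deck
says only that ARP packets were used to rebroadcast commands on the local
segment; it does not publish the encoding. These checks are therefore generic
covert-channel heuristics (an assumption), and the sample frames are constructed.
"""
import struct
from typing import Optional

ETH_HDR_LEN = 14
ARP_BODY_LEN = 28          # Ethernet/IPv4 ARP: 8-byte fixed header + 6+4+6+4
ETHERTYPE_ARP = 0x0806
MIN_FRAME_LEN = 60         # minimum Ethernet frame without FCS; NICs zero-pad to this


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Parse an Ethernet II frame; return ARP fields plus trailer, or None if not ARP."""
    if len(frame) < ETH_HDR_LEN + ARP_BODY_LEN:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        return None
    body = frame[ETH_HDR_LEN:ETH_HDR_LEN + ARP_BODY_LEN]
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", body)
    return {
        "eth_dst": eth_dst, "eth_src": eth_src,
        "htype": htype, "ptype": ptype, "hlen": hlen, "plen": plen, "oper": oper,
        "sha": sha, "spa": spa, "tha": tha, "tpa": tpa,
        # Anything after the 28-byte ARP body. Legitimate frames only carry
        # zero padding here (up to the 60-byte minimum); real data is a red flag.
        "trailer": frame[ETH_HDR_LEN + ARP_BODY_LEN:],
    }


def arp_anomalies(frame: bytes) -> list:
    """Return human-readable reasons this ARP frame looks like a covert channel."""
    p = parse_arp_frame(frame)
    if p is None:
        return []
    reasons = []
    if (p["htype"], p["ptype"], p["hlen"], p["plen"]) != (1, 0x0800, 6, 4):
        reasons.append("non-standard ARP header fields")
    if p["oper"] not in (1, 2):                       # 1 = request, 2 = reply
        reasons.append("unusual ARP opcode %d" % p["oper"])
    if p["eth_src"] != p["sha"]:
        reasons.append("Ethernet source MAC differs from ARP sender MAC")
    trailer = p["trailer"]
    nonzero = sum(1 for b in trailer if b)
    if nonzero:
        reasons.append("%d non-zero trailer bytes after ARP body" % nonzero)
    elif len(frame) > MIN_FRAME_LEN:
        reasons.append("frame padded beyond the 60-byte minimum")
    return reasons


def scan_frames(frames) -> list:
    """Run the heuristics over a sequence of frames; return (index, reasons) for hits."""
    hits = []
    for i, f in enumerate(frames):
        r = arp_anomalies(f)
        if r:
            hits.append((i, r))
    return hits


def build_arp_frame(eth_src, sha, spa, tha, tpa, oper=1, trailer=b"",
                    eth_dst=b"\xff" * 6) -> bytes:
    """Build an Ethernet/ARP frame (test helper); pads to 60 bytes like a real NIC."""
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)
    frame = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP) + body + trailer
    return frame.ljust(MIN_FRAME_LEN, b"\x00")


# Constructed sample traffic (not from the investigation). Addresses are made up.
MAC_A = bytes.fromhex("0a1b2c3d4e5f")
MAC_B = bytes.fromhex("0a1b2c3d4e60")
IP_A = bytes([10, 0, 0, 5])
IP_GW = bytes([10, 0, 0, 1])

NORMAL_REQUEST = build_arp_frame(MAC_A, MAC_A, IP_A, b"\x00" * 6, IP_GW)
# Hypothetical covert frame: a valid-looking request with a command in the trailer.
COVERT_TRAILER = build_arp_frame(MAC_A, MAC_A, IP_A, b"\x00" * 6, IP_GW,
                                 trailer=b"cmd:whoami")
# Hypothetical covert frame: unusual opcode and spoofed sender MAC, no trailer.
COVERT_OPCODE = build_arp_frame(MAC_A, MAC_B, IP_A, b"\x00" * 6, IP_GW, oper=0x42)
NOT_ARP = b"\x00" * 64   # ethertype 0x0000, ignored by the parser

if __name__ == "__main__":
    for idx, why in scan_frames([NORMAL_REQUEST, COVERT_TRAILER, COVERT_OPCODE, NOT_ARP]):
        print("frame %d flagged: %s" % (idx, "; ".join(why)))
```

Treat hits as hunting leads rather than block rules: proxy ARP, VRRP/HSRP and some virtual switches legitimately produce a sender-MAC mismatch, and a few NIC drivers pad with stale buffer contents instead of zeros. On a real capture, feed the raw link-layer bytes of each packet (for example the packet payloads from a pcap reader) into scan_frames and pivot on the hosts whose frames carry non-zero trailers.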
TOOL
BREAKDOWN
COVERT …