
Summary

As of 2025, North Korea-linked threat actors are emerging not only through financial fraud but also through cyber infiltration strategies involving remote recruitment.
In this case, the Lazarus threat actor’s sub-group “Famous Chollima” attempted to secure a position at a Western tech company using fake resumes and AI-based facial filters.
The company’s recruiting team detected the incident early by noticing artificial movements and inconsistencies during the interview.

This case demonstrates that North Korea’s long-standing “IT Worker Operations” program has now evolved into sophisticated deepfake-based human resources attacks.

Threat Actor Profile

Feature         Information
Name            Famous Chollima (subunit of Lazarus)
Relation        Democratic People’s Republic of Korea (DPRK)
Purpose         Corporate espionage, revenue generation, sanctions evasion
Tactics         Remote hiring, deepfake identities, fake resumes, VPN tunneling
Target Sectors  Finance, Crypto/Web3, Engineering, Architecture, Software

Famous Chollima is a less technical faction within the Lazarus ecosystem, specializing in social engineering.
The group gains long-term access by infiltrating companies under the guise of “legitimate employees,” allowing them to:

  • Access sensitive corporate information,
  • Infiltrate code repositories or internal systems,
  • Indirectly circumvent sanctions through salaries or consulting payments.

Detailed Summary of the Incident

First Attempt – “Mateo”

A candidate named “Mateo” applied for a senior software engineer position, claiming to be from Jalisco (Mexico).

He started the call with the camera off, and when he was asked to turn it on, an AI-based face filter was active:

  • Facial features were unnatural,
  • Lip-voice synchrony was impaired,
  • There was a discrepancy between the teeth and jaw movement and the voice.

The candidate’s lack of Spanish was noteworthy, since his resume indicated he had studied engineering in Mexico.
Shortly after the interview, his LinkedIn profile was completely deleted. (IoC (URL): https://www.linkedin.com/in/mateo-jimenez-aaa304379/)

The analysis revealed that the information used had been stolen from a real engineer’s resume.

Second Attempt – “Alfredo”

Two days later, a similar candidate (Alfredo) applied.

This time the filtering looked more natural: the face was masked with a subtle, “AI filtering”-style effect (face smoothing).

He also claimed to be of Mexican origin but had no knowledge of the local language.

The interview was recorded; behavioral analysis revealed excessive excitement, repetitive gestures, and lack of eye contact.

This candidate’s LinkedIn profile was also deleted after the interview. (IoC (URL): https://www.linkedin.com/in/alfredo-solares-garcia/)

Investigation revealed that this profile was also copied from the identity of a real Latin American engineer.

Technical Findings and Infrastructure Traces

Finding            Description
VPN Usage          Astrill VPN (popular with Chinese and North Korean IT professionals)
IP Geolocation     Apparently Europe, but the tunnel runs via a host in the USA
Network Structure  “Laptop farm”: a proxy network in which multiple devices are managed remotely
Access Tool        Session redirection via popular remote desktop software
Data Source        Stolen resume, education history, and credentials (LinkedIn, job boards)
Purpose            Gain access to corporate networks and generate income by working remotely

These indicators confirm that the operation was carried out by an organized and institutionalized infiltration network, not by an individual.
The use of Astrill VPN was previously identified by the US Department of the Treasury in North Korean IT Worker schemes.

Strategic Insights

The Evolution of Social Engineering: Infiltration of Human Resources

Instead of traditional phishing and spearphishing, actors are now directly infiltrating recruiting processes.
This method provides not only information but also legitimate revenue.
So the target is no longer just the systems, but the companies’ recruitment security chain.

Operational Use of Deepfake Technology

Deepfakes have moved from being a propaganda tool to an operational infiltration tool.
In this case, facial filters manipulated the image in real time to support the fake identity.
This represents a new level of risk beyond traditional identity verification mechanisms (e.g., passport scanning).

Overcoming Sanctions: The IT Employee Economy

Hundreds of North Korean IT personnel, disguised as “freelancers,” receive salaries from US and European companies, but these revenues are collected by the state and funneled into the national economy. In other words, such cases have not only cybersecurity implications but also geopolitical and financial ones.

The Human Factor: Awareness is the Strongest Defense

The only reason these two cases were detected early was that the recruitment team had been informed about such threats in advance.

Domain               Suggestion
Recruitment Process  Record interviews; strengthen identity verification procedures.
Compliance           Clarify the legal permission process for call recordings.
Threat Intelligence  Follow alert lists of the VPN and IP blocks used by Lazarus and its subgroups.
Behavioral Analysis  Watch for lip-voice synchrony, eye contact, and gesture inconsistencies during the interview.
Policy Update        Implement an identity-verification-before-access policy for remote employees.
Awareness Training   Provide regular training to HR and technical teams on deepfake/social engineering.
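The infrastructure traces listed under “Technical Findings” (VPN exit, geolocation that contradicts the claimed location, a shared exit IP pointing at a laptop farm, a profile deleted right after the interview) and the “Threat Intelligence” and “Behavioral Analysis” suggestions above can be turned into a simple triage check over interview session records. The script below is an added example written for this page, not code from Cyberthint or from the source report; every session record, IP address and the VPN ASN list are constructed placeholders, and the weights are an assumption a team would tune to its own data.

```python
"""Triage remote-candidate interview sessions for the infiltration
indicators described in the report. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Hypothetical: ASNs an organisation has tagged as commercial VPN exits
# from its threat-intel feed. Placeholder values, not real ASNs.
VPN_ASNS = {"AS64512", "AS64513"}

# Assumed weights; a real deployment would calibrate these.
WEIGHTS = {
    "vpn-exit": 3,          # call came from a known VPN exit
    "geo-mismatch": 2,      # IP country differs from claimed country
    "shared-exit-ip": 3,    # same exit IP used by several "candidates"
    "language-mismatch": 1, # could not speak the language of the claimed origin
    "profile-deleted": 2,   # LinkedIn profile removed right after the interview
}


@dataclass
class Session:
    candidate: str
    declared_country: str    # country claimed on the resume (ISO code)
    ip: str                  # source IP of the video call
    geo_country: str         # country the IP geolocates to
    asn: str                 # ASN of the source IP
    spoke_claimed_language: bool
    profile_deleted_after: bool


def score_session(s: Session, shared_ips: set) -> tuple:
    """Return (score, reasons) for one session."""
    ipaddress.ip_address(s.ip)  # reject malformed input early
    reasons = []
    if s.asn in VPN_ASNS:
        reasons.append("vpn-exit")
    if s.geo_country != s.declared_country:
        reasons.append("geo-mismatch")
    if s.ip in shared_ips:
        reasons.append("shared-exit-ip")
    if not s.spoke_claimed_language:
        reasons.append("language-mismatch")
    if s.profile_deleted_after:
        reasons.append("profile-deleted")
    return sum(WEIGHTS[r] for r in reasons), reasons


def screen(sessions: list, threshold: int = 5) -> dict:
    """Score every session; flag those at or above the threshold.
    An exit IP seen for more than one distinct candidate is treated as a
    laptop-farm / proxy indicator, which is why scoring is done in bulk."""
    by_ip = defaultdict(set)
    for s in sessions:
        by_ip[s.ip].add(s.candidate)
    shared = {ip for ip, names in by_ip.items() if len(names) > 1}
    results = {}
    for s in sessions:
        score, reasons = score_session(s, shared)
        results[s.candidate] = (score, reasons, score >= threshold)
    return results


# Constructed sample: two "Mexican" candidates sharing one VPN exit in
# Europe, and one ordinary candidate. IPs are from documentation ranges.
SAMPLE_SESSIONS = [
    Session("candidate-A", "MX", "203.0.113.10", "DE", "AS64512", False, True),
    Session("candidate-B", "MX", "203.0.113.10", "DE", "AS64512", False, True),
    Session("candidate-C", "US", "198.51.100.7", "US", "AS64999", True, False),
]


def run_demo() -> dict:
    return screen(SAMPLE_SESSIONS)


if __name__ == "__main__":
    for name, (score, reasons, flagged) in run_demo().items():
        print(f"{name}: score={score} flagged={flagged} reasons={reasons}")
```

The score is only a prompt for a human follow-up (a second verified-identity interview, a recorded session, a check of the profile after the call); none of the signals is conclusive on its own, which is why the shared-exit-IP and VPN-exit signals are weighted highest and the language signal lowest.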

Conclusion

  • This incident demonstrates that AI-enabled identity manipulation has become a part of the real-world cyber threat ecosystem.
  • North Korea has expanded its cyberattack vector to the human resources level by combining techniques such as deepfakes, VPN chains, and identity theft.
  • Threat actors are now infiltrating human processes, not systems.
  • This trend is predicted to extend beyond technology companies and into sectors such as healthcare, construction, engineering, and defense.
  • Organizations should no longer consider their recruitment processes solely as “human resources management” but as an extension of their cybersecurity pipeline.

Resources
quetzal.bitso.com

Author

Cyberthint

Cyberthint is a unified cyber threat intelligence platform. Everything you need is on a single platform! With Cyberthint, you can monitor and identify advanced threats and take early action.
