SecTor 2025 | Unmasking a North Korean IT Farm

Black Hat
Apr 19, 2026

Why It Matters

The case shows how North Korean groups can exploit trusted IT roles and everyday applications to conduct long‑term espionage and extortion, forcing enterprises to rethink insider‑threat controls and visibility into legitimate software usage.

Key Takeaways

  • North Korean actors impersonate IT staff to infiltrate global firms
  • FBI identified 21 C2 servers and seven compromised organizations
  • Attackers use Zoom, ARP packets, and websockets without malware
  • Scripts enable remote control, data exfiltration, and later extortion
  • Detection evaded by operating during business hours with ordinary, legitimate tools

Summary

Sygnia director Avi Sambira presented at SecTor 2025 a detailed case study of a North Korean‑run “IT farm,” in which threat actors masquerade as legitimate IT employees to breach enterprises worldwide. The briefing linked the operation to recent FBI alerts warning of such impersonation campaigns and highlighted the involvement of multiple U.S. and international organizations.

According to the FBI timeline, between August 2024 and February 2025 the agency uncovered 21 command‑and‑control servers supporting at least seven victim firms across six countries. Initially the actors collected salaries paid to the fake employees and wired the proceeds to Pyongyang; in January 2025 they escalated to extortion, threatening to release exfiltrated data from sectors such as finance, healthcare and defense.

Sambira demonstrated the custom toolset used to stay invisible: Python scripts that leverage Zoom’s screen‑share functions, ARP‑packet payloads, and persistent websockets to issue commands without installing malware. A “user‑presence beacon” signals active work hours, while a “command rebroadcast relay” injects encrypted instructions into ARP traffic, allowing a single compromised laptop to control an entire local network of machines.

The episode underscores the growing sophistication of state‑sponsored, financially motivated actors and the need for organizations to augment traditional HR vetting with continuous network‑behavior monitoring. Detecting low‑profile, business‑hour activity and scrutinizing legitimate tools for abuse are now critical components of any zero‑trust strategy.

Original Description

This session exposes a real-world covert remote-control system developed by a North Korean IT worker operating undetected within a legitimate organization. The forensic investigation revealed a sophisticated ecosystem that leveraged Address Resolution Protocol (ARP)-based payload delivery, WebSockets for stealthy command and control, and Zoom for covert persistence and remote access.
Through technical analysis and a live attack demo, we'll unpack how the attacker:
- Built an advanced C2 infrastructure using WebSockets to control infected machines.
- Used ARP packets as a payload transport mechanism, embedding commands inside network traffic to execute commands without traditional TCP/IP communication.
- Weaponized Zoom as a Remote Access Trojan (RAT), launching meetings without user interaction and auto-approving remote-control access via HID injection techniques.
- Covertly executed commands through a Python script, allowing keystroke and mouse movement emulation, bypassing endpoint logging.
- Enabled remote execution through a command client, which persistently reconnected to the C2 when the user was active.
By reverse-engineering the threat actor's toolkit, the investigation uncovered previously undocumented techniques for network protocol abuse and application-layer persistence.
In this session, we'll not only highlight how these tactics were deployed but also how defenders can detect and disrupt them before they escalate into full-scale espionage. Attendees will leave with a deeper understanding of offensive tradecraft and practical strategies for detection, threat hunting, and forensic response.
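The ARP transport described in the summary and in the abstract above leaves a simple structural trace: a normal Ethernet/IPv4 ARP request or reply is 42 bytes and is zero-padded to the 60-byte minimum, so any ARP frame that is longer than that, or whose bytes after the 28-byte ARP body are not all zero, is worth a look. The following detector is an added example written for this page, not code from the talk or from Sygnia; it assumes untagged Ethernet II frames without the FCS, and the sample frames it scans are constructed here.

```python
import struct

# Assumptions: untagged Ethernet II frames (no 802.1Q tag), FCS already stripped.
ETHERTYPE_ARP = 0x0806
ETH_HDR_LEN = 14
MIN_FRAME_LEN = 60   # Ethernet minimum without FCS; a 42-byte ARP frame is zero-padded to this


def inspect_arp_frame(frame: bytes) -> dict:
    """Classify one raw frame. ARP frames whose length or trailing bytes deviate
    from a plain Ethernet/IPv4 request or reply plus zero padding are flagged."""
    if len(frame) < ETH_HDR_LEN + 8 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return {"arp": False, "suspicious": False, "findings": []}
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    findings = []
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        findings.append("non-Ethernet/IPv4 ARP header fields")
    if oper not in (1, 2):
        findings.append(f"unexpected ARP opcode {oper}")
    body_end = ETH_HDR_LEN + 8 + 2 * hlen + 2 * plen   # 42 for Ethernet/IPv4
    trailer = frame[body_end:]
    if len(frame) > MIN_FRAME_LEN:
        findings.append(f"frame length {len(frame)} exceeds padded minimum")
    if any(trailer):
        findings.append(f"{sum(1 for b in trailer if b)} non-zero bytes after ARP body")
    return {"arp": True, "suspicious": bool(findings), "findings": findings}


def scan_frames(frames) -> list:
    """Return the indexes of frames that inspect_arp_frame() flags."""
    return [i for i, f in enumerate(frames) if inspect_arp_frame(f)["suspicious"]]


def build_arp_request(trailer: bytes = b"") -> bytes:
    """Constructed sample: who-has 192.168.1.1 from 192.168.1.10, optional trailer, padded."""
    sender_mac, sender_ip = bytes.fromhex("0011223344aa"), bytes([192, 168, 1, 10])
    target_mac, target_ip = bytes(6), bytes([192, 168, 1, 1])
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + sender_ip + target_mac + target_ip
    return (eth + arp + trailer).ljust(MIN_FRAME_LEN, b"\x00")


# Constructed sample traffic: two ordinary requests and one carrying opaque bytes past the body.
SAMPLE_FRAMES = [
    build_arp_request(),
    build_arp_request(b"\x00" * 4),              # explicit zero padding is still benign
    build_arp_request(bytes(range(0x41, 0x55))),  # 20 non-zero trailing bytes -> 62-byte frame
]

if __name__ == "__main__":
    for i in scan_frames(SAMPLE_FRAMES):
        print(i, inspect_arp_frame(SAMPLE_FRAMES[i])["findings"])
```

Treat a hit as a hunting lead rather than a verdict: some NIC drivers have historically padded short frames with stale buffer contents instead of zeros, and VLAN-tagged captures need the 802.1Q tag skipped before this check applies.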
By: Avi Sambira | Director, Client Leadership, Sygnia
Full Presentation Materials Available at:
