
CrowdStrike identifies North Korean state-sponsored actors, primarily the FAMOUS CHOLLIMA cluster, as responsible for approximately 47% of all "hands-on-keyboard" operations targeting the U.S. technology sector [1]. The threat actors utilize fraudulent remote employment personas, augmented by AI-generated resumes and stolen PII, to circumvent remote KYC and background checks. To maintain stealthy persistence, operatives deploy U.S.-based "laptop farms" utilizing PiKVM hardware for BIOS-level control and Tailscale mesh VPNs for encrypted C2 communication [2]. These operations focus on high-value intellectual property exfiltration and cryptocurrency theft to finance DPRK weapons development.

  • Threat Actor Profile: FAMOUS CHOLLIMA

    • Identified as the most active DPRK unit targeting the tech sector via manual, human-led intrusions.
    • Operates alongside clusters such as LABYRINTH CHOLLIMA and STARDUST CHOLLIMA to target global firms.
    • Strategically targets high-salary remote software developer and AI architect roles to maximize financial yield.
  • Attack Vector: Identity Fraud and Social Engineering

    • Employs AI tools to mirror job descriptions in resumes and provide real-time answers during video interviews.
    • Utilizes stolen PII (Social Security numbers, passports) to bypass traditional pre-employment background checks.
    • Orchestrates large-scale application campaigns, with single cells submitting over 166,000 applications.
  • Technical Execution: Laptop Farms and Persistence

    • Employs U.S.-based facilitators to host "laptop farms," providing a domestic IP presence to bypass geographic access controls.
    • Deploys PiKVM (Pi Keyboard Video Mouse) hardware to control corporate laptops at the BIOS level, evading most EDR tools.
    • Utilizes Tailscale mesh VPNs and Astrill VPN to create encrypted, obfuscated tunnels between operative nodes.
  • Operational Objectives: Revenue and Espionage

    • Targets blockchain and cryptocurrency firms to facilitate direct theft of digital assets.
    • Conducts industrial espionage to exfiltrate sensitive source code for the Reconnaissance General Bureau (RGB).
    • Implements data extortion tactics, threatening to leak proprietary code following discovery.
  • Defensive Strategy: Mitigation and Detection

    • Implement Zero Trust Architecture (ZTA) and strict Principle of Least Privilege (PoLP) for all remote hires.
    • Enhance vetting through non-scripted "cultural" interviews and rigorous verification of hardware shipping addresses.
    • Monitor for anomalous network patterns, specifically unauthorized RDP or the presence of mesh VPN software.
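An added illustration, not code from the CrowdStrike report or this briefing: a small Python triage over constructed endpoint inventory records that flags the indicators the last bullet names (mesh VPN software, RDP listeners outside an approved baseline). The process names, Tailscale's UDP port and the CGNAT address range are assumptions for the example; the 100.64.0.0/10 check also matches legitimate carrier-grade NAT and needs baselining before it drives alerts.

```python
"""Triage endpoint inventory for laptop-farm indicators (added example, constructed data)."""
import ipaddress

# Indicator values below are assumptions for this example, not values from the briefing.
MESH_VPN_PROCS = {"tailscaled", "tailscaled.exe", "tailscale-ipn.exe", "astrill.exe"}
TAILSCALE_UDP_PORT = 41641                          # Tailscale's default WireGuard port
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")   # range Tailscale allocates node IPs from
RDP_PORT = 3389


def flag_host(rec, rdp_allowed=frozenset()):
    """Return indicator strings for one inventory record; an empty list means clean."""
    findings = []
    procs = {p.lower() for p in rec.get("processes", [])}
    for hit in sorted(procs & MESH_VPN_PROCS):
        findings.append(f"mesh-vpn-process:{hit}")
    for port in rec.get("listening", []):
        if port == TAILSCALE_UDP_PORT:
            findings.append(f"mesh-vpn-port:{port}")
        # RDP only counts on hosts outside the approved jump-host baseline.
        if port == RDP_PORT and rec["host"] not in rdp_allowed:
            findings.append("unauthorized-rdp-listener")
    for peer in rec.get("connections", []):
        # CGNAT space is also used by legitimate carriers; baseline it before alerting.
        if ipaddress.ip_address(peer) in CGNAT_NET:
            findings.append(f"cgnat-peer:{peer}")
    return findings


def triage(records, rdp_allowed=frozenset()):
    """Map host -> findings for every record carrying at least one indicator."""
    out = {}
    for rec in records:
        findings = flag_host(rec, rdp_allowed)
        if findings:
            out[rec["host"]] = findings
    return out


# Constructed sample inventory, not real telemetry.
SAMPLE = [
    {"host": "lap-042", "processes": ["explorer.exe", "Tailscale-IPN.exe"],
     "listening": [3389, 41641], "connections": ["100.101.102.103", "52.0.0.1"]},
    {"host": "lap-017", "processes": ["explorer.exe", "outlook.exe"],
     "listening": [445], "connections": ["10.0.0.5"]},
    {"host": "jump-01", "processes": ["svchost.exe"], "listening": [3389], "connections": []},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE, rdp_allowed=frozenset({"jump-01"})).items():
        print(host, findings)
```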

Related posts

  1. techcrunch.com — North Koreans behind nearly half of US tech industry hacks, says CrowdStrike
  2. Cloud
  3. Youtube
  4. Prnewswire
  5. Thearabianpost
  6. Investorshangout
  7. Wired Security — The UK Will Scan Asylum-Seekers’ Faces for Age Checks—Despite Knowing the Tech Is Flawed
  8. Securityboulevard
  9. Infosecurity-magazine
  10. Prnewswire
  11. Fbi
  12. Fbi
  13. Ic3
  14. En
  15. Ic3
  16. Techtarget
  17. Crowdstrike
  18. Reddit
  19. Skadden
  20. Cyberscoop
  21. Blog
  22. Chosun
  23. Theguardian
  24. Crowell
  25. Bankinfosecurity
  26. techjacksolutions.com — Technology Sector Under Sustained Nation-State and Criminal Siege: China, DPRK, and eCrime Actors Converge on AI, IP, and Supply Chains
  27. techjacksolutions.com — Multi-Vector State and Criminal Campaign Targets Technology Sector: China, DPRK, and eCrime Groups Drive 2025-2026 Intrusion Surge
