NICKEL TAPESTRY expands fraudulent worker operations – Sophos News

With this post, the X-Ops blog is thrilled to present research from our Sophos siblings newly joining us from Secureworks, of which CTU (the Counter Threat Unit™) is a crucial part.

North Korean IT workers remain a critical insider threat

Counter Threat Unit™ (CTU) researchers continue to investigate the NICKEL TAPESTRY threat group’s scheme involving fraudulent workers operating on behalf of North Korea (formally known as the Democratic People’s Republic of Korea).

The origins of this campaign, publicly tracked as Wagemole, have been traced back to 2018, although infrastructure links suggest that NICKEL TAPESTRY has been conducting money-making schemes since at least 2016. There has been an increase in targeting of European and Japanese organizations in this campaign, likely as a result of increased awareness among U.S.-based organizations and actions taken to combat the threat. Fraudulent applicants applying to positions based in Japan and the U.S. have impersonated Vietnamese, Japanese, and Singaporean professionals, in addition to ongoing impersonation of American professionals.

There is evidence suggesting that the threat actors adapt their personas over time to evade detections. The fraudulent workers have historically advertised web and blockchain software development skills but apply for roles in a wide range of industries, not just companies in the technology sector. In 2025, they expanded their focus to include cybersecurity roles, and they increased the use of female personas.

While the threat actors’ primary objective is to obtain a salary that can fund North Korean government interests, a secondary method of revenue generation is data theft extortion. Several attempts were reported in 2024, leading to a U.S. Federal Bureau of Investigation (FBI) advisory in January 2025. Extortion resulting from theft of source code and intellectual property is an ongoing threat from NICKEL TAPESTRY, especially after a fraudulent worker has been terminated. The theft of data may occur within days of hiring, with the stolen data used for coercion only after employment has ended.

Additionally, organizations are at risk of traditional insider threat activity from the North Korean fraudulent workers. This activity could include unauthorized access to cloud and API backends, as well as theft of credentials and institutional knowledge such as trade secrets. There is also the risk that access obtained by one of these IT workers could be used by other North Korean threat groups for malicious purposes.

Throughout the pre-employment phase, the threat actors often digitally manipulate photos for their falsified resumes and LinkedIn profiles, and to accompany prior work history or group project claims. They commonly use stock photos overlaid with real images of themselves. The threat actors have also increased usage of generative AI, including writing tools, image-editing tools, and resume builders.

Following placement at a company, the fraudulent workers have used mouse jiggler utilities, VPN software, workarounds to circumvent default system font and language settings, and KVM over IP (remote keyboard, video, and mouse control) for remote access. Impacted organizations also observed installation of multiple remote monitoring and management (RMM) tools on a single system and the use of long (more than eight hours) Zoom calls for screensharing. Some fraudulent workers have persistently pushed for permission to use a personal rather than corporate computer, thus avoiding the need for a facilitator to receive a laptop on their behalf. Personal devices typically have fewer corporate security controls in place.

Organizations should remain vigilant

Mitigation of this threat centers around human vigilance. CTU™ researchers recommend that organizations establish enhanced identity verification procedures as part of their interview process. Human resources staff and recruiters should be regularly updated on tactics used in these campaigns to help them identify potential fraudulent North Korean IT workers. Additionally, organizations should monitor for traditional insider threat activity, suspicious usage of legitimate tools, and impossible travel alerts to detect activity often associated with fraudulent workers.

During the interview process:

  • Require verified proof of identity from applicants, ideally presented in person at least once.
  • Review a candidate’s online presence for consistency in name, appearance, work history, and education.
  • Monitor for multiple applicants using cloned resumes or the same phone numbers. Check for phone numbers that are linked to voice over IP (VoIP) services rather than cellular or landline services.
  • Check work history via official channels rather than contacts provided by the candidate, and confirm that company addresses and phone numbers correspond to the official company websites.
  • During interviews, ask casual background questions about the applicant’s location, work history, or educational background, listening for answers that indicate a lack of genuine experience or otherwise contradict their claims (e.g., not knowing the current weather in their purported location).
  • Be wary of novice or intermediate English-language skills if a candidate claims to be a native speaker.
  • Conduct in-person or video interviews, asking the candidate to at least temporarily disable virtual backgrounds and other digital filtering.
  • Conduct background checks using a trusted authority.

During onboarding:

  • Check that the identity of the onboarding employee matches the hired applicant.
  • Be wary of last-minute requests to change the shipping address for corporate laptops, and instruct couriers not to allow redirection to a new address after dispatch.
  • Be suspicious of insistence on using a personal device rather than a corporate system.
  • Verify that the banking information does not route to a money transfer service.
  • Scrutinize last-minute requests to change the employee’s payment information or repeated requests over a short time period to change bank account information.
  • Refuse requests for prepayment.

Following employment:

  • Restrict the use of unauthorized remote access tools.
  • Limit access to non-essential systems.
  • Be suspicious of refusals to turn on video during calls, unjustified concern surrounding in-person meetings, and background noise on voice calls that could suggest the employee is working from a call center or crowded room.
  • Monitor the employee’s laptop using antivirus and endpoint detection and response (EDR) software. Correlate network connections via VPN services, particularly foreign residential VPN services or Astrill VPN.
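Two of the post-employment signals described in this post lend themselves to simple log correlation: the impossible travel alerts recommended in the "Organizations should remain vigilant" section, and the pattern of multiple RMM tools installed on a single system noted earlier. The script below is an added example, not CTU or Sophos tooling. The sign-in events, the software inventory records, the 1,000 km/h plausibility threshold and the RMM product watchlist are all constructed assumptions; in practice the events would come from an identity provider and an EDR or asset inventory, and the watchlist would be tuned to what is sanctioned in your environment.

```python
"""Added example (not CTU/Sophos code): two insider-threat detections over constructed logs.

1. impossible_travel(): consecutive sign-ins by one user whose implied ground speed
   exceeds what any real traveller could manage.
2. multi_rmm_hosts(): hosts where two or more distinct remote-access/RMM products appear
   in the software inventory.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events: (user, UTC timestamp, city, latitude, longitude).
# Geolocation of the source IP is assumed to have been done upstream (e.g. by the IdP).
SIGNINS = [
    ("jdoe", "2025-06-02T09:00:00Z", "Denver, US", 39.74, -104.99),
    ("jdoe", "2025-06-02T09:45:00Z", "Tokyo, JP", 35.68, 139.69),      # 45 min later, ~9,300 km away
    ("asmith", "2025-06-02T08:00:00Z", "Boston, US", 42.36, -71.06),
    ("asmith", "2025-06-02T17:30:00Z", "New York, US", 40.71, -74.01),  # ~300 km in 9.5 h: plausible
]

# Constructed software inventory records: (hostname, installed product name).
INVENTORY = [
    ("LT-0427", "AnyDesk"),
    ("LT-0427", "TeamViewer"),
    ("LT-0427", "Splashtop Streamer"),
    ("LT-0427", "Zoom"),
    ("LT-0112", "TeamViewer"),
    ("LT-0112", "Zoom"),
]

# Assumed threshold: anything faster than a commercial airliner is treated as impossible.
MAX_PLAUSIBLE_KMH = 1000.0

# Assumed watchlist of remote-access / RMM product name fragments (lower-case substrings).
# Tune to your environment: the point is "more than one on a single host", not any one product.
RMM_PRODUCTS = {"anydesk", "teamviewer", "splashtop", "rustdesk", "connectwise", "atera", "logmein"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km, hours, kmh) for each consecutive sign-in pair
    per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for user, ts, city, lat, lon in events:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user[user].append((when, city, lat, lon))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order; tuples sort on the datetime first
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                # Simultaneous sign-ins from different places are impossible by definition.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(km), round(hours, 2), round(speed)))
    return alerts


def multi_rmm_hosts(inventory, threshold=2):
    """Map hostname -> sorted list of matched RMM products, for hosts with >= threshold distinct products."""
    per_host = defaultdict(set)
    for host, product in inventory:
        name = product.lower()
        for rmm in RMM_PRODUCTS:
            if rmm in name:
                per_host[host].add(rmm)
    return {host: sorted(found) for host, found in per_host.items() if len(found) >= threshold}


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print("impossible travel:", alert)
    for host, tools in multi_rmm_hosts(INVENTORY).items():
        print("multiple RMM tools on", host, ":", ", ".join(tools))
```

Neither rule is proof of fraud on its own: a legitimate employee on a residential VPN can trip the first, and an IT administrator's workstation can trip the second. They are triage signals to correlate with the other indicators listed in this post, such as VPN usage, long screen-sharing sessions and refusal to appear on video.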

Cybersecurity is a team sport, and other researchers have been investigating this threat as well. Spur and Google have published helpful resources covering Astrill VPN and other infrastructure used by NICKEL TAPESTRY.
