In a series of posts on X, Security Alliance (SEAL) stated, "These profiles often have verified workplace emails and identity badges, which DPRK operatives hope will make their fraudulent applications appear legitimate." North Koreans have long engaged in a scheme known as the "IT worker threat," in which they pose as remote workers in order to obtain employment at Western businesses and elsewhere using false or stolen identities. The wider cybersecurity community tracks the same threat under names such as Wagemole, PurpleDelta, and Jasper Sleet.

These initiatives ultimately aim to create a consistent flow of income to support the country's weapons programs, carry out espionage by stealing confidential information, and, in certain situations, go one step further by requesting ransoms to prevent the information from being leaked.

The DPRK remote worker program, according to cybersecurity firm Silent Push last month, is a "high-volume revenue engine" for the regime. It allows threat actors to establish living-off-the-land persistence within corporate infrastructure and obtain administrative access to sensitive codebases. The associated remote access trojan (RAT) supports 12 different commands, with which it can execute arbitrary code, perform filesystem operations, transfer files, and run discovery commands (such as whoami).

Among the packages linked to the activity are env-workflow-test, sra-test-test, sra-testing-test, vg-medallia-digital, vg-ccc-client, and vg-dev-env. Security researcher Alessandra Rizzo stated that "The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process."
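A defender-side check for the indicators in this report, written as an added example rather than code from the article, SEAL, Silent Push or the researchers: it walks a package-lock.json for the package names listed above and reports any install-time lifecycle hooks in a package.json, the point at which a loader of the kind described would first execute. The sample lockfile and package.json are constructed for the demonstration.

```javascript
// Added example (not the article's code): flag listed package names in a lockfile and install hooks.
const FLAGGED_PACKAGES = new Set([
  "env-workflow-test", "sra-test-test", "sra-testing-test",
  "vg-medallia-digital", "vg-ccc-client", "vg-dev-env",
]);
// npm lifecycle scripts that execute during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Collect every package name in a lockfile: lockfileVersion 2/3 uses a flat
// "packages" map keyed by path, lockfileVersion 1 a nested "dependencies" tree.
function collectPackageNames(lock) {
  const names = new Set();
  for (const key of Object.keys(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx !== -1) names.add(key.slice(idx + "node_modules/".length));
  }
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      names.add(name);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  return names;
}

// Sorted list of flagged names present anywhere in the dependency graph.
function findFlaggedPackages(lock) {
  return [...collectPackageNames(lock)].filter((n) => FLAGGED_PACKAGES.has(n)).sort();
}

// Install-time hooks a package.json declares, as [hook, command] pairs.
function findInstallHooks(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => [h, scripts[h]]);
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/vg-dev-env": { version: "1.0.0" },
    "node_modules/vg-dev-env/node_modules/sra-test-test": { version: "0.0.1" },
  },
};
const SAMPLE_PKG = { name: "vg-dev-env", scripts: { postinstall: "node setup.js" } };

console.log(findFlaggedPackages(SAMPLE_LOCK)); // → [ 'sra-test-test', 'vg-dev-env' ]
console.log(findInstallHooks(SAMPLE_PKG)); // → [ [ 'postinstall', 'node setup.js' ] ]
```

Running the same check in CI with `npm install --ignore-scripts` during review keeps any declared hook from executing while it is being inspected.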

"Koalemos offers complete remote access capabilities, creates encrypted command-and-control communications, and carries out system fingerprinting."

## Labyrinth Chollima Divides into Operational Units for Specialization

According to CrowdStrike, the well-known North Korean hacker collective Labyrinth Chollima has split into three distinct groups, each with its own goals and tactics: the main Labyrinth Chollima group, Golden Chollima (also known as AppleJeus, Citrine Sleet, and UNC4736), and Pressure Chollima (also known as Jade Sleet, TraderTraitor, and UNC4899). Notably, according to a DTEX assessment, Labyrinth Chollima, Andariel, and BlueNoroff are regarded as sub-clusters within the Lazarus Group (also known as Diamond Sleet and Hidden Cobra), with BlueNoroff splitting off into TraderTraitor and CryptoCore (also known as Sapphire Sleet).

Labyrinth Chollima's own activities, meanwhile, are driven by cyber espionage, employing stealth-enhancing tools such as the FudModule rootkit.