In order to steal data and make money for their government, North Korean state-sponsored hackers are increasingly impersonating IT professionals to gain access to businesses across the globe. These operations, which have been connected to groups such as Lazarus, use malware and social engineering to get around hiring screenings and gain access to private networks.
According to recent reports, they planted backdoors in victim systems and made millions of dollars from freelance work. GitLab exposed intricate schemes on their platform in 2025 by banning 131 accounts connected to these actors. Hackers frequently used Gmail or custom domains to create phony GitLab profiles that imitated developers from the US, Europe, and Asia. They lured job seekers with "technical interviews" that used JavaScript malware like BeaverTail and Ottercookie, targeting the real estate, finance, AI, and cryptocurrency industries.
Campaign Strategies and Development

Direct infiltration of IT workers and "contagious interviews" are the two primary strategies used by these threat actors. In Contagious Interview, phony recruiters on freelance websites or LinkedIn send coding tests that, when run in VS Code or a browser, launch loaders from Vercel or custom domains. These loaders use error handlers to avoid audits, retrieve payloads from base64-encoded URLs in .env files, and then steal credentials for lateral movement or crypto theft.
[Figure: Distribution of staging infrastructure on GitLab.com for North Korean nation-state malware activity in 2025 (Source: gitlab)]

North Koreans use deepfakes, AI headshots, and stolen data to create fake identities for IT worker schemes.
According to one GitLab case, a Beijing-based cell headed by Kil-Nam Kang used spreadsheets on web/mobile development contracts to track $1.64 million in 2022–2025 earnings. Another operator managed 21 identities in five different countries, using Photoshop to alter US IDs with their photos; a third operator, based in Moscow, looked for full-time jobs in the US and the UK and hired locals to host laptops for remote access. GitLab's report also details the automation involved: one team used VerifTools to forge passports, scraped photos, swapped faces on faceswapper.ai, and scripted LinkedIn outreach for over 135 personas.
[Figure: Distribution of North Korean nation-state malware features and activity on GitLab.com in 2025 (Source: gitlab)]

They exfiltrated code and mirrored 48 private repos. Malicious NPM packages like passport-google-auth-token facilitated delivery, while IPs like 111.197.183.74 (Kang's) and VPNs concealed origins.
Important Indicators of Compromise

Indicator                                                 Type          Note
aleks.moleskimail.io                                      Email         Malware distribution
httpsapi-server-mocha.vercel.appapiipcheck-encrypted823   URL           JS malware dropper
passport-google-auth-token                                NPM package   Malicious dependency
111.197.183.74                                            IP            Manager of the IT cell

These schemes evade sanctions to finance weapons, and despite declining earnings in 2025 due to growing awareness, the cells still meet quarterly targets. Fortune 500 companies are among the victims; Amazon alone blocked 1,800 questionable applications.
Actors gain access to Slack, codebases, and cryptocurrency wallets once they are inside. Employers should geolock IPs, check for IOCs, report fakes, and verify hires through video (live questions outperform deepfakes).
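A defender-side check built from the behaviour described above (loaders that fetch payloads from base64-encoded URLs hidden in .env files, plus the IOCs in the table): this is an added example, not code from the GitLab report, that scans a downloaded "coding test" project before anyone opens it. The indicator lists and the sample project are constructed for the demo; the decoded URL and hostnames are placeholders.

```python
import base64
import json
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article above; extend with your own threat-intel feed.
MALICIOUS_NPM_PACKAGES = {"passport-google-auth-token"}
MALICIOUS_HOSTS = {"aleks.moleskimail.io", "111.197.183.74"}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decoded_urls(text: str) -> list[str]:
    """Return base64 tokens in `text` that decode to an http(s) URL."""
    hits = []
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # bad padding / not base64 / not text: ignore
            continue
        if decoded.startswith(("http://", "https://")):
            hits.append(decoded)
    return hits

def flagged_dependencies(package_json: str) -> list[str]:
    """Return dependency names in package.json that are on the malicious list."""
    data = json.loads(package_json)
    names = set(data.get("dependencies", {})) | set(data.get("devDependencies", {}))
    return sorted(names & MALICIOUS_NPM_PACKAGES)

def scan_project(root: Path) -> dict[str, list[str]]:
    """Walk the project tree and collect findings keyed by indicator type."""
    findings = {"env_urls": [], "bad_packages": [], "known_hosts": []}
    for path in root.rglob("*"):
        if not path.is_file() or "node_modules" in path.parts:
            continue
        text = path.read_text(errors="ignore")
        if path.name.startswith(".env"):
            findings["env_urls"] += decoded_urls(text)
        if path.name == "package.json":
            findings["bad_packages"] += flagged_dependencies(text)
        findings["known_hosts"] += [h for h in MALICIOUS_HOSTS if h in text]
    return findings

def run_demo() -> dict[str, list[str]]:
    """Build a constructed sample project in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hidden = base64.b64encode(b"https://loader.example.invalid/stage2").decode()
        (root / ".env").write_text(f"APP=demo\nPROXY=111.197.183.74\nTOKEN={hidden}\n")
        (root / "package.json").write_text(json.dumps({"dependencies": {"passport-google-auth-token": "1.0.0"}}))
        return scan_project(root)
```

Run `run_demo()` to see the three finding types on the constructed project; point `scan_project()` at a real candidate directory to use it for triage.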