{"id":15949,"date":"2026-03-12T09:02:30","date_gmt":"2026-03-12T09:02:30","guid":{"rendered":"https:\/\/newestek.com\/?p=15949"},"modified":"2026-03-12T09:02:30","modified_gmt":"2026-03-12T09:02:30","slug":"north-korean-fake-it-worker-tradecraft-exposed","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15949","title":{"rendered":"North Korean fake IT worker tradecraft exposed"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Research from GitLab has exposed the latest tradecraft behind <a href=\"https:\/\/www.csoonline.com\/article\/3609972\/north-korean-fake-it-workers-up-the-ante-in-targeting-tech-firms.html\">North Korean fake IT worker scams<\/a>.<\/p>\n<p>GitLab banned 131 North Korean-attributed accounts last year, most of which involved JavaScript repositories that acted as resources in the so-called Contagious Interview campaign.<\/p>\n<p>In most cases, GitLab projects acted as obfuscated loaders for malware payloads \u2014 such as BeaverTail and Ottercookie \u2014 hosted outside the code repository platform.<\/p>\n<h2 class=\"wp-block-heading\" id=\"contagious-interview\">Contagious Interview<\/h2>\n<p>The <a href=\"https:\/\/unit42.paloaltonetworks.com\/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters\/\">Contagious Interview campaign<\/a> revolves around North Korean threat actors posing as recruiters or hiring managers in order to <a href=\"https:\/\/www.csoonline.com\/article\/3479795\/north-korean-cyberspies-trick-developers-into-installing-malware-with-fake-job-interviews.html\">trick software developers into executing malicious code projects<\/a> under the pretence of technical interviews.<\/p>\n<p>Operators typically used consumer 
VPNs when interacting with GitLab; however, some occasionally routed their access via dedicated virtual private server (VPS) infrastructure or laptop farms.<\/p>\n<p>GitLab disrupted these operations by banning suspect repositories.<\/p>\n<h2 class=\"wp-block-heading\" id=\"opportunistic-and-broadly-targeted\">Opportunistic and broadly targeted<\/h2>\n<p>These suspect code silos were abused in a variety of illicit projects, split between targeting job-seeking programmers and fake IT worker operations.<\/p>\n<p>\u201cBased on our visibility, malware operations targeting individual developers seeking employment are most common,\u201d Oliver Smith, senior threat intelligence engineer at GitLab, told CSO. \u201cThreat actors appear to have a preference for US-based developers and the fintech sector, but are opportunistic and target broadly.\u201d<\/p>\n<p>Smith continued: \u201cFor fake IT worker operations, threat actors commonly find employment at smaller organizations seeking contract software developers, particularly through freelancing platforms.\u201d<\/p>\n<p>Larger organizations are also being targeted by the ongoing scams, which started as early as 2019 and began in earnest in 2022.<\/p>\n<h2 class=\"wp-block-heading\" id=\"evolving-tradecraft\">Evolving tradecraft<\/h2>\n<p>Scammers\u2019 tradecraft evolved last year through the use of malicious NPM package manager dependencies, sandbox detection, and increasing reliance on invite-only private projects.<\/p>\n<p>North Korean actors also made greater use of AI technologies, both to develop custom obfuscators and to automate the creation of synthetic identities, spun up to generate professional connections and contact leads at scale, <a href=\"https:\/\/about.gitlab.com\/blog\/gitlab-threat-intelligence-reveals-north-korean-tradecraft\/\">GitLab explains in a technical blog post<\/a>.<\/p>\n<p>One IT worker controlled 21 unique personas, put together by adding their own image to stolen scans of US identity 
documents.<\/p>\n<p>Some of the banned repositories contained personnel dossiers, passport scans, banking records at multiple Chinese banks and structured quarterly performance spreadsheets.<\/p>\n<h2 class=\"wp-block-heading\" id=\"inside-a-fake-it-worker-boiler-room\">Inside a fake IT worker boiler room<\/h2>\n<p>GitLab explains how one repository reveals detailed financial and personnel records for one likely Beijing-based North Korean IT worker cell that made more than $1.64 million between Q1 2022 and Q3 2025.<\/p>\n<p>The eight-person cell of North Korean nationals pulled in revenue through freelance web and mobile software development while posing under false identities.<\/p>\n<p>Earnings slipped last year but still exceeded $11K per member in Q3 2025, according to the group\u2019s own records.<\/p>\n<p>The private project also contained performance reviews for cell members, dated 2020. These performance reviews include comments about members\u2019 earning and skills development alongside remarks about contributions to household chores among the physically co-located team \u2014 including doing laundry, providing haircuts, and purchasing shared food and drink \u2014 as well as an assessment of \u201cinterpersonal values and adherence to party values.\u201d<\/p>\n<p>Another private code repository was abused by a North Korean fake IT worker likely operating from central Moscow. 
\u201cThe threat actor was focused on cultivation of a smaller group of more detailed personas and progressed from freelance work to full-time employment,\u201d according to GitLab.<\/p>\n<p>GitLab concludes that multiple DPRK teams are operating in parallel with limited coordination but similar tradecraft.<\/p>\n<h2 class=\"wp-block-heading\" id=\"weaponizing-trust\">Weaponizing trust<\/h2>\n<p>Dray Agha, senior security operations manager at Huntress, said the managed detection and response services firm has observed similar tradecraft across 2025 and early 2026.<\/p>\n<p>\u201cNorth Korean threat actors are weaponizing the trust inherent in the tech recruitment process, tricking developers into executing malicious payloads under the guise of technical assessments,\u201d Agha said. \u201cBy targeting highly privileged developers in lucrative sectors like cryptocurrency and finance, these actors are effectively bypassing traditional perimeter defences to establish immediate footholds.\u201d<\/p>\n<p>DPRK threat actors are adopting generative AI to scale their operations.<\/p>\n<p>\u201cFrom using AI tools to refine malware obfuscation and bypass security safeguards, to automating the creation of synthetic personas, North Korean groups are rapidly modernizing their tradecraft,\u201d Agha noted. 
\u201cThis demonstrates that AI is actively lowering the barrier for threat actors to execute convincing, large-scale deception.\u201d<\/p>\n<p>Hannah Baumgaertner, head of research at Silobreaker, said that the overall methods deployed by North Korean fake IT worker groups have remained broadly similar though an \u201cincrease in the use of AI and other infection methods like ClickFix have been observed in the past year.\u201d<\/p>\n<p>\u201cThe types of platforms being abused as part of the scheme also appear to be expanding, with Visual Studio Code now also frequently used for initial access,\u201d Baumgaertner added.<\/p>\n<p>North Korean fake IT worker fraud is a cross-industry issue. GitLab hopes its detailed research, which includes more than 600 indicators of compromise associated with the case studies detailed during its research, will help empower defenders across the industry.<\/p>\n<p>\u201cWe hope our report helps the entire industry strengthen defenses and contributes to more transparency around these threat actors\u2019 tactics and operations,\u201d GitLab\u2019s Smith concluded.<\/p>\n<p>An overview of the myriad tactics in play during North Korean fake IT worker scams \u2014 alongside advice on thwarting such scams \u2014 can be found in an earlier <a href=\"https:\/\/www.csoonline.com\/article\/4033022\/how-not-to-hire-a-north-korean-it-spy-3.html\">feature<\/a> on the problem by CSO.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Research from GitLab has exposed the latest tradecraft behind North Korean fake IT worker scams. GitLab banned 131 North Korean-attributed accounts last year, most of which involved JavaScript repositories that acted as resources in the so-called Contagious Interview campaign. In most cases, GitLab projects acted as obfuscated loaders for malware payloads \u2014 such as BeaverTail and Ottercookie \u2014 hosted outside the code repository platform. 
Contagious&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15949\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15949","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15949"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15949\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15949"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}