
Network Analysis: North Korean Worker Threats and Activities

This report provides an in-depth analysis of the fraud and cyber espionage that North Korean operatives conduct through remote employment to infiltrate global enterprises. It traces the associated malicious activity clusters, their operational patterns and techniques, and the infrastructure behind their cover-company networks.

Published: 22/12/2025

Chapter List

  1. Executive Summary
  2. Key Findings
  3. Background
  4. Threat Analysis
  5. Mitigation Measures
  6. Outlook
  7. Appendix A: PurpleBravo Diamond Model
  8. Appendix B: Indicators of Compromise
  9. Appendix C: MITRE ATT&CK Techniques
  10. Appendix D: TAG-121 Cover Companies

Document Introduction

In an era where remote work is increasingly normalized, the North Korean regime is exploiting this trend to generate revenue through fraudulent Information Technology (IT) employment. North Korean IT workers infiltrate international companies using false identities to secure remote positions. These actions not only violate international sanctions but also pose a serious cybersecurity threat, involving fraud, data theft, and potential disruption of business operations. Based on research by Insikt Group (Recorded Future's threat research division), this report systematically analyzes the operational patterns of this emerging threat, related malicious activity clusters, and their profound impact on the global supply chain.

The core of the report tracks a North Korea-linked malicious cluster known as PurpleBravo (formerly tracked as Threat Activity Group 120, TAG-120). This cluster overlaps with the "Contagious Interview" activity, which primarily targets software developers in the cryptocurrency industry. PurpleBravo uses malware such as BeaverTail (an information stealer), InvisibleFerret (a cross-platform Python backdoor), and OtterCookie (a tool for establishing persistent access on infected systems). Between October and November 2024, PurpleBravo targeted at least three organizations in the cryptocurrency sector: a market-making company, an online casino, and a software development company. The cluster is also active on at least three recruitment websites, on Telegram, and on GitHub, where it regularly posts job advertisements and updates code repositories.

The research also reveals the expansion of North Korean fraudulent activities into another domain: the establishment of cover companies that mimic legitimate IT firms. The report identifies a second, independent activity cluster, TAG-121, which operates a network of cover companies in China. These companies impersonate legitimate IT enterprises from China, India, Pakistan, Ukraine, and the United States by copying most of the content from the target companies' websites. Insikt Group has identified at least seven such suspected North Korea-linked cover companies. These entities increase the deniability of North Korean actors, make detection more difficult, and allow them to embed themselves further into the global IT supply chain.
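Because TAG-121's cover companies are described as copying most of the text of a legitimate firm's website, one practical triage check is to measure how much of a candidate site's visible text is lifted verbatim from a reference site. The following is an added example, not code from the report or from Insikt Group, and it says nothing about how the report's authors found the seven companies. The three HTML pages are constructed samples; the company names, addresses and the 0.6 containment threshold are illustrative assumptions. The check uses word shingles and a containment ratio rather than plain Jaccard similarity, because a cloned site usually appends its own contact block, which lowers Jaccard but leaves containment high.

```python
"""Flag a website whose visible text is largely copied from a reference site.

Added illustrative example; not the report's method. Sample pages are constructed.
"""
import re
from html.parser import HTMLParser


class _VisibleText(HTMLParser):
    """Collect text nodes, skipping the contents of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip_depth = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def visible_text(html: str) -> str:
    """Return the human-visible text of an HTML document as one string."""
    parser = _VisibleText()
    parser.feed(html)
    return " ".join(parser.parts)


def shingles(text: str, k: int = 5) -> set:
    """Set of k-word shingles over lowercased alphanumeric tokens."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(0, len(words) - k + 1))}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def containment(candidate: set, reference: set) -> float:
    """Fraction of the candidate's shingles that also occur in the reference.

    High containment with lower Jaccard is the signature of a page that copies
    the reference and then adds its own material (new name, new contact block).
    """
    if not candidate:
        return 0.0
    return len(candidate & reference) / len(candidate)


def compare_sites(reference_html: str, candidate_html: str, k: int = 5) -> dict:
    ref = shingles(visible_text(reference_html), k)
    cand = shingles(visible_text(candidate_html), k)
    return {
        "jaccard": round(jaccard(ref, cand), 3),
        "containment": round(containment(cand, ref), 3),
    }


def is_suspected_clone(reference_html: str, candidate_html: str,
                       threshold: float = 0.6) -> bool:
    """Assumed threshold: flag when >= 60% of the candidate's text is copied."""
    return compare_sites(reference_html, candidate_html)["containment"] >= threshold


# Constructed sample pages (fictional companies, not real sites).
LEGIT_SITE_HTML = """<html><body>
<script>window.ga = "tracking code that must be ignored";</script>
<h1>About us</h1>
<p>Acme Software Labs delivers custom web and mobile applications for clients worldwide.</p>
<p>Our engineers specialize in cloud migration, DevOps automation and data analytics.</p>
<p>Founded in 2012, we have completed more than two hundred projects across finance, healthcare and logistics.</p>
<p>Contact us at 100 Market Street, Springfield.</p>
</body></html>"""

# Same body text with the company name swapped and a new contact block appended.
CLONE_SITE_HTML = """<html><body>
<h1>About us</h1>
<p>Brightwave Tech Solutions delivers custom web and mobile applications for clients worldwide.</p>
<p>Our engineers specialize in cloud migration, DevOps automation and data analytics.</p>
<p>Founded in 2012, we have completed more than two hundred projects across finance, healthcare and logistics.</p>
<p>Contact us via Telegram at @brightwave_hr.</p>
</body></html>"""

UNRELATED_SITE_HTML = """<html><body>
<h1>Welcome</h1>
<p>Riverside Bakery bakes fresh bread and pastries every morning.</p>
<p>Visit our shop on Elm Avenue for coffee, cakes and seasonal pies.</p>
</body></html>"""


if __name__ == "__main__":
    print("clone vs legit:", compare_sites(LEGIT_SITE_HTML, CLONE_SITE_HTML))
    print("unrelated vs legit:", compare_sites(LEGIT_SITE_HTML, UNRELATED_SITE_HTML))
    print("clone flagged:", is_suspected_clone(LEGIT_SITE_HTML, CLONE_SITE_HTML))
```

In practice the reference set would be the sites of the legitimate IT firms being impersonated (the report names firms in China, India, Pakistan, Ukraine and the United States), and the candidate set would be the suspected cover sites. The shingle comparison is a cheap first filter; a match still needs corroboration from registration data, hosting and the people behind the company before anything is attributed.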

The report provides a detailed analysis of PurpleBravo's Tactics, Techniques, and Procedures (TTPs), including the functionalities of the malware families it uses, its command and control (C2) server infrastructure (primarily using hosting service providers like Tier.Net), and evidence of management via Astrill VPN. Based on Recorded Future network intelligence, the report observed at least seven suspected victims between September 2024 and February 13, 2025, distributed across multiple countries including the United States, the United Arab Emirates, Costa Rica, India, Vietnam, Turkey, and South Korea.

To address this threat, the report synthesizes recommendations from multiple sources, including the U.S. Internet Crime Complaint Center (IC3), the U.S. Department of the Treasury, and the South Korean government, proposing mitigation measures across several dimensions: identity verification, background checks, technical controls, financial prevention, communication practices, and organizational policy. The report's outlook is that, as international sanctions continue to tighten, North Korea's cyber operations will grow in scale and complexity. Facing adversaries who use sophisticated means to circumvent traditional hiring processes, businesses and governments must adopt stricter identity verification, harden remote-work security, and strengthen international intelligence sharing to curb this expanding threat.