December 2025 APT Group Trends Report

2026-01-19 Ahnlab · Smile, You’re on Camera: A Live Stream from Inside Lazarus Group’s IT Workers Scheme[1]

https://asec.ahnlab.com/ko/92158/


AhnLab’s December 2025 APT trends report describes North Korean state-backed groups increasingly using fake IT employment schemes, legitimate hiring platforms, fabricated identities, and remote-work infrastructure to gain a foothold in corporate environments. Famous Chollima targeted U.S. and Western organizations across finance, technology, cryptocurrency/Web3, fintech, healthcare, engineering, and IT, using GitHub pull-request outreach, remote IT worker lures, identity theft, AI interview tools, VPNs, AnyDesk, and Google Remote Desktop. In another Famous Chollima case, operators deployed PiKVM hardware after successfully obtaining employment under a false identity; this gave them hardware-level remote control of the host that could bypass EDR and preserve covert access to internal networks, and Microsoft Incident Response linked the activity to Jasper Sleet. The report also says Lazarus distributed a Pharos-Automation-Bot RAR archive exploiting CVE-2025-8088 in WinRAR to drop a BAT file into the startup folder, which then launched a Python loader and deployed Blank Grabber to steal browser, messenger, and cryptocurrency wallet data.

Indicators of Compromise

Type  Value                             First Seen  Last Seen
HASH  e73e1cca5af2ee80c3037daa1dbd2ab1  2026-01-19  2026-01-19
