How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker

2026-03-17 Levelblue

https://www.levelblue.com/blogs/spiderlabs-blog/how-levelblue-otx-and-cybereason-xdr-detected-a-north-korea-linked-remote-it-worker


SpiderLabs describes a North Korea-linked remote IT worker attempt in which an organization hired a suspected operative who was detected and terminated within ten days. Cybereason XDR first flagged anomalous Entra ID activity when the new hire signed in from a Dallas IP on an unmanaged device after a baseline of sign-ins from China, and LevelBlue OTX later matched a Los Angeles sign-in to Astrill VPN infrastructure associated with North Korean actors. The report frames the legitimate hiring process and the resulting Entra ID access as valid-account (ATT&CK T1078) and external-remote-service (T1133) initial access, with Astrill VPN used as a multi-hop proxy (T1090.003) to mask the true origin. Follow-up investigation reviewed the worker's interactions, group chat additions, accessed resources, persistence mechanisms, and remote access tooling, and found no residual access, backdoors, or malicious artifacts. The case matters because it shows how threat intelligence combined with behavioral analytics can detect DPRK IT worker infiltration before the actor gains durable access or exfiltrates data.

Indicators of Compromise

Type   Value           First Seen   Last Seen
IPv4   142.214.202.2   2026-01-21   2026-03-17
IPv4   155.94.199.59   2026-01-21   2026-03-17
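As an added example (not code from the LevelBlue report, Cybereason XDR or OTX), the following Python script runs the two signals described in the summary, a departure from a user's sign-in baseline and a match against a threat-intel watchlist, over constructed Entra ID-style sign-in events. The record shape is an assumption modelled on the Microsoft Graph signIn resource; the users, timestamps, cities and TEST-NET addresses are invented, and the watchlist is the two IPv4 indicators from the table above (which of the page's indicators, if either, was the Los Angeles address is not stated in the report, so that pairing is illustrative only).

```python
"""Added example (not from the LevelBlue/SpiderLabs report): the two detection
signals the summary describes, run over constructed Entra ID-style sign-ins.
  1. Behavioral: once a per-user baseline exists, flag sign-ins from a country
     not in the baseline, or from an unmanaged device when the baseline was
     managed-only.
  2. Intel: flag any sign-in whose source IP is on a watchlist, here the two
     IPv4 indicators listed on this page.
Field names follow the Microsoft Graph signIn resource (an assumption about
shape only); every event below is invented, including the cities.
"""
from collections import defaultdict
import ipaddress

# Watchlist from this page's IoC table, stored as networks so CIDR entries
# can be added later without changing the matcher.
WATCHLIST = [ipaddress.ip_network(ip) for ip in ("142.214.202.2", "155.94.199.59")]


def signin(user, ts, ip, country, city, managed):
    """Build one constructed sign-in record in Graph-like shape."""
    return {
        "userPrincipalName": user,
        "createdDateTime": ts,  # ISO 8601 UTC, so string order equals time order
        "ipAddress": ip,
        "location": {"countryOrRegion": country, "city": city},
        "deviceDetail": {"isManaged": managed},
    }


# Constructed events. TEST-NET addresses stand in for the new hire's first
# sign-ins; the final event reuses a page indicator so the intel match fires.
SAMPLE_SIGNINS = [
    signin("newhire@example.com", "2026-01-12T08:01:00Z", "203.0.113.10", "CN", "Shenzhen", True),
    signin("newhire@example.com", "2026-01-13T08:05:00Z", "203.0.113.10", "CN", "Shenzhen", True),
    signin("newhire@example.com", "2026-01-14T07:58:00Z", "203.0.113.11", "CN", "Shenzhen", True),
    signin("newhire@example.com", "2026-01-21T15:30:00Z", "198.51.100.7", "US", "Dallas", False),
    signin("newhire@example.com", "2026-01-23T02:10:00Z", "155.94.199.59", "US", "Los Angeles", False),
    signin("analyst@example.com", "2026-01-05T14:00:00Z", "192.0.2.20", "US", "Austin", True),
    signin("analyst@example.com", "2026-01-06T14:02:00Z", "192.0.2.20", "US", "Austin", True),
    signin("analyst@example.com", "2026-01-07T13:59:00Z", "192.0.2.21", "US", "Austin", True),
    signin("analyst@example.com", "2026-01-20T14:01:00Z", "192.0.2.20", "US", "Austin", True),
]


def ip_on_watchlist(ip, watchlist=WATCHLIST):
    """True if ip falls inside any watchlist network; unparseable input never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in watchlist)


def detect(events, watchlist=WATCHLIST, window=3):
    """Return alerts for sign-ins that break a user's baseline or hit the watchlist.

    The first `window` sign-ins per user define the baseline (countries seen,
    whether every device was managed) and are exempt from the behavioral
    checks. The watchlist check runs on every event, baseline included, since
    an intel hit is suspicious no matter how early it happens.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["createdDateTime"]):
        by_user[ev["userPrincipalName"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        head = evs[:window]
        baseline_countries = {e["location"]["countryOrRegion"] for e in head}
        baseline_managed_only = all(e["deviceDetail"]["isManaged"] for e in head)

        for i, ev in enumerate(evs):
            reasons = []
            if i >= window:  # behavioral checks only once a baseline exists
                if ev["location"]["countryOrRegion"] not in baseline_countries:
                    reasons.append("new_country")
                if baseline_managed_only and not ev["deviceDetail"]["isManaged"]:
                    reasons.append("unmanaged_device")
            if ip_on_watchlist(ev["ipAddress"], watchlist):
                reasons.append("watchlist_ip")
            if reasons:
                alerts.append({
                    "user": user,
                    "time": ev["createdDateTime"],
                    "ip": ev["ipAddress"],
                    "city": ev["location"]["city"],
                    "reasons": reasons,
                })
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for a in detect(SAMPLE_SIGNINS):
        print(f'{a["time"]} {a["user"]} {a["ip"]:<15} {a["city"]:<12} {",".join(a["reasons"])}')
```

Two caveats a practitioner should keep in mind. The baseline is trusted by construction: if an account is operated by the threat actor from its first sign-in, the first `window` events poison the baseline and only the watchlist check can fire, which is why the intel match is applied to every event rather than only post-baseline ones. And a VPN exit node is only useful as an indicator while it is attributable; the First Seen and Last Seen columns above bound that window, and the watchlist should be expired or re-validated rather than accumulated indefinitely.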
