Inside the Scam: North Korea’s IT Worker Threat
2025-02-13 • Recorded Future
https://www.recordedfuture.com/research/inside-the-scam-north-koreas-it-worker-threat
Attachments
cta-nk-2025-0213.pdf (2 MB)
Recorded Future describes North Korean IT-worker operations that use false identities and remote employment to generate regime revenue while creating insider risk for international companies. Insikt Group links the broader threat to PurpleBravo activity overlapping Contagious Interview, including BeaverTail, InvisibleFerret, and OtterCookie malware against cryptocurrency-sector software developers, and says at least three crypto-adjacent organizations were targeted in late 2024. The report also identifies TAG-121 as a separate cluster running front companies in China that spoof legitimate IT firms in several countries. Recommended defenses center on stricter identity checks, remote-work monitoring, limits on remote desktop software, port review, and controls that can detect unauthorized access or suspicious worker locations.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | agencyhill99.com | 2025-02-13 | 2025-02-13 |
| IPv4 | 65.108.20.73 | 2025-02-13 | 2025-02-13 |
| DOMAIN | freeconference.com | 2024-10-23 | 2025-02-13 |