North Korean Fake Employees Are Everywhere! How to Protect Your Organization

2024-09-18 KnowBe4

https://www.knowbe4.com/hubfs/North-Korean-Fake-Employees-Are-Everywhere-WP_EN-us.pdf

Attachments

North-Korean-Fake-Employees-Are-Everywhere-WP_EN-us.pdf (3 MB)

KnowBe4 describes a North Korean fake IT worker case in which a remote employee persona passed interviews and background checks using stolen U.S. identity details and an AI-enhanced profile photo. After receiving a company Mac, the actor attempted to install password-stealing malware and manipulate session history logs, first from USB media and then from a local-network server. Endpoint detection generated an immediate alert, the SOC challenged the user over Slack, and KnowBe4 isolated the laptop within 25 minutes of the first alert before sharing findings with Mandiant and the FBI. The source also describes supporting tradecraft around remote-only hiring, alternate laptop shipping addresses, limited initial access, and a Raspberry Pi OS device used as a KVM-style remote access path to avoid normal remote-access traffic patterns. The case matters because it shows DPRK workforce infiltration as both a sanctions and security risk, especially for organizations hiring remote technical staff.

Indicators of Compromise

Type    Value                               First Seen  Last Seen
DOMAIN  outlook.com                         2018-09-06  2026-04-17
URL     https://www.techtimes.com/artic…    2024-09-18  2024-09-18
URL     https://www.securityinfowatch.c…    2024-09-18  2024-09-18
