Unmasking a North Korean IT Farm: Exposing the Tradecraft Behind Their Global Disguise
2025-10-01 • Sygnia
https://i.blackhat.com/SecTor-2025/Sector-25-Sambira-Unmasking-a-North-Koren-IT-Farm.pdf
The SecTor 2025 slide deck presents a North Korean cyber operation whose tooling was recovered after a North Korean IT worker, hired as a senior DevOps engineer, returned the company laptop and it was analyzed. The control system avoided installing conventional malware; instead it combined Python scripts, WebSocket command and control, ARP packet rebroadcasting, HID-style input simulation, and Zoom automation. The Zoom module accepted commands such as open, create, admit, and hide; launched sessions via AppleScript or Zoom protocol handlers; captured screenshots to locate the admit button; and approved remote-control requests without user interaction. The deck highlights hunting opportunities around anomalous ARP broadcasts, spoofed MAC addresses, persistent connections, HID interface use, and Zoom protocol triggers, emphasizing protocol behavior and workflow abuse as detection priorities.
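As an added illustration of three of the hunting opportunities the deck names (ARP rebroadcast volume, one IP claimed by several MACs, and long-lived outbound sessions), the following Python is not from the deck or from Sygnia: the telemetry records, the window size and the thresholds are constructed assumptions, and a real deployment would feed it from a sensor or packet capture instead.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry (not from the deck). Each record is
# (timestamp_seconds, kind, src_ip, src_mac, detail):
#   kind "arp"  -> one ARP frame seen on the segment, detail unused
#   kind "conn" -> one outbound session, detail = (dst, duration_seconds)
EVENTS = [
    # a normal host: a couple of ARP frames and a short session
    (0, "arp", "10.0.0.5", "aa:aa:aa:00:00:05", None),
    (30, "arp", "10.0.0.5", "aa:aa:aa:00:00:05", None),
    (40, "conn", "10.0.0.5", "aa:aa:aa:00:00:05", ("intranet:443", 12)),
    # a suspicious host: 30 ARP frames in one minute, then a MAC change,
    # then a WebSocket session that stays up for two hours
] + [(t, "arp", "10.0.0.9", "aa:aa:aa:00:00:09", None) for t in range(0, 60, 2)] + [
    (61, "arp", "10.0.0.9", "de:ad:be:ef:00:09", None),
    (70, "conn", "10.0.0.9", "aa:aa:aa:00:00:09", ("ws.example.invalid:443", 7200)),
]


def arp_rebroadcast(events, window_s=60, threshold=20):
    """MACs that emit at least `threshold` ARP frames inside one window_s bucket."""
    buckets = Counter()
    for ts, kind, _ip, mac, _detail in events:
        if kind == "arp":
            buckets[(mac, ts // window_s)] += 1
    return sorted({mac for (mac, _b), n in buckets.items() if n >= threshold})


def mac_flips(events):
    """IPs that were claimed by more than one MAC (candidate MAC spoofing)."""
    seen = defaultdict(set)
    for _ts, kind, ip, mac, _detail in events:
        if kind == "arp":
            seen[ip].add(mac)
    return sorted(ip for ip, macs in seen.items() if len(macs) > 1)


def persistent_connections(events, min_duration_s=3600):
    """(src_ip, dst) pairs whose session lasted at least min_duration_s."""
    return sorted((ip, d[0]) for _ts, kind, ip, _mac, d in events
                  if kind == "conn" and d[1] >= min_duration_s)


def hunt(events):
    """Run all three rules and return their findings keyed by rule name."""
    return {"arp_rebroadcast": arp_rebroadcast(events),
            "mac_flips": mac_flips(events),
            "persistent_connections": persistent_connections(events)}


if __name__ == "__main__":
    print(hunt(EVENTS))
```

Each rule returns only the offending host so the three findings can be correlated on src_ip before anyone is paged; a single rule firing on its own is weak evidence.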