Unmasking a North Korean IT Farm: Exposing the Tradecraft Behind Their Global Disguise
2025-10-01 • Sygnia
Sygnia describes a covert remote-control system developed by a North Korean IT worker operating inside a legitimate organization. The toolkit used WebSockets for command and control, ARP packets as a payload transport mechanism, and Zoom as a covert remote-access channel. The attack chain included Python-based command execution, keystroke and mouse emulation, HID injection, automatic approval of Zoom remote-control access, and a command client that persistently reconnected when the user was active. Sygnia says the investigation exposed previously undocumented techniques for network protocol abuse and application-layer persistence, with detection and forensic implications for DPRK IT-worker intrusions.