Unmasking a North Korean IT Farm: How North Korean IT Workers Stay Undetected

2025-05-28 Sygnia

https://www.sygnia.co/blog/unmasking-north-korean-it-farm/

Sygnia’s investigation found a North Korean IT worker, hired under a false identity by a Western organization, using a covert remote-control setup on a company-issued laptop. The tooling combined lightweight Python scripts, persistent WebSocket command-and-control, ARP-based command rebroadcasting on the local network, HID keyboard and mouse simulation, and Zoom automation to enable remote interaction while blending into normal development and collaboration workflows. The activity was linked to a suspected laptop farm uncovered by U.S. law enforcement, with persistence configured through login or startup shell scripts and commands timed around user presence. No confirmed data exfiltration or Zoom prompt bypass was observed, but the case shows how DPRK IT-worker operations can abuse trusted SaaS tools, remote work processes, and low-level network signaling to create insider-risk access that traditional malware-centric controls may miss.
