Talk about dodging the insider threat from hell. Between August 15 and 25, 2025, the SpiderLabs threat intel team, through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics, detected an attempt by a North Korea-linked operative to infiltrate an organization by answering a help-wanted ad.
Let’s take a look at how this organization, with LevelBlue’s help, was able to detect and block this sneaky infiltration attempt.
It took just 10 days for a nation-state threat actor to go from new hire to terminated employee. What appeared to be routine onboarding quickly unraveled when behavioral analytics flagged suspicious login patterns, and threat intelligence confirmed the worst: the organization had unknowingly hired a suspected North Korea-linked operative.
Our team flagged suspicious login activity after an admin from the client’s organization activated the new hire’s Entra ID account as part of the onboarding process. We observed that the new hire signed in to Entra ID from a Dallas, Texas IP address, a deviation from his usual login region (China). The login also originated from an unmanaged device.
The Entra ID login from the unmanaged device used an IP address belonging to Astrill VPN, a service typically used by North Korea-linked IT workers.
The detection was made possible through the integration of LevelBlue OTX threat intelligence with Cybereason XDR behavioral analytics.
North Korea-linked operatives have infiltrated hundreds of companies globally, generating an estimated $250 million to $600 million annually for the North Korean regime.
Organizations face significant risks when they unknowingly employ North Korean (Democratic People’s Republic of Korea, DPRK) operatives.
These threat actors commonly operate from China rather than North Korea for two reasons: more reliable Internet infrastructure and the ability to leverage VPN services to conceal their true geographic origin.
Astrill VPN is deeply embedded in North Korean cyber operations, primarily because of its proven ability to bypass China's Great Firewall. Lazarus Group’s subgroups, including Contagious Interview, rely on this capability to reach the global Internet without restriction, manage command-and-control infrastructure, and mask their true location. The VPN lets threat actors tunnel traffic through US exit nodes so that they can masquerade as legitimate domestic employees. As a result, authentication events from known Astrill VPN IP ranges are a high-fidelity indicator of compromise.
LevelBlue OTX is a crowdsourced threat intelligence platform with 450,000+ participants sharing indicators of compromise (IoCs) and threat pulses in near real-time.
Cybereason XDR is an operation-centric detection and response platform that correlates security events into comprehensive attack narratives called MalOps across endpoints, cloud, networks, and identity providers.
When the two are integrated, OTX threat pulses are automatically correlated against the authentication logs monitored by the XDR platform.
August 15, 2025 (Fri) UTC – Onboarding: The threat actor was hired as a remote employee assigned to work on Salesforce data, having passed standard verification procedures.
August 15 to 20, 2025 (Fri to Wed) UTC – Baseline Learning: Cybereason XDR established a behavioral baseline showing consistent logins from China.
August 21, 2025 (Thu) UTC – Anomaly Detected: A login from 142[.]214.202.2 (St. Louis, ASN 7393 CYBERCON) triggered a high-severity alert.
August 22, 2025 (Fri) UTC – Threat Intel Match: A login from 155[.]94.199.59 (Los Angeles, ASN 36352 HostPapa) matched an OTX pulse for Astrill VPN infrastructure used by North Korean actors.
August 25, 2025 (Mon) UTC – Termination: The user’s account was revoked, and an extended investigation was initiated.
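To make the two-stage detection in this timeline concrete, here is an added example that is not LevelBlue's, Cybereason's, or OTX's code. It replays constructed Entra ID-style sign-in events for a single new hire: a learning window builds a per-user country baseline, then each later sign-in is scored for geographic deviation and unmanaged-device use (the behavioral check) and its source IP is matched against an indicator set standing in for an OTX pulse (the threat-intel check). The two US addresses and ASNs come from the timeline above; the Chinese baseline addresses, the event hours, the indicator description text and the severity labels are assumptions made up for the example, and a real deployment would pull the full Astrill VPN ranges from OTX rather than the single address hard-coded here.

```python
"""Replay of the case-study timeline over constructed sign-in events.

Two checks run per event, in the order the post describes:
  1. behavioral: country / device deviation from the user's learned baseline
  2. threat intel: source IP matched against an indicator set (stand-in for OTX)
Example code only; not the vendors' implementation.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed stand-in for an OTX pulse. The single address is the one reported
# in the post's timeline; a production feed would carry the full VPN ranges.
ASTRILL_VPN_INDICATORS = {
    "155.94.199.59/32": "OTX pulse: Astrill VPN infrastructure used by DPRK IT workers",
}
INDICATOR_NETS = [(ip_network(cidr), desc) for cidr, desc in ASTRILL_VPN_INDICATORS.items()]


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    city: str
    asn: str
    managed_device: bool


# Constructed sign-in events mirroring the timeline. Dates follow the post;
# the baseline addresses (TEST-NET-3 space), hours and ASN for China are made up.
EVENTS = [
    SignIn(datetime(2025, 8, d, 1, tzinfo=timezone.utc), "newhire",
           "203.0.113.%d" % d, "CN", "Shenyang", "AS4837", True)
    for d in range(15, 21)
] + [
    SignIn(datetime(2025, 8, 21, 14, tzinfo=timezone.utc), "newhire",
           "142.214.202.2", "US", "St. Louis", "AS7393 CYBERCON", False),
    SignIn(datetime(2025, 8, 22, 15, tzinfo=timezone.utc), "newhire",
           "155.94.199.59", "US", "Los Angeles", "AS36352 HostPapa", False),
]

# End of the learning window: everything before Aug 21 is baseline, not alerted on.
BASELINE_END = datetime(2025, 8, 21, tzinfo=timezone.utc)


def learn_baseline(events, user, until):
    """Count the countries `user` signed in from before `until` (the behavioral baseline)."""
    return Counter(e.country for e in events if e.user == user and e.ts < until)


def match_indicator(ip):
    """Return the indicator description if `ip` falls inside a known-bad range, else None."""
    addr = ip_address(ip)
    for net, desc in INDICATOR_NETS:
        if addr in net:
            return desc
    return None


def evaluate(event, baseline):
    """Score one sign-in; returns a list of (severity, reason) findings."""
    findings = []
    if baseline and event.country not in baseline:
        findings.append(("high", f"login from {event.country} ({event.city}, {event.asn}) "
                                 f"outside baseline countries {sorted(baseline)}"))
    if not event.managed_device:
        findings.append(("medium", "sign-in from unmanaged device"))
    ti = match_indicator(event.ip)
    if ti:
        findings.append(("critical", f"{event.ip} matched threat intel: {ti}"))
    return findings


def run_detection(events, user, baseline_end):
    """Replay post-baseline events for `user`; returns {ISO date: findings} for days with alerts."""
    baseline = learn_baseline(events, user, baseline_end)
    results = {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.user != user or e.ts < baseline_end:
            continue
        findings = evaluate(e, baseline)
        if findings:
            results[e.ts.date().isoformat()] = findings
    return results


if __name__ == "__main__":
    for day, findings in run_detection(EVENTS, "newhire", BASELINE_END).items():
        for severity, reason in findings:
            print(f"{day} [{severity}] {reason}")
```

Run as-is, the Aug 21 event produces only the behavioral findings (new country, unmanaged device), and the Aug 22 event adds the critical threat-intel match, which is the ordering the post reports: the geographic anomaly fires first, and the indicator match then raises confidence from "unusual" to "known DPRK VPN infrastructure". The baseline is learned from the user's own early sign-ins, so a fixed allow-list of countries is not needed; the trade-off is that the learning window itself is trusted, which is why the threat-intel check runs on every event regardless of baseline.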
SpiderLabs investigated employee interactions, group chat additions, and all resources the threat actor accessed. Security teams analyzed for persistence mechanisms and remote access tools.
Result: No evidence of residual access, backdoors, or malicious artifacts. The rapid 10-day detection timeline significantly limited the threat actor's opportunity to cause damage.
Initial Access - T1078 Valid Accounts: Legitimate credentials via hiring process
Initial Access - T1133 External Remote Services: Entra ID authentication for cloud resources
Defense Evasion - T1090.003 Multi-hop Proxy: Astrill VPN to mask origin
Threat intelligence integration enabled the identification of North Korea-associated VPN infrastructure that would otherwise have appeared as routine activity.
Behavioral analytics triggered the first alert through geographic anomaly detection before threat intelligence matching occurred.
Rapid response limited exposure to ten days, preventing data exfiltration and persistent compromise.
Comprehensive investigation confirmed no residual access remained in the environment.
This case demonstrates the power of combining crowdsourced threat intelligence with behavioral analytics. As North Korean remote worker schemes expand into Western markets, organizations must invest in integrated security solutions to detect these threats before significant damage occurs.
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.