What happens when a newly hired remote worker isn't who they claim to be?
In August 2025, a suspected North Korea-linked IT worker passed standard hiring checks, completed onboarding, and began operating inside a customer's organization.
LevelBlue SpiderLabs identified anomalous behavior and initiated an investigation. Within one business day of the first suspicious activity, the account was terminated, with no evidence of data exfiltration, persistence, or residual access.
In this session, Tue Luu, Threat Detection Engineer with LevelBlue SpiderLabs, walks through the case: what triggered suspicion, how the investigation unfolded, and what it means for organizations that rely on standard controls to catch threats that don't look like threats until it's too late.
In this session, you’ll learn:
- A step-by-step breakdown of the activity, from onboarding through detection and response
- How LevelBlue OTX threat intelligence and XDR behavioral analytics worked together to surface the threat
- The infrastructure and tradecraft used to present as a legitimate remote employee
- What to look for during hiring and onboarding before access is established
- Practical approaches to building integrated detection for this type of activity