SecTor 2025 | Unmasking a North Korean IT Farm


This session exposes a real-world covert remote-control system developed by a North Korean IT worker operating undetected within a legitimate organization. The forensic investigation revealed a sophisticated ecosystem that leveraged Address Resolution Protocol (ARP)-based payload delivery, WebSockets for stealthy command and control, and Zoom for covert persistence and remote access.

Through technical analysis and a live attack demo, we'll unpack how the attacker:
- Built an advanced C2 infrastructure using WebSockets to control infected machines.
- Used ARP packets as a payload transport mechanism, embedding commands inside network traffic to execute commands without traditional TCP/IP communication.
- Weaponized Zoom as a Remote Access Trojan (RAT), launching meetings without user interaction and auto-approving remote-control access via HID injection techniques.
- Covertly executed commands through a Python script, allowing keystroke and mouse movement emulation, bypassing endpoint logging.
- Enabled remote execution through a command client, which persistently reconnected to the C2 when the user was active.

By reverse-engineering the threat actor’s toolkit, the investigation uncovered previously undocumented techniques for network protocol abuse and application-layer persistence.

In this session, we’ll not only highlight how these tactics were deployed but also how defenders can detect and disrupt them before they escalate into full-scale espionage. Attendees will leave with a deeper understanding of offensive tradecraft and practical strategies for detection, threat hunting, and forensic response.
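One detection angle the abstract points at is the ARP transport: a well-formed IPv4-over-Ethernet ARP message is exactly 28 bytes, and anything beyond it in the frame is normally zero padding. The parser below, an added example that is not part of the session materials or Sygnia's tooling, inspects Ethernet II frames and flags ARP frames whose trailer contains non-zero bytes, whose header fields are non-standard, or whose frame is larger than the 60-byte minimum Ethernet size. The sample frames are constructed inline; the threshold choices and the "smuggled trailer" heuristic are assumptions about how such a transport would look on the wire, not details taken from the talk.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETH_HDR_LEN = 14          # dst MAC + src MAC + EtherType
ARP_HDR_LEN = 28          # Ethernet/IPv4 ARP: 8-byte fixed part + 2 MACs + 2 IPv4 addresses
ETHERTYPE_ARP = 0x0806
MIN_ETH_FRAME = 60        # frames shorter than this are zero-padded by the sender's NIC


@dataclass
class ArpFinding:
    opcode: int
    trailer_len: int
    nonzero_trailer: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_arp_frame(frame: bytes) -> Optional[ArpFinding]:
    """Return an ArpFinding for an Ethernet II ARP frame, or None for non-ARP frames.

    Assumption: untagged Ethernet II only (802.1Q-tagged frames are not unwrapped here).
    """
    if len(frame) < ETH_HDR_LEN + ARP_HDR_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None

    arp = frame[ETH_HDR_LEN:]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    reasons: List[str] = []

    # Anything other than Ethernet(1)/IPv4(0x0800) with 6-byte MACs and 4-byte IPs is unusual on a LAN.
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        reasons.append("non-standard ARP header fields")
    if opcode not in (1, 2):  # 1 = request, 2 = reply
        reasons.append(f"unexpected opcode {opcode}")

    # Everything after the 28-byte ARP message should be zero padding; non-zero bytes are data riding in the frame.
    trailer = arp[ARP_HDR_LEN:]
    nonzero = sum(1 for b in trailer if b != 0)
    if nonzero:
        reasons.append(f"{nonzero} non-zero trailer bytes after ARP header")
    if len(frame) > MIN_ETH_FRAME:
        reasons.append(f"oversized ARP frame ({len(frame)} bytes)")

    return ArpFinding(opcode, len(trailer), nonzero, reasons)


def build_arp_frame(opcode: int, trailer: bytes = b"") -> bytes:
    """Constructed sample: broadcast ARP from 02:00:00:00:00:01 / 10.0.0.1 about 10.0.0.2, optional trailer."""
    src_mac = bytes.fromhex("020000000001")
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + src_mac + bytes([10, 0, 0, 1])
           + b"\x00" * 6 + bytes([10, 0, 0, 2]))
    frame = eth + arp + trailer
    if len(frame) < MIN_ETH_FRAME:
        frame += b"\x00" * (MIN_ETH_FRAME - len(frame))   # emulate NIC zero padding
    return frame


def scan_frames(frames: List[bytes]) -> List[ArpFinding]:
    """Return findings only for ARP frames that tripped at least one heuristic."""
    findings = []
    for frame in frames:
        f = parse_arp_frame(frame)
        if f is not None and f.suspicious:
            findings.append(f)
    return findings


if __name__ == "__main__":
    sample = [
        build_arp_frame(1),                       # ordinary request, zero-padded to 60 bytes
        build_arp_frame(1, b"cmd:echo hi"),       # constructed: short non-zero trailer inside the padding
        build_arp_frame(2, b"A" * 40),            # constructed: trailer pushes the frame past 60 bytes
    ]
    for f in scan_frames(sample):
        print(f"opcode={f.opcode} trailer={f.trailer_len}B nonzero={f.nonzero_trailer}: {'; '.join(f.reasons)}")
```

Run over a packet capture, this would be fed from a pcap reader rather than the constructed list, and the non-zero-trailer rule should be tuned per environment: some NICs and virtual switches pad with stale buffer contents rather than zeros, so a baseline of padding behaviour per source MAC keeps the false-positive rate manageable. Correlating a flagged source MAC with a host that also holds a long-lived outbound WebSocket and has Zoom launching without a logged-on user's interaction is the kind of multi-signal hunt the session's bullet list suggests.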

By: Avi Sambira | Director, Client Leadership, Sygnia

Full Presentation Materials Available at:
https://blackhat.com/sector/2025/briefings/schedule/?#unmasking-a-north-korean-it-farm-exposing-the-tradecraft-behind-their-global-disguise-47136