Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

north_korean_it_workers

Also known asnorth_korean_it_workers

North Korean IT workers are described as a highly organized, state-backed network extending beyond traditional IT roles. According to the provided content, they are seeking remote jobs in industrial design and architecture in addition to IT-related positions. Their involvement is assessed to pose risks including espionage, sanctions evasion, safety concerns, and access to sensitive infrastructure designs. The content also notes links to Bells Inter Trading Limited and VPN apps. Known alias in the provided content: north_korean_it_workers.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

13 of 15 tactics39 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1589×3
Gather Victim Identity Information
T1598×3
Phishing for Information
TA0042
Resource Development
4 techniques
T1583
Acquire Infrastructure
T1583.001
Domains
T1583.006
Web Services
T1583.007
Serverless
T1584
Compromise Infrastructure
T1585×4
Establish Accounts
T1585.001×3
Social Media Accounts
T1586×4
Compromise Accounts
TA0001
Initial Access
3 techniques
T1078×10
Valid Accounts
T1199
Trusted Relationship
T1566
Phishing
TA0003
Persistence
2 techniques
T1078×10
Valid Accounts
T1546
Event Triggered Execution
TA0004
Privilege Escalation
2 techniques
T1078×10
Valid Accounts
T1546
Event Triggered Execution
TA0005
Stealth
3 techniques
T1036×9
Masquerading
T1078×10
Valid Accounts
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0006
Credential Access
2 techniques
T1056
Input Capture
T1649
Steal or Forge Authentication Certificates
TA0007
Discovery
1 technique
T1497
Virtualization/Sandbox Evasion
T1497.001
System Checks
TA0008
Lateral Movement
2 techniques
T1021×5
Remote Services
T1550
Use Alternate Authentication Material
TA0009
Collection
2 techniques
T1056
Input Capture
T1213
Data from Information Repositories
TA0011
Command and Control
4 techniques
T1090×7
Proxy
T1102
Web Service
T1219×3
Remote Access Tools
T1572×2
Protocol Tunneling
TA0010
Exfiltration
3 techniques
T1020
Automated Exfiltration
T1041
Exfiltration Over C2 Channel
T1537
Transfer Data to Cloud Account
TA0040
Impact
3 techniques
T1486
Data Encrypted for Impact
T1496
Resource Hijacking
T1657
Financial Theft
IOCS

Observables

23 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

23 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping31

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables23

Domains, IPs, and hashes tied to this actor, refreshed continuously.