Mallory

WageMole

Also known as: DPRK IT Worker Activity, dprk it worker network, DPRK IT Worker Operations, DPRK IT Worker Program, DPRK IT Worker Schemes, dprk_it_workers, itw, North Korean IT Worker Schemes, UNC5267, WageMole

WageMole (also written Wagemole) is a North Korea-linked, state-sponsored threat activity cluster associated with the DPRK fraudulent IT worker program. It is also tracked as UNC5267 and is referred to in reporting as DPRK IT worker activity, the DPRK IT worker network, operations, program, or schemes, DPRK IT workers, North Korean IT worker schemes, and ITW.

Reporting describes WageMole as a cluster distinct from, but related to, Contagious Interview / DeceptiveDevelopment: DeceptiveDevelopment compromises developers through fake recruiter and interview lures and then appears to hand off stolen information and identities to WageMole operators, who pose as job seekers.

The core WageMole tradecraft is employment fraud rather than conventional malware deployment. Operators use stolen, fabricated, or synthetic identities, forged resumes, fake references, LinkedIn profiles, and well-maintained GitHub accounts to obtain remote employment, especially at Western companies and particularly in the U.S. tech sector, though activity has expanded into Europe. GitHub repositories have been used to host resumes tied to forged identities impersonating multiple nationalities. Reporting also describes AI-assisted creation of fake personas, proxy interviewing, use of facilitators, and schemes to defeat identity verification and to receive funds. Facilitators in the U.S., U.K., and Europe have provided laptop access, identity verification bypass, and payment routing.

Targets include technology companies and other organizations in the U.S. and Europe; reporting specifically notes software development, Web3, and blockchain infrastructure, and, in Europe, defense industrial base and government organizations. The objective is to generate illicit revenue for the DPRK regime and its weapons programs while also creating insider access inside victim organizations.
Multiple sources note the risk that embedded workers can steal proprietary data or source code, extort employers after termination, or provide a foothold for follow-on malicious activity such as malware deployment, cryptomining, or theft of secrets. Public reporting states that Mandiant classified DPRK IT worker operations as UNC5267, and that Google attributed 3% of the intrusions it analyzed in the second half of 2025 to North Korean IT workers using fraudulent identities to obtain employment and generate revenue. Additional reporting attributes a fake front company, DredSoftLabs, to WageMole and notes abuse of GitLab infrastructure, as reported in tracking and response efforts covering the Contagious Interview and WageMole clusters.


MITRE ATT&CK

Tradecraft

The table below lists 28 technique IDs (23 parent techniques plus 5 sub-techniques) observed across reporting, grouped under 12 tactics; it has 32 entries in all because Valid Accounts and External Remote Services are repeated under each tactic they serve. Per-tactic counts cover parent techniques only, with sub-techniques listed beneath their parent. ×N is the number of intelligence reports citing that technique; entries without ×N are cited once.
TA0043 Reconnaissance (2 techniques)
  T1589          Gather Victim Identity Information
    T1589.001    Credentials
  T1598  ×4      Phishing for Information

TA0042 Resource Development (2 techniques)
  T1584          Compromise Infrastructure
  T1585  ×3      Establish Accounts

TA0001 Initial Access (3 techniques)
  T1078  ×11     Valid Accounts
  T1133          External Remote Services
  T1566          Phishing
    T1566.003    Spearphishing via Service

TA0003 Persistence (2 techniques)
  T1078  ×11     Valid Accounts
  T1133          External Remote Services

TA0004 Privilege Escalation (2 techniques)
  T1078  ×11     Valid Accounts
  T1611          Escape to Host

TA0005 Defense Evasion (3 techniques)
  T1036  ×7      Masquerading
  T1078  ×11     Valid Accounts
  T1564          Hide Artifacts
    T1564.006    Run Virtual Instance

TA0006 Credential Access (1 technique)
  T1649          Steal or Forge Authentication Certificates

TA0008 Lateral Movement (3 techniques)
  T1021  ×5      Remote Services
  T1210          Exploitation of Remote Services
  T1534          Internal Spearphishing

TA0009 Collection (1 technique)
  T1005          Data from Local System

TA0011 Command and Control (4 techniques)
  T1071          Application Layer Protocol
  T1090  ×2      Proxy
    T1090.002    External Proxy
    T1090.003 ×2 Multi-hop Proxy
  T1219  ×2      Remote Access Tools
  T1572          Protocol Tunneling

TA0010 Exfiltration (2 techniques)
  T1041          Exfiltration Over C2 Channel
  T1537          Transfer Data to Cloud Account

TA0040 Impact (2 techniques)
  T1486  ×4      Data Encrypted for Impact
  T1657          Financial Theft
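As an added example (not Mallory's code and not code from any reporting on this actor), the following Python script correlates, per account, the four techniques from the table above that together characterize the fraudulent remote-worker pattern: Valid Accounts (T1078), Proxy / Multi-hop Proxy (T1090), Remote Access Tools (T1219), and Run Virtual Instance (T1564.006). It runs over constructed endpoint and identity-provider events; the event schema, the ASN categories, and the process names that stand in for remote access tools and hypervisors are assumptions for illustration, not indicators attributed to WageMole.

```python
"""Per-account correlation of remote-worker tradecraft (added example).

Not Mallory's or any vendor's code. All events below are constructed, and
the tool/hypervisor names are illustrative members of the ATT&CK categories
T1219 and T1564.006, not indicators attributed to WageMole (assumption).
"""
from collections import Counter
from dataclasses import dataclass

# Assumption: representative image names for the two ATT&CK categories.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
HYPERVISORS = {"vmware-vmx.exe", "vboxheadless.exe", "qemu-system-x86_64.exe"}
# Assumption: ASN classification labels produced by an IP-enrichment step.
PROXY_ASN_TYPES = {"proxy", "hosting"}


@dataclass
class Event:
    user: str
    kind: str            # "process" (on the issued laptop) or "signin" (IdP log)
    value: str           # process image name, or sign-in source country code
    asn_type: str = ""   # sign-ins only: "residential", "proxy", "hosting", ...


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # "jdoe": the issued laptop stays with a facilitator; the operator reaches it
    # through a remote access tool, spins up a VM on it, and also signs in via
    # proxy/hosting networks, once from outside the stated work country.
    Event("jdoe", "signin", "US", "residential"),
    Event("jdoe", "process", "anydesk.exe"),
    Event("jdoe", "process", "vboxheadless.exe"),
    Event("jdoe", "signin", "US", "proxy"),
    Event("jdoe", "signin", "CN", "hosting"),
    # "asmith": an ordinary remote employee.
    Event("asmith", "signin", "US", "residential"),
    Event("asmith", "process", "code.exe"),
    Event("asmith", "process", "teams.exe"),
]


def score_user(user: str, events: list[Event], home_country: str) -> dict[str, list[str]]:
    """Return {technique_id: [evidence, ...]} for one account.

    home_country is the work location the employee declared to HR; it is the
    reference for the Valid Accounts (T1078) consistency check.
    """
    findings: dict[str, list[str]] = {}
    countries: Counter[str] = Counter()
    for e in events:
        if e.user != user:
            continue
        if e.kind == "process":
            name = e.value.lower()
            if name in REMOTE_ACCESS_TOOLS:
                findings.setdefault("T1219", []).append(
                    f"remote access tool {name} running on issued laptop")
            elif name in HYPERVISORS:
                findings.setdefault("T1564.006", []).append(
                    f"hypervisor {name} launched on issued laptop")
        elif e.kind == "signin":
            countries[e.value] += 1
            if e.asn_type in PROXY_ASN_TYPES:
                findings.setdefault("T1090", []).append(
                    f"sign-in from {e.value} via {e.asn_type} ASN")
    foreign = sorted(c for c in countries if c != home_country)
    if foreign:
        findings.setdefault("T1078", []).append(
            f"sign-ins from {foreign} but declared work location is {home_country}")
    return findings


def rank_accounts(events: list[Event], home_countries: dict[str, str]):
    """Rank accounts by the number of distinct techniques observed, highest first."""
    scored = {u: score_user(u, events, hc) for u, hc in home_countries.items()}
    return sorted(scored.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    for user, found in rank_accounts(SAMPLE_EVENTS, {"jdoe": "US", "asmith": "US"}):
        print(user, len(found), "technique(s):", sorted(found))
```

In practice the process events come from EDR telemetry on the issued laptop and the sign-in events from the identity provider, and the declared work location comes from HR records. The example groups findings per account rather than alerting on any single rule because a laptop kept by a facilitator can produce entirely domestic residential sign-ins while the actual operator reaches it through a remote access tool; the combination carries the signal, not any one event.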
IOCs

Observables

52 indicators (domains, IPs, hashes, and other artifacts pulled from reporting) are attributed to this actor. The indicator values are gated and are not shown on this page.

What this page doesn't show

The public page omits the following, which are available only in the Mallory app: target overlap (sector, geography, and tech-stack matching against an organization's own footprint), the full tradecraft mapping, the malware families this actor is known to deploy, exploited CVEs (1, not named on the public page), detection signatures (YARA, Sigma, Snort, and vendor rules), and the 52 observables (domains, IPs, and hashes).
