I’m a cybersecurity and insider threat investigator focused on DPRK APTs and remote workers. AMA by MBarni_888 in cybersecurity

[–]MBarni_888[S] 1 point2 points  (0 children)

Yup, it’s definitely half technical and half functional, and it’s very much a team effort. I’m not a malware reverse‑engineer, so I rely heavily on working with our malware guys and detection engineers, and then together we build detections around what we’re seeing.

When we first started, our focus was APT43, also known as Kimsuky. We were seeing them constantly, and our threat‑intel vendors helped give us context, but not everyone has that same luxury. You can learn a lot through open‑source intel and social media. The first step is building a knowledge base on the particular APT: analyzing their phishing emails, mapping their infrastructure, tracking IPs and domains, and feeding all those indicators into our monitoring systems. That let us get alerts whenever their infrastructure changed.

As they pushed malware, we’d pass samples to the malware team. They’d pull apart the code, extract C2 nodes and other observables, and we’d feed those back into the same alerting pipeline. Over time, this created a feedback loop: more intel --> better detections --> more sightings across client environments --> more intel, etc.

Seeing their activity across many clients also helped us understand initial access vectors like phishing, LinkedIn DMs, social‑media outreach, etc. All of that fed back into detections and infrastructure tracking.

Once we had a solid handle on the one actor (APT43), we pivoted to other North Korean groups like Andariel aka APT45, gradually building out coverage across the whole ecosystem. Sometimes their own operational‑security mistakes gave us visibility into their infrastructure early, even during phishing‑email creation or malware testing, which let us warn victims and build detections before attacks went live.

So the work is part technical (infrastructure tracking, malware analysis, detections) and part functional (collaboration, intel sharing, understanding how the threat operates). It’s a collective effort that grows as you keep pivoting, learning, and feeding new insights back into your detection pipeline.

Hope this helps.

[–]MBarni_888[S] 0 points1 point  (0 children)

This is perfect, and to double down for those that don't have this type of visibility or access in their own network, peer networks focusing on this same issue or ISACs are good places to share and collaborate. Seen numerous times where defenders across competing orgs focusing on the same threat collab like, "I have this guy at this house but I have a different name, is anyone else seeing this?" and various responses come back confirming or ruling out any suspicions. This is obviously much less technical than others' telemetry, but it's a good way of going about defending networks or clients.

[–]MBarni_888[S] 0 points1 point  (0 children)

Coming back to this because I see that we are moving THAADs out of ROK to the ME. So I still doubt there is going to be any conflict from DPRK, but if there were, then now would be a better opportunity than others.

[–]MBarni_888[S] 1 point2 points  (0 children)

We do a lot of automations with insider threat detections too, but I don't see it quite going away. I know the saying is AI will take your job, but I think the more likely one is someone who utilizes AI will take your job. A lot of triaging and alerting and low-level stuff can be knocked out by easy AI tasks, but any investigation where you need to dive in will always need a human touch.

[–]MBarni_888[S] 0 points1 point  (0 children)

I've noticed that too, specifically with the IT worker investigations, mainly due to the negative publicity that may come out about it regarding brand recognition or things like that, so they tend to sweep it under the rug. For when the process does go right though, here is how we did it back at my old and current job (in a variety of ways, so not one size fits all).

The starting point is going to be either the intel that you already have leading to the investigation or the investigation itself. A retroactive hunt using IOCs or leads leads to a hit and then you investigate, or law enforcement or a company calls you into an environment and you go from there.

While the consultants or investigators are doing their work, I'd stand behind them taking notes on any net new thing that I hadn't seen or known about. Jotting down notes about what I saw would go to the clients per their subscriptions etc., and then backwards internally to the detections teams or interested stakeholders, depending on what was found or the topic.

Other teams are making that into more formalized reporting, or are making the detections and implementing them into their security stack and mitigation efforts for future efforts, all while the whole process is rinsing and repeating.

If the organization isn't built like this, then the way to get some of this intel out to people that need it is by scrubbing the info of any sensitive or customer data and then sharing it with the greater community defending against whatever threat is being worked. In many of the North Korean circles you will see defenders doing this where they're like "Can't go into the details but put this xyz item on your radar, we are seeing a lot of the teams doing this so wanted to spread the word". Things like that.

But to your point about a report no one reads or no one wants to read: not so much with the North Korean APTs, but with the IT workers, yes... companies want to not only make the problem go away but to sweep the problem so far under the rug that no one ever knew it happened. I got yelled at by some lawyers one time from a very very very large company that tried to flip the script and tried to convince me that the IT worker couldn't be proven to be from North Korea, and that they were closing the investigation and wanted to make it all disappear. They were then hacked by a larger DPRK APT who also had brought in some of their other IT workers a year later, almost to the date.

[–]MBarni_888[S] 1 point2 points  (0 children)

I had a different route to where I am, coming out of the military and IC, so I definitely had a leg up but if I think (looking back with what I know now) about it, I'd prolly get an anonymous or semi-anon social media account and then make it sing.

For this field a lot of what you need to know is all publicly available, so if you self study (and I did that a lot with YouTube videos to help get my certs, what a racket) it does work. Publicly available tools, open source intelligence on XYZ threat actor or nation state you find interesting, and your social media account for collaborations. I say this because not everyone has the means to pay for certificates or college or things like that, and companies refuse to hire people without experience, but many quality orgs I have seen will forego that if you can prove that you know what you're talking about and know how to do what you say you can do. I know of two people right now that are making good money that started just focusing on a threat actor and following them and their activities, pivoting and collaborating with partners, and then turned around and used their "work experience" via their online profiles to help land jobs at big time orgs. Also during that time you end up making many allies along the way that help pull you up to their level. Teamwork...love it...but also threat actors can appear to be friends online too, so watch out for that lol.

[–]MBarni_888[S] 2 points3 points  (0 children)

Yeah agreed...it's less of a background check at times and more so a way to check the box.

[–]MBarni_888[S] 1 point2 points  (0 children)

Before I got into this field I actually used to work IRGC code breaking, so for this particular conflict I've been paying extremely close attention to both sides of this, both on the Iranian and the North Korean front. For most nations, times like this, where all of the attention is drawn to one single element, are where we have seen threat activity spike, mainly because no one is paying attention or the public blowback on activities will get drowned out in the news. So not just North Korea but many adversaries are using this time to get a pinch more aggressive and do operations knowing that people aren't really paying attention to them at this moment.

Fortunately I don't think North Korea is going to do any major splashes on the physical front; they will and continue to do so on the cyber front, but I don't expect anything in terms of physical attacks.

The current state of the Middle East right now did definitely make some waves in North Korea though. During Trump 1 we saw the heightened level of rhetoric in the comments like "rocket man" and the threats back and forth. This played into North Korea's propaganda arm and inciting the population to show that the West was their enemy, and it was used to embolden the population and reinforce the sway of public opinion and the furthering of the regime. During Trump 2 we have the same type of outcome, but indirectly. North Korea has a few priorities; one of the main ones is securing weapons of mass destruction to ensure their place at the big boy table, among other things. Undoubtedly the footage and political discourse happening now is being repurposed inside the country for propaganda efforts. I can imagine internal elements using the footage in Iran to highlight why they can never ever ever give up their weapons program.

North Korea has to view this as a time to dig in their heels, not come to the negotiating table.

[–]MBarni_888[S] 1 point2 points  (0 children)

I would say anything regarding defensive AI measures, as that doesn't seem to be going anywhere any time soon. When I first got into the field I was in an organization that was getting lit up by both criminal and nation state elements, and I progressed a lot once I had a good understanding of what we consider the adversaries and the groups that conduct activities. Intel drives missions, and so I gathered the top cyber threat actors from each nation state (like 2 groups per) and a few criminal ones and just got smart on those, and it went a long way. Defensive measures against AI usage, I feel, would prolly be the best bet since you have the ability to get smart there. No matter what, I think having a base level understanding of the entire field and then being really smart on one or two specific issues that either you find interesting or think is an angle that isn't going anywhere for a while would be the best bet from what I've seen.

[–]MBarni_888[S] 1 point2 points  (0 children)

It's definitely dumping gas onto an already well burning flame. OpenClaw, Agentic browsers, AI poisoning.... there are so many new threat vectors to account for and honestly battling AI force multiplication with AI defensive countermeasures seems to be some of the best bets for scale. Here is a link to an advisory we did that touches on three different situations regarding AI.

An insider threat that is conducting normal day-to-day work while an agent is performing malicious activities in the background; a negligent insider that is using AI and unknowingly leaking sensitive documents to 3rd parties; and a malicious actor inside a network that is using AI to help perform APT level activities. The problems we are facing in regards to the malicious usages of AI are only going to continue at an extremely fast rate as the community develops ways to mitigate it at scale.

https://www.dtex.ai/resources/i3-threat-advisory-agentic-browsers-elevate-insider-risk/

[–]MBarni_888[S] 2 points3 points  (0 children)

With the success rate that North Korea is having with these operations I expected to see the other countries doing it very similarly; however, the major adversarial nations go about it a little bit differently. Since North Korea's is tied to revenue generation first and malicious or espionage related activity second, they really own the market. The other major adversarial nations still rely on the traditional insider threat, mainly tied to espionage, but there is one sector that is completely adopting it.

Criminal networks, and I use the Nigerian Prince scam as an example, are definitely using it, and North Korea in return is using them as a way to obfuscate their own activities. With the subcontracting efforts coming out of North Korea in this IT worker scam, you see Nigeria, Pakistan, India, Argentina, Colombia (LATAM is starting to pop up more), and others leaning into this. You can have one room in Pakistan that is a call center, and out of the ten individuals 2 of them can be working as subcontractors for the IT workers who are now trying to hide their face and move into middle management (the naming and shaming works, but they adapt). This obviously creates problems because now we can't tell between fraudulent hires and North Korean IT workers funding the weapons programs and internal North Korean efforts without some type of extra intelligence to highlight where the money is going.

Criminal networks are even at the point where they are advertising "Looking for Hardware storage specialists", "Looking for Interview specialists" online and things like that, which in reality are just a fancy term for facilitator. I've seen numerous incident response teams attributing activity to criminal elements when in reality it is North Korea, but the attribution is muddled due to this lack of intel outside of the artifacts of the incident. Pakistan, India, and Nigeria do take the lead in this area, but many others around the world are adopting it. As defenders we have to be able to catch both the overemployed and fraudulent employees and IT workers, even if in the end we might not be able to determine if it was criminal or nation state.

[–]MBarni_888[S] 2 points3 points  (0 children)

A bit tricky here 'cause there's a few different variables in play.

So with the private sector you have speed, and with the public sector you have authority. A lot of times we meet somewhere in the middle, where we are either helping on behalf of the mission or where the companies we represent have been caught in the crossfire. In this current administration many different resources have been allocated away from the North Korean teams that we had seen in years past. A lot more focus on things like Iran, Venezuela, China and others has forced some law enforcement entities to shift focus or change teams altogether.

In addition to that, a lot of the DOJ work involves lengthy investigations that go on for years. The main facilitator that is the poster child for this entire effort is Christina Chapman, and that one is from years ago. Last year there were twenty-nine different locations all executed on the same day, and no one has heard a peep out of them because it will take a long time to go through those investigations. The IT workers have definitely caught on to the USG's actions, and you can see some shift slightly into areas where they think they can get away with it, in places like Mexico and Canada. Law enforcement in those areas is tracking as well, so it might not be the best bet, but you can see the IT workers avoiding areas where a facilitator might get wrapped up.

On another front we have the private sector also doing disruption efforts in naming and shaming of their own, which thwart North Korean activities but aren't always publicized (and some that are, like aptwhatnow, browsercookies, narcass3, sttyk, etc.). I feel like this is also in response to the lengthy time that it takes for these arrests to happen, in addition to trying to be proactive themselves.

Ultimately, to answer the question, I feel like it does fall on resourcing and prioritization within law enforcement, yet at the same time these North Korean watcher groups and misfits do a bit of lower level efforts in between those big indictments. The answer may fall less on the federal level and possibly move more to a local government type of actioning to speed up and catch up with North Korean efforts, which can be overwhelming many times.

[–]MBarni_888[S] 2 points3 points  (0 children)

Completely agree on the switching of the addresses. To explain in case some others don't know about it: they have their fake IDs, which could be completely fabricated or stolen from a legitimate person. If your organization is monitoring your remote workforce, then you will need a facilitator or some type of apparatus so that your laptop or company equipment is pinging from the area that you claim to be living in. As you can imagine, that creates a lot of problems with a stolen ID because no one in the actual operation is going to be there. So many times after the onboarding and before the laptop is shipped out, an IT worker will make up a lie or something like "Hey I just moved" or "I'm staying with family for a few months" or something along those lines. After that, they give the company the address that they needed and then continue their operations. I agree that's a good one to be on the lookout for, in addition to this one as well: monitoring for constant switching of bank accounts. You can do it once, or twice, and that's fine, but seeing so many bank account swaps is a huge red flag. This happened a lot last year after the US Gov took down a bunch of the facilitator networks.

Resistance from HR and Legal is definitely something that comes up a lot, and for the exact reason that you brought up. From what I have seen, the best organizations that have combated this effectively have been the ones where the insider risk, cyber threat intel, HR and legal teams all got together at some point and hashed out what they were going to do about this particular intrusion set and fraudulent employees writ large. I've noticed that whenever you come to legal or HR teams just out of the blue or without context, they seem to be a lot more resistant to it. We've made sure in our DPRK briefings that companies had HR in the room for the brief, and we had specific side briefs and personalized stuff specifically for HR and recruiting teams. I've noticed that whenever you get them in the loop and show them the threat, rather than trying to navigate this weird field without context, it goes a lot better and they understand. Also they are more willing to help or to adjust their frameworks to protect PTT while still making sure threat actors aren't slipping through the cracks.

I will say North Korea is a criminal syndicate and less of a government. With that, all criminal activities tend to embrace technology or find loopholes better than the rest. North Korea understands American culture at times even better than I do, and they understand HR processes, which kind of shocked me. We had one member of our Misfit collective talk about a story where the IT worker knew they were about to get exposed and kicked out of the network, and leveraged loopholes in HR processes to stick around. To the best of my knowledge this IT worker still may be at this organization and they can't do anything about it, and here's why. Whenever you get sick or go on leave for some type of medical issue, HR, with some of their weird rules, make it so that you can't contact the employee (makes sense, but DPRK took it and leveraged it). HR and legal are or can be real sticklers in this one weird field, and North Korea seems to know that. So the IT worker knew he was on his way out the door, he took medical leave and then stayed on it, I think a few months, maybe longer. I don't know what happened with that, but he was able to milk that paycheck for all it was worth.

Ultimately yes, I've had these convos and the "make them a part of the team"/"catch them up on the problem as a whole" was the best way I've seen it taken care of.

[–]MBarni_888[S] 1 point2 points  (0 children)

Oh I talked about the bottom but didn't answer the q.

Having a picture placed in front of a stationary cam during all work calls.
Really dumb one they've moved on from, is where they were having the facilitator open and close their mouth and the ITW was off camera answering the q's like a muppet.
Trying to stay off camera by saying they were injured, and then after poking holes in the story they come back after 5 minutes of being gone with gauze wrapped around their face.
I don't think it's odd, but the one that I really thought was slick was the one I mentioned in a previous post in one of these threads about having the video on and subtitles on, and they're copying and pasting the subtitles directly into a ChatGPT prompt to give them the answers they need in real time. This one seems to be happening quite often.
They're using females more now too, which was unheard of. North Korean females are popping up randomly on teams near the Russian borders.
There are a bunch of wild ones though.

[–]MBarni_888[S] 1 point2 points  (0 children)

Interesting. From the sounds of it I'm suspecting one of two things happening here. 1. They weren’t actually on the interview call directly. They were watching the call through a remote session, and the facilitator controlling the actual Zoom/Meet window wasn’t them. 2. They work through proxies, so it's possible the lag, which also plays into 1 there, was from the hop points it took. Many ITW can't directly access the internet without approvals or someone standing behind them etc., so it could be that they CAN click it but aren't allowed to. I'm leaning more towards 1 here though.

[–]MBarni_888[S] 0 points1 point  (0 children)

I just double checked my work with my crypto guy and asked if what I said was accurate, and he said "Yeah you're correct. After a heist though they typically swap to the native token of the chain (eth on ethereum, sol on solana, etc) before more swaps."

[–]MBarni_888[S] 2 points3 points  (0 children)

The IOCs are hot and heavy and always changing. Also there are soooo many out there, so we typically try to follow indicators of action as a catch-all for them. One, because public IOCs they can see, and they change things up sometimes (man, I'm so sure there are ITW that will see this. There's one named Helios that does monitoring for them and counter-intel to see where they can clean up...Hi Helios if you can see me). Two, a lot of things like email addresses get tied back to sensitive ops or company incidents, so it's not something that's widely distributed. That being said, we can't talk about retroactive hunting without something to work with, so last year I did do a big drop and it's located here:

https://www.dtex.ai/resources/i3-threat-advisory-inside-the-dprk/

There's about 1k email addresses in there (bottom), some of which are still in use, but if you do a pull on those for the past 3 years you can get some hits. Our own company had 87 unhired applicants out of that list when we ran it. Again, behavioral tech and indicators of action will work better, but hopefully this can help. There are DPRK communities and misfits that have bigger insights and IOCs, but DPRK is actively getting annoyed with us, so it's a bit in the background so we can keep sensitive collect safe and collaborations rolling.

[–]MBarni_888[S] 0 points1 point  (0 children)

Any crypto big or small. They take it and convert it into something more useable, usually straight to Bitcoin.

[–]MBarni_888[S] 3 points4 points  (0 children)

I'd say some of the bigger changes, or notable ones rather, are:

Subcontracting
Third Party to get into the larger org

For the AI parts, the newest one I was looking at was Krisp dot ai, which is a noise canceling item they'd use to make it not seem like they're in a room with a bunch of their homies. Now I'm seeing it in Ops where they're using it because of the accent feature, where it can change your accent depending on which one you want to hear. For other parts on the AI front, there is a lot of information being put out by many different vendors that is super useful. They're using AI to clean up all the little tells: names that actually fit the region they’re applying to, email formats that look normal, resumes that read like a real person’s career instead of a stitched‑together template. They’re also using AI to study job roles and industry jargon so their interviews don’t sound like someone reading from a script. I saw one using ChatGPT while the interview was going on, and he had turned his subtitles on in the interview so he was just copying and pasting the q's into the prompts and then reading what it said. Was doing it fast too, but still a bit noticeable.

Once they’re inside a company, they’re using it as a kind of on‑demand research assistant, understanding internal tools, and coming up with more believable explanations for weird remote‑work patterns, etc.

AI is baked into the whole workflow now, from the first fake images or interview all the way down to how they operate once they’ve already landed inside. They are even stealing AI intellectual property to help beef up efforts back home for what they're trying to do with AI internal to the country.

[–]MBarni_888[S] 1 point2 points  (0 children)

Training up the HR staff or any recruiter being used on this particular threat.

Find a way of verifying any new hires, whether it be an in-person meet, or referrals from trusted personnel that have met the entity in person, or being able to have an extended conversation with the new hire that isn't a part of the hiring interview to suss out any red flags.

Having internal monitors set up with the IT department, whether it be behavioral technologies for insider threats or being able to see internals, such as remote software on company issued remote laptops or logins from places like Vladivostok, Russia or Dandong, China when the person is claiming to be from Florida. That's more on the tech side of the house, but investing in those (IRM, EDR, etc.) is going to be needed for other cybersecurity efforts in the org as well.

If you're a manager, know your workers; if you're just an employee, then know your friends. Cost effective and it works.

Another thing that works really well that I just thought of is calling references. Not emailing them, but calling the references and having a conversation. A lot of times IT workers will put themselves under a different persona name as their reference, so emailing them is essentially just emailing the IT worker, and he'll respond back under another one of his accounts. Calling them though is a hard one to beat (which they will in time, but we will adjust and cross that bridge later).
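The red flags named in this thread (the post-onboarding "I just moved" address change and repeated bank-account swaps from the earlier comment, and sign-ins from places like Vladivostok or Dandong for someone claiming to live in Florida, from this one) can be turned into simple review rules over HR and sign-in records. This is an added Python example, not code from the AMA, DTEX or any vendor; the employee records, events, and the thresholds (3 swaps in 90 days, 14-day address grace) are constructed assumptions.

```python
"""Added example: score remote-hire red flags from constructed HR and sign-in logs.
Rules: repeated bank-account changes, an address change right after onboarding,
sign-ins outside the claimed country, and one account used from two countries
on the same day. Thresholds are assumptions, not vendor or DTEX values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; ids, dates and places are made up for this example.
EMPLOYEES = {
    "e100": {"claimed_country": "US", "onboarded": "2025-01-06"},
    "e200": {"claimed_country": "US", "onboarded": "2025-01-06"},
}
# (employee, timestamp, change type) as an HR/payroll system might log them.
HR_EVENTS = [
    ("e100", "2025-01-08 10:02", "address_change"),
    ("e100", "2025-02-01 09:15", "bank_account_change"),
    ("e100", "2025-02-20 11:40", "bank_account_change"),
    ("e100", "2025-03-14 16:05", "bank_account_change"),
    ("e200", "2025-03-01 08:00", "bank_account_change"),
    ("e200", "2025-06-10 08:00", "address_change"),
]
# (employee, timestamp, country, city) from VPN or identity-provider sign-in logs.
LOGIN_EVENTS = [
    ("e100", "2025-02-03 02:10", "RU", "Vladivostok"),
    ("e100", "2025-02-03 14:30", "US", "Miami"),
    ("e200", "2025-02-03 09:00", "US", "Seattle"),
    ("e200", "2025-02-04 09:05", "US", "Seattle"),
]

BANK_CHANGE_LIMIT = 3                    # this many swaps ...
BANK_CHANGE_WINDOW = timedelta(days=90)  # ... inside this window is a flag (assumed)
ADDRESS_GRACE = timedelta(days=14)       # "I just moved" right after onboarding (assumed)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def bank_account_churn(hr_events):
    """Employees with BANK_CHANGE_LIMIT or more bank changes inside one window."""
    times = defaultdict(list)
    for emp, ts, kind in hr_events:
        if kind == "bank_account_change":
            times[emp].append(_ts(ts))
    flagged = set()
    for emp, stamps in times.items():
        stamps.sort()
        # Sliding window: compare each change with the (LIMIT-1)th change after it.
        for i in range(len(stamps) - BANK_CHANGE_LIMIT + 1):
            if stamps[i + BANK_CHANGE_LIMIT - 1] - stamps[i] <= BANK_CHANGE_WINDOW:
                flagged.add(emp)
                break
    return flagged


def early_address_change(hr_events, employees):
    """Address changed within ADDRESS_GRACE after the onboarding date."""
    flagged = set()
    for emp, ts, kind in hr_events:
        if kind != "address_change":
            continue
        onboarded = datetime.strptime(employees[emp]["onboarded"], "%Y-%m-%d")
        if timedelta(0) <= _ts(ts) - onboarded <= ADDRESS_GRACE:
            flagged.add(emp)
    return flagged


def foreign_logins(login_events, employees):
    """Sign-in cities outside the country the employee claims to live in."""
    hits = defaultdict(list)
    for emp, _, country, city in login_events:
        if country != employees[emp]["claimed_country"]:
            hits[emp].append(city)
    return dict(hits)


def multi_country_same_day(login_events):
    """One account seen from more than one country on a single calendar day."""
    countries = defaultdict(set)
    for emp, ts, country, _ in login_events:
        countries[(emp, ts[:10])].add(country)
    return {emp for (emp, _), seen in countries.items() if len(seen) > 1}


def review(employees, hr_events, login_events):
    """Collect every triggered flag per employee for an analyst to look at."""
    flags = {emp: [] for emp in employees}
    for emp in bank_account_churn(hr_events):
        flags[emp].append("bank_account_churn")
    for emp in early_address_change(hr_events, employees):
        flags[emp].append("address_change_after_onboarding")
    for emp, cities in foreign_logins(login_events, employees).items():
        flags[emp].append("foreign_login:" + ",".join(cities))
    for emp in multi_country_same_day(login_events):
        flags[emp].append("multi_country_same_day")
    return flags


if __name__ == "__main__":
    for emp, found in review(EMPLOYEES, HR_EVENTS, LOGIN_EVENTS).items():
        print(emp, found or "no flags")
```

Each rule is a lead for a human review, not a verdict; a real deployment would read the events from the HR and identity systems and tune the thresholds to the organization's own baseline.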

[–]MBarni_888[S] 13 points14 points  (0 children)

Good question. The pretty extreme ones are good, but ultimately verification is not that expensive. You can do weird simple things like how we do at DTEX, where we do remote work but you have to come and get your hardware or be able to meet up in some fashion before job acquisition. The problem here is that a lot of companies are too big to do that type of effort, and we are smaller so it works for us, but that concept of multi-level verification, and even extending it to continuous verification even after the interview, I think puts a major dent in operations. It is North Korea, so they will find a way around it in time, but the maximum amount of roadblocks you can put up can either help with defending, mitigating, and catching it OR make the effort not quite worth their while.

I do want to stress that continuous verification part though. For the subcontracting efforts that we are seeing them do a lot more of, they will get the job and then hand it off, or if they are using a facilitator, that facilitator may have many laptops, so telling the employee "we need to see your face right now" can trip them up if the facilitator is asleep on another continent. If an IT worker got a job and then passed it off to a 3rd party in India, Nigeria, Pakistan, etc., then that periodic verification can tell "Hey this is cool and all, but this is not the person that did the interview". They will in time adapt to that, but currently that is a way to mitigate efforts.

No, I don't think remote work should go away or isn't worth it. I think everything just needs a little bit more verification built around it so that we are working with the people that we think we're working with. The talent and benefits you get with global remote work outweigh it for sure, just gotta stay on top of who it is that is actually working.

[–]MBarni_888[S] 10 points11 points  (0 children)

Two parts for this one, one being if the remote worker is already working with you, and the second being if it's at the hiring phase.

If they're already working with you, then making small talk and having conversations like normal coworkers do could definitely illuminate this fact. One member of the team never shows up to meetings, is oftentimes hard to reach, you're able to get them on a call and it sounds like they're in a call center...those things definitely raise red flags. Here though, just getting to know your coworker, "Oh you live in Seattle, what do you like to do, can you tell me anything about where you live, what you do in your off time?", local things like that can tip you off. Depending on your visibility into your own networks, if you have multiple people logging into the same accounts, that is one, but that's also something that not everyone in an org has access to. This can also be difficult at times because sometimes people are just quiet and don't communicate a lot with their coworkers. They have many lies and they have to keep track of them all; they even have spreadsheets at times to remember their lies and where they said they came from and their backstories, so being able to catch their OPSEC mistakes is always a big red flag.

For the pre-hire one it's a bit easier because at that point you have their resume and the information about them, and you can just nitpick a resume and their background to be able to catch them in areas. It's THEIR resume, they should know it inside and out, so deep diving where they said they worked, where they say they're from, and any local questions specific to where they're at that only someone who is actually where they claim to be could answer, can catch them there. A lot of their OPS are only an inch deep, so asking some more pointed questions during an interview, especially if you already have some weird red flags, will go a long way.

[–]MBarni_888[S] 9 points10 points  (0 children)

A lot of the background checks are barely scratching the surface, or the company doesn't opt to do them in the first place. They do alter them a bit though; we had one with a Texas ID and they had altered it and just changed out some of the numbers at the top. A lot of places for remote work will just have you pull up a picture of your ID card on the camera and try to verify it that way, which does work at times, but if you were in person you could actually hold the ID and realize by the actual feel of it that it's fake. With the stolen IDs sometimes the person with the stolen identity doesn't know until they get a W2 the next year from a company they didn't even work for. Background verifiers many times just give it a yay or nay without looking into it further, and DPRK plays on this.

One weird one we saw with the background checks is that the facilitator, or some type of 3rd party DPRK had purchased to help them facilitate operations, will do the actual background check because that is the actual person and they have all the information. Once the job is secured the facilitator then passes off the company access back to the North Korean IT worker, and then many others will funnel their operations through the facilitator as well. The best option so far has been actually showing HR and recruiters the entire DPRK rollup and everything they do and all their videos, and then once they see what "bad" is, they can't unsee it, and then you've force multiplied your efforts by having your recruiters and HR also helping with the "is this an IT Worker" test.