Digital Parasites

Amazon blocked 1,800 fake IT worker applications last year. All traced back to North Korea.

These weren't sloppy attempts. We're talking stolen identities, fabricated work histories, polished LinkedIn profiles with verified badges - everything you need to play mole.

DPRK operatives are applying for remote developer jobs at Western companies - then drawing salaries, accessing codebases, and exfiltrating data for months before anyone even notices.

Over 300 U.S. companies have unknowingly hired them. Hundreds of Fortune 500 names on the list.

The scheme has evolved. The FBI recently warned that these operatives now exfiltrate proprietary code and hold it hostage, demanding ransom from former employers. When victims refuse to pay, the data gets leaked.

Think about what that means. Your new remote developer aces the technical interview. Passes the background check. Ships clean code for weeks.

Meanwhile, they're copying your repositories to personal cloud accounts, harvesting credentials, and mapping your infrastructure - all while collecting a paycheck that funds weapons programs.

When the insider threat is the entire point of the employment, what exactly are you screening for?

Credit: SecurityWeek, The Hacker News, Fortune, CoinDesk, Infosecurity Magazine, DTI, Crowell, Picus, Unit 42, The Record, Microsoft, Media Defense, CISA, US Senate Commerce Committee, NextGov, Tayvano, Outpost 24, Bitdefender, Sygnia, Chainalysis

Picus Labs dropped their Red Report 2026 recently. They analyzed over 1.1 million malware samples and mapped 15.5 million adversarial actions from 2025.

The headline finding sounds like good news: Ransomware encryption dropped 38% from 2024 to 2025.

Look closer and the picture darkens. Attackers aren't encrypting less because they're losing. They're encrypting less because they found something better.

Credential theft from password stores now appears in 23.49% of all attacks. 80% of top techniques focus on stealth, persistence, and evasion.

Picus calls this new breed "Digital Parasites." They don't detonate. They don't announce themselves. They move in, feed on credentials and access, and remain invisible for as long as possible.

Taylor Monahan, security researcher at MetaMask who tracks DPRK operations obsessively, put it simply: "To date, we have never seen DPRK do, like, a real exploit. It's always: social engineering, and then compromise the device, and then compromise the private keys."

No code exploits required. Just patience, deception, and time.

If the most dangerous attackers have stopped trying to break your systems and started trying to become them, what does defense even look like anymore?

The Residents

In January 2024, former FBI Director Christopher Wray told Congress that Chinese cyber operations represented "the defining threat of our generation."

He wasn't talking about ransomware. He was talking about ghosts.

Volt Typhoon was a Chinese state-sponsored operation that quietly embedded itself in U.S. critical infrastructure networks for years before being exposed.

Utility networks, communications, transportation systems, and more. All compromised.

The attackers relied on built-in administrative tools already present on their targets - PowerShell, WMI, and standard command-line utilities - to blend in with normal activity and minimize detectable malicious behavior.

They supplemented this with custom backdoors like SockDetour, designed to maintain persistence as a backup if their primary access was removed. They proxied traffic through compromised home routers and targeted end-of-life devices that vendors stopped patching years ago.

Living off the land. Invisible by design.

CISA's advisory made the intent clear: Volt Typhoon wasn't stealing secrets. They were pre-positioning - embedding themselves deep enough to disrupt operations whenever Beijing decided the time was right.

Then came Salt Typhoon. At least nine U.S. telecom providers breached, including AT&T, Verizon, T-Mobile, and Lumen.

The attackers exploited CALEA systems - the wiretapping infrastructure that law enforcement agencies rely on.

They intercepted calls and texts from targets including members of both presidential campaigns. Eighty countries affected. The FBI notified over 600 organizations.

Senator Maria Cantwell's post-mortem landed like an indictment: investigators found routers with security patches available for seven years that were never applied.

As of February 2026, experts believe the attack still hasn't been fully remediated - and reports indicate Salt Typhoon hackers may still be inside U.S. telecommunications networks.

Five years of access. Zero detection. The only reason we know about Volt Typhoon is because someone finally looked.

Nation-states perfected the art of digital residency.

China optimizes for geopolitical leverage. Other nation-states optimize for something simpler - money.

If they can live inside power grids and telecom networks for years undetected - what makes you think your treasury is any different?

They Could Be on Your Payroll

DPRK figured out something elegant: why hack systems when you can just get hired?

They're not just getting hired by you. They're hiring you.

Contagious Interview has been running since 2023. DPRK operatives pose as recruiters from legitimate crypto companies, reach out on LinkedIn with dream job offers, and walk candidates through fake interview processes.

One interview round requires a technical assessment. Clone this GitHub repo. Run npm install.

The repo contains BeaverTail or InvisibleFerret - malware that opens a backdoor, steals browser credentials, and drains any crypto wallets it can find. Candidates execute the payload themselves, eager to impress an interviewer who doesn't exist.

Taylor Monahan has been tracking DPRK using a fake Zoom/Teams variant for months.

Attackers hijack a trusted Telegram account - often a VC or someone the target met at a conference - then use existing chat history to schedule a video call via a Calendly link.

The victim joins and sees what looks like live video of their contact.

It's looped footage pulled from real hack recordings or public sources like podcasts, not deepfakes. Low-tech, yet brutally effective.

When audio issues appear, the "interviewer" asks the victim to download a patch. That patch is the payload.

"They've stolen over $300 million via this method already," Monahan posted in December. "DPRK threat actors are still rekting way too many of you via their fake Zoom / fake Teams meets."

The tactics keep evolving. Kaspersky documented cases where DPRK operatives recorded victims' webcam footage during initial compromises, then reused that footage to deceive the next target - turning each victim into unwitting bait for the next.

The symmetry is almost elegant. They infiltrate your org by getting hired. They compromise individuals by offering to hire them. Both ends of the employment pipeline, weaponized.

When the attacker is on your payroll, what's left to screen for?

Ghost in the Wires

The malware is learning patience too.

LummaC2, one of 2025's most prevalent infostealers, now uses trigonometry to decide whether it's being watched.

The malware samples five mouse positions, computes the displacement vectors between consecutive positions, and measures the angle at each turn. Humans move in curves. Sandbox automation moves in straight lines.

If any angle exceeds 45 degrees - too sharp, too mechanical - LummaC2 restarts its detection loop. It waits. It knows that doing nothing is the best way to survive analysis.

Inaction as evasion. Silence as strategy.
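As an added illustration (not code from the article or from any vendor report), here is the angle heuristic described above reproduced in Python, so a sandbox engineer can check whether their mouse-emulation path would trip a check of this kind. The sample paths are constructed, not captured telemetry, and the 45-degree threshold is the figure the article cites.

```python
import math
from typing import List, Tuple

Point = Tuple[float, float]

# Constructed sample paths (not captured telemetry).
HUMAN_PATH: List[Point] = [(100, 100), (120, 108), (142, 118), (166, 130), (192, 144)]
SANDBOX_PATH: List[Point] = [(100, 100), (400, 100), (100, 300), (400, 300), (100, 500)]
IDLE_PATH: List[Point] = [(5, 5)] * 5


def vector_angles(points: List[Point]) -> List[float]:
    """Angle in degrees between each pair of consecutive displacement vectors.

    Callers must pass positions that actually move; a zero-length vector has
    no direction, so classify() screens those out first.
    """
    vecs = [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]
    angles = []
    for (x1, y1), (x2, y2) in zip(vecs, vecs[1:]):
        n1, n2 = math.hypot(x1, y1), math.hypot(x2, y2)
        # Clamp guards against acos() domain errors caused by float rounding.
        cos_t = max(-1.0, min(1.0, (x1 * x2 + y1 * y2) / (n1 * n2)))
        angles.append(math.degrees(math.acos(cos_t)))
    return angles


def classify(points: List[Point], threshold: float = 45.0) -> str:
    """Apply the heuristic to a run of sampled cursor positions.

    Returns "idle" if the cursor never moved between two samples (nothing to
    measure, so the check cannot pass), "automation" if any turn is sharper
    than the threshold, and "human" otherwise.
    """
    if len(points) < 3:
        raise ValueError("need at least three positions to form an angle")
    if any(a == b for a, b in zip(points, points[1:])):
        return "idle"
    sharp_turn = any(angle > threshold for angle in vector_angles(points))
    return "automation" if sharp_turn else "human"


if __name__ == "__main__":
    for name, path in [("curved", HUMAN_PATH), ("jumpy", SANDBOX_PATH), ("idle", IDLE_PATH)]:
        verdict = classify(path)
        turns = [round(a, 1) for a in vector_angles(path)] if verdict != "idle" else []
        print(f"{name:>7}: {verdict:<10} turns={turns}")
```

The gently curving path yields turns of a few degrees and passes as human, while the path that jumps between far-apart points produces turns above 140 degrees and is flagged; an emulator that never moves the cursor at all never satisfies the check, which is why the malware simply waits.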

Bitdefender's analysis of 700,000 security incidents showed 84% of high-severity attacks involved living-off-the-land techniques. Attackers using your own tools against you, generating no alerts, triggering no signatures, looking exactly like legitimate administration.

The old threat model assumed attackers wanted to break things. Ransomware confirmed the breach. The locked screen was proof of compromise. Painful, expensive, but at least you knew.

Digital parasites offer no such clarity.

They want your credentials, your access, your trust. They want to become indistinguishable from normal operations. Volt Typhoon sat in power grids for five years. DPRK operatives draw salaries for months before pivoting to extortion. Lazarus Group spent seventeen days inside Safe{Wallet}'s infrastructure before extracting $1.5 billion.

None of them needed to announce themselves. They just needed time.

Detection is getting faster for the loud attacks. Median ransomware dwell time dropped to seven days.

But nation-state campaigns? Volt Typhoon measured dwell time in years, not days.

The parasite model works because it's quieter than every alarm we've built.

So what now?

The industry spent a decade perfecting smart contract audits.

Formal verification. Bug bounties with seven-figure payouts. We got very good at finding reentrancy vulnerabilities and flash loan attack vectors.

Meanwhile, DPRK kept walking through the front door wearing a fake mustache and a decent resume.

$6.75 billion stolen by the end of 2025. Not through code exploits - through people. Compromised developers, stolen credentials, patient social engineering, and remote workers who passed every technical interview. Seventy-six percent of all crypto service compromises in 2025 traced back to DPRK operations.

We armored the vault. We left the locksmith standing in an open field.

The parasites survive because they're quieter than every alarm we've built.

Somewhere right now, a developer at a company adjacent to a protocol you trust has already opened the wrong file. A contractor with a perfect GitHub history is already inside a team Slack.

A vendor's vendor's employee is already wondering why their AWS session tokens aren't working quite right.

The countdown started weeks ago. Nobody's noticed yet.

We obsessed over trustless systems and forgot that humans still build them. Code gets three audits. People get a LinkedIn check and a technical screen.

Digital parasites don't need to exploit your code. They just need us to keep hiring them, trusting them, and assuming the threat is somewhere out there instead of already inside.

Who's on your payroll right now that you've never actually met?


REKT serves as a public platform for anonymous authors; we disclaim responsibility for the opinions and content hosted on REKT.