Tools of the Trade: Infrastructure Behind DPRK IT Workers

Sales Engineer, Silent Push

This talk explores the infrastructure, tools, and tactics behind North Korean IT workers and threat groups such as Contagious Interview and TraderTraitor, with a focus on real-world campaigns targeting cryptocurrency platforms, developers, and financial organizations. The session begins by detailing the setup process used by these actors, including the creation of convincing personas and the use of proxy networks, VPNs, and static IP infrastructure to mask their origin. It also highlights how these personas engage in social engineering to gain employment or freelance work, making use of AI-generated content, public resume builders, and shared internal documents designed to help them navigate interviews and hiring platforms.

We then examine infrastructure reuse, metadata overlaps, and unique patterns across malware-hosting domains to illustrate how these campaigns can be tracked and clustered. Additional attention is given to software linked to DPRK actors and used internally to monitor or support IT workers, providing defenders with signals that may indicate ongoing or past compromise.

Attendees will leave with a deeper understanding of how DPRK IT operations function, along with actionable intelligence for identifying, tracking, and mitigating associated risks across both technical and human layers.

Drawing on recent examples, the session examines infrastructure reuse, metadata overlaps, and indicators from malware-hosting domains. Additional software linked to DPRK actors and used internally to support these workers is also highlighted to help identify potential ITW activity.

Attendees will leave with actionable intelligence for detecting, tracking, and mitigating risks posed by DPRK IT operations and their associated tooling and infrastructure.