Threat Hunting the DPRK's Remote Workers
Unmasking North Korea’s Stealthy Remote‑Access Tradecraft
Remote work was supposed to liberate us from the daily commute and give us flexibility. Instead, it dissolved the corporate perimeter and handed adversaries a gift: home routers, personal VPNs, and that smart doorbell nobody has patched since 2019. North Korean APT groups have been exploiting these gaps since 2020, and their tactics keep getting slicker.
When Politico starts posting write-ups about a challenge, you know that a security issue has gone mainstream. What was anecdotal has become pervasive, and (in particular) the US tech industry has a North Korean remote worker problem.
Since we’ve been on a bit of an actionable threat hunting kick recently, let’s go hunting again. This week’s write-up will first tee up our adversary (some history and context never hurt), then run through five different threat hunting scenarios that you and your team can take to heart.
North Korea's Playbook Evolution (2020-2025)
The Early Days: Credential Drip Campaigns (2020-21)
DPRK actors figured out that hammering login portals with brute-force attacks was like using a sledgehammer in a library; it’s effective, but everyone notices. Instead, they switched to "credential dripping": just a few VPN login attempts per day, staying under lockout thresholds.
They paired this with MFA-fatigue attacks, bombarding users with push notifications until someone finally clicked "approve" just to make it stop. Once inside, they lived quietly off PsExec and PowerShell, tools admins use every day. This is an effective playbook that blends in well with existing enterprise behavior and uses Windows Sysinternals to great effect.
Living Off the Land (2022-23)
As VPN portals hardened, they adapted. Compromise a workstation through phishing, then spin up persistent RDP tunnels using legitimate service accounts. These sessions looked like routine admin work unless you had forensic-level logging on every RDP connection, which most companies didn't.
The beauty (from their perspective) was the signal-to-noise ratio (we’ve talked about this before). Legitimate RDP traffic is everywhere in enterprise environments. Finding the malicious needles in that haystack requires careful detection engineering and a keen eye for anomalous behavior.
Supply Chain & Crypto Pivot (2024-25)
Here's where things got interesting. North Korea is no stranger to crypto theft (as discussed previously on this Substack). In February 2025, North Korean hackers stole approximately $1.5 billion in cryptocurrency from the Bybit exchange, the largest crypto theft in history.
And they beat their own record. According to blockchain analysis firm Chainalysis, North Korean hackers stole $1.34 billion across 47 incidents in 2024, an over 100% increase from 2023's ~$660 million. The dynamism and elegance of these compromises need to be recognized. This is nation-state tradecraft at its most nefarious. Subtle, direct and effective. Authenticated sessions, signed binaries, legitimate admin tools...signature-based defenses are essentially useless here, and I'd be willing to guess a lot of modern tooling would struggle as well.
Five Splunk Hunts for DPRK Remote-Access Tactics
Since we’ve been on a bit of a hunting kick recently on this Substack…what better thing to do than fire up a few threat hunts that target common behaviors observed in DPRK campaigns?
Today, we're going hunting for DPRK-like activity in our environments. Note that all of these hunts will most likely require tuning for your environment and field name adjustments. These are all example hunts in Splunk's Search Processing Language (SPL).
Prerequisites, really quick: You'll need VPN logs (Palo Alto or equivalent), Windows Security events with process auditing turned on, RDP logon events, MFA logs from Okta or similar, and endpoint detection with file creation events. Oh, and you'll need to maintain a service account inventory CSV file…more on that below. Most importantly, don't just fire these off blindly. Build baselines first or you'll drown in false positives.
Don’t have Splunk? No worries! Take the hypothesis, "why this matters" and "reality check" sections of each hunt and apply them to your own tech stack. The whole point of these is to inspire action and harden your organization.
Ok, disclaimers aside...let's go hunting!
1. VPN Heartbeat Beaconing
Hypothesis: Legitimate users don't connect to VPNs in perfect 10-15 minute intervals like a metronome. Legitimate users are more random and sporadic (dare I say impatient?).
Query:
index=vpn_logs sourcetype="pan:log" action="session_start"
| sort 0 _time
| streamstats current=f last(_time) as prev_time by src_ip, user
| eval interval=_time-prev_time
| where isnotnull(interval)
| stats count avg(interval) as avg_interval stdev(interval) as stdev_interval by src_ip, user
| where count>=8 AND avg_interval>=600 AND avg_interval<=900 AND stdev_interval<60
Why this matters: DPRK actors use automated tools to maintain persistent VPN presence without triggering daily login limits. This beaconing pattern is how they keep one foot in your door 24/7 without detection. Once you tune out the noise, this hunt reveals accounts that aren't just compromised, they're being actively managed by threat actors who need constant access for ongoing operations.
Reality check: You'll get false positives from monitoring tools and automation. Build a baseline first, then tune thresholds. Consider excluding known service IPs.
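The same inter-arrival test, as an added stand-alone example that is not part of the original post, run over constructed session_start records: a source whose gaps sit in the 10-15 minute window with almost no jitter is the "metronome" the hypothesis describes. The record layout, the sample values and the thresholds (min_intervals, lo, hi, max_jitter) are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed sample records: (epoch seconds, src_ip, user). "ops_bot" starts a
# session every 900 s like a metronome; "alice" reconnects at irregular, human gaps.
SAMPLE_EVENTS = (
    [(1_700_000_000 + 900 * i, "203.0.113.7", "ops_bot") for i in range(10)]
    + [(1_700_000_000 + t, "198.51.100.9", "alice")
       for t in (0, 400, 3100, 3900, 9000, 9700, 15000, 15100, 22000, 23500)]
)


def find_beacons(events, min_intervals=8, lo=600, hi=900, max_jitter=60):
    """Return {(src_ip, user): (avg_gap, jitter)} for sources whose session_start
    gaps average between lo and hi seconds with a sample stdev below max_jitter.
    Thresholds are assumptions; tune lo/hi/max_jitter to your own baseline."""
    by_key = defaultdict(list)
    for ts, src_ip, user in events:
        by_key[(src_ip, user)].append(ts)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < min_intervals:       # too few sessions to call it a pattern
            continue
        avg, jitter = mean(gaps), stdev(gaps)
        if lo <= avg <= hi and jitter < max_jitter:
            hits[key] = (avg, jitter)
    return hits


if __name__ == "__main__":
    for (ip, user), (avg, jitter) in find_beacons(SAMPLE_EVENTS).items():
        print(f"{user}@{ip}: avg gap {avg:.0f}s, jitter {jitter:.1f}s")
```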
2. Off-Hours PowerShell Activity
Hypothesis: Normal users aren't running reconnaissance scripts at 3 AM.
Query:
index=security sourcetype="WinEventLog:Security" EventCode=4688
(New_Process_Name="*powershell.exe" OR New_Process_Name="*cmd.exe")
Account_Name!="*$"
| eval hour=tonumber(strftime(_time,"%H"))
| where hour<6 OR hour>22
| stats count values(Process_Command_Line) as commands by Account_Name, ComputerName
| where count>3
Why this matters: When DPRK actors gain initial access, they immediately start reconnaissance to understand your environment. They do this during off-hours when SOC staffing is minimal and activity is less likely to be noticed. This hunt catches them mapping your network topology, enumerating privileges, and identifying high-value targets before they move laterally. It's your early warning system before the real damage begins.
Reality check: Night shift workers and global teams will trigger this. Also, automatic Windows updates love to run PowerShell at weird hours. You'll need allow-lists.
3. Service Account RDP Anomalies
Hypothesis: Service accounts shouldn't be logging into workstations interactively.
Query:
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| lookup service_accounts.csv Account_Name OUTPUT service_account_flag
| where isnotnull(service_account_flag)
| stats count dc(ComputerName) as unique_hosts by Account_Name
| where count>15 OR unique_hosts>5
Why this matters: This is how DPRK actors pivot through your environment after initial compromise. They steal service account credentials and use RDP to tunnel from system to system, maintaining persistence while moving toward high-value targets. Service accounts accessing multiple workstations interactively is almost never legitimate—it's a smoking gun for lateral movement that traditional network monitoring might miss.
Reality check: This hunt is only as good as your service account inventory. Maintain that CSV file religiously, or prepare for alert fatigue.
4. MFA Push Notification Spam
Hypothesis: Users getting bombarded with MFA prompts, then suddenly succeeding, suggests compromise.
Query:
index=auth sourcetype="okta:logs"
(eventType="user.authentication.auth_via_mfa" OR eventType="user.authentication.mfa_failure")
| eval result=if(match(eventType,"failure"),"fail","success")
| sort 0 _time
| streamstats count(eval(result=="fail")) as fails reset_after="(result==\"success\")" by user
| where result=="success" AND fails>=3
| table _time user fails client.ipAddress
Why this matters: MFA fatigue attacks are DPRK's primary method for initial access when they can't find unpatched vulns. They've weaponized user psychology: bombard someone with 50+ push notifications and eventually they'll approve one just to make it stop. This hunt identifies the exact moment when a user caves to the pressure, giving you a precise timestamp for when the threat actor gained access.
Reality check: Some users are just forgetful with their phones. Consider setting the threshold at 5+ failed attempts before alerting.
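The streaming counter behind this hunt, as an added example that is not from the original post: per user, count consecutive failures, check the count at the next success, then clear it (the equivalent of streamstats with reset_after). The Okta-style sample events below are constructed, and the event type strings, field layout and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample, already in chronological order. "bob" rejects three pushes
# and then approves; "carol" rejects once and approves; "dave" only approves.
SAMPLE_EVENTS = [
    {"ts": "09:01:10", "user": "bob",   "eventType": "user.authentication.mfa_failure", "ip": "203.0.113.5"},
    {"ts": "09:01:40", "user": "carol", "eventType": "user.authentication.mfa_failure", "ip": "198.51.100.2"},
    {"ts": "09:02:05", "user": "bob",   "eventType": "user.authentication.mfa_failure", "ip": "203.0.113.5"},
    {"ts": "09:02:30", "user": "carol", "eventType": "user.authentication.auth_via_mfa", "ip": "198.51.100.2"},
    {"ts": "09:03:00", "user": "bob",   "eventType": "user.authentication.mfa_failure", "ip": "203.0.113.5"},
    {"ts": "09:03:25", "user": "dave",  "eventType": "user.authentication.auth_via_mfa", "ip": "192.0.2.8"},
    {"ts": "09:03:50", "user": "bob",   "eventType": "user.authentication.auth_via_mfa", "ip": "203.0.113.5"},
]


def mfa_fatigue_alerts(events, threshold=3):
    """Return (ts, user, fails, ip) for every success preceded by at least
    `threshold` consecutive failures for that user. The per-user counter is
    cleared after each success, like streamstats ... reset_after="(result==\"success\")"."""
    fails = defaultdict(int)
    alerts = []
    for ev in events:  # events must already be in ascending time order
        result = "fail" if "failure" in ev["eventType"] else "success"
        if result == "fail":
            fails[ev["user"]] += 1
            continue
        if fails[ev["user"]] >= threshold:
            alerts.append((ev["ts"], ev["user"], fails[ev["user"]], ev["ip"]))
        fails[ev["user"]] = 0  # reset_after: the counter clears once a success is seen
    return alerts


if __name__ == "__main__":
    for ts, user, n, ip in mfa_fatigue_alerts(SAMPLE_EVENTS):
        print(f"{ts} {user} approved after {n} failures from {ip}")
```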
5. Entropy Analysis for File Drops
Hypothesis: Packed or encrypted malware has noticeably higher entropy than normal files.
Query:
index=endpoint sourcetype="sysmon" EventCode=11
| where entropy>7.0
| stats count by TargetFilename, Image, ProcessGuid
| where count<5
Why this matters: DPRK actors are masters of evasion. They use custom packers, encryption, and obfuscation to hide their tools from signature-based (and 'next gen') detection. But the math doesn't lie. High entropy files are statistically rare in most environments, and this hunt catches their arsenal of custom malware before it can establish persistence or exfiltrate data. It's one of the few ways to detect unknown tools that haven't been seen by threat intel yet.
Real talk (and reality check): This one generates a lot of noise. Compressed files, encrypted documents, even some legitimate software updates will trigger it. Focus on executables and DLLs initially. Also note that Sysmon's file-create event (ID 11) does not compute entropy itself; the entropy field has to come from your EDR or from an enrichment step that reads the dropped file.
Beyond the Queries: Practical Considerations
These hunts are designed to get the ball rolling, but are by no means comprehensive, nor absolute. Operationalizing and implementing threat hunting takes time. My suggestions would be (in order of operations):
Build Baselines First: Don't just deploy these queries and expect magic. Run them in "monitoring only" mode for 2-4 weeks to understand your normal before hunting for abnormal.
Context Is Everything: A single anomaly means something, but it’s not typically conclusive. Stack these hunts together: VPN anomaly + off-hours PowerShell + new service account activity = time to investigate.
Tune Aggressively: Start with loose thresholds, then tighten based on actual results. Better to have 10 real alerts than 1,000 false positives that train your team to ignore everything.
And now for a bonus round: some operational action items that aren't threat hunting. All the fancy hunting in the world won't help if you don't patch systems, manage privileged accounts, or train users to recognize phishing. Advanced persistent threats exploit basic security failures.
When it comes to remote workers, vet them! The FBI has warned that North Korean IT workers are increasingly infiltrating US companies using false identities to steal data and extort victims. Consider enhanced identity verification for remote hires, including video interviews and background checks.
The Uncomfortable Truth
Alright, so now that we've got hypotheses and hunts, the natural inclination is to run hard and fast at this problem. However, in many situations, it's better to measure twice and cut once (especially with your people's valuable time). Just in case, here’s a summary of everything you need to know in one spot:
Quick references for best practices:
Start small: Pick one hunt, deploy it properly, tune it until it's useful, then move to the next.
Operationalize: Create operational dashboards, not pretty executive summaries that nobody checks.
Have a response plan: a hunt that triggers with no follow-up is security theater (and nightmare fuel).
Keep learning: these threat actors adapt constantly, and so should your detection logic.
There's no silver bullet here. DPRK actors are patient, skilled, and well-resourced. They'll find new ways around whatever defenses you build. The best you can do is make it harder, costlier, and riskier for them to operate in your environment. And of course, when they find a way in, hunt them out.
Happy hunting and as always...
Stay secure and stay curious, my friends.
Damien