Sunday, 19 April 2026

SecTor 2025 | Unmasking a North Korean IT Farm

This session exposes a real-world covert remote-control system developed by a North Korean IT worker operating undetected within a legitimate organization. The forensic investigation revealed a sophisticated ecosystem that leveraged Address Resolution Protocol (ARP)-based payload delivery, WebSockets for stealthy command and control, and Zoom for covert persistence and remote access.

Through technical analysis and a live attack demo, we'll unpack how the attacker:

- Built an advanced C2 infrastructure using WebSockets to control infected machines.
- Used ARP packets as a payload transport mechanism, embedding commands inside network traffic and executing them without traditional TCP/IP communication.
- Weaponized Zoom as a Remote Access Trojan (RAT), launching meetings without user interaction and auto-approving remote-control access via HID injection techniques.
- Covertly executed commands through a Python script that emulated keystrokes and mouse movement, bypassing endpoint logging.
- Enabled remote execution through a command client that persistently reconnected to the C2 while the user was active.

By reverse-engineering the threat actor's toolkit, the investigation uncovered previously undocumented techniques for network protocol abuse and application-layer persistence. In this session, we'll not only highlight how these tactics were deployed but also how defenders can detect and disrupt them before they escalate into full-scale espionage. Attendees will leave with a deeper understanding of offensive tradecraft and practical strategies for detection, threat hunting, and forensic response.

By: Avi Sambira | Director, Client Leadership, Sygnia

Full Presentation Materials Available at: https://ift.tt/oNFdtXM
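One defender-side check for the ARP transport described above, written as an added example (not code from the session or from Sygnia): an Ethernet/IPv4 ARP body is 28 bytes and the only legitimate trailer is all-zero padding up to the 60-byte minimum frame, so any non-zero or oversized trailer is bytes that ARP itself never uses. The sample frames, MAC and IP addresses below are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806
MIN_FRAME_LEN = 60  # smallest Ethernet frame without FCS; short payloads are zero-padded to it

def analyze_arp_frame(frame: bytes):
    """Return a finding dict for an ARP frame, or None if the frame is not ARP.
    A benign Ethernet/IPv4 ARP body is 28 bytes; the sender zero-pads the frame to
    60 bytes. Any other trailer (non-zero bytes, or more bytes than padding
    needs) is not ARP and is where a covert transport would carry data."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:]
    if len(arp) < 8:
        return {"verdict": "malformed", "trailer": b""}
    _htype, _ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    body_len = 8 + 2 * hlen + 2 * plen  # 28 for hlen=6, plen=4
    if len(arp) < body_len:
        return {"verdict": "malformed", "trailer": b""}
    trailer = arp[body_len:]
    pad_allowed = max(0, MIN_FRAME_LEN - 14 - body_len)
    oversized = len(trailer) > pad_allowed  # longer than padding could explain
    nonzero = any(trailer)                  # padding must be all zeros
    verdict = "suspicious" if (oversized or nonzero) else "benign"
    return {"verdict": verdict, "trailer": trailer,
            "oversized": oversized, "nonzero_trailer": nonzero}

def scan_frames(frames: list) -> list:
    """Run the check over captured frames and return only the non-benign ones."""
    findings = []
    for i, frame in enumerate(frames):
        result = analyze_arp_frame(frame)
        if result and result["verdict"] != "benign":
            findings.append({"index": i, **result})
    return findings

def build_arp_frame(trailer: bytes) -> bytes:
    """Constructed sample: broadcast ARP request from 192.0.2.10 asking for 192.0.2.1."""
    src_mac = bytes.fromhex("020000000001")
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + src_mac + bytes([192, 0, 2, 10])
           + b"\x00" * 6 + bytes([192, 0, 2, 1]))
    return eth + arp + trailer

# Constructed captures: a normal zero-padded request, one whose padding carries data, one oversized.
SAMPLE_FRAMES = [
    build_arp_frame(b"\x00" * 18),
    build_arp_frame(b"CONSTRUCTED-SAMPLE"),  # 18 bytes, but not zeros
    build_arp_frame(b"\x00" * 58),           # 100-byte frame, all-zero trailer
]
```

Feed `scan_frames` the raw frames from a capture (for example a pcap read with a library of your choice) and review the trailer bytes of each finding; false positives from NICs that pad with non-zero bytes can be baselined per driver.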

source https://www.youtube.com/watch?v=wUQJ5pjZDgo
