Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
🇰🇵 KP4 malware familiesExploits CVEs in the wild

WageMole

Also known asDPRK IT Worker Activitydprk it worker networkDPRK IT Worker OperationsDPRK IT Worker ProgramDPRK IT Worker Schemesdprk_it_workersitwNorth Korean IT Worker SchemesWageMole

WageMole is a North Korea-linked, state-sponsored threat activity cluster associated with the DPRK IT worker scheme. It is tracked as WageMole by ESET, and overlapping activity is also labeled UNC5267 and Jasper Sleet by other researchers. The activity involves operators posing as job seekers and using stolen, fabricated, or synthetic identities to obtain remote employment, particularly at Western companies, including organizations in the U.S. and Europe. Reported objectives include generating revenue for the DPRK regime and gaining footholds inside victim organizations. The cluster uses social engineering and fraudulent recruiting tradecraft, including forged resumes, fake LinkedIn and GitHub profiles, fabricated references, stolen personal data, fake passports and driver’s licenses, and AI-assisted or deepfake-enabled interviews. Reported recruitment and employment platforms include Upwork, Indeed, Freelancer, Telegram, and other job sites. Facilitators have been reported to help with account creation, bank accounts, mobile numbers or SIM cards, identity verification, and laptop farms in the victim’s country, while operators conceal location through VPNs, proxies, RMM tools, and VPS infrastructure. WageMole has been linked to fake front companies used to support recruitment lures and malicious GitHub activity, including DredSoftLabs, MetaMint Studio, MegaMint Studio, and JSoft Labs. Reporting cited in the content attributes DredSoftLabs to WageMole with high confidence and ties the activity to malicious GitHub repositories used in fake coding tests or interview tasks that ultimately deliver BeaverTail or OtterCookie malware. The content also states that WageMole overlaps with the related North Korea-linked activity cluster DeceptiveDevelopment, with ESET reporting that DeceptiveDevelopment appears to hand off stolen victim information to WageMole. Unit 42 distinguishes WageMole from Contagious Interview, describing the latter as malware delivery through fake interviews while WageMole focuses on fraudulent job-seeking and employment infiltration. Targets mentioned in the content include small to mid-sized businesses, Western companies, the U.S. tech sector, and in Europe particularly defense industrial base and government organizations. Reported risks include insider access, sensitive data theft, extortion by recently fired workers, and use of corporate access for further malicious activity.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services
  • Financial Services

Where they're from

Attributed origin per open-source reporting.

  • KP
MITRE ATT&CK

Tradecraft

52 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

14 of 15 tactics60 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
2 techniques
T1589
Gather Victim Identity Information
T1589.001
Credentials
T1598×6
Phishing for Information
TA0042
Resource Development
4 techniques
T1583
Acquire Infrastructure
T1583.001
Domains
T1583.006
Web Services
T1584
Compromise Infrastructure
T1584.001
Domains
T1585×5
Establish Accounts
T1586×2
Compromise Accounts
TA0001
Initial Access
6 techniques
T1078×12
Valid Accounts
T1133
External Remote Services
T1189
Drive-by Compromise
T1195
Supply Chain Compromise
T1195.001
Compromise Software Dependencies and Development Tools
T1199×2
Trusted Relationship
T1566
Phishing
T1566.001
Spearphishing Attachment
T1566.002
Spearphishing Link
T1566.003×3
Spearphishing via Service
TA0002
Execution
2 techniques
T1059
Command and Scripting Interpreter
T1059.001
PowerShell
T1059.005
Visual Basic
T1059.006
Python
T1059.007
JavaScript
T1204
User Execution
T1204.002
Malicious File
TA0003
Persistence
3 techniques
T1078×12
Valid Accounts
T1133
External Remote Services
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
TA0004
Privilege Escalation
3 techniques
T1078×12
Valid Accounts
T1547
Boot or Logon Autostart Execution
T1547.001
Registry Run Keys / Startup Folder
T1611
Escape to Host
TA0005
Stealth
3 techniques
T1027×2
Obfuscated Files or Information
T1036×12
Masquerading
T1078×12
Valid Accounts
TA0006
Credential Access
3 techniques
T1539
Steal Web Session Cookie
T1555
Credentials from Password Stores
T1649
Steal or Forge Authentication Certificates
TA0007
Discovery
2 techniques
T1082
System Information Discovery
T1083
File and Directory Discovery
TA0008
Lateral Movement
3 techniques
T1021×4
Remote Services
T1210
Exploitation of Remote Services
T1534
Internal Spearphishing
TA0009
Collection
2 techniques
T1005
Data from Local System
T1560
Archive Collected Data
TA0011
Command and Control
5 techniques
T1071×2
Application Layer Protocol
T1071.001
Web Protocols
T1090×2
Proxy
T1090.002
External Proxy
T1090.003×2
Multi-hop Proxy
T1105×2
Ingress Tool Transfer
T1219×2
Remote Access Tools
T1572
Protocol Tunneling
TA0010
Exfiltration
2 techniques
T1041
Exfiltration Over C2 Channel
T1537
Transfer Data to Cloud Account
TA0040
Impact
2 techniques
T1486×4
Data Encrypted for Impact
T1657
Financial Theft
ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
BeaverTailThis will eventually to either Ottercookie / Beavertail malware. Running the entire repository ultimately leads to an infection.1Jun 25, 2026
GolangGhostToward the end of the year, researchers documented Famous Chollima’s remote access trojan (RAT) called “GolangGhost” in its source code format, which was frequently used as the final payload in the threat actor’s ClickFix campaigns.1Jun 14, 2026
OtterCookieThis will eventually to either Ottercookie / Beavertail malware. Running the entire repository ultimately leads to an infection.1Jun 25, 2026
PylangGhostIn May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) we call “PylangGhost,” used exclusively by a North Korean-aligned threat actor.1Jun 14, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-55182React2Shell RCE in React Server Components Flight ProtocolIn the wildEvidence1

"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."

IOCS

Observables

233 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

233 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
bleeping computerNews
Mar 9, 2026
Google: Cloud attacks exploit flaws more than weak credentials

North Korean IT worker activity using fraudulent identities to obtain employment and generate revenue for the government.

Read more
detection engineering netNews
Feb 25, 2026
DEW #146 - The logs are lying, my latest post on Agentic Security & re-tooling security for speed

North Korea-linked activity cluster referenced alongside Contagious Interview as abusing GitLab infrastructure; specific TTP details are not provided in this newsletter excerpt beyond platform abuse and association with DPRK tradecraft.

Read more
huntio blogNews
Jan 1, 2026
Geopatriation Is Coming: Sovereign Clouds Will Break Your Telemetry First

DPRK IT Worker Schemes involve North Korean operators infiltrating software supply chains via front-company IT staffing, embedding themselves in development and DevOps roles to abuse code-signing and maintain persistence.

Read more
f5 communityNews
Dec 30, 2025
F5 Threat Report - December 31st, 2025 | DevCentral

Named in an aggregated list of actors associated with React2Shell (CVE-2025-55182) exploitation activity (UNC-style naming suggests an uncategorized cluster).

Read more
+18 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping52

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables233

Domains, IPs, and hashes tied to this actor, refreshed continuously.

WageMole | Mallory