
DPRK Fake IT Worker: Insider Access and Exfiltration
A fraudulent remote software engineer embedded under a stolen identity gains network access on their first day and immediately begins collecting source code, architecture documentation and cloud secrets. The session originates entirely from a single hosting-range ASN, persists through AnyDesk and ngrok tunnels, and ends with a dual-channel exfiltration via Rclone and AzCopy. Reconstruct the full chain from Azure AD audit events, VPN and endpoint telemetry.
Launches in 5 days
Tuesday, July 14, 2026 at 9:00 AM
Pro unlocks this operation at launch.
Training Tools
What you'll investigate
9 objectives unlock when this operation goes live.
Be first when it launches
Create your account and grab Pro before launch. The moment this operation goes live on Jul 14, 2026, you can jump straight in.
Get Started FreeNo credit card required — free forever