Skip to main content
DPRK Fake IT Worker: Insider Access and Exfiltration operation cover
COMING SOONAdvancedPRO

DPRK Fake IT Worker: Insider Access and Exfiltration

A fraudulent remote software engineer embedded under a stolen identity gains network access on their first day and immediately begins collecting source code, architecture documentation and cloud secrets. The session originates entirely from a single hosting-range ASN, persists through AnyDesk and ngrok tunnels, and ends with a dual-channel exfiltration via Rclone and AzCopy. Reconstruct the full chain from Azure AD audit events, VPN and endpoint telemetry.

1h 25m
9 tasks
150 points
Pro

Launches in 5 days

Jul 14, 2026

Tuesday, July 14, 2026 at 9:00 AM

View Pro plans

Pro unlocks this operation at launch.

Training Tools

SIEMCloudXDR

What you'll investigate

9 objectives unlock when this operation goes live.

1Map the access origin
2Name the identity pivot
3Track the remote-access implant
4Find the exfiltration endpoint
5Identify the cloud staging account
6Hash the exfil binary
7Correlate the impossible travel
8Expose the persistence tunnel
9Reconstruct the exfil path

Be first when it launches

Create your account and grab Pro before launch. The moment this operation goes live on Jul 14, 2026, you can jump straight in.

Get Started Free

No credit card required — free forever