Interview with the Chollima V
This is getting sad already
Another day, another DPRK infiltration attempt.
It’s Friday, so I won’t bore you with a sermon about threat actors’ tactics, techniques and procedures or indicators of veterancy, but I’ll allow myself to echo my words from our last article regarding the Kim Boys:
“If one of them messes up, prepare for a quick follow-up”.
And if we are all together here today (once again) it means two things:
The previous pony-heads messed up bad.
A new pony-head tried to play hero. And messed up too.
There’s something bluntly kommissar-esque about this (and here I am, talking about TTPs again), as I interpret this badly planned insistence not as persistence (like an APT) but rather as the frustration of someone higher up constantly sending one operative after another until one of them can claim the prize. That someone wasn’t “Sebastian”… that’s for sure.
Who’s “Sebastian”? Our friend here, a “Colombian” “software engineer” “from Pereira”.
He likes doing typical Colombian things like not speaking Spanish, as seen in this interview with our Talent Acquisition Specialist (who now leads the scoreboard in Whack-a-Chollima Online):
During the interview, he mumbles some passable Spanish (we’ve seen this before) but once again is easily cornered by his interviewer, who checks his LinkedIn profile in real time only to find it gone (along with his hopes of getting the job).
This is a typical behaviour I described in our last article: delete everything and run when they feel threatened or discovered.
In this economy, losing your professional profile can hit hard, so we did a good thing today by grabbing a copy of his profile before it got swept under the internet’s rug forever!
We also managed to back up his Klimb profile, just in case he ever wants to resume job hunting. We’re here to validate his skills or serve as a reference should the time come!
It was a surprise to find that he claims to speak Spanish at “native level”.
I think he overstated his capabilities, but who are we to judge?
Just looking around, we also found that he’s a loyal customer of AstrillVPN, which came as no surprise, to be honest.
We’ve also added him as a contact just in case we hear about any openings that could be a good fit.
He looks quite different on camera. Don’t worry, that happens to some people, like engineers who work a lot… and those who abuse visual filters to look like someone else…
We wanted to let him know we had his back, so we sent someone behind the enemy lines: a colleague messaged him “mistakenly”.
Our colleague apologised for the out-of-the-blue message, and in no time our friend Sebastian showed him that fate works in mysterious ways, and that sometimes dialling the wrong number could take you on a new path in life, like getting offered your dream job.
Sebastian asked a couple of routine questions and whether our colleague knew anything about software development.
He proceeded to explain his plan: he has a company of 10 developers massively taking remote positions.
My colleague would have to attend job interviews and get an offer for a position that would ultimately be filled by one of those 10 “ghost developers”, earning him a 35% cut of the final payment and letting him make up to $8,000 per month.
Just for attending interviews and posing as Mr Charming.
Sounds too good to be true, right? To me it sounds exactly like a cornered villain explaining his evil plot just minutes before being defeated.
Or even better, like a North Korean agent explaining the villainous Famous Chollima international plot just before going viral all over the internet.
So you wanted to be a Famous Chollima? Wish granted.
You won’t be remembered as someone who mastered Cervantes’ tongue, but hey, we’ll get you a lot of views on LinkedIn!
Say hi to your next job!
Lessons Learned
If you’ve been following this series, or even if this is your first time reading it, you’ll definitely get a sense of how far this threat goes.
If you’re a developer, helping these guys out could earn you a free metal wrist from the FBI, and it’s not worth it.
If you own a company, startup, or any organisation actively looking for software engineers, be on high alert. Exercise caution, check IDs at the door, and conduct rigorous background checks.
Also, it pays to subscribe to this kind of newsletter. We worry because it’s our job to do so, and by publishing this research, we let you spend more time building (doing your job) instead of worrying.
Some people may think that threat intelligence isn’t a priority, until something hits you and you don’t know where to start to understand what happened.
We are the Quetzal Team. We put the “Famous” in “Famous Chollima.”
Until next time (we know it’ll happen again).
IOCs
URL:https://linkedin.com/in/sebastian-tamayo-pro
URL:https://www.klimbup.com/perfiles/sebastian-tamayo













