North Korean Front Companies Impersonate U.S. IT Firms to Fund Missile Programs

Threat actors with ties to the Democratic People's Republic of Korea (DPRK) are impersonating U.S.-based software and technology consulting businesses in order to further their financial objectives as part of a broader information technology (IT) worker scheme.
"Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the workers' true origins and managing payments," SentinelOne security researchers Tom Hegel and Dakota Cary said in a report shared with The Hacker News.
North Korea's network of IT workers, both in an individual capacity and under the cover of front companies, is seen as a technique to evade international sanctions imposed on the country and generate illicit revenues.
The global campaign, which is also tracked as Wagemole by Palo Alto Networks Unit 42, entails using forged identities to obtain employment at various companies in the U.S. and elsewhere, and sending a large portion of the resulting wages back to the Hermit Kingdom in an attempt to finance its weapons of mass destruction (WMD) and ballistic missile programs.
In October 2023, the U.S. government said it seized 17 websites that masqueraded as U.S.-based IT services companies in order to defraud businesses in the country and abroad by allowing IT workers to conceal their true identities and location when applying online to do remote work across the world.
The IT workers were found to be working for two companies based in China and Russia, namely Yanbian Silverstar Network Technology Co. Ltd. and Volasys Silver Star.
"These IT workers funneled income from their fraudulent IT work back to the DPRK through the use of online payment services and Chinese bank accounts," the U.S. Department of Justice (DoJ) noted at the time.

SentinelOne, which analyzed four new DPRK IT Worker front companies, said they were all registered through NameCheap and claimed to be development outsourcing, consulting, and software businesses, while copying their content from legitimate companies:
- Independent Lab LLC (inditechlab[.]com), which copied its website format from a U.S.-based company called Kitrum
- Shenyang Tonywang Technology LTD (tonywangtech[.]com), which copied its website format from a U.S.-based company called Urolime
- Tony WKJ LLC (wkjllc[.]com), which copied its website format from an India-based company called ArohaTech IT Services
- HopanaTech (hopanatech[.]com), which copied its website format from a U.S.-based company called ITechArt
While all the aforementioned sites have since been seized by the U.S. government as of October 10, 2024, SentinelOne said it traced them back to a broader, active network of front companies originating from China.
Furthermore, it identified another company named Shenyang Huguo Technology Ltd (huguotechltd[.]com) exhibiting similar characteristics, including the use of content and logos copied from another Indian software firm, TatvaSoft. The domain was registered via NameCheap in October 2023.
"These tactics highlight a deliberate and evolving strategy that leverages the global digital economy to fund state activities, including weapons development," the researchers said.
"Organizations are urged to implement robust vetting processes, including careful scrutiny of potential contractors and suppliers, to mitigate risks and prevent inadvertent support of such illicit operations."
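The two signals the report keeps returning to, site text lifted from a legitimate firm and a domain registered only recently, can be turned into a simple vendor-vetting check. The code below is an added illustration, not code from SentinelOne or the report; the domain names, page text and registration dates are constructed, and the "known-vendor" text stands in for whatever reference corpus of legitimate supplier sites an organization maintains.

```python
import re
from datetime import date

def shingles(text, k=3):
    """Set of word k-grams from normalized text, for near-duplicate detection."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}

def jaccard(a, b):
    """Jaccard similarity of two shingle sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def best_reference_match(text, references):
    """(reference_name, similarity) for the reference text most similar to `text`."""
    s = shingles(text)
    return max(((name, jaccard(s, shingles(t))) for name, t in references.items()),
               key=lambda m: m[1], default=(None, 0.0))

def vet_vendor_site(text, registered, references, today, clone_threshold=0.5, min_age_days=365):
    """Vetting findings for one candidate: cloned site copy and/or a freshly registered domain."""
    findings = []
    name, score = best_reference_match(text, references)
    if score >= clone_threshold:
        findings.append(f"site text near-duplicates {name} (jaccard={score:.2f})")
    age_days = (today - registered).days
    if age_days < min_age_days:
        findings.append(f"domain registered only {age_days} days ago")
    return findings

# Constructed sample data (hypothetical domains, text and dates; not real registrations).
REFERENCES = {
    "known-vendor.example": "We are a software development outsourcing company delivering custom "
                            "web and mobile solutions to startups and enterprises since 2015. "
                            "Our dedicated teams handle design, development and QA.",
}
CANDIDATES = {
    # Near-verbatim copy of the reference text with one phrase altered, on a young domain.
    "lookalike.example": ("We are a software development outsourcing company delivering custom "
                          "web and mobile solutions to startups and enterprises since 2015. "
                          "Our dedicated team handles design, development and QA.", date(2023, 10, 15)),
    # Unrelated text on a long-established domain: should produce no findings.
    "longstanding.example": ("Independent security consultancy focused on penetration testing, "
                             "cloud architecture reviews and incident response retainers.", date(2012, 3, 1)),
}
TODAY = date(2024, 1, 31)

def run_example():
    """Vet every constructed candidate; returns {domain: [findings]}."""
    return {d: vet_vendor_site(t, reg, REFERENCES, TODAY) for d, (t, reg) in CANDIDATES.items()}
```

In practice the registration date would come from WHOIS/RDAP and the reference corpus from crawled supplier sites; the shingle size and thresholds are tuning knobs, not fixed values.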
The disclosure follows findings from Unit 42 that a North Korean IT worker activity cluster it's calling CL-STA-0237 "was involved in recent phishing attacks using malware-infected video conference apps" to deliver the BeaverTail malware, indicating connections between Wagemole and another intrusion set known as Contagious Interview.

"CL-STA-0237 exploited a U.S.-based, small-and-medium-sized business (SMB) IT services company to apply for other jobs," the company said. "In 2022, CL-STA-0237 secured a position at a major tech company."
While the exact nature of the relationship between the threat actor and the exploited company is unclear, it's believed that CL-STA-0237 either stole the company's credentials or was hired as an outsourced employee, and is now posing as the company to secure IT jobs and target potential job seekers with malware under the pretext of conducting an interview.
"North Korean threat actors have been highly successful in generating revenue to fund their nation's illicit activities," Unit 42 said, pointing out that the cluster likely operates from Laos.
"They began by posing as fake IT workers to secure consistent income streams, but they have begun transitioning into more aggressive roles, including participating in insider threats and malware attacks."