Cyber attackers are following new tactics: Sophos
Sophos recently shared information about the ongoing fraudulent IT worker schemes run by North Korean state actors. These activities are carried out by threat groups that the Sophos Counter Threat Unit (CTU) has named NICKEL TAPESTRY.
In 2025, the Counter Threat Unit (CTU) witnessed an evolution in NICKEL TAPESTRY operations that includes:
Expanding target scope: Following increased awareness in the U.S., European and Japanese organizations are now primary targets. Fraudulent applicants are impersonating various nationalities to gain employment in a wide range of industries, including cyber security.
Dual threat objective: While salary acquisition for the North Korean government remains the primary goal, these actors are increasingly engaging in data theft for extortion.
Evolving tactics: These threat actors are employing increasingly advanced methods to evade detection, including AI-generated content for resumes and profiles, sophisticated remote access tools, and techniques to bypass security controls. They are also increasing the use of female personas.
Some common signs corporations have witnessed after accidentally hiring these fraudulent workers include the following:
Installation of multiple remote monitoring and management (RMM) tools on a single system.
The use of long (more than 8 hours) Zoom calls for screen sharing.
An insistence from the new employee that they be allowed to use a personal rather than corporate computer.
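The first two signs above can be checked against data most organizations already collect. The following is an added example, not code from Sophos or the article: it flags hosts with two or more RMM tools installed and hosts with a Zoom session longer than 8 hours. The RMM watchlist, host names, package strings and session records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist: the article names no products; extend it from your own inventory.
RMM_WATCHLIST = ("anydesk", "teamviewer", "screenconnect", "splashtop", "rustdesk")
MAX_SHARE = timedelta(hours=8)  # "long (more than 8 hours)" per the article

# Constructed sample data: (host, installed package) as an inventory export might list it.
INVENTORY = [
    ("LT-0142", "AnyDesk 8.0.9"),
    ("LT-0142", "TeamViewer 15.51"),
    ("LT-0142", "Zoom Workplace 6.1"),
    ("LT-0207", "TeamViewer 15.51"),
    ("LT-0311", "Microsoft Teams"),
]
# Constructed sample data: (host, session start, session end) for screen-sharing calls.
ZOOM_SESSIONS = [
    ("LT-0142", "2025-05-12T08:02", "2025-05-12T19:47"),
    ("LT-0207", "2025-05-12T09:00", "2025-05-12T09:45"),
    ("LT-0311", "2025-05-12T07:30", "2025-05-12T16:10"),
]

def rmm_tools_by_host(inventory):
    """Map each host to the set of watchlisted RMM tools installed on it."""
    found = defaultdict(set)
    for host, package in inventory:
        found[host].update(t for t in RMM_WATCHLIST if t in package.lower())
    return found

def long_share_hosts(sessions):
    """Return hosts with at least one session longer than MAX_SHARE."""
    return {h for h, s, e in sessions
            if datetime.fromisoformat(e) - datetime.fromisoformat(s) > MAX_SHARE}

def triage(inventory, sessions):
    """Return {host: [reasons]}; a host with more reasons deserves review first."""
    report = defaultdict(list)
    for host, tools in rmm_tools_by_host(inventory).items():
        if len(tools) >= 2:  # one RMM tool alone may be the sanctioned IT agent
            report[host].append("multiple RMM tools: " + ", ".join(sorted(tools)))
    for host in sorted(long_share_hosts(sessions)):
        report[host].append("Zoom session over 8 hours")
    return dict(report)

if __name__ == "__main__":
    for host, reasons in sorted(triage(INVENTORY, ZOOM_SESSIONS).items()):
        print(host, "->", "; ".join(reasons))
```

A host that shows both signs, as LT-0142 does in the sample data, is a stronger lead than either sign alone, since a single long call or one sanctioned RMM agent is common in ordinary remote work.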