Live Cyber Lab: How We Detected a Suspected North Korean IT Worker

May 7, 2026 🕒 10:00am CT 

What happens when a newly hired remote worker isn't who they claim to be?

In August 2025, a suspected North Korea-linked IT worker passed standard hiring checks, completed onboarding, and began operating inside a customer's organization.

LevelBlue SpiderLabs identified anomalous behavior and initiated an investigation. Within one business day of the first suspicious activity, the account was terminated, with no evidence of data exfiltration, persistence, or residual access.

In this session, Tue Luu, Threat Detection Engineer with LevelBlue SpiderLabs, walks through the case: what triggered suspicion, how the investigation unfolded, and what it means for organizations relying on standard controls to catch threats that don't look like threats until it's too late.

You’ll learn:

  • A step-by-step breakdown of the activity, from onboarding through detection and response
  • How LevelBlue OTX threat intelligence and Cybereason XDR behavioral analytics worked together to surface the threat
  • The infrastructure and tradecraft used to present as a legitimate remote employee
  • What to look for during hiring and onboarding before access is established
  • Practical approaches to building integrated detection for this type of activity

Speaker: Tue Luu, Threat Detection Engineer 

📅 Thursday, May 7, 2026 | 10:00am CST
