The Glasshouse

The world is already transparent. We report what the light reveals. A podcast companion to High Table.

001

North Korean Recruiters, MeshCentral Masquerades, and Video Malware

Jun 11, 2026 6 min

North Korean actors impersonate web3 recruiters to steal credentials and source code. MeshCentral agents masquerading as Azure endpoints used in education sector attacks. Short-form video platforms become a new vector for infostealer distribution.

Show Notes

Social engineering continues to dominate the threat landscape, with adversaries leveraging impersonation across recruitment, cloud management tools, and social media platforms. This episode covers three notable developments: North Korean threat actors targeting web3 and AI firms through fake hiring processes, the abuse of legitimate remote management tools like MeshCentral disguised as Azure endpoints for lateral movement, and the emergence of short-form video platforms as a distribution channel for infostealers. The common thread is credential theft and infrastructure access, with adversaries adapting their tradecraft to exploit trust in familiar platforms and workflows.

In this episode we cover:

  • North Korean threat groups impersonate recruiters for web3 and AI firms to steal credentials, source code, and VPN/SSO access.
  • MeshCentral agents masquerading as Azure endpoints were used in education sector attacks, deploying a custom lateral movement script. Investigators should note that searching for MeshCentral instances without proper OPSEC can expose their own infrastructure, and the report does not specify whether the agents were signed with valid certificates.
  • Short-form video platforms like TikTok and Instagram Reels are exploited to trick users into running PowerShell commands or visiting malicious download sites.
  • The UNK_DeadDrop campaign targets developers via malicious GitHub repositories, with multi-OS payloads attributed to North Korea.
  • Court-documented recruitment tradecraft reveals fake identities, cryptocurrency payments, and pressure to share insider reports.
  • Service desk compromise is highlighted as a common first step in ransomware attacks, with M&S losing £3.8M daily during a five-day outage.
  • Over 20,000 Instagram accounts are stolen in a Meta AI support hack, demonstrating real-world abuse of AI customer-facing systems.

← back to The Glasshouse on ryanlabouve.com