BSides Perth 2025

Since at least 2018, North Korea-based threat actor Black Ara (a.k.a. DPRK IT Workers) has operated under the guise of legitimate remote contractors, subcontractors, and full-time employees. These actors pose as freelance developers and IT professionals, often using fake identities and AI-generated profile pictures to secure employment. Their activities form part of a broader North Korean strategy to generate revenue for the regime and gain access to organisations of strategic interest.

In this presentation, we'll take a deeper look at the tools, techniques, and procedures (TTPs) used by Black Ara, including the creation of fake companies, social media profiles, and resumes to support employment fraud. The talk will highlight how these actors use VPNs, facilitators, and laptop farms to obscure their true locations and identities. We will also explore how Black Ara has successfully embedded IT Workers in companies across Australia, the US, the UK, India, and Kenya, targeting roles such as software engineers, UI/UX designers, and data scientists.

Understanding Black Ara is critical for both technical analysts and executive decision-makers. For analysts, this session provides actionable insights into detection, attribution, and mitigation strategies against a threat actor that blends social engineering with operational stealth. For executives, it highlights the strategic risks of inadvertently hiring sanctioned actors and the broader implications for corporate security, compliance, and reputation. By providing this in-depth analysis of Black Ara, enriched with real-world insights from PwC Global Threat Intelligence's experience, this presentation will equip attendees with the knowledge to identify, respond to, and prevent such intrusions.