In the summer of 2025, a young tech professional named Trevor Roth* landed a remote job at cybersecurity vendor Exabeam.
Roth had aced his technical interview and test with flying colors. He also passed his video interview, though the hiring team felt he might have leaned on generative AI tools for real-time assistance, and Exabeam extended an offer. After the standard pre-employment clearance process, including a background check and I-9 validation, he received his laptop from IT and immediately set to work.
There was just one problem. "Trevor Roth" was actually a malicious foreign actor from North Korea, using a stolen identity and forged documents. And he was now inside Exabeam's corporate network.
Malicious foreign actors from the Democratic People's Republic of Korea, or DPRK, represent a pervasive and escalating threat to Fortune 500 companies. The U.S. Department of the Treasury estimates thousands are on American companies' payrolls and have access to their corporate systems. North Korean operatives' goals are twofold: first, to earn money for their country's authoritarian regime, and second, to enable malicious intrusions. In recent cases, American employers have been victims of cryptocurrency theft, sensitive data theft and data extortion at the hands of malicious insiders from the DPRK.
Complicating detection efforts is the fact that such foreign threat actors often aim to keep their jobs for months, if not years, motivating them to keep their heads down. "Typically, you're going to see these low-and-slow types of attacks, living off the land, stuff that's not super obvious," said Exabeam Vice President of AI and Security Research Steve Povolny, during a presentation at RSAC 2026. "You'll see behaviors that fly under the radar, until they don't."
Unfortunately for Exabeam's new hire, his first day of employment was also his last, thanks in part to agentic AI.
To catch a malicious foreign threat actor
The first time "Trevor Roth" signed into his Exabeam corporate account, the SOC's threat intelligence feed flagged his username as high risk, noting that it had been associated with North Korean threat actor activity. Based on that information, incident responders quietly accessed Roth's laptop and isolated it from the rest of the network.
Initially, the incident response team was open to the possibility that the threat intelligence was wrong, said CISO Kevin Kirkwood, who presented alongside Povolny at RSAC. "At first, we ascribed positive intent. This is a brand-new user, and maybe we just got the wrong guy," he added.
At the same time, the SIEM began generating scattered alerts on Roth's activity, which included the following:
Downloaded files from a malicious Zoom website.
Attempted to connect to a third-party VPN.
Installed Jump Desktop software.
Loaded a streaming service.
Taken individually and out of context, and without the heads-up from the threat intelligence feed, each alert could have amounted to little more than noise, according to Kirkwood. That's when AI entered the chat.
Exabeam Nova, the organization's investigative AI agent in the SOC, autonomously collected Roth's scattered user and entity behavior analytics (UEBA) data and evaluated it in the context of his role and new-hire status. Deciding a full investigation was warranted, Nova then analyzed the user's behavior and likely intent and presented human operators with its conclusion:
"The pattern of actions aligns with the 'Malicious Software' threat vector, which is a precursor to a compromised insider scenario."
Finally, the AI assistant suggested SOC analysts take the following next steps:
Isolate the affected host to prevent further compromise or lateral movement.
Initiate a full forensic analysis of the affected host to identify the initial infection vector and full scope of compromise.
Review the user's activity, including recent emails and browser history, for potential phishing attempts or unauthorized software downloads that could have led to the malware execution.
Check for persistence mechanisms, including scheduled tasks and modified registry keys.
Analyze network traffic for connections made by the affected host to suspicious external IPs or domains.
Update endpoint security, ensuring endpoint detection and response and antivirus software are up to date, and perform a full scan on the affected machine and other potentially vulnerable systems.
An investigation that Kirkwood said would have taken SOC analysts three to four hours took the AI agent seconds.
"This is really where the combination of traditional UEBA and modern AI capabilities becomes really, really powerful — being able to take all that scattered, [seemingly] unrelated, nonsuspicious noise and turn it into signals," Povolny added. "The AI that we had deployed internally caught this very, very quickly."
After quietly isolating the DPRK threat actor's machine, Kirkwood and his incident response team spent the next five hours observing his behavior, which included installing command-and-control software and attempting to exfiltrate company data.
"It was a fun five hours," Kirkwood said. "It was kind of like sitting back and watching the prize fights. You're drinking beer and eating peanuts and watching the blows land."
When the malicious foreign actor finally realized he was being watched, he started trying to delete his temporary files. That's when Kirkwood called time, and the incident response team bricked the machine. "It was a big piece of metal at that point — nothing more," he said.
Next, the Exabeam team sent the indicators of compromise they'd collected to the FBI, along with the address in Austin where the threat actor had asked the company to ship his laptop.
"About a week after that, we saw that the FBI had shut down a laptop farm in the Austin area," Kirkwood said.
How to mitigate the AI-enabled malicious foreign actor threat
North Korean IT workers began infiltrating American companies in large numbers in 2020, during the remote work boom. Now, AI is making an already bad problem worse. According to researchers at CrowdStrike, DPRK-affiliated adversary group Famous Chollima infiltrated more than 320 companies in 2025, a 220% year-over-year increase. Researchers attributed the group's recent success to its use of GenAI throughout the hiring and employment processes.
With AI, malicious actors can easily forge official documents and cheat on technical tests. Deepfake and voice cloning technology lets them impersonate others in real time. And according to Kirkwood and Povolny, many job candidates, North Korean and otherwise, now use AI-powered interview copilots to optimize their answers during remote job interviews. Many such tools are designed to be invisible to third parties when users share their screens, making detection difficult.
To vet for unsanctioned AI use and possible malicious foreign actor activity during video interviews, the Exabeam executives suggested the following tactics:
Intentionally under-specify problems to observe candidates' clarification skills.
Ask candidates to share personal experiences that illustrate how they make decisions.
Change technical problems mid-answer to test candidates' adaptability.
Introduce off-topic or unexpected prompts (e.g., how would you build a bridge?) to see whether the candidate responds with human confusion or AI confidence.
Ask job candidates to use external webcams that show their workspaces and monitors, rather than share their screens.
Kirkwood and Povolny also urged CISOs to put all new hires on a SOC watchlist for enhanced monitoring, ideally with help from agentic AI.
"When you have 500 or 1,000 new employees, you should have agents that are capable of understanding and prioritizing their behaviors, driving a cherry-picked handful to your human analysts, who remain in the loop," Povolny said. "Those human analysts can then double-click on that employee and dig deeper to see if it's a threat."
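To make concrete both the correlation Nova performed above (scattered, individually unremarkable alerts weighed against a threat-intel hit and new-hire status) and the new-hire watchlist prioritization Povolny describes here, the following Python sketch is an added example, not Exabeam's or Nova's code. The alert categories, usernames, dates, weights and threshold are all invented for the example; the point is that the same VPN alert scores as noise on a long-tenured user and as part of an investigation on a watchlisted new hire with a threat-intel match.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass(frozen=True)
class Alert:
    user: str
    ts: datetime
    kind: str      # SIEM alert category (hypothetical names for this example)
    severity: int  # 1 (low) .. 5 (high), as the SIEM scores it in isolation
# Low-severity kinds that together on one host match the article's "malicious software" precursor pattern.
MALWARE_PRECURSORS = {"suspicious_download", "third_party_vpn", "remote_desktop_install"}

def score_user(alerts, ti_flagged, hire_date, now, window=timedelta(hours=24)):
    """Fold one user's scattered alerts plus identity context into a single score."""
    recent = [a for a in alerts if now - a.ts <= window]
    score, reasons = sum(a.severity for a in recent), [f"{len(recent)} alert(s) in window"]
    precursors = {a.kind for a in recent} & MALWARE_PRECURSORS
    if len(precursors) >= 2:  # several precursors together, not one in isolation
        score += 5
        reasons.append("malicious-software pattern: " + ", ".join(sorted(precursors)))
    if hire_date and (now - hire_date).days <= 30:  # watchlisted new hire
        score += 3
        reasons.append("new hire")
    if ti_flagged:  # threat-intel hit on the identity itself
        score *= 2
        reasons.append("threat-intel match on username")
    return score, reasons

def triage(alerts, ti_users, hire_dates, now, threshold=20):
    """Return {user: (score, verdict, reasons)} for every user with alerts."""
    by_user = {}
    for a in alerts:
        by_user.setdefault(a.user, []).append(a)
    results = {}
    for user, ua in by_user.items():
        score, reasons = score_user(ua, user in ti_users, hire_dates.get(user), now)
        results[user] = (score, "investigate" if score >= threshold else "monitor", reasons)
    return results
def analyst_queue(results, top_n=3):  # the cherry-picked handful for human analysts, highest score first
    return [u for _, u in sorted(((r[0], u) for u, r in results.items() if r[1] == "investigate"), reverse=True)][:top_n]
# Constructed sample data (names and dates are placeholders): the four alert types the article lists for the new hire, plus the same lone VPN alert on a long-tenured user.
NOW = datetime(2025, 7, 1, 12, 0)
SAMPLE_ALERTS = [
    Alert("new.hire", NOW - timedelta(hours=3), "suspicious_download", 2),
    Alert("new.hire", NOW - timedelta(hours=2), "third_party_vpn", 2),
    Alert("new.hire", NOW - timedelta(hours=1), "remote_desktop_install", 2),
    Alert("new.hire", NOW - timedelta(minutes=30), "streaming_service", 1),
    Alert("veteran", NOW - timedelta(hours=5), "third_party_vpn", 2),
]
SAMPLE_TI_USERS = {"new.hire"}  # the threat-intel feed flagged this username as high risk
SAMPLE_HIRE_DATES = {"new.hire": NOW - timedelta(days=1), "veteran": NOW - timedelta(days=900)}
```

Running `triage(SAMPLE_ALERTS, SAMPLE_TI_USERS, SAMPLE_HIRE_DATES, NOW)` puts only the new hire in the investigate queue with the reasons spelled out; dropping the threat-intel match leaves the same four alerts below the threshold, which is the "noise without the heads-up" situation Kirkwood described.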
*Editor's note: SearchSecurity has changed the name that the threat actor fraudulently used to protect a potential victim of identity theft.
Alissa Irei is senior site editor of Informa TechTarget Security.