How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker
ID: afd72c53-9ddb-5ea4-bfee-ae5f6de2f559
STIX ID: report--afd72c53-9ddb-5ea4-bfee-ae5f6de2f559
Feed Name: LevelBlue SpiderLabs Blog
**Executive Summary:** SpiderLabs detected and blocked a suspected North Korea-linked infiltration in which an attacker obtained employment and accessed corporate resources using Entra ID logins routed through Astrill VPN exit nodes. LevelBlue OTX threat intelligence, correlated with Cybereason XDR behavioral analytics, flagged the anomalous geographic and unmanaged-device logins, leading to account revocation within ten days and no evidence of residual access or data exfiltration.
