AttackFeed by Joe Wagner | Cybersecurity News from Across the Internet

Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI  – CyberScoop

Posted on March 6, 2026 By Matt Kapko

North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 

AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.

Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.

Jasper Sleet is using generative AI tools to research job postings on platforms such as Upwork, and identify in-demand skills or experience requirements to align fake personas with targeted roles, Microsoft said in the report.

Researchers warned that threat groups are also “significantly improving the scale and sophistication of their social engineering and initial access operations” with AI-driven media creation for impersonations and real-time voice modulation. 

North Korean threat groups have used AI services to generate lures that mimic internal communications in multiple languages with native fluency. 

“These technologies enable threat actors to craft highly tailored, convincing lures and personas at unprecedented speed and volume, which lowers the barrier for complex attacks to take place and increases the likelihood of successful compromise,” researchers wrote in the report. 

Microsoft has observed Jasper Sleet using the AI application Faceswap to insert North Korean IT workers’ faces into stolen identity documents, in some cases reusing the same AI-generated photo across multiple personas.

Jasper Sleet is also leaning on AI-enabled communications after an operative is successfully hired by a victim organization to evade detection and sustain long-term employment. Microsoft has observed North Korean remote IT workers prompting AI tools to craft professional responses, answer technical questions or generate snippets of code to meet performance expectations in unfamiliar environments.

North Korean threat groups are using AI to refine previously observed post-compromise activities, reducing the time and expertise required for decision-making, Microsoft said. These AI-powered tasks accelerate analysis of unfamiliar compromised environments, identify viable paths for lateral movement and enable operatives to blend in with legitimate activity. 

North Korean threat groups are also using AI to escalate privileges, locate and steal sensitive records or credentials, and minimize risk of detection by analyzing security controls.

Generative AI accounts for most threat activity involving AI, but Microsoft said a transition to agentic AI is underway.

“For threat actors, this shift could represent a meaningful change in tradecraft by enabling semi‑autonomous workflows that continuously refine phishing campaigns, test and adapt infrastructure, maintain persistence, or monitor open‑source intelligence for new opportunities,” researchers wrote in the report. 

“Microsoft has not yet observed large-scale use of agentic AI by threat actors, largely due to ongoing reliability and operational constraints,” researchers added. Yet, Microsoft warned, experiments illustrate the potential of agentic AI systems for more advanced and damaging activity.

The post Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI appeared first on CyberScoop.
