● Dark Reading 📅 06/03/2026 à 18:49

North Korean APTs Use AI to Enhance IT Worker Scams

Cybersécurité 👤 Nate Nelson
Illustration
Threat IntelligenceCyber RiskCybersecurity OperationsVulnerabilities & ThreatsNewsNorth Korean APTs Use AI to Enhance IT Worker ScamsDPRK worker scams are old hat, but they're still working, thanks to AI tools that help with everything from face swapping to daily emails.Nate Nelson,Contributing WriterMarch 6, 20264 Min ReadSource: Kittipong Jirasukhanont via Alamy Stock PhotoWhile threat actors across the board struggle to meaningfully upgrade their cyberattacks with artificial intelligence (AI), North Korean threat actors are making more practical use of the same technology to perpetuate their classic IT worker scams.In a new report, Microsoft's threat intelligence team described how two clusters of malicious actors tied to the Democratic People's Republic of Korea (DPRK) — "Jasper Sleet" and "Coral Sleet" — use AI in a variety of ways to improve the scale and precision of their fraudulent campaigns, enabling "sustained, large-scale misuse of legitimate access" to organizations that don't know better. They're using it to more effectively fabricate their identities, maintain those identities, and socially engineer their prospective employers in all kinds of small but meaningful ways.None of the tactics, techniques, and procedures (TTPs) described in the report are novel. Still, they're useful for organizations to know about, as the same old shtick has continued to bring the bad guys success for years now, despite more widespread awareness and law enforcement counteraction.Related:Inside Olympic Cybersecurity: Lessons From Paris 2024 to Milan Cortina 2026How AI Helps Fake IT Workers Apply for JobsThere's no stage of an IT worker scam that isn't touched by — if not entirely enabled by — AI technology.Long before a company receives a fake résumé and cover letter in its inbox, threat actors use AI tools to research the jobs they want to target on platforms like Upwork, and how to most effectively apply for them. They use them to extract useful terminology from job postings, and identify the requirements that might make a fake application look good, such as certifications, skills, or tools applicants are expected to possess.Working with a linguistic and cultural gap, the threat actors within a group like Jasper Sleet will then prompt large language model (LLM) chatbots for fake names, email addresses, and social media handles that might appear convincing to their intended victims. It goes without saying that they also use chatbots to write their résumés and cover letters.Finally, threat actors bring all of this information together to create convincing digital personas mimicking IT talent. These personas can be used repeatedly to apply for various jobs across different employers.Sometimes these personas are AI-generated, from the details of a résumé through the polished headshot used at the top. In other cases, Jasper Sleet has used a commercial face swapping app called Faceswap to insert their own chosen faces into real individuals' stolen identity documents. And in interviews with prospective employers, it supplements fake visuals with voice-changing software.Related:Attackers Abuse LiveChat to Phish Credit Card, Personal DataHow AI Helps Fake IT Workers Do their JobsSecuring a gig is just phase one of the attack. AI remains essential when fake IT workers actually have to do their jobs.Part of it is about keeping up the ruse. Having initially presented as a certain kind of person, with certain qualifications and a certain character of speech, the threat actors then have to perform the actions and maintain the tone of voice their employer expects. That could mean successfully fulfilling tasks handed to them by their employer, or presenting consistently across email and chat platforms used for daily communication.In a lot of ways, though their intent is different, DPRK threat actors also use AI just like your average business user. They ask it to help them respond to emails, generate snippets of code, and carry out any number of other little tasks. And like those users, Microsoft has also observed threat actors experimenting with agentic AI. "Although not yet observed at scale and limited by reliability and operational risk, these efforts point to a potential shift toward more adaptive threat actor tradecraft that could complicate detection and response," the researchers wrote.Related:The Data Gap: Why Nonprofit Cyber Incidents Go UnderreportedThough revenue generation for Kim Jong-Un's regime is the first goal of any IT worker scam, exploiting insider access to Western organizations is always a nice bonus. Beyond doing their jobs, actors like Coral Sleet use AI — and sometimes jailbreak it — to quickly develop Web infrastructure, generate and refine malware, and, of course, assist with social engineering. Coral Sleet also uses agentic AI to string together a fully automated cyberattack workflow: to create fake company websites, remotely provision infrastructure, test and deploy malicious payloads, and more.Brian Hussey, senior vice president of Cyber Fusion at Cyderes, argues that attackers will have to continue upgrading their IT worker scams with AI because organizations are catching onto their longstanding tricks."Increased awareness among hiring teams is clearly making a difference. Many organizations are now incorporating verification questions during remote interviews, such as asking applicants about local landmarks or activities in the city they claim to live in. Some even ask cultural or political questions that a covert North Korean operator would be hesitant to answer candidly. These approaches are not foolproof, but they demonstrate that organizations are becoming more vigilant," he says.Anecdotally, he adds, "We have seen fewer investigations related to this activity over the past six months. That may not fully reflect the broader threat landscape, but it could suggest a temporary slowdown or a shift in tactics."About the AuthorNate NelsonContributing WriterNate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.See more from Nate NelsonMore InsightsIndustry ReportsFrost Radar™: Non-human Identity Solutions2026 CISO AI Risk ReportThe ROI of AI in SecurityCybersecurity Forecast 2026ThreatLabz 2025 Ransomware ReportAccess More ResearchWebinarsBuilding a Robust SOC in a Post-AI WorldRetail Security: Protecting Customer Data and Payment SystemsRethinking SSE: When Unified SASE Delivers the Flexibility Enterprises NeedSecuring Remote and Hybrid Work Forecast: Beyond the VPNAI-Powered Threat Detection: Beyond Traditional Security ModelsMore Webinars2026 Security Trends & OutlooksThreat IntelligenceCybersecurity Predictions for 2026: Navigating the Future of Digital ThreatsJan 2, 2026Cyber RiskNavigating Privacy and Cybersecurity Laws in 2026 Will Prove DifficultJan 12, 2026|7 Min ReadEndpoint SecurityCISOs Face a Tighter Insurance Market in 2026Jan 5, 2026|7 Min ReadThreat Intelligence2026: The Year Agentic AI Becomes the Attack-Surface Poster ChildJan 30, 2026|8 Min ReadDownload the CollectionKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeWebinarsBuilding a Robust SOC in a Post-AI WorldThurs, March 19, 2026 at 1pm ESTRetail Security: Protecting Customer Data and Payment SystemsThurs, April 2, 2026 at 1pm ESTRethinking SSE: When Unified SASE Delivers the Flexibility Enterprises NeedWed, April 1, 2026 at 1pm ESTSecuring Remote and Hybrid Work Forecast: Beyond the VPNTues, March 10, 2026 at 1pm ESTAI-Powered Threat Detection: Beyond Traditional Security ModelsWed, March 25, 2026 at 1pm ESTMore WebinarsWhite PapersAutonomous Pentesting at Machine Speed, Without False PositivesFixing Organizations' Identity Security PostureBest practices for incident response planningIndustry Report: AI, SOC, and Modernizing CybersecurityThe Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks.Explore More White PapersGISEC GLOBAL 2026GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills.📌 Book Your Space
← Retour