Skip to main content
Mallory
Back to threat actors
North Korea🇰🇵 KP1 malware family

Coral Sleet

Also known asCoral Sleet

Coral Sleet is a North Korean state threat actor tracked by Microsoft, also referred to as Storm-1877 and additionally tracked by some teams as PurpleDelta and Wagemole. Microsoft describes Coral Sleet as one of the groups behind the DPRK fake IT worker scam, a long-running operation in which North Korean operatives use stolen or fabricated identities, fake credentials, tailored resumes, voice-changing software, and other deception to obtain remote employment at foreign companies, particularly in the United States and Europe. Reporting in the provided content states that this activity supports revenue generation for the North Korean regime and has also provided opportunities to exploit insider access; since late 2024, associated operators have also been reported stealing sensitive data and source code from employers and attempting extortion. Microsoft reporting in the provided content says Coral Sleet uses AI extensively as a force multiplier across this activity. Observed uses include rapidly creating digital personas for specific job markets and roles; supporting social engineering; and sustaining misuse of legitimate access. Microsoft also observed Coral Sleet using development platforms to quickly create and manage attack infrastructure at scale, including convincing high-trust web infrastructure, enabling faster campaign staging, testing, and command-and-control operations. Additional reporting in the content states Coral Sleet uses AI to quickly develop web infrastructure, generate and refine malware, and in some cases jailbreak AI tools. Microsoft also observed Coral Sleet demonstrating rapid capability growth through AI-assisted iterative development, including use of AI coding tools to generate, refine, and reimplement malware components. The content further states that Coral Sleet has experimented with agentic AI. Reported uses include semi-automated or automated workflows for creating fake company websites, remotely provisioning infrastructure, testing and deploying malicious payloads, refining phishing or lure development, maintaining persistence, and monitoring for opportunities. Microsoft notes in the provided content that large-scale operational use of agentic AI has not yet been observed due to reliability and operational constraints. Coral Sleet has also been cited alongside Jasper Sleet and Sapphire Sleet as a North Korean cluster using AI to shorten persona creation and support long-term persistence at low cost.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • KP
MITRE ATT&CK

Tradecraft

20 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics23 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
3 techniques
T1589
Gather Victim Identity Information
T1595
Active Scanning
T1598
Phishing for Information
TA0042
Resource Development
3 techniques
T1583×2
Acquire Infrastructure
T1585
Establish Accounts
T1587
Develop Capabilities
T1587.001×2
Malware
TA0001
Initial Access
3 techniques
T1078×5
Valid Accounts
T1199
Trusted Relationship
T1566×3
Phishing
T1566.001
Spearphishing Attachment
T1566.002
Spearphishing Link
TA0002
Execution
1 technique
T1059
Command and Scripting Interpreter
TA0003
Persistence
1 technique
T1078×5
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078×5
Valid Accounts
TA0005
Stealth
2 techniques
T1036×4
Masquerading
T1078×5
Valid Accounts
TA0011
Command and Control
2 techniques
T1071
Application Layer Protocol
T1090
Proxy
T1090.002
External Proxy
T1090.003
Multi-hop Proxy
TA0010
Exfiltration
1 technique
T1537
Transfer Data to Cloud Account
TA0040
Impact
1 technique
T1486
Data Encrypted for Impact
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
OtterCookieFigure 3. Example of emoji use in Coral Sleet AI-assisted payload snippet for the OtterCookie malware1Apr 18, 2026
IOCS

Observables

3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

3 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
cyber security newsNews
Apr 23, 2026
North Korean Hackers Use Fake IT Worker Scheme to Infiltrate Companies and Evade Sanctions

North Korean state-sponsored operatives posing as remote IT workers to obtain employment at foreign companies, funnel salaries to the DPRK regime, and more recently steal sensitive data and source code for extortion.

Read more
itproNews
Mar 24, 2026
Observability will be key to agentic AI safety, says Microsoft Security exec | IT Pro

Uses AI to enhance tradecraft, including sustained large-scale misuse of legitimate access, identity fabrication through social engineering, and long-term persistence at low cost.

Read more
itproNews
Mar 9, 2026
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secrets | IT Pro

Identified as one of the North Korean groups using AI to enhance fake-worker schemes aimed at infiltrating western companies through remote hiring processes.

Read more
register securityNews
Mar 8, 2026
Manage attack infrastructure? AI agents can now help • The Register

North Korea-linked activity cluster observed using development platforms (and, per the broader article theme, agentic/automated AI assistance) to rapidly stand up, manage, and scale attack infrastructure, improving campaign staging, testing, and C2 operations; also referenced as being involved in the 'fake IT worker' scam.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping20

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables3

Domains, IPs, and hashes tied to this actor, refreshed continuously.