Microsoft Threat Intelligence released a report on March 6, 2026, documenting how North Korean state-sponsored threat groups are using artificial intelligence across the entire cyberattack lifecycle to infiltrate Western companies through fraudulent remote IT worker schemes[1][4]. The groups—primarily Jasper Sleet (formerly Storm-0287), along with Coral Sleet, Sapphire Sleet, Storm-1877, and Moonstone Sleet—leverage AI as a "force multiplier" to automate and scale their operations, from initial identity fraud to post-compromise activities[1][2][4].
Who's Involved and What They're Doing
The North Korean groups use AI to create convincing fake personas with AI-generated profile pictures, manipulated identity documents, and voice-changing software to secure genuine remote IT positions at global companies[2][3]. Once hired, operatives use AI tools to write code, answer technical questions, and craft professional communications to maintain employment while stealing sensitive data and generating revenue for the North Korean government[1][3]. Microsoft has responded by suspending 3,000 known accounts created by North Korean IT workers and developing machine learning solutions to identify and disrupt these operations[3][4].
Why It's Newsworthy Now
This represents an escalation of a long-running North Korean employment fraud scheme that has become significantly more sophisticated and scalable through AI integration[1][2]. Microsoft's report is particularly significant because it documents the shift from basic social engineering to "agentic AI" systems that could enable semi-autonomous workflows, meaning threat actors are experimenting with AI systems that make independent decisions about refining phishing campaigns, testing infrastructure, and maintaining persistence[1][4]. This demonstrates how legitimate AI tools are being weaponized for espionage at industrial scale, marking a critical inflection point in state-sponsored cyber operations[5].