TechTarget and Informa Tech’s Digital Business Combine. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise NEWSLETTER SIGN-UP Cybersecurity Topics World The Edge DR Technology Events Resources THREAT INTELLIGENCE CYBER RISK CYBERSECURITY OPERATIONS VULNERABILITIES & THREATS NEWS North Korean APTs Use AI to Enhance IT Worker Scams DPRK worker scams are old hat, but they're still working, thanks to AI tools that help with everything from face swapping to daily emails. Nate Nelson,Contributing Writer March 6, 2026 4 Min Read SOURCE: KITTIPONG JIRASUKHANONT VIA ALAMY STOCK PHOTO While threat actors across the board struggle to meaningfully upgrade their cyberattacks with artificial intelligence (AI), North Korean threat actors are making more practical use of the same technology to perpetuate their classic IT worker scams. In a new report, Microsoft's threat intelligence team described how two clusters of malicious actors tied to the Democratic People's Republic of Korea (DPRK) — "Jasper Sleet" and "Coral Sleet" — use AI in a variety of ways to improve the scale and precision of their fraudulent campaigns, enabling "sustained, large-scale misuse of legitimate access" to organizations that don't know better. They're using it to more effectively fabricate their identities, maintain those identities, and socially engineer their prospective employers in all kinds of small but meaningful ways. None of the tactics, techniques and procedures (TTPs) described in the report are novel. Still, they're useful for organizations to know about, as the same old shtick has continued to bring the bad guys success for years now, despite more widespread awareness and law enforcement counteraction. Related:Iran's Cyber-Kinetic War Doctrine Takes Shape How AI Helps Fake IT Workers Apply for Jobs There's no stage of an IT worker scam that isn't touched by — if not entirely enabled by — AI technology. Long before a company receives a fake resume and cover letter in its inbox, threat actors use AI tools to research the jobs they want to target on platforms like Upwork, and how to most effectively apply for them. They use them to extract useful terminology from job postings, and identify the requirements that might make a fake application look good, such as certifications, skills, or tools applicants are expected to possess. Working with a linguistic and cultural gap, the threat actors within a group like Jasper Sleet will then prompt large language model (LLM) chatbots for fake names, email addresses, and social media handles that might appear convincing to their intended victims. It goes without saying that they also use chatbots to write their resumes and cover letters. Finally, threat actors bring all of this information together to create convincing digital personas mimicking IT talent. These personas can be used repeatedly to apply for various jobs across different employers. Sometimes these personas are AI-generated, from the details of a resume through the polished headshot used at the top. In other cases, Jasper Sleet has used a commercial face swapping app called Faceswap to insert their own chosen faces into real individuals' stolen identity documents. And in interviews with prospective employers, it supplements fake visuals with voice-changing software. Related:Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform How AI Helps Fake IT Workers Do their Jobs Securing a gig is just phase one of the attack. AI remains essential when fake IT workers actually have to do their jobs. Part of it is about keeping up the ruse. Having initially presented as a certain kind of person, with certain qualifications and a certain character of speech, the threat actors then have to perform the actions and maintain the tone of voice their employer expects. That could mean successfully fulfilling tasks handed to them by their employer, or presenting consistently across email and chat platforms used for daily communication. In a lot of ways, though their intent is different, DPRK threat actors also use AI just like your average business user. They ask it to help them respond to emails, generate snippets of code, and carry out any number of other little tasks. And like those users, Microsoft has also observed threat actors experimenting with agentic AI. "Although not yet observed at scale and limited by reliability and operational risk, these efforts point to a potential shift toward more adaptive threat actor tradecraft that could complicate detection and response," the researchers wrote. Related:LatAm Now Faces 2x More Cyberattacks Than US Though revenue generation for Kim Jong-Un's regime is the first goal of any IT worker scam, exploiting insider access to Western organizations is always a nice bonus. Beyond doing their jobs, actors like Coral Sleet use AI — and sometimes jailbreak it — to quickly develop Web infrastructure, generate and refine malware, and, of course, assist with social engineering. Coral Sleet also uses agentic AI to string together a fully automated cyberattack workflow: to create fake company websites, remotely provision infrastructure, test and deploy malicious payloads, and more. Brian Hussey, senior vice president of Cyber Fusion at Cyderes, argues that attackers will have to continue upgrading their IT worker scams with AI because organizations are catching onto their longstanding tricks. "Increased awareness among hiring teams is clearly making a difference. Many organizations are now incorporating verification questions during remote interviews, such as asking applicants about local landmarks or activities in the city they claim to live in. Some even ask cultural or political questions that a covert North Korean operator would be hesitant to answer candidly. These approaches are not foolproof, but they demonstrate that organizations are becoming more vigilant," he says. Anecdotally, he adds, "We have seen fewer investigations related to this activity over the past six months. That may not fully reflect the broader threat landscape, but it could suggest a temporary slowdown or a shift in tactics." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. More Insights Industry Reports ThreatLabz 2025 Ransomware Report The Total Economic Impact™ Of Zscaler Private Access (ZPA) Zscaler ThreatLabz 2025 VPN Risk Report GigaOm Radar for CNAPP The Total Economic Impact™ of Google SecOps Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 THREAT INTELLIGENCE Iran Exploits Cyber Domain to Aid Kinetic Strikes by Robert Lemos, Contributing Writer NOV 26, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 THREAT INTELLIGENCE MITRE EMB3D for OT & ICS Threat Modeling Takes Flight by Robert Lemos, Contributing Writer MAR 07, 2025 Editor's Choice THREAT INTELLIGENCE As War Continues, Pro-Iranian Actors Launch Barrage of Cyberattacks byElizabeth Montalbano MAR 3, 2026 6 MIN READ ICS/OT SECURITY Vehicle Tire Pressure Sensors Enable Silent Tracking byJai Vijayan MAR 3, 2026 3 MIN READ СLOUD SECURITY AI Agent Overload: How to Solve the Workload Identity Crisis byAlexander Culafi MAR 3, 2026 4 MIN READ 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Assessing Security Architectures: Zero Trust vs. Network-Centric Models 5 Steps to Stop Ransomware With Zero Trust 10 Ways a Zero Trust Architecture Protects Against Ransomware Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE Discover More Black Hat Omdia Working With Us About Us Advertise Reprints Join Us NEWSLETTER SIGN-UP Follow Us Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright r