Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI

Cybersecurity researchers at Microsoft have warned that North Korean cyber threat groups are increasingly using generative artificial intelligence to scale up sophisticated schemes involving fake remote workers infiltrating global companies.

According to a new report from Microsoft Threat Intelligence, the technology is enabling operatives linked to North Korea to create convincing digital identities faster and conduct more complex cyber operations.

AI Becomes a “Force Multiplier” for Cyber Operations

Researchers say AI is now being used throughout the entire attack lifecycle, helping threat actors automate tasks that previously required significant time and expertise.

The report states that artificial intelligence is acting as a “force multiplier,” allowing attackers to:

  • Research potential targets
  • Create convincing fake identities
  • Build malicious infrastructure
  • Maintain long-term access to systems
  • Avoid detection by security teams

This automation enables cyber operators to execute attacks more quickly and at a much larger scale than before.

Three Major North Korean Threat Groups Identified

Microsoft analysts identified three cyber groups believed to be linked to the North Korean government:

  • Coral Sleet
  • Sapphire Sleet
  • Jasper Sleet

Among them, Jasper Sleet has been particularly active in using AI to impersonate skilled technology workers and gain employment with international companies.

The group reportedly analyzes job postings on freelance platforms such as Upwork to identify in-demand skills. Attackers then create AI-generated personas tailored to match those job requirements, increasing their chances of being hired.

AI Tools Used for Identity Fraud and Communication

Cybersecurity researchers found that attackers are using AI-powered tools to generate fake documentation and manipulate images.

For example, the AI application Faceswap has reportedly been used to insert photos of North Korean operatives into stolen identity documents. In some cases, the same AI-generated image was reused across multiple fake identities.

Threat actors are also relying on AI tools to assist with communication after they secure remote jobs. These tools help operatives:

  • Write professional responses to colleagues
  • Answer technical questions
  • Generate code snippets
  • Maintain the appearance of legitimate employees

Social Engineering Attacks Becoming More Convincing

The report warns that AI-generated media and voice technologies are significantly improving the effectiveness of social engineering attacks.

Threat groups are now capable of producing messages that mimic internal corporate communications in multiple languages, making them far more convincing.

Researchers say this level of realism lowers the barrier for complex cyberattacks and increases the likelihood that victims will fall for fraudulent requests or phishing attempts.

AI Accelerating Post-Breach Activities

Once attackers gain access to a company’s systems, AI tools are also being used to:

  • Analyze compromised networks
  • Identify opportunities for lateral movement
  • Escalate user privileges
  • Locate sensitive records or credentials
  • Blend malicious activity with normal operations

This reduces the expertise required for attackers to operate effectively inside targeted systems.

Future Threat: Agentic AI

While most current cyber operations rely on generative AI, Microsoft researchers say a shift toward agentic AI systems could dramatically increase the threat.

Agentic AI refers to systems capable of running semi-autonomous workflows, potentially allowing cybercriminals to continuously refine phishing campaigns, monitor intelligence sources, and automatically adapt attack infrastructure.

Although large-scale deployment of these systems has not yet been observed, researchers say early experiments demonstrate the potential for more advanced and damaging cyber operations in the future.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO