Microsoft Threat Intelligence issued a report on March 6, 2026, entitled, “AI as tradecraft: How threat actors operationalize AI,” which outlines how threat actors, including those from North Korea, are “operationalizing AI along the cyberattack lifecycle…to bypass safeguards and perform malicious activity.” The threat actors are adopting AI “as operational enablers, embedding AI into their workflows to increase the speed, scale, and resilience of cyber operations.”
The report details how North Korean remote IT worker schemes dubbed Jasper Sleet and Coral Sleet provides the threat actors with “sustained, large-scale misuse of legitimate access through identity fabrication, social engineering, and long-term operational persistence at low cost.” The threat actors are also toying with the agentic AI use, which could “complicate detection and response.”
The report outlines how the threat actors have incorporated automation into their schemes across the attack lifecycle to ensure North Korean threat actors are “hired, stay hired, and misuse access at scale” at global companies.
The report is a must read for any company that has been hit before by the North Korean tech worker scheme, or those who have not yet been hit, but recruit remote workers for technology positions.
