North Korean threat actors leverage AI for cyberattacks

Saying the quiet part out loud: threat actors are increasingly operationalizing AI to accelerate tradecraft, reduce technical friction, and sustain malicious operations at scale. In a new report, Microsoft Threat Intelligence details activity ranging from large‑scale identity fabrication and long‑term access misuse to AI‑assisted phishing and impersonation, rapid infrastructure creation, early experimentation with agentic AI, and attempts to bypass AI safety controls. While many of these techniques mirror existing tradecraft, AI dramatically increases speed, scale, and persistence—reinforcing the need to harden identity defenses, treat long‑term access misuse as an insider‑risk scenario, and secure AI systems themselves. Read the full report and mitigation guidance here: https://msft.it/6048Qgt9M

Want Smarter Mice? Build smarter traps.. Sometimes I do not enjoy reading articles, and not because they are poorly written. It’s the information this time, because of the implications. This is one of those cases where I realized that Microsoft Threat Intelligence encapsulated the operationalization or IT Service Model for using AI to attack and subvert victims. The description of the techniques and how they advance from one method to the next is worth noting. The potential embedding of a model inside malware was interesting. Beyond just noting that things are going to get wilder soon, I wish my resume and profile looked as good as some of the fake ones created by these AI prompts. Take care, bring a light - stepping on a Lego piece in the darkness is unpleasant, and remember to call for help when you need it.

If you have questions about how Threat actors are using AI, this is the blog you have been waiting for. Expect to see more from MSFT OCISO in the coming months on this important topic!⚡️⚡️⚡️⚡️⚡️

This also connects to something I shared earlier this week about how CTI teams should be using AI. If threat actors are accelerating their operations using AI, from reconnaissance to social engineering, defenders must evolve just as quickly. For CTI teams this means leveraging AI to scale analysis, automate enrichment, and identify patterns across campaigns faster than traditional methods allow. Interestingly, I recently completed a LinkedIn Learning course on Leveraging AI for Threat Intelligence which reinforces how AI can support intelligence teams in processing large volumes of data, identifying signals in noise, and shortening the time from intelligence to defensive action. AI is not just reshaping the threat landscape — it is reshaping how CTI teams need to operate.

Move fast, stay low. State actors are adopting AI automation to accelerate their attack cycles and refine their cyber tradecraft for dominance in cyberspace. The pace of change is accelerating further as multiple conflicts ignite worldwide. Boards must urgently adapt to the rapid pace of evolving cyber tradecraft employed by threat actors, particularly those utilising AI automation. The insider threat - Boards focus when adopting AI automation is of efficiency and not safety and security. Just as the physical battleground is now using air, land and sea robots to dominate the ground and win the firefight. Nations are employing AI-enhanced tools ( Bots) as part of their cyber statecraft and national security strategies to inflict destruction and chaos on a enemies national infrastructure and supply chain capabilities. We have seen both Russia and Iran recruiting proxy human resourced intelligence and sabotage cells using the UKs criminal networks to carry out greyzone operations on the UK mainland. This article explains how proxy criminal organisations are enhancing a nations asymmetric cyberwar capabilities through AI automation. State-attributed hostile surveillance and cyber attacks on the UK are being conducted by these proxy organisations. Since cyber space knows no borders they have a global network to recruit from. This allows them to “stay low and move fast” against slower reactive defensive strategies used by businesses who fail to understand the threat. Boards must be horizon scanning and risk assessing how they are going to operate in conflict zones both physically at home and in cyber space. Boards - War gaming is now a reality. State-sponsored attacks and AI automated cyber tradecraft scenarios are real. National security and public safety are now real concerns. Supply chain protection and resilience are being threatened. Foresight over hindsight is now a strategic priority. The security orchestration, automation, and response (SOAR) market is experiencing notable advancements in AI-driven solutions and machine learning integration. These technologies enable automated threat detection, response, and mitigation, reducing human error and operational downtime. Real-time threat intelligence sharing, enhanced through advanced APIs, empowers organisations to build dynamic, interconnected active defense systems.

Adversaries are leveraging AI to automate reconnaissance and create hyper-personalized phishing attacks at scale. Coupled with their ability to launch campaigns from newly spun-up infrastructure, organizations that rely on threat intelligence, sandboxing, and rule-based email protections are left blind to these novel attacks. Abnormal was founded in 2018 as an AI-native cybersecurity company to address the gap organizations face when blocking novel email attacks. We’ve had the benefit of training our models on billions of emails over the past eight years. This has equipped Abnormal with the unique ability to detect AI-generated, email-based attacks with the highest precision — without requiring any tuning. If you’ll be at RSA this year, stop by our meeting hub at Golden Eye Social on the corner of Folsom and 3rd Streets to connect with fellow experts and explore how you can lead cybersecurity’s AI transformation. #rsa #cybersecurity #emailsecurity #ai #abnormal.ai

Threat actors are operationalizing AI across the cyberattack lifecycle to accelerate tradecraft, reduce technical friction, and sustain malicious operations at scale. Microsoft has observed threat actors embedding generative AI into workflows for reconnaissance, social engineering, malware and infrastructure development, and post‑compromise activity—while retaining human control over objectives and targeting. https://msft.it/6048Qgt9M Observed activity includes large‑scale identity fabrication and long‑term access misuse by North Korean threat actors such as Jasper Sleet and Coral Sleet, AI‑assisted phishing and impersonation, rapid infrastructure creation, and malware development accelerated through AI‑enabled coding and debugging. Microsoft has also observed threat actors actively bypassing AI safety controls through jailbreaking techniques, as well as early experimentation with agentic AI and AI‑enabled malware that could complicate detection and response over time. While many techniques mirror existing tradecraft, AI increases speed, scale, and persistence, amplifying risk for defenders even when behaviors are not fundamentally new. At the same time, these trends surface new detection opportunities and reinforce the importance of treating long‑term access misuse as an insider‑risk scenario, hardening identity and phishing defenses, and securing AI systems themselves. Learn more about how threat actors are operationalizing AI and get detection and mitigation guidance from this Microsoft Threat Intelligence blog post.

AI is now a weapon in cybercrime allowing hacking groups to build fake identities ultra-fast. Cybercriminals are turning AI into a force multiplier. Microsoft Threat Intelligence reports that North Korean-linked groups like Jasper Sleet and Coral Sleet are using AI to research vulnerabilities, craft convincing fake personas, automate phishing, and even generate malware with built‑in jokes and emojis in the code. AI accelerates every stage of their operations, from reconnaissance to maintaining long‑term access, by speeding up tasks like writing phishing emails, debugging malware, and mimicking legitimate communications to stay under the radar. AI-driven tactics include bypassing model safeguards with clever prompts, using GANs to create near‑legit phishing domains, and generating native‑tone lures in multiple languages. Voice‑modulation and deepfake tools now enable real‑time impersonation in interviews, while AI helps post‑compromise by mapping network layouts and identifying targets. Surprisingly AI isn’t just a tool, it is becoming an active partner in attack workflows, sometimes even operating autonomously in code creation and testing. On the defensive side Microsoft has already shut down thousands of fraudulent IT accounts, implemented AI‑powered detections in Microsoft Defender, and is working with industry to tighten model safety. The blog underscores that while AI greatly lowers the bar for attackers it also empowers defenders when applied responsibly and at scale. The key message is clear AI is reshaping cyber tradecraft and organisations need to catch up fast or risk being left behind. What are your thoughts on AI’s role in cyber conflict? https://lnkd.in/dtkjHgSN #AIThreats #Cybersecurity #MicrosoftDefender #ThreatIntel #AITradecraft

It would make sense for threat actors to use this technology to improve their processes. But wait, implementing #cybersecurity best practices and practicing good cyber hygiene can better protect you?? I am shocked (obvious sarcasm). It may be time to dust off that incident response plan (update it too) and start doing tabletop exercises. The “I hope xyz works” strategy will not end well. "#Microsoft Threat Intelligence has observed that most malicious use of AI today centers on using language models for producing text, code, or media. Threat actors use generative AI to draft phishing lures, translate content, summarize stolen data, generate or debug malware, and scaffold scripts or infrastructure," warns Microsoft. "For these uses, AI functions as a force multiplier that reduces technical friction and accelerates execution, while human operators retain control over objectives, targeting, and deployment decisions…” In addition to generative AI use, Microsoft researchers have begun to see threat actors experiment with agentic AI to perform tasks autonomously and adapt to results. However, Microsoft says AI is currently used primarily for decision-making rather than for autonomous attacks… Furthermore, as these #AI-powered attacks mirror conventional cyberattacks, defenders should focus on detecting abnormal credential use, hardening identity systems against #phishing, and securing AI systems that may become targets in future attacks… #News #BleepingComputer #infosec #informationsecurity #InformationTechnology #IT #Artificialintelligence https://lnkd.in/gSr2MuB6

The article explains how threat actors are increasingly using AI as part of their everyday operations to move faster and scale their attacks. Instead of experimenting, these groups are putting AI to work in practical ways that help them improve social engineering, develop malware, and adapt their techniques more quickly. Recent activity linked to North Korean groups like Jasper Sleet and Coral Sleet shows how AI is becoming a real force multiplier that raises the pressure on defenders. The post also highlights why this shift matters for security teams, since AI driven tradecraft can make attacks harder to spot and respond to. To get the full picture and learn more about the examples and insights behind this trend, take some time to read the full post on the Microsoft Security Blog. #msftadvocate #Security