{
	"id": "20a9a474-8d24-4945-850e-d05dec7857f0",
	"created_at": "2026-04-06T00:11:10.938656Z",
	"updated_at": "2026-04-10T03:36:17.172301Z",
	"deleted_at": null,
	"sha1_hash": "3ed830709d642d67b2c99b7743cd8c0abd9e8352",
	"title": "Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2407584,
	"plain_text": "Jasper Sleet: North Korean remote IT workers’ evolving tactics to\r\ninfiltrate organizations\r\nBy Microsoft Threat Intelligence\r\nPublished: 2025-06-30 · Archived: 2026-04-05 22:41:08 UTC\r\nSince 2024, Microsoft Threat Intelligence has observed remote information technology (IT) workers deployed by\r\nNorth Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate\r\nrevenue for the Democratic People’s Republic of Korea (DPRK). Changes noted in North Korean\r\nremote IT worker tactics, techniques, and procedures (TTPs) include the use of AI tools to replace images in\r\nstolen employment and identity documents and enhance North Korean IT worker photos to make them appear\r\nmore professional. We’ve also observed that they’ve been utilizing voice-changing software.\r\nNorth Korea has deployed thousands of remote IT workers to assume jobs in software and web development as\r\npart of a revenue generation scheme for the North Korean government. These highly skilled workers are most\r\noften located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and\r\nremote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and\r\nidentities.\r\nHistorically, North Korea’s fraudulent remote worker scheme has focused on targeting United States (US)\r\ncompanies in the technology, critical manufacturing, and transportation sectors. However, we’ve observed North\r\nKorean remote workers evolving to broaden their scope to target various industries globally that offer technology-related roles. 
Since 2020, the US government and cybersecurity community have identified thousands of North\r\nKorean workers infiltrating companies across various industries.\r\nOrganizations can protect themselves from this threat by implementing stricter pre-employment vetting measures\r\nand creating policies to block unapproved IT management tools. For example, when evaluating potential\r\nemployees, employers and recruiters should ensure that the candidates’ social media and professional accounts are\r\nunique and verify their contact information and digital footprint. Organizations should also be particularly\r\ncautious with staffing company employees, check for consistency in resumes, and use video calls to confirm a\r\nworker’s identity.\r\nMicrosoft Threat Intelligence tracks North Korean IT remote worker activity as Jasper Sleet (formerly known as\r\nStorm-0287). We also track several other North Korean activity clusters that pursue fraudulent employment using\r\nsimilar techniques and tools, including Storm-1877 and Moonstone Sleet. To disrupt this activity and protect our\r\ncustomers, we’ve suspended 3,000 known Microsoft consumer accounts (Outlook/Hotmail) created by North\r\nKorean IT workers. We have also implemented several detections to alert our customers of this activity through\r\nMicrosoft Entra ID Protection and Microsoft Defender XDR as noted at the end of this blog. As with any observed\r\nnation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing\r\nthem with important information needed to secure their environments. 
As we continue to observe more attempts\r\nhttps://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/\r\nPage 1 of 15\n\nby threat actors to leverage AI, not only do we report on them, but we also have principles in place to take action\r\nagainst them.\r\nThis blog provides additional information on the North Korean remote IT worker operations we published\r\npreviously, including Jasper Sleet’s usual TTPs to secure employment, such as using fraudulent identities and\r\nfacilitators. We also provide recent observations regarding their use of AI tools. Finally, we share detailed\r\nguidance on how to investigate, monitor, and remediate possible North Korean remote IT worker activity, as well\r\nas detections and hunting capabilities to surface this threat.\r\nFrom North Korea to the world: The remote IT workforce\r\nSince at least early 2020, Microsoft has tracked a global operation conducted by North Korea in which skilled IT\r\nworkers apply for remote job opportunities to generate revenue and support state interests. These workers present\r\nthemselves as foreign (non-North Korean) or domestic-based teleworkers and use a variety of fraudulent means to\r\nbypass employment verification controls.\r\nNorth Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed\r\noperation that has allowed North Korean remote workers to infiltrate technology-related roles across various\r\nindustries. In some cases, victim organizations have even reported that remote IT workers were some of their most\r\ntalented employees. Historically, this operation has focused on applying for IT, software development, and\r\nadministrator positions in the technology sector. 
Such positions provide North Korean threat actors access to\r\nhighly sensitive information to conduct information theft and extortion, among other operations.\r\nNorth Korean IT workers are a multifaceted threat: not only do they generate revenue for the North\r\nKorean regime, which violates international sanctions, but they also use their access to steal sensitive intellectual\r\nproperty, source code, or trade secrets. In some cases, these North Korean workers even extort their employer into\r\npaying them in exchange for not publicly disclosing the company’s data.\r\nBetween 2020 and 2022, the US government found that over 300 US companies in multiple industries, including\r\nseveral Fortune 500 companies, had unknowingly employed these workers, indicating the magnitude of this threat.\r\nThe workers also attempted to gain access to information at two government agencies. Since then, the\r\ncybersecurity community has continued to detect thousands of North Korean workers. On January 3, 2025, the\r\nJustice Department released an indictment identifying two North Korean nationals and three facilitators\r\nresponsible for conducting fraudulent work between 2018 and 2024. The indicted individuals generated revenue\r\nof at least US$866,255 from only ten of the at least 64 infiltrated US companies.\r\nNorth Korean threat actors are evolving across the threat landscape to incorporate more sophisticated tactics and\r\ntools to conduct malicious employment-related activity, including the use of custom and AI-enabled software.\r\nTactics and techniques\r\nThe tactics and techniques employed by North Korean remote IT workers involve a sophisticated ecosystem of\r\ncrafting fake personas, performing remote work, and securing payments. 
North Korean IT workers apply for\r\nremote roles in various sectors at organizations across the globe.\r\nThey create, rent, or procure stolen identities that match the geo-location of their target organizations (for\r\nexample, they would establish a US-based identity to apply for roles at US-based companies), create email\r\naccounts and social media profiles, and establish legitimacy through fake portfolios and profiles on developer\r\nplatforms like GitHub and LinkedIn. Additionally, they leverage AI tools to enhance their operations, including\r\nimage creation and voice-changing software. Facilitators play a crucial role in validating fraudulent identities and\r\nmanaging logistics, such as forwarding company hardware and creating accounts on freelance job websites. To\r\nevade detection, these workers use VPNs, virtual private servers (VPSs), and proxy services as well as RMM tools\r\nto connect to a device housed at a facilitator’s laptop farm located in the country of the job.\r\nFigure 1. The North Korean IT worker ecosystem\r\nCrafting fake personas and profiles\r\nThe North Korean remote IT worker fraud scheme begins with the procurement of identities for the workers.\r\nThese identities, which can be stolen or “rented” from witting individuals, include names, national identification\r\nnumbers, and dates of birth. The workers might also leverage services that generate fraudulent identities, complete\r\nwith seemingly legitimate documentation, to fabricate their personas. They then create email accounts and social\r\nmedia pages they use to apply for jobs, often indirectly through staffing or contracting companies. They also apply\r\nfor freelance opportunities through freelancer sites as an additional avenue for revenue generation. 
Notably, they\r\noften use the same names/profiles repeatedly rather than creating unique personas for each successful infiltration.\r\nAdditionally, the North Korean IT workers have used fake profiles on LinkedIn to communicate with recruiters\r\nand apply for jobs.\r\nFigure 2. An example of a North Korean IT worker LinkedIn profile that has since been taken down.\r\nThe workers tailor their fake resumes and profiles to match the requirements for specific remote IT positions, thus\r\nincreasing their chances of getting selected. Over time, we’ve observed these fake resumes and employee\r\ndocuments noticeably improving in quality, now appearing more polished and, with AI assistance, free of\r\ngrammatical errors.\r\nEstablishing digital footprint\r\nAfter creating their fake personas, the North Korean IT workers then attempt to establish legitimacy by creating\r\ndigital footprints for these fake personas. They typically leverage communication, networking, and developer\r\nplatforms (for example, GitHub) to showcase their supposed portfolio of previous work samples:\r\nFigure 3. Example profile used by a North Korean IT worker that has since been taken down.\r\nUsing AI to improve operations\r\nMicrosoft Threat Intelligence has observed North Korean remote IT workers leveraging AI to improve the quantity\r\nand quality of their operations. For example, in October 2024, we found a public repository containing actual and\r\nAI-enhanced images of suspected North Korean IT workers:\r\nFigure 4. 
Photos of potential North Korean IT workers\r\nThe repository also contained the resumes and email accounts used by those workers, along with the following\r\ntools and resources they can use to secure employment and to do their work:\r\nVPS and VPN accounts, along with specific VPS IP addresses\r\nPlaybooks on conducting identity theft and creating and bidding jobs on freelancer websites\r\nWallet information and suspected payments made to facilitators\r\nLinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts\r\nTracking sheet of work performed and payments received by the IT workers\r\nImage creation\r\nBased on our review of the repository mentioned previously, North Korean IT workers appear to conduct identity\r\ntheft and then use AI tools like Faceswap to move their pictures over to the stolen employment and identity\r\ndocuments. The attackers also use these AI tools to take pictures of the workers and move them to more\r\nprofessional-looking settings. The workers then use these AI-generated pictures on one or more resumes or\r\nprofiles when applying for jobs.\r\nFigure 5. Use of AI apps to modify photos used for North Korean IT workers’ resumes and profiles\r\nFigure 6. Examples of resumes for North Korean IT workers. These two resumes use different\r\nversions of the same photo.\r\nCommunications\r\nMicrosoft Threat Intelligence has observed that North Korean IT workers are also experimenting with other AI\r\ntechnologies such as voice-changing software. 
While we haven’t observed threat actors using combined AI voice\r\nand video products as a tactic first hand, we do recognize that combining these technologies could allow future\r\nthreat actor campaigns to trick interviewers into thinking they aren’t communicating with a North Korean IT\r\nworker. If successful, this tactic could allow the North Korean IT workers to do interviews directly and no longer\r\nrely on facilitators standing in for them on interviews or selling them account access.\r\nFacilitators for initial access\r\nNorth Korean remote IT workers require assistance from a witting facilitator to help find jobs, pass the\r\nemployment verification process, and once hired, successfully work remotely. We’ve observed Jasper Sleet\r\nadvertising job opportunities for facilitator roles under the guise of partnering with a remote job candidate to help\r\nsecure an IT role in a competitive market:\r\nFigure 7. Example of a job opportunity for a facilitator role\r\nThe IT workers may have the facilitators assist in creating accounts on remote and freelance job websites. They\r\nmight also ask the facilitator to perform the following tasks as their relationship builds:\r\nCreate a bank account for the North Korean IT worker, or lend their (the facilitator’s) own account to the\r\nworker\r\nPurchase mobile phone numbers or SIM cards\r\nDuring the employment verification process, the witting accomplice helps the North Korean IT workers validate\r\nthe latter’s fraudulent identities using online background check service providers. The documents submitted by the\r\nworkers include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident\r\nidentification cards. 
Workers train using interview scripts, which include a justification for why the employee\r\nmust work remotely.\r\nOnce hired, the remote workers direct company laptops and hardware to be sent to the address of the accomplice.\r\nThe accomplice then either runs a laptop farm that provides the laptops with an internet connection at the geo-location of the role or forwards the items internationally. For hardware that remains in the country of the role, the\r\naccomplice signs into the computers and installs software that enables the workers to connect remotely. Remote IT\r\nworkers might also access devices remotely using IP-based KVM devices, like PiKVM or TinyPilot.\r\nDefense evasion and persistence\r\nTo conceal their physical location as well as maintain persistence and blend into the target organization’s\r\nenvironment, the workers typically use VPNs (particularly Astrill VPN), VPSs, proxy services, and RMM tools.\r\nMicrosoft Threat Intelligence has observed the persistent use of JumpConnect, TinyPilot, RustDesk, TeamViewer,\r\nAnyViewer, and AnyDesk. When an in-person presence or face-to-face meeting is required, for example to confirm\r\nbanking information or attend a meeting, the workers have been known to pay accomplices to stand in for them.\r\nWhen possible, however, the workers eliminate all face-to-face contact, offering fraudulent excuses for why they\r\nare not on camera during video teleconferencing calls or speaking.\r\nAttribution\r\nMicrosoft Threat Intelligence uses the name Jasper Sleet (formerly known as Storm-0287) to represent activity\r\nassociated with North Korea’s remote IT worker program. These workers are primarily focused on revenue\r\ngeneration, use remote access tools, and likely fall under a particular leadership structure in North Korea. 
We also\r\ntrack several other North Korean activity clusters that pursue fraudulent employment using similar techniques and\r\ntools, including Storm-1877 and Moonstone Sleet.\r\nHow Microsoft disrupts North Korean remote IT worker operations with machine\r\nlearning\r\nMicrosoft has successfully scaled analyst tradecraft to accelerate the identification and disruption of North Korean\r\nIT workers in customer environments by developing a custom machine learning solution. This has been achieved\r\nby leveraging Microsoft’s existing threat intelligence and weak signals generated by monitoring for many of the\r\nred flags listed in this blog, among others. For example, this solution uses impossible time travel risk detections,\r\nmost commonly between a Western nation and China or Russia. The machine learning workflow uses these\r\nfeatures to surface suspect accounts most likely to be North Korean IT workers for assessment by Microsoft\r\nThreat Intelligence analysts.\r\nOnce Microsoft Threat Intelligence reviews and confirms that an account is indeed associated with a North\r\nKorean IT worker, customers are then notified with a Microsoft Entra ID Protection risk detection warning of a\r\nrisky sign-in based on Microsoft’s threat intelligence. 
Microsoft Defender XDR customers also receive the alert\r\nSign-in activity by a suspected North Korean entity in the Microsoft Defender portal.\r\nDefending against North Korean remote IT worker infiltration\r\nDefending against the threats from North Korean remote IT workers involves a threefold strategy:\r\nEnsuring a proper vetting approach is in place for freelance workers and vendors\r\nMonitoring for anomalous user activity\r\nResponding to suspected Jasper Sleet signals in close coordination with your insider risk team\r\nInvestigate\r\nHow can you identify a North Korean remote IT worker in the hiring process?\r\nTo protect your organization against a potential North Korean insider threat, it is important for your organization\r\nto prioritize a process for verifying employees to identify potential risks. The following can be used to assess\r\npotential employees:\r\nConfirm the potential employee has a digital footprint and look for signs of authenticity. This includes a\r\nreal phone number (not VoIP), a residential address, and social media accounts. Ensure the potential\r\nemployee’s social media/professional accounts are not highly similar to the accounts of other individuals.\r\nIn addition, check that the contact phone number listed on the potential employee’s account is unique and\r\nnot also used by other accounts.\r\nScrutinize resumes and background checks for consistency of names, addresses, and dates. 
Consider\r\ncontacting references by phone or video-teleconference rather than email only.\r\nExercise greater scrutiny for employees of staffing companies, since this is the easiest avenue for North\r\nKorean workers to infiltrate target companies.\r\nSearch whether a potential employee is employed at multiple companies using the same persona.\r\nEnsure the potential employee is seen on camera during multiple video telecommunication sessions. If the\r\npotential employee reports video and/or microphone issues that prohibit participation, this should be\r\nconsidered a red flag.\r\nDuring video verification, request individuals to physically hold driver’s licenses, passports, or identity\r\ndocuments up to camera.\r\nKeep records, including recordings of video interviews, of all interactions with potential employees.\r\nRequire notarized proof of identity.\r\nMonitor\r\nHow can your organization prevent falling victim to the North Korean remote IT worker technique?\r\nTo prevent the risks associated with North Korean insider threats, it’s vital to monitor for activity typically\r\nassociated with this fraudulent scheme.\r\nMonitor for identifiable characteristics of North Korean remote workers\r\nMicrosoft has identified the following characteristics of a North Korean remote worker. 
Note that not all of these\r\ncriteria need to be present, and a match on them doesn’t guarantee that the\r\nworker is North Korean.\r\nThe employee lists a Chinese phone number on social media accounts that is used by other accounts.\r\nThe worker’s work-issued laptop authenticates from an IP address of a known North Korean IT worker\r\nlaptop farm, or from foreign—most commonly Chinese or Russian—IP addresses even though the worker\r\nis supposed to have a different work location.\r\nThe worker is employed at multiple companies using the same persona. Employees of staffing companies\r\nrequire heightened scrutiny, given this is the easiest way for North Korean workers to infiltrate target\r\ncompanies.\r\nOnce a laptop is issued to the worker, RMM software is immediately downloaded onto it and used in\r\ncombination with a VPN.\r\nThe worker has never been seen on camera during a video telecommunication session or is only seen a few\r\ntimes. The worker may also report video and/or microphone issues that prohibit participation from the start.\r\nThe worker’s online activity doesn’t align with routine co-worker hours, with limited engagement across\r\napproved communication platforms.\r\nMonitor for activity associated with Jasper Sleet access\r\nIf RMM tools are used in your environment, enforce security settings where possible, such as requiring MFA:\r\nUse Windows Defender Application Control or AppLocker to create policies to block unapproved\r\nIT management tools. 
Consider hunting for unapproved RMM software installations and creating\r\ncustom detections (Investigation \u0026 response \u003e Hunting \u003e Advanced hunting \u003e Manage rules \u003e\r\nCreate custom detection) for any advanced hunting queries that are useful indicators of anomalous\r\nor unapproved activity in your environment.\r\nIf an unapproved installation is discovered, reset passwords for accounts used to install the RMM\r\nservices. If a system-level account was used to install the software, further investigation may be\r\nwarranted.\r\nMonitor for impossible travel—for example, a supposedly US-based employee signing in from China or\r\nRussia.\r\nMonitor for use of public VPNs such as Astrill. For example, IP addresses associated with VPNs known to\r\nbe used by Jasper Sleet can be added to Sentinel watchlists. Or, Microsoft Defender for Identity can\r\nintegrate with your VPN solution to provide more information about user activity, such as extra detection\r\nfor abnormal VPN connections.\r\nMonitor for signals of insider threats in your environment. Microsoft Purview Insider Risk Management\r\ncan help identify potentially malicious or inadvertent insider risks.\r\nMonitor for consistent user activity outside of typical working hours.\r\nRemediate\r\nWhat are the next steps if you positively identify a North Korean remote IT worker employed at your company?\r\nBecause Jasper Sleet activity follows legitimate job offers and authorized access, Microsoft recommends\r\napproaching confirmed or suspected Jasper Sleet intrusions with an insider risk approach using your\r\norganization’s insider risk response plan or incident response provider like Microsoft Incident Response. 
Some\r\nsteps might include:\r\nRestrict response efforts to a small, trusted insider risk working group, trained in operational security\r\n(OPSEC) to avoid tipping off subjects and potential collaborators.\r\nRapidly evaluate the subject’s proximity to critical assets, such as:\r\nLeadership or sensitive teams\r\nDirect reports or vendor staff the subject has influence over\r\nSuppliers or vendors\r\nPeople/non-people accounts, production/pre-production environments, shared accounts, security\r\ngroups, third-party accounts, distribution groups, data clusters, and more\r\nConduct preliminary link analysis to:\r\nDetect relationships with potential collaborators, supporters, or other potential aliases operated by\r\nthe same actor\r\nIdentify shared indicators (for example, shared IP addresses, behavioral overlap)\r\nAvoid premature action that might alert other Jasper Sleet operators\r\nConduct a risk-based prioritization of efforts, informed by:\r\nPlacement and access to critical assets (not necessarily where you identified them)\r\nStakeholder\r\ninsight from potentially impacted business units\r\nBusiness impact considerations of containment (which might support additional collection/analysis)\r\nor mitigation (for example, eviction)\r\nConduct open-source intelligence (OSINT) collection and analysis to:\r\nDetermine if the identity associated with the threat actor is associated with a real person. For\r\nexample, North Korean IT workers have leveraged stolen identities of real US persons to facilitate\r\ntheir fraud. 
Conduct OSINT on all available personally identifiable information (PII) provided by\r\nthe actor (name, date of birth, SSN, home of record, phone number, emergency contact, and others)\r\nand determine if these items are linked to additional North Korean actors, and/or real persons’\r\nidentities.\r\nGather all known external accounts operated by the alias/persona (for example, LinkedIn, GitHub,\r\nfreelance working sites, bug bounty programs).\r\nPerform analysis on account images using open-source tools such as FaceForensics++ to determine\r\nprevalence of AI-generated content. Detection opportunities within video and imagery include: \r\nTemporal consistency issues: Rapid movements cause noticeable artifacts in video\r\ndeepfakes as the tracking system struggles to maintain accurate landmark positioning. \r\nOcclusion handling: When objects pass over the AI-generated content such as the face,\r\ndeepfake systems tend to fail at properly reconstructing the partially obscured face.\r\nLighting adaptation: Changes in lighting conditions might reveal inconsistencies in the\r\nrendering of the face\r\nAudio-visual synchronization: Slight delays between lip movements and speech are\r\ndetectable under careful observation\r\nExaggerated facial expressions. 
\r\nDuplicative or improperly placed appendages.\r\nPixelation or tearing at edges of face, eyes, ears, and glasses.\r\nEngage counterintelligence or insider risk/threat teams to:\r\nUnderstand tradecraft and likely next steps\r\nGain national-level threat context, if applicable\r\nMake incremental, risk-based investigative and response decisions with the support of your insider threat\r\nworking group and your insider threat stakeholder group; one providing tactical feedback and the other\r\nproviding risk tolerance feedback.\r\nPreserve evidence and document findings.\r\nShare lessons learned and increase awareness.\r\nEducate employees on the risks associated with insider threats and provide regular security training for\r\nemployees to recognize and respond to threats, including a section on the unique threat posed by North\r\nKorean IT workers.\r\nAfter an insider risk response to Jasper Sleet, it might be necessary to also conduct a thorough forensic\r\ninvestigation of all systems that the employee had access to for indicators of persistence, such as RMM tools or\r\nsystem/resource modifications.\r\nFor additional resources, refer to CISA’s Insider Threat Mitigation Guide. If you suspect your organization is\r\nbeing targeted by nation-state cyber activity, report it to the appropriate national authority. For US-based\r\norganizations, the Federal Bureau of Investigation (FBI) recommends reporting North Korean remote IT worker\r\nactivity to the Internet Crime Complaint Center (IC3).\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender XDR customers can refer to the list of applicable detections below. 
Microsoft Defender XDR\r\ncoordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide\r\nintegrated protection against attacks like the threat discussed in this blog.\r\nCustomers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate\r\nand respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.\r\nMicrosoft Defender XDR\r\nAlerts with the following title in the security center can indicate threat activity on your network:\r\nSign-in activity by a suspected North Korean entity\r\nMicrosoft Defender for Endpoint\r\nAlerts with the following titles in the security center can indicate Jasper Sleet RMM activity on your network.\r\nThese alerts, however, can be triggered by unrelated threat activity.\r\nSuspicious usage of remote management software\r\nSuspicious connection to remote access software\r\nMicrosoft Defender for Identity\r\nAlerts with the following titles in the security center can indicate atypical identity access on your network. These\r\nalerts, however, can be triggered by unrelated threat activity.\r\nAtypical travel\r\nSuspicious behavior: Impossible travel activity\r\nMicrosoft Entra ID Protection\r\nMicrosoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate associated threat\r\nactivity, including unusual user activity consistent with known patterns identified by Microsoft Threat Intelligence\r\nresearch. 
Note, however, that these alerts can also be triggered by unrelated threat activity.\r\nMicrosoft Entra threat intelligence (sign-in): (RiskEventType: investigationsThreatIntelligence)\r\nMicrosoft Defender for Cloud Apps\r\nAlerts with the following title in the security center can indicate atypical identity access on your network. These\r\nalerts, however, can be triggered by unrelated threat activity.\r\nImpossible travel activity\r\nMicrosoft Security Copilot\r\nSecurity Copilot customers can use the standalone experience to create their own prompts or run the following\r\nprebuilt promptbooks to automate incident response or investigation tasks related to this threat:\r\nIncident investigation\r\nMicrosoft User analysis\r\nThreat actor profile\r\nNote that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or\r\nMicrosoft Sentinel.\r\nHunting queries\r\nMicrosoft Defender XDR\r\nBecause organizations might have legitimate and frequent uses for RMM software, we recommend using the\r\nMicrosoft Defender XDR advanced hunting queries available on GitHub to locate RMM software that hasn’t been\r\nendorsed by your organization for further investigation. In some cases, these results might include benign activity\r\nfrom legitimate users. Regardless of use case, all newly installed RMM instances should be scrutinized and\r\ninvestigated.\r\nIf any queries have high fidelity for discovering unsanctioned RMM instances in your environment, and don’t\r\ndetect benign activity, you can create a custom detection rule from the advanced hunting query in the Microsoft\r\nDefender portal. 
\r\nMicrosoft Sentinel\r\nhttps://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/\r\nPage 13 of 15\n\nThe alert Insider Risk Sensitive Data Access Outside Organizational Geo-locationjoins Azure Information\r\nProtection logs (InformationProtectionLogs_CL) with Microsoft Entra ID sign-in logs (SigninLogs) to provide a\r\ncorrelation of sensitive data access by geo-location. Results include:\r\nUser principal name\r\nLabel name\r\nActivity\r\nCity\r\nState\r\nCountry/Region\r\nTime generated\r\nThe recommended configuration is to include (or exclude) sign-in geo-locations (city, state, country and/or region)\r\nfor trusted organizational locations. There is an option for configuration of correlations against Microsoft Sentinel\r\nwatchlists. Accessing sensitive data from a new or unauthorized geo-location warrants further review.\r\nReferences\r\nhttps://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote\r\nhttps://www.justice.gov/usao-dc/media/1352191/dl\r\nhttps://www.reuters.com/technology/north-koreans-use-fake-names-scripts-land-remote-it-work-cash-2023-11-21/\r\nhttps://github.com/jischell-msft/RemoteManagementMonitoringTools\r\nAcknowledgments\r\nFor more information on North Korean remote IT worker operations, we recommend reviewing DTEX’s in-depth\r\nanalysis in the report Exposing DPRK’s Cyber Syndicate and IT Workforce.\r\nLearn more\r\nMeet the experts behind Microsoft Threat Intelligence, Incident Response, and the Microsoft Security Response\r\nCenter at our VIP Mixer at Black Hat 2025. Discover how our end-to-end platform can help you strengthen\r\nresilience and elevate your security posture.\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog. 
\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X\r\n(formerly Twitter), and Bluesky. \r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast. \r\nhttps://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/\r\nPage 14 of 15\n\nSource: https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-o\r\nrganizations/\r\nhttps://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2025/06/30/jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations/"
	],
	"report_names": [
		"jasper-sleet-north-korean-remote-it-workers-evolving-tactics-to-infiltrate-organizations"
	],
	"threat_actors": [
		{
			"id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e",
			"created_at": "2025-08-07T02:03:25.078429Z",
			"updated_at": "2026-04-10T02:00:03.811418Z",
			"deleted_at": null,
			"main_name": "NICKEL ALLEY",
			"aliases": [
				"CL-STA-0240 ",
				"Purplebravo Recorded Future",
				"Storm-1877 ",
				"Tenacious Pungsan "
			],
			"source_name": "Secureworks:NICKEL ALLEY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "45e6e2b3-43fe-44cd-8025-aea18a7f488f",
			"created_at": "2024-06-20T02:02:09.897489Z",
			"updated_at": "2026-04-10T02:00:04.769917Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Storm-1789",
				"Stressed Pungsan"
			],
			"source_name": "ETDA:Moonstone Sleet",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28523c53-1944-4ff0-bbdc-89b06e4e3c84",
			"created_at": "2024-11-01T02:00:52.752463Z",
			"updated_at": "2026-04-10T02:00:05.359782Z",
			"deleted_at": null,
			"main_name": "Moonstone Sleet",
			"aliases": [
				"Moonstone Sleet",
				"Storm-1789"
			],
			"source_name": "MITRE:Moonstone Sleet",
			"tools": [
				"Qilin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ed830709d642d67b2c99b7743cd8c0abd9e8352.pdf",
		"text": "https://archive.orkl.eu/3ed830709d642d67b2c99b7743cd8c0abd9e8352.txt",
		"img": "https://archive.orkl.eu/3ed830709d642d67b2c99b7743cd8c0abd9e8352.jpg"
	}
}