Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secrets
The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
North Korean threat groups are using AI to ramp up efforts to infiltrate western companies with fake employees, according to new research.
Analysis from Microsoft’s Threat Intelligence Team shows three groups – Jasper Sleet, Sapphire Sleet, and Coral Sleet (formerly Storm-1877) – are using voice-changing software during remote interviews to disguise their accents and make their cover stories more convincing.
They're also using the AI app Face Swap to place their faces in stolen identity documents and generate convincing headshots for CVs.
"Threat actors are using AI to shortcut the reconnaissance process that informs the development of convincing digital personas tailored to specific job markets and roles," Microsoft warned in a blog post.
"Jasper Sleet leverages generative AI platforms to streamline the development of fraudulent digital personas. For example, Jasper Sleet actors have prompted AI platforms to generate culturally appropriate name lists and email address formats to match specific identity profiles."
The groups are also using AI to search job postings on jobs platforms such as Upwork, then using AI to make their applications meet the jobs' skill requirements.
This includes generating realistic names, email formats, and social media handles using AI prompts, writing AI-assisted resumes and cover letters, creating fake developer portfolios using AI-generated content, and using AI-enhanced images to create professional-looking profile photos and forged identity documents.
Microsoft noted that these personas are used across multiple job applications and platforms.
Voice cloning and agentic AI are in vogue
Elsewhere, Microsoft warned that threat groups are using AI-generated voice cloning to impersonate executives or trusted individuals in vishing and business email compromise (BEC) scams.
Once the fake workers are inside an organization, they use AI-enabled communications to support daily tasks and fit in with role expectations.
"For example, Jasper Sleet uses AI to help sustain long-term employment by reducing language barriers, improving responsiveness, and enabling workers to meet day-to-day performance expectations in legitimate corporate environments," Microsoft noted.
"Threat actors are leveraging generative AI in a way that many employees are using it in their daily work, with prompts such as 'help me respond to this email', but the intent behind their use of these platforms is to deceive the recipient into believing that a fake identity is real."
With the advent of agentic AI, Microsoft warned threat actors are also flocking to powerful new tools.
The tech giant’s threat intelligence team observed groups using agents to create semi‑autonomous workflows that help refine phishing campaigns, test and adapt infrastructure, maintain persistence, or monitor open source intelligence for new opportunities.
North Korean hackers are prolific
The problem of North Korean fake workers just won't seem to go away. While this trend primarily affected US companies, Google warned last summer that threat groups are now expanding campaigns to target European organizations.
Last month, Security Alliance (SEAL) warned that North Korean hackers are hijacking genuine LinkedIn profiles to apply for remote jobs and infiltrate enterprises.
Hackers typically use real identities, leveraging verified workplace emails and identity badges, and constructing credible employment histories to pass background checks.
Organizations are advised to tighten up their identity verification processes, including document checks and, wherever possible, in-person interviews.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
