Jasper Sleet
Jasper Sleet is a North Korean threat cluster tracked by Microsoft, formerly known as Storm-0287, associated with the DPRK remote IT worker scheme. Reported aliases include Storm-0287, PurpleDelta, Wagemole, Nickel Tapestry, and UNC5267. Microsoft has tracked this activity since at least early 2020.

The operation centers on North Korean operatives posing as remote IT workers who use stolen, rented, or fabricated identities to obtain employment at legitimate companies, historically with emphasis on U.S. organizations and technology-related roles, but with reported expansion globally. The scheme is described as a revenue-generation operation for the DPRK regime and its weapons programs, while also enabling espionage, theft of sensitive information, and in some cases extortion. Reporting states these workers have infiltrated companies across multiple industries and may steal intellectual property, source code, trade secrets, credentials, and other sensitive records.

Tradecraft described in the reporting includes creation of fraudulent digital personas using fake names, email addresses, social media profiles, GitHub and LinkedIn accounts, forged or altered identity documents, and professional-looking headshots. Microsoft observed Jasper Sleet using generative AI to research job postings on platforms such as Upwork, extract required skills, generate culturally appropriate names and email formats, tailor resumes and cover letters, and build reusable personas aligned to targeted roles. Microsoft also observed use of the Faceswap application to insert workers’ faces into stolen identity documents and generate polished resume photos, and use of voice-changing software during remote interviews to disguise accents.

After gaining employment, Jasper Sleet reportedly uses AI-enabled communications to maintain cover, draft professional responses, answer technical questions in unfamiliar environments, generate code snippets, reduce language barriers, and sustain long-term fraudulent employment. The reporting also states that AI is used across the attack lifecycle to get hired, stay hired, and misuse access at scale. Microsoft further reported that North Korean actors including Jasper Sleet use AI to accelerate post-compromise tasks such as analyzing victim environments, identifying lateral movement paths, escalating privileges, locating credentials and sensitive data, and minimizing detection risk.

Operational infrastructure and concealment methods mentioned in the reporting include VPNs, VPSs, proxy services, remote management tools, facilitator-operated laptop farms, and assistance from facilitators who validate identities, forward company hardware, and support freelance platform accounts. Tools and services specifically cited include Astrill VPN, JumpConnect, TinyPilot, Rust Desk, TeamViewer, AnyViewer, and AnyDesk. Microsoft reported disrupting this activity by suspending 3,000 Outlook/Hotmail accounts linked to the operation and implementing detections in Microsoft Entra ID Protection and Microsoft Defender XDR. The reporting also notes overlap with broader DPRK activity and references related clusters such as Coral Sleet, Sapphire Sleet, Moonstone Sleet, and general remote IT worker activity tracked by Microsoft under Storm-0287.
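One defender-side way to act on the infrastructure section above is to correlate the remote-management and VPN tooling the profile names with account age, since the scheme depends on a freshly hired identity operating a company laptop remotely. The script below is an added example, not Microsoft's or Mallory's detection logic; the process image names, the 30-day new-hire window, the scoring weights and the telemetry rows are all constructed assumptions.

```python
"""Flag new-hire accounts whose hosts run the remote-access / VPN tooling cited in the profile."""
import csv
import io
from collections import defaultdict

# Tool names come from the profile; the executable names are assumptions.
# TinyPilot is a hardware KVM device, so it would not appear as a process and is omitted.
REMOTE_MGMT = {"teamviewer.exe", "anydesk.exe", "rustdesk.exe",
               "anyviewer.exe", "jumpconnect.exe"}
ANONYMIZERS = {"astrill.exe"}      # Astrill VPN client (assumed image name)
NEW_HIRE_DAYS = 30                 # assumption: accounts younger than this are "new hires"

# Constructed sample telemetry: user, account_age_days, host, process image name.
SAMPLE_LOG = """\
user,account_age_days,host,process
j.doe,12,LAPTOP-01,teamviewer.exe
j.doe,12,LAPTOP-01,astrill.exe
j.doe,13,LAPTOP-01,rustdesk.exe
a.smith,400,LAPTOP-02,teamviewer.exe
a.smith,400,LAPTOP-02,outlook.exe
k.lee,5,LAPTOP-03,code.exe
"""

def score_users(log_text):
    """Return {user: (score, reasons)} for every user with at least one tooling signal."""
    signals = defaultdict(set)
    age = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        proc = row["process"].lower()
        age[row["user"]] = int(row["account_age_days"])
        if proc in REMOTE_MGMT:
            signals[row["user"]].add("remote-management tool: " + proc)
        if proc in ANONYMIZERS:
            signals[row["user"]].add("anonymizer client: " + proc)
    findings = {}
    for user, reasons in signals.items():
        score = len(reasons)            # one point per distinct tool observed
        if age[user] <= NEW_HIRE_DAYS:  # new-hire context raises the priority
            score += 2
            reasons.add(f"account age {age[user]}d <= {NEW_HIRE_DAYS}d")
        findings[user] = (score, sorted(reasons))
    return findings

def high_risk(log_text, threshold=3):
    """Users whose combined signals meet the analyst-review threshold."""
    return sorted(u for u, (s, _) in score_users(log_text).items() if s >= threshold)

if __name__ == "__main__":
    for user, (score, reasons) in score_users(SAMPLE_LOG).items():
        print(user, score, reasons)
```

A long-tenured engineer running TeamViewer alone scores low; the signal worth reviewing is the combination of several named tools on an account that is only days old.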
Targeting
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Where they're from
Attributed origin per open-source reporting.
- KP
Tradecraft
22 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Uses AI to enhance tradecraft, including sustained large-scale misuse of legitimate access, identity fabrication through social engineering, and long-term persistence at low cost.
North Korean IT worker operation using fake identities and fraudulent employment to infiltrate companies, generate revenue for the DPRK, steal sensitive data, and in some cases conduct extortion. The group also uses AI to fabricate identities, support social engineering, and maintain long-term access.
Conducting North Korean fake-employee infiltration operations against Western companies, using generative AI, voice-changing software, face-swapping, forged identity documents, and AI-assisted job applications to obtain and maintain remote employment inside organizations.
Uses generative AI to support North Korea-linked remote IT worker schemes by creating realistic fake identities (names, resumes, communications), tailoring personas to job postings, and maintaining access after being hired at Western companies.