
Addressing the Convergence of AI-Driven Insider Threats and Cyber-Kinetic Operations

Recent intelligence reveals that threat actors are operationalizing AI to scale fraudulent employment schemes and integrating edge device compromises into physical military doctrines. This briefing details the tactics used by DPRK and Iranian-aligned clusters and provides actionable guidance to help organizations secure their hiring pipelines and external infrastructure.

Triage Security Media Team

In the past 24 hours, the security environment has experienced a convergence of digital tradecraft and physical outcomes. We are tracking two major developments: DPRK-aligned threat actors are applying artificial intelligence to scale fraudulent employment schemes, and Iranian-aligned groups have integrated digital surveillance into their physical military doctrine. For security teams, this confirms that the boundary between digital and physical domains requires immediate, cross-functional defensive strategies.

A new analysis from Microsoft’s threat intelligence team details how North Korean clusters, specifically those identified as Jasper Sleet and Coral Sleet, incorporate large language models (LLMs) and generated media into their operational workflows. These actors are attempting to gain inside access by securing formal employment. By using AI to generate cohesive digital personas, they bypass standard hiring verifications to establish sustained insider access. This evolution of the fraudulent IT worker scheme uses AI to navigate the linguistic and cultural barriers that historically alerted hiring managers to irregularities.

The lifecycle of these operations starts with AI-assisted reconnaissance. Threat actors use LLMs to analyze job postings on platforms like Upwork, extracting technical terminology and cultural context to build tailored resumes and cover letters. To support these personas, they apply commercial face-swapping applications to superimpose fabricated faces onto compromised identification documents and publish AI-generated headshots across social media profiles. During interviews, operators have used voice-altering software to match their audio to the fabricated persona. Once hired, these individuals use AI as a productivity tool, generating code and drafting professional communications to maintain employment while fulfilling their primary objective: generating revenue for the DPRK regime.

While revenue generation remains the primary driver, secondary risks associated with this insider access are emerging. The Coral Sleet cluster has used AI to rapidly develop web infrastructure and refine unauthorized code. Operations occasionally attempt to use agentic AI (systems capable of iterative decision-making) to automate the provisioning of remote infrastructure. This shift toward automation indicates that detection will become more difficult as operators reduce their direct, manual interactions with the compromised systems.

Simultaneously, the threat environment in the Middle East has shifted toward a cyber-kinetic model, where digital operations act as sensory extensions for physical military actions. Following the kinetic activity involving Iran on February 28, threat intelligence shows Iranian operators intensifying unauthorized access campaigns against IP cameras across the region. Check Point Research reports these operations target devices in Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus, regions experiencing recent missile activity. The timing indicates these cameras are being used for real-time assessment and targeting correction.

For defenders, the technical details of these camera compromises are critical. Iranian operators are currently prioritizing authentication and command-related vulnerabilities in edge devices from two major manufacturers. Security teams must prioritize patching Hikvision devices against CVE-2017-7921, CVE-2021-36260, CVE-2023-6895, and CVE-2025-34067. Dahua equipment is also being actively targeted via CVE-2021-33044. In the current environment, an exposed camera facing a critical facility provides intelligence that can guide physical military operations.

This integrated strategy sequences digital operations, psychological operations, and physical actions to impose costs across multiple domains. Beyond surveillance equipment, these operators maintain pressure through logistics disruptions—such as a recent phishing-based access incident at the Jordan Silos and Supply General Company, and distributed denial-of-service (DDoS) campaigns against government entities in the UAE and Bahrain. While some current activity is limited in scope, there is a clear trend of pro-Iranian, Russian-aligned groups shifting focus toward U.S.-based industrial control systems (ICS), SCADA networks, and CCTV systems.

Our defensive response to these threats must be as integrated as the operations themselves. To counter the DPRK’s AI-enhanced hiring fraud, organizations must bridge the gap between human resources and security teams. Standard background checks frequently fail to identify AI-generated personas and compromised identities. We recommend implementing localized verification questions during remote interviews—asking about local landmarks or cultural nuances that an operator, even one using an LLM, would struggle to answer naturally. This human-centric verification provides a necessary layer in the identity validation stack.

Regarding edge devices and infrastructure, the priority remains aggressive patch management and network segmentation. Because these compromised cameras support physical military activity, the reasoning behind patching a 2017 or 2021 vulnerability has shifted. The goal is to mitigate unauthorized reconnaissance on your own infrastructure. Security teams should also monitor for retaliatory digital operations that may escalate into destructive events as geopolitical tensions persist.
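The vendor and CVE list above, together with the patch-management and segmentation guidance in this section, can be turned into a prioritized work queue. The following is an added example (not code from the briefing or from either vendor) that scores a constructed camera inventory by internet exposure, proximity to a critical facility, and outstanding listed CVEs; it assumes the inventory already records which of the listed CVEs each device has remediated, and the weights are illustrative.

```python
# Added example (not from the briefing): prioritize camera patching and
# segmentation work from the vendor/CVE list given in the text.
# Assumption: the inventory records which listed CVEs are already remediated;
# mapping firmware versions to CVEs is out of scope here.
from dataclasses import dataclass, field

# Vendor -> CVE list, exactly as given in the briefing.
TARGETED_CVES = {
    "hikvision": {"CVE-2017-7921", "CVE-2021-36260", "CVE-2023-6895", "CVE-2025-34067"},
    "dahua": {"CVE-2021-33044"},
}

@dataclass
class Camera:
    name: str
    vendor: str
    internet_exposed: bool
    near_critical_facility: bool   # physically facing a sensitive site
    segmented: bool                # on an isolated VLAN, not the corporate LAN
    remediated: set = field(default_factory=set)  # CVE ids already patched

def outstanding_cves(cam):
    """CVEs from the briefing that still apply to this device."""
    return sorted(TARGETED_CVES.get(cam.vendor.lower(), set()) - cam.remediated)

def risk_score(cam):
    """Higher means patch first. Weights are constructed for illustration."""
    score = len(outstanding_cves(cam))
    if score == 0:
        return 0
    if cam.internet_exposed: score += 3
    if cam.near_critical_facility: score += 2
    if not cam.segmented: score += 1
    return score

def build_queue(inventory):
    """Return (name, score, outstanding CVEs, actions) sorted by urgency."""
    queue = []
    for cam in inventory:
        s = risk_score(cam)
        if s == 0:
            continue
        actions = ["patch"]
        if cam.internet_exposed: actions.append("remove from internet")
        if not cam.segmented: actions.append("move to isolated VLAN")
        queue.append((cam.name, s, outstanding_cves(cam), actions))
    return sorted(queue, key=lambda row: -row[1])

# Constructed sample inventory (not real devices).
SAMPLE = [
    Camera("lobby-01", "Hikvision", True, True, False, {"CVE-2017-7921"}),
    Camera("yard-07", "Dahua", False, False, True, set()),
    Camera("dock-03", "Hikvision", False, True, True, set(TARGETED_CVES["hikvision"])),
]
```

Running `build_queue(SAMPLE)` puts the exposed, unsegmented lobby camera first and drops the fully remediated dock camera from the queue.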

The developments of the last few days indicate an era of hybrid tactics where traditional boundaries are dissolving. Digital operations provide a scalable method for state-sponsored financial gain and a low-cost mechanism to shape the physical environment. Whether addressing an AI-generated IT worker or an exposed street camera, security programs must pivot from a purely data-centric view of risk to one that accounts for broader physical and operational implications.

While the security community has mapped the TTPs of Jasper Sleet and the targeting patterns of Iranian-aligned actors, significant unknowns remain. The full extent of agentic AI usage in operational environments is still being measured, and the degree of direct coordination between proxy groups and state military organs remains under investigation. We advise defenders to monitor for shifts in these methodologies as threat actors refine their automated tooling.