Threat Intel Content Update: 7/8/2025

  • July 8, 2025

North Korean IT Worker Threats

Threat Content Highlights

“Trending & Emerging Threats” weekly update: North Korean IT Worker Threats

  • We added a new Campaign object based on recent Microsoft intelligence about North Korean workers who are believed to fraudulently gain employment with Western companies (activity that Microsoft tracks as “Jasper Sleet”).

    • This is the second Campaign we’ve added around these schemes, and this week’s Threat Profile update includes both objects, weighted to emphasize recency.

    • These workers take many steps to trick employees into hiring them, and after they're onboarded, detection opportunities could be relatively limited and/or noisy (e.g. VPN or remote access tool usage).

  • A relatively distinctive characteristic of these schemes is the use of IP-based keyboard/video/mouse (KVM) devices (T1219.003 - Remote Access Hardware).

  • Tidal Coverage Map Recommendations highlight an ATT&CK Analytic focused on a relevant implementation of this Sub-Technique:
[Image: North Korean IT Workers Threats]
