Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Top 10 Next-Generation Firewall Solutions for 2026
July 6, 2026
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Home/Threats/Microsoft Warns Jasper Sleet Phishing Infiltrates Cloud Environments
Threats

Microsoft Warns Jasper Sleet Phishing Infiltrates Cloud Environments

Key Takeaways A North Korea-backed group, Jasper Sleet, is infiltrating organizations by securing legitimate remote IT positions. The threat actor crafts sophisticated fake personas, often using AI,...

Sarah simpson
Sarah simpson
April 22, 2026 4 Min Read
40 0

Key Takeaways

  • A North Korea-backed group, Jasper Sleet, is infiltrating organizations by securing legitimate remote IT positions.
  • The threat actor crafts sophisticated fake personas, often using AI, to pass recruitment screenings and gain access to cloud environments.
  • Once hired, Jasper Sleet leverages internal access to steal data or conduct extortion, posing a risk to any organization hiring remote workers and utilizing cloud-connected HR platforms.
  • Microsoft has provided detection strategies and recommends a joint effort between security and HR teams to mitigate this unique threat.

North Korean Threat Group Infiltrates Cloud Environments Through Fake Remote IT Worker Scheme

A sophisticated threat group, identified as Jasper Sleet and linked to North Korea, is actively compromising corporate cloud environments by exploiting the shift to remote work. This actor crafts elaborate fake professional identities to secure legitimate remote IT positions within target companies, subsequently gaining direct access to sensitive internal data and critical cloud infrastructure.

Table Of Content

  • Key Takeaways
  • North Korean Threat Group Infiltrates Cloud Environments Through Fake Remote IT Worker Scheme
  • Sophisticated Recruitment Exploitation
  • How Jasper Sleet Operates Inside HR Platforms
  • Pre-Recruitment Phase
  • Recruitment and Post-Onboarding
  • What You Should Do

The global pivot towards remote and hybrid work models, accelerated by the COVID-19 pandemic, fundamentally altered corporate hiring practices. Organizations increasingly rely on online interviews, digital onboarding processes, and remote access tools, inadvertently creating new vulnerabilities that Jasper Sleet has been quick to exploit.

Microsoft analysts and researchers have meticulously tracked Jasper Sleet’s operational tactics across various cloud environments and HR platforms. Their findings indicate a systematic approach where the group targets companies utilizing widely adopted HR software, such as Workday.

Sophisticated Recruitment Exploitation

According to Microsoft Threat Intelligence, Jasper Sleet’s method involves surveying open roles on external career sites. They then employ generative AI to analyze job postings, identify required skills, and construct highly convincing digital personas tailored to specific roles, designed to bypass initial recruitment screenings.

This is not a random attack strategy. The group conducts thorough research on target organizations, meticulously aligning their applications with the language and requirements of job listings, thereby submitting credible applications that effectively deceive hiring teams.

Upon successful hiring, Jasper Sleet proceeds through standard onboarding procedures, establishes payroll accounts, and gains access to essential internal tools like Microsoft Teams, SharePoint, OneDrive, and Exchange Online. Microsoft has observed a notable increase in “impossible travel” alerts among new hires during their initial months, a key indicator of suspicious remote IT worker activity linked to this group.

With unfettered access, the threat actor can then navigate the organization’s cloud environment, exfiltrate sensitive files, and in some instances, execute data theft or extortion schemes. The scope of this threat is broad, impacting any organization that employs remote workers and utilizes cloud-connected HR platforms. Microsoft has publicly shared its research to equip security and HR teams with the knowledge to identify and neutralize suspicious candidates before they gain internal access.

How Jasper Sleet Operates Inside HR Platforms

A distinctive feature of Jasper Sleet’s methodology is their precise exploitation of HR software workflows.

Pre-Recruitment Phase

During the pre-recruitment phase, Microsoft observed the group executing programmatic API calls to Workday’s Recruiting Web Service endpoints, which are accessible via external career sites. These calls allowed them to access data related to job postings, active applications, and questionnaires, revealing a pattern of suspicious API call activity originating from known Jasper Sleet infrastructure.

What differentiates this activity from a legitimate job seeker is its repetitive nature. Microsoft noted that the group utilized multiple external accounts to access the same API endpoints consistently and repeatedly, a behavior inconsistent with typical applicant interaction with hiring portals.

Recruitment and Post-Onboarding

In the recruitment phase, Jasper Sleet engages with hiring teams through email and video conferencing platforms, including Microsoft Teams, Zoom, and Cisco Webex. Following a successful hire, the threat actor logs into the newly created Workday account and updates payroll details from known Jasper Sleet infrastructure, capturing post-onboarding sign-in activity from flagged IP addresses.

What You Should Do

Microsoft advises organizations to implement several measures to mitigate exposure to this threat, emphasizing a collaborative approach between security and HR teams, as the campaign spans both functions.

  • Enable Cloud App Connectors: Integrate connectors in Microsoft Defender for Cloud Apps to enhance visibility into activities across Workday, DocuSign, Zoom, and Cisco Webex. This enables security teams to track API events, monitor external account activity, and cross-reference suspicious IP addresses against threat intelligence feeds.
  • Monitor Anomalous Login Behavior: Flag and promptly investigate any events associated with newly hired employees that originate from anonymous proxies or multiple disparate geographic locations.
  • Enhance Social Engineering Training: Provide comprehensive social engineering training for HR teams and all employees involved in the hiring process. This training should focus on recognizing suspicious interview behaviors, such as candidates avoiding camera use, providing inconsistent background details, or exhibiting unusual urgency regarding payroll setup.
  • Prioritize Early Detection: Emphasize early detection of red flags during the recruitment process, as identifying and addressing threats before a candidate is hired and granted access is significantly more effective than post-access detection.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitSecurityThreat

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Claude Mythos AI Uncovers 271 Zero-Days in Firefox

Next Post

Lotus Wiper Destroys Data in Energy Sector Attacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
OpenSSH 9.7 Fixes Critical Vulnerabilities, Adds New Features
July 6, 2026
Critical Microsoft Edge Bug (CVE-2024-XXXX) Lets Attackers Run Code Remotely
July 6, 2026
Windows 11 24H2, 25H2 Bug Triggers Black Screens, Start Menu Failure
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us