Microsoft has revealed that North Korea-linked state-sponsored cyber actors have begun to use artificial intelligence (AI) to make their operations more effective and efficient.

“They are learning to use tools powered by AI large language models (LLM) to make their operations more efficient and effective,” the tech giant said in its latest report on East Asia hacking groups.

The company specifically highlighted a group named Emerald Sleet (aka Kimusky or TA427), which has been observed using LLMs to bolster spear-phishing efforts aimed at Korean Peninsula experts.

The adversary is also said to have relied on the latest advancements in AI to research vulnerabilities and conduct reconnaissance on organizations and experts focused on North Korea, joining hacking crews from China, who have turned to AI-generated content for influence operations.

It further employed LLMs to troubleshoot technical issues, conduct basic scripting tasks, and draft content for spear-phishing messages, Redmond said, adding it worked with OpenAI to disable accounts and assets associated with the threat actor.

According to a report published by enterprise security firm Proofpoint last week, the group “engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the North Korean regime.”

Kimsuky’s modus operandi involves leveraging think tank and non-governmental organization-related personas to legitimize its emails and increase the likelihood of success of the attack.

In recent months, however, the nation-state actor has begun to abuse lax Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to spoof various personas and incorporate web beacons (i.e., tracking pixels) for target profiling, indicating its “agility in adjusting its tactics.”

“The web beacons are likely intended as initial reconnaissance to validate targeted emails are active and to gain fundamental information about the recipients’ network environments, including externally visible IP addresses, User-Agent of the host, and time the user opened the email,” Proofpoint said.

The development comes as North Korean hacking groups are continuing to engage in cryptocurrency heists and supply chain attacks, with a threat actor dubbed Jade Sleet linked to the theft of at least $35 million from an Estonian crypto firm in June 2023 and over $125 million from a Singapore-based cryptocurrency platform a month later.

Jade Sleet, which overlaps with clusters tracked as TraderTraitor and UNC4899, has also been observed attacking online cryptocurrency casinos in August 2023, not to mention leveraging bogus GitHub repos and weaponized npm packages to single out employees of cryptocurrency and technology organizations.

In another instance, a Germany-based IT company was compromised by Diamond Sleet (aka Lazarus Group) in August 2023 and weaponized an application from a Taiwan-based IT firm to conduct a supply chain attack in November 2023.

“This is likely to generate revenue, principally for its weapons program, in addition to collecting intelligence on the United States, South Korea, and Japan,” Clint Watts, general manager of the Microsoft Threat Analysis Center (MTAC), said.

The Lazarus Group is also notable for employing intricate methods like Windows Phantom DLL Hijacking and Transparency, Consent, and Control (TCC) database manipulation in Windows and macOS, respectively, to undermine security protections and deploy malware, contributing to its sophistication and elusive nature, per Interpres Security.

The findings come against the backdrop of a new campaign orchestrated by the Konni (aka Vedalia) group that uses Windows shortcut (LNK) files to deliver malicious payloads.

“The threat actor utilized double extensions to conceal the original .lnk extension, with the LNK files observed containing excessive whitespace to obscure the malicious command lines,” Symantec said. “As part of the attack vector, the command line script searched for PowerShell to bypass detection and locate embedded files and the malicious payload.”