Full Report
Crims 'will do what gets them their objective easiest and fastest,' Microsoft threat intel boss tells The Reg interview AI agents allow cybercriminals and nation-state hackers to outsource the "janitorial-type work" needed to plan and carry out cyberattacks, according to Sherrod DeGrippo, Microsoft's GM of global threat intelligence. North Korea is taking advantage.…
Analysis Summary
# Threat Actor: Coral Sleet
## Attribution & Identity
* **Actor Name:** Coral Sleet
* **Origin:** North Korea (Democratic People's Republic of Korea - DPRK)
* **Known Associations:** Identified as one of the primary crews involved in the high-profile 3CX supply chain attack.
* **Affiliation:** State-sponsored nation-state hacker group.
## Activity Summary
* **Agentic AI Integration (2025/2026):** Leveraging AI agents to automate "janitorial-type work," specifically reconnaissance and infrastructure management.
* **Rapid Infrastructure Staging:** Using development platforms to quickly create, test, and manage attack infrastructure at scale.
* **Campaign Management:** Utilizing natural language interfaces to communicate with malicious infrastructure, allowing for faster transition from planning to execution.
## Tactics, Techniques & Procedures
* **Automated Reconnaissance:** Using AI agents to scan specific net blocks, identify target systems, and perform "agentic" discovery on compromised hosts.
* **Infrastructure-as-Code (AI-Enabled):** Automating the setup of C2 (Command and Control) operations and purchasing/managing accounts via AI prompts.
* **Natural Language C2 Interaction:** Controlling malicious infrastructure through natural language commands rather than manual scripting.
* **Malware Development:** Integrating AI libraries and functions directly into malware code to enhance sophisticated behaviors.
* **Efficiency Scaling:** Outsourcing repetitive, time-consuming tasks to AI to increase the speed and volume of attacks (MITRE T0853 or similar AI-resource utilization).
## Targeting
* **Sectors:** Technology (supply chain), Software Development, Financial (implied by North Korean motivations), and entities with large "net blocks."
* **Geography:** Global (implied by the nature of net block scanning and previous 3CX campaigns).
* **Victims:** Software providers (e.g., 3CX) and targeted organizations identified through AI-driven reconnaissance.
## Tools & Infrastructure
* **AI Agents:** Used for automated "janitorial" tasks and reconnaissance.
* **Development Platforms:** Utilized for rapid scaling and staging of campaigns.
* **C2 Infrastructure:** Automated through AI-managed accounts and natural language interfaces.
* **Malware:** AI-enabled malware featuring distinct "hallmarks" of machine-generated code and the ability to call various AI functions/libraries.
## Implications
* **Increased Attack Velocity:** AI reduces the time required for the "drudge work" of a cyberattack, allowing actors to move from reconnaissance to exploitation much faster.
* **Lowered Entry Barrier:** AI agents allow less technically skilled operators to perform complex infrastructure management and reconnaissance tasks.
* **Scale and Volume:** The automation of infrastructure setup allows North Korean actors to maintain a much larger footprint of disposable command-and-control nodes.
* **Code Evolution:** While AI-generated code currently has detectable "hallmarks," the integration of AI libraries into malware signals a shift toward more autonomous and adaptive threats.
## Mitigations
* **Network Monitoring:** Enhanced focus on "agentic" automated reconnaissance patterns (unusually fast or repetitive scanning of net blocks).
* **Infrastructure Detection:** Defenders must look for signs of rapidly staged, AI-managed infrastructure that may lack the manual configuration signatures of human attackers.
* **Behavioral Analysis:** Prioritize the detection of malware that makes calls to AI functions or libraries, which Sherrod DeGrippo identifies as a "sophisticated" new use case.
* **Threat Hunting:** Focus on identifying compromised legitimate infrastructure that may be being "managed" via new automated development tools.