Imagine onboarding a new remote IT employee—fully vetted, technically skilled, and ready to contribute.
Now imagine that employee is actually a state-sponsored threat actor.
That’s exactly what Jasper Sleet, a North Korea-linked group, is doing—leveraging fake identities to infiltrate organizations from the inside.
This isn’t a traditional cyberattack.
It’s human-based intrusion combined with cloud compromise.
In this article, you’ll learn how this campaign works, why it’s so dangerous, and how to defend your organization before it’s too late.
What Is the Jasper Sleet Threat?
Jasper Sleet is an advanced persistent threat (APT) group that uses:
- Fake professional identities
- Stolen personal data
- AI-generated personas
…to secure legitimate remote IT jobs within target organizations.
Why this is different
Unlike phishing or malware attacks:
❌ No initial exploit required
❌ No vulnerability scanning
❌ No brute-force entry
✔ Attackers are invited in through hiring processes
How the Attack Works
Phase 1: Reconnaissance
The group scans:
- Company career pages
- Job postings
- Hiring platforms like Workday
Using AI tools, they:
- Analyze job descriptions
- Extract required skills
- Build tailored fake profiles
Phase 2: Identity Fabrication
Attackers create:
- Fake resumes
- LinkedIn-style profiles
- Stolen or synthetic identities
These personas are designed to:
✔ Pass background checks
✔ Match job requirements
✔ Blend into hiring pipelines
Phase 3: Recruitment & Hiring
Jasper Sleet interacts with companies via:
- Video interviews (Zoom, Teams, Webex)
They often:
- Avoid video verification
- Provide scripted responses
- Show high technical competence
Phase 4: Onboarding & Access
Once hired, attackers gain access to:
- Microsoft Teams
- SharePoint
- OneDrive
- Exchange Online
They also:
- Set up payroll accounts
- Integrate into workflows
- Establish persistence
Phase 5: Post-Access Activity
Once inside, attackers:
- Access sensitive data
- Move laterally in cloud environments
- Exfiltrate information
- Potentially initiate extortion
Exploiting HR Platforms: A New Attack Surface
A key innovation in this campaign is abusing HR systems like Workday.
Suspicious Behavior Identified:
- Repeated API calls to recruiting endpoints
- Automated scraping of job listings
- Multiple accounts accessing identical data
Why this matters:
HR platforms are now part of the attack surface.
Security teams often overlook:
- Recruitment workflows
- Applicant tracking systems
- External career portals
Indicators of Compromise (IoCs)
Security teams should watch for:
🚩 During Hiring
- Candidates avoiding camera use
- Inconsistent personal details
- Unusual urgency in onboarding
🚩 Post-Onboarding
- Impossible travel alerts
- Logins from multiple geographies
- Access from anonymous proxies
🚩 Technical Signals
- Repeated API queries
- Abnormal Workday activity
- Suspicious IP addresses
Real-World Impact
Potential Risks:
- Data exfiltration
- Insider threats
- Intellectual property theft
- Financial fraud
Why it’s dangerous:
This attack bypasses:
- Firewalls
- Endpoint protection
- Traditional threat detection
The attacker is already a “trusted employee”, so none of these controls see an intrusion.
Common Mistakes Organizations Make
❌ Treating HR and security separately
❌ Lack of identity verification in remote hiring
❌ Ignoring cloud access monitoring
❌ Delayed anomaly detection
Best Practices to Defend Against This Threat
1. Strengthen Identity Verification
- Enforce strict KYC-like checks
- Use identity validation tools
- Require live video verification
2. Monitor Cloud Activity
Implement:
- Impossible travel detection
- Behavioral analytics
- Session monitoring
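The impossible-travel and multiple-geography signals listed under the post-onboarding indicators, implemented as an added example (not the article's own code) over constructed sign-in records; the record fields and the 900 km/h threshold are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; anything faster is impossible travel

# Constructed sign-in records: (user, UTC time, country, latitude, longitude).
# The field set is an assumption modelled on a cloud identity provider's sign-in log.
SIGN_INS = [
    ("jdoe", "2025-06-01T08:00:00", "US", 40.7128, -74.0060),     # New York
    ("jdoe", "2025-06-01T09:30:00", "CN", 39.9042, 116.4074),     # Beijing, 90 minutes later
    ("jdoe", "2025-06-02T08:00:00", "US", 40.7128, -74.0060),     # New York, next day
    ("asmith", "2025-06-01T08:00:00", "US", 47.6062, -122.3321),  # Seattle
    ("asmith", "2025-06-01T13:00:00", "US", 34.0522, -118.2437),  # Los Angeles, 5 hours later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user whose implied speed exceeds max_kmh.
    Returns (user, from_country, to_country, speed_kmh); simultaneous sign-ins from
    two different places are reported with infinite speed."""
    by_user = {}
    for rec in sorted(sign_ins, key=lambda r: (r[0], r[1])):  # ISO timestamps sort as text
        by_user.setdefault(rec[0], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            hours = (datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])).total_seconds() / 3600
            if km == 0:
                continue  # same location, nothing to compare
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, prev[2], cur[2], speed))
    return alerts

def countries_per_user(sign_ins):
    """Distinct sign-in countries per user, the 'logins from multiple geographies' signal."""
    seen = {}
    for user, _, country, _, _ in sign_ins:
        seen.setdefault(user, set()).add(country)
    return {user: len(countries) for user, countries in seen.items()}
```

In production the same logic runs over the identity provider's sign-in export, with the threshold tuned so legitimate long-haul travel does not alert.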
3. Secure HR Platforms
- Monitor API usage
- Enable logging and alerts
- Restrict external access
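The "repeated API calls to recruiting endpoints" and "multiple accounts accessing identical data" behaviours from the HR-platform section, implemented as an added example (not code from the article or from Workday) over constructed API access logs; the log format, path prefix and rate threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECRUITING_PREFIX = "/api/recruiting/"  # assumption: path prefix of the recruiting endpoints
RATE_LIMIT = 20                         # assumption: more requests than this in one window is scraping
WINDOW = timedelta(minutes=5)

def constructed_log():
    """Constructed access-log lines, '<UTC time> <account> <method> <path> <status>': bot_1 pages
    through 30 listings in 30 seconds, bot_2 and bot_3 pull the same five postings, hr_user is normal."""
    t0 = datetime(2025, 6, 1, 9, 0, 0)
    fmt = lambda t, acct, path: f"{t:%Y-%m-%dT%H:%M:%SZ} {acct} GET {path} 200"
    lines = [fmt(t0 + timedelta(seconds=i), "bot_1", f"/api/recruiting/jobs?page={i}") for i in range(30)]
    for acct in ("bot_2", "bot_3"):
        lines += [fmt(t0 + timedelta(minutes=10), acct, f"/api/recruiting/jobs/{j}") for j in range(5)]
    lines.append(fmt(t0, "hr_user", "/api/recruiting/jobs/1"))
    lines.append(fmt(t0 + timedelta(hours=1), "hr_user", "/api/profile/me"))
    return lines

def parse(line):
    """Split one log line into (timestamp, account, method, path, status)."""
    ts, account, method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, method, path, int(status)

def scrapers(lines, limit=RATE_LIMIT, window=WINDOW):
    """Accounts exceeding `limit` recruiting-endpoint requests inside any sliding `window`."""
    times = defaultdict(list)
    for ts, account, _, path, _ in map(parse, lines):
        if path.startswith(RECRUITING_PREFIX):
            times[account].append(ts)
    flagged = set()
    for account, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(account)
                break
    return flagged

def identical_data_clusters(lines, min_accounts=2):
    """Groups of accounts whose sets of requested recruiting paths are exactly identical."""
    paths = defaultdict(set)
    for _, account, _, path, _ in map(parse, lines):
        if path.startswith(RECRUITING_PREFIX):
            paths[account].add(path)
    by_set = defaultdict(list)
    for account, seen in paths.items():
        by_set[frozenset(seen)].append(account)
    return sorted(sorted(accts) for accts in by_set.values() if len(accts) >= min_accounts)
```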
4. Cross-Team Collaboration
Security + HR must:
- Share intelligence
- Investigate suspicious candidates
- Align on risk policies
5. Use Security Tools
Deploy:
- Microsoft Defender for Cloud Apps
- SIEM solutions
- Threat intelligence feeds
Frameworks & Standards to Apply
Organizations should align with:
- Zero Trust Architecture
- NIST Insider Threat Guidelines
- MITRE ATT&CK (Insider Threat techniques)
Expert Insight: The Rise of “Human-Based Attacks”
This campaign signals a major shift:
Attackers are no longer breaking in—they’re logging in.
Key trends:
- AI-driven social engineering
- Identity-based attacks
- Cloud-native infiltration
FAQs
What is Jasper Sleet?
A North Korea-linked threat group using fake identities to infiltrate companies.
How do they gain access?
By getting hired as remote IT workers.
What systems do they target?
Cloud platforms like Microsoft 365 and HR tools like Workday.
What are key warning signs?
Impossible travel alerts, suspicious API activity, and inconsistent candidate behavior.
Can this affect all companies?
Yes—especially those hiring remote workers.
What’s the best defense?
Strong identity verification + continuous monitoring.
Conclusion: Trust Is the New Attack Vector
The Jasper Sleet campaign highlights a dangerous reality:
Your hiring process is now part of your security perimeter.
Key Takeaways:
- Fake IT workers are a real cyber threat
- HR platforms are now attack surfaces
- AI is enabling more convincing attacks
- Early detection is critical
Final Thought
If your organization hires remotely and uses cloud tools:
👉 You are a target.
Now is the time to reassess your hiring security posture.