The safety filters that AI companies spent billions building? North Korean hackers are treating them like a minor inconvenience.
Microsoft Threat Intelligence published two reports in March and April 2026 documenting how state-sponsored threat actors — particularly North Korean groups tracked as Coral Sleet and Jasper Sleet — have moved beyond using AI as a convenience tool. They’re now running fully AI-enabled attack workflows: jailbreaking language models to generate malware, building fake corporate infrastructure with agentic AI tools, and iterating on exploit code faster than defenders can patch.
This isn’t a hypothetical risk paper. It’s field evidence from active operations.
How They Jailbreak
The techniques won’t surprise anyone who follows LLM security research. But seeing them deployed by nation-state operators in production attacks hits different than reading about them in a conference paper.
Microsoft documented several jailbreak methods in active use. The most common: role-based prompt manipulation. Threat actors instruct the model to assume a trusted role — “Respond as a cybersecurity analyst” or “You are a penetration testing expert performing authorized testing” — to establish a context where generating exploit code seems legitimate. The model’s safety training, designed to refuse malicious requests, gets confused by the framing. It’s not being asked to write malware. It’s being asked to help a security professional.
Other techniques include chaining instructions across multiple interactions (splitting the malicious request into seemingly innocent pieces), misusing system-level prompts to override safety guidelines, and reframing prompts to transform prohibited outputs into permitted ones.
None of these are novel. They’ve been documented in academic papers for years. The difference is that someone is now using them at scale to compromise real systems.
The OtterCookie Problem
Coral Sleet’s OtterCookie payload is the clearest example of what AI-assisted malware development looks like in practice. Microsoft identified telltale signatures of AI-generated code: emojis used as visual markers in the code path (green checkmarks for successful requests, red crosses for errors), conversational inline comments that read like a developer explaining their thought process to an AI assistant, and over-engineered modular structures consistent with AI coding patterns.
The malware itself wasn’t the product of a single jailbreak session. Coral Sleet used AI coding tools iteratively — generating components, testing them, refining the output, and reimplementing parts that didn’t work. The development cycle that might have taken a skilled malware author weeks was compressed into days.
And this is the group that also built fully AI-enabled lure operations: fake company websites, spoofed interview processes, and social engineering campaigns designed to extract credentials from targets in government, defense, and technology sectors.
The Entire Attack Chain, Automated
The April 2 report describes something more alarming than individual jailbreaks: threat actors are now using AI across every phase of the cyberattack lifecycle.
Reconnaissance: AI accelerates infrastructure discovery, identifying vulnerable targets and mapping attack surfaces faster than manual enumeration.
Resource development: Threat actors use AI to forge documents, create convincing identities, generate deepfakes and voice clones, and build entire fake corporate presences.
Initial access: AI-crafted phishing lures are dramatically more effective. Microsoft’s research documents that AI-generated phishing content produces measurably higher click-through rates. Social engineering messages are better written, more personalized, and harder to distinguish from legitimate communication.
Persistence and evasion: AI helps scale fake identity creation and maintain long-term access by generating contextually appropriate responses when challenged.
Post-compromise: In one case, AI was used to adapt tooling to the specific victim environment and automate ransom negotiation — the AI handling back-and-forth with the victim while operators focused on exfiltration.
Humans still make the key decisions. But AI is reducing friction at every step. The barrier to entry for sophisticated cyberattacks is dropping, and the speed of operations is increasing.
Why the Safety Filters Failed
Every major AI lab claims their models refuse to generate malware, assist in cyberattacks, or help with social engineering. And in straightforward tests, they do. Ask Claude to write a ransomware payload and it’ll decline. Ask GPT to draft a phishing email and it’ll refuse.
But safety training optimizes for a specific threat model: a naive user making an obvious request. It doesn’t hold up against a sophisticated adversary with domain expertise, patience, and the ability to decompose a malicious task into individually innocuous steps.
Role-based jailbreaks work because safety training relies heavily on intent classification. If the model believes the user has legitimate reasons for their request, the safety filter relaxes. A nation-state operator with knowledge of penetration testing terminology can construct prompts that are technically indistinguishable from legitimate security work.
This is the gap that AI safety teams have been unable to close. The same knowledge that makes a model useful for legitimate cybersecurity work makes it useful for malicious cybersecurity work. The only difference is intent, and intent is precisely what language models are worst at determining.
What This Means
The AI industry’s response to weaponization has been reactive: detect new jailbreaks, patch them, wait for the next one. It’s the same whack-a-mole strategy that failed in every previous cybersecurity context.
Meanwhile, the capability gap is widening. Each generation of models gets better at coding, more capable of understanding complex technical requests, and more useful as an attack tool. Safety filters get marginally better. But as Microsoft’s evidence shows, they’re not keeping pace with adversary adaptation.
The uncomfortable question isn’t whether AI can be weaponized — that’s been answered. It’s whether the current approach to AI safety, built around refusal training and content filters, is fundamentally inadequate against determined, well-resourced adversaries.
Microsoft’s reports suggest the answer is yes. The evidence isn’t a conference paper or a red team exercise. It’s an active North Korean operation, running today, using your AI tools against you.