Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON

2024-11-22 Microsoft

https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon

Microsoft summarized CYBERWARCON research on DPRK operators that steal cryptocurrency, collect intelligence on weapons systems and sanctions policy, and place North Korean IT workers abroad to generate regime revenue. Sapphire Sleet was described as using venture-capital and recruiter personas to reach targets, then sending macOS .scpt or Windows .vbs meeting-fix scripts or skills-assessment downloads that install malware and help steal cryptocurrency wallets and credentials. Ruby Sleet was reported to have improved its phishing tradecraft by signing malware with compromised certificates, distributing backdoored VPN clients and installers, and tailoring capabilities to victim environments. Microsoft also cited a December 2023 Ruby Sleet supply-chain compromise of a Korean construction company that replaced legitimate VeraPort software with a version communicating with Ruby Sleet infrastructure.