Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
2023-10-18 • Microsoft •
Microsoft observed two North Korean nation-state actors, Diamond Sleet and Onyx Sleet, exploiting CVE-2023-42793 in JetBrains TeamCity servers since early October 2023.

Diamond Sleet used compromised infrastructure and PowerShell to deploy the ForestTiger backdoor, staged its configuration data under C:\ProgramData, established persistence with a scheduled task, and dumped credentials from LSASS memory. In other intrusions the actor also used DLL search-order hijacking chains involving RollSling and FeedLoad.

Onyx Sleet created a local account named krtbgt (a lookalike of the built-in krbtgt Kerberos service account) and added it to the local Administrators group, performed system discovery, deployed the HazyLoad proxy tool from attacker-controlled infrastructure, used RDP, stopped the TeamCity service, and collected credentials from LSASS and browsers.

The report highlights the risk to CI/CD environments: North Korean actors have previously used build-environment access for software supply-chain operations, and these TeamCity intrusions give persistent access to development infrastructure.
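The behaviours summarised above translate directly into hunting logic. The following is an added example (not code from Microsoft's report) that scans exported Windows event records for three of them: creation of a local account whose name is within one edit of krbtgt (catching krtbgt and similar decoys) and its addition to the local Administrators group, a scheduled task whose action runs from C:\ProgramData, and the TeamCity service entering the stopped state. The event IDs (4720, 4732, 4698, 7036) are the real Windows ones; the field names and the sample events are constructed for the example and assume the JSON-style export shape shown inline.

```python
import re

# Built-in Kerberos service account that the decoy name imitates.
LEGIT_KRBTGT = "krbtgt"

# Matches a task action rooted in C:\ProgramData (case-insensitive).
PROGRAMDATA_RE = re.compile(r"c:\\programdata\\", re.IGNORECASE)

# Constructed sample events (not real telemetry). Field names assume a
# JSON-converted Security/System event log export.
SAMPLE_EVENTS = [
    {"log": "Security", "event_id": 4720, "SubjectUserName": "svc_build",
     "TargetUserName": "krtbgt"},                                # decoy account created
    {"log": "Security", "event_id": 4732, "TargetUserName": "Administrators",
     "MemberName": "BUILD01\\krtbgt"},                           # decoy added to local admins
    {"log": "Security", "event_id": 4720, "SubjectUserName": "admin",
     "TargetUserName": "jenkins_ci"},                            # benign account
    {"log": "Security", "event_id": 4698, "TaskName": "\\Updater",
     "TaskContent": "<Command>C:\\ProgramData\\updater.exe</Command>"},   # persistence
    {"log": "Security", "event_id": 4698, "TaskName": "\\Backup",
     "TaskContent": "<Command>C:\\Program Files\\Backup\\bk.exe</Command>"},  # benign
    {"log": "System", "event_id": 7036, "param1": "TeamCity", "param2": "stopped"},
    {"log": "System", "event_id": 7036, "param1": "Spooler", "param2": "running"},
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits are insert, delete,
    substitute, or transpose two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def is_krbtgt_lookalike(name: str) -> bool:
    """True for names one edit away from krbtgt, but not krbtgt itself.
    'krtbgt' is a single transposition, so it matches."""
    n = name.lower()
    return n != LEGIT_KRBTGT and osa_distance(n, LEGIT_KRBTGT) == 1


def hunt(events):
    """Return (rule, subject) findings for the indicators described in the report."""
    findings = []
    for e in events:
        log, eid = e.get("log"), e.get("event_id")
        if log == "Security" and eid == 4720:                  # user account created
            name = e.get("TargetUserName", "")
            if is_krbtgt_lookalike(name):
                findings.append(("krbtgt_lookalike_created", name))
        elif log == "Security" and eid == 4732:                # member added to local group
            member = e.get("MemberName", "").rsplit("\\", 1)[-1]   # strip DOMAIN\ prefix
            if (e.get("TargetUserName", "").lower() == "administrators"
                    and is_krbtgt_lookalike(member)):
                findings.append(("krbtgt_lookalike_local_admin", member))
        elif log == "Security" and eid == 4698:                # scheduled task created
            if PROGRAMDATA_RE.search(e.get("TaskContent", "")):
                findings.append(("scheduled_task_from_programdata", e.get("TaskName", "")))
        elif log == "System" and eid == 7036:                  # service state change
            if (e.get("param1", "").lower() == "teamcity"
                    and e.get("param2", "").lower() == "stopped"):
                findings.append(("teamcity_service_stopped", e["param1"]))
    return findings


if __name__ == "__main__":
    for rule, subject in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

Events 4720 and 4732 only appear if the "Audit User Account Management" and "Audit Security Group Management" subcategories are enabled, and 4698 requires "Audit Other Object Access Events"; a build host with default audit policy will log none of them, so check the policy before relying on this hunt. The one-edit rule is deliberately broader than the single name krtbgt so that other transpositions or substitutions of krbtgt are caught as well.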