AI as Tradecraft: How Threat Actors Are Operationalizing AI [Microsoft Threat Intelligence Podcast]

Mar 12, 2026

Vlad Honyanyy, a threat intel analyst studying North Korean–linked cyber activity, and Greg Schlomer, a researcher on DPRK-aligned operations, discuss how AI is woven into attacker workflows. They cover AI-powered phishing and persona fabrication, accelerated malware development, autonomous agents building exploits, and how AI levels the playing field for less-skilled operators.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

AI Accelerates Rapid Iteration In Attacks

AI is being integrated across the attack lifecycle to accelerate iteration and scale operations.
Vlad Honyanyy observed rapid experimentation where groups test new vectors, expand on successes, and discard failures within months.

INSIGHT

AI Suits Decentralized Scrappy Operations

AI fits the scrappy, startup-like workflow of many DPRK-aligned operators, enabling fast iteration and experimentation.
Greg Schlomer noted decentralized cells use different tools and rapidly adopt AI to try new tactics without centralized approval.

INSIGHT

IT Worker Cells Lead AI Adoption

Early AI adopters among DPRK groups are large scale IT-worker operations like Jasper Sleet and Storm 1877, not the rigid intelligence bureaus.
Greg Schlomer explained bureaucratic intelligence units may be slower to adopt compared with flexible IT worker cells.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Greg Schlomer and Vlad Honyanyy to discuss new research on Jasper Sleet, a North Korean–aligned threat actor incorporating AI into active operations.

The conversation examines how AI is being integrated across the attack lifecycle — from highly tailored phishing lures and fabricated job applicant personas to accelerating malware development and refining operational workflows. Rather than treating AI as a novelty, Jasper Sleet is using it to increase speed, scale, and adaptability while reducing many of the friction points that once slowed campaigns.

They also explore what this shift means for defenders. As AI compresses iteration cycles and lowers barriers to entry, traditional attribution signals evolve, influence operations become more convincing, and defensive teams must tighten the loop between intelligence, detection, and response. This is less about experimentation and more about the operationalization of AI as part of modern tradecraft.

In this episode you’ll learn:

How AI is changing the speed at which cyber operations evolve

Why jailbreaking AI models is often trivial for motivated adversaries

The strategic implications of AI leveling the playing field between threat actors

Some questions we ask:

Is there resistance among experienced malware authors to adopting AI?

Are we seeing fully AI-written malware in the wild?

What stands out about Jasper Sleet’s use of AI?

Resources:

View Greg Schloemer on LinkedIn

View Sherrod DeGrippo on LinkedIn

Related Microsoft Podcasts:

Afternoon Cyber Tea with Ann Johnson

The BlueHat Podcast

Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Get the latest threat intelligence insights and guidance at Microsoft Security Insider

The Microsoft Threat Intelligence Podcast is produced by Microsoft, Hangar Studios and distributed as part of N2K media network.

Learn more about your ad choices. Visit megaphone.fm/adchoices