Winning against AI-based attacks requires a combined defensive approach

By user | January 26, 2026

Hacker News | January 26, 2026 | Endpoint security / Artificial intelligence

If there’s one constant in cybersecurity, it’s that adversaries are constantly innovating. The rise of aggressive AI is changing attack strategies and making attacks harder to detect. Google’s Threat Intelligence Group recently reported that attackers are using large language models (LLMs) to hide code, generate malicious scripts on the fly, and change the shape of malware in real time to evade traditional defenses. A closer look at these new attacks reveals both unprecedented sophistication and deception.

In November 2025, Anthropic reported on what it described as the first known “AI-orchestrated cyber espionage operation.” This operation integrated AI into every phase of the attack, from initial access to exfiltration, and was executed almost autonomously by the AI itself.

Another recent trend concerns ClickFix-related attacks that use steganography techniques (hiding malware within image files) to bypass signature-based scans. These attacks disguise themselves as legitimate software update screens or CAPTCHAs to trick users into deploying remote access Trojans (RATs), information stealers, or other malware payloads onto their own devices.

Attackers are also combining social engineering, man-in-the-middle attacks, and SIM swapping to abuse antivirus (AV) exclusion rules. According to an October 2025 Microsoft Threat Team investigation, a threat actor tracked as Octo Tempest convinced victims to disable various security products and to automatically delete email notifications. These steps allowed the malware to spread throughout the corporate network without triggering endpoint alerts. Additionally, attackers are readily deploying dynamic, adaptive tools specifically designed to detect and disable AV software on endpoints.

All of these techniques have something in common: the ability to bypass traditional defenses such as endpoint detection and response (EDR), which exposes the limits of relying on EDR alone. Their success shows that an EDR acting without additional layers of defense can be defeated. These are new attacks in every sense of the word, leveraging AI automation and intelligence to disrupt digital defenses. This moment marks a fundamental shift in the cyber threat landscape, and defensive strategies are changing rapidly in response.

Integration of NDR and EDR

Network detection and response (NDR) and EDR both offer different protection benefits. While EDR by its nature focuses on what is happening within each specific endpoint, NDR continuously monitors the network environment and detects threats as they pass through the organization. It detects what EDR cannot and excels at identifying behavioral anomalies and deviations from typical network patterns.

In the age of AI-based threats, both types of systems need to work together, especially because these attacks can be executed faster and at greater scale. Some EDR systems were not designed with the speed and scale of AI-powered attacks in mind. Organizations can take advantage of the additional protection that NDR, as a complementary technology, provides: detecting these network anomalies strengthens defenses and yields deeper insight from the network data itself.

Exacerbating the challenge is today’s expanding and more complex attack surface. Sophisticated threat actors combine threats that move across different domains, creating lethal combinations to compromise identities, endpoints, cloud, and on-premises infrastructure. This means security systems for each of these focus areas must work together and share metadata and other signals to discover and stop these threats. Attackers hide behind this complexity to maximize range, extend blast radius, and provide cover while assuming different roles and focusing on different intermediate targets using different hacking tools.

Blockade Spider is a group that has been active since April 2024 and uses these mixed domains for ransomware attacks. After locating and gaining access to an unmanaged system, it moves laterally within the network, searching for file collections to encrypt and attempting to extort a ransom. The defensive approach is clear: use NDR to gain visibility into unmanaged virtual and cloud systems, and EDR as soon as the attack crosses the network and reaches managed endpoints.

One of the more notorious variants is the one used in the Volt Typhoon attack observed by Microsoft in 2023. This is believed to be a LoTL (Living Off the Land) technique that helps Chinese state-sponsored attackers evade endpoint detection. Its targets were unmanaged network edge devices such as SOHO routers and other Internet of Things (IoT) hardware. The attackers were able to modify outgoing packets so that they appeared to come from a cable modem in Texas rather than from a direct link to an IP address in China. It was the network traffic that gave the game away. Although the attackers succeeded in evading EDR, changes in the volume of network traffic detected by NDR indicated that the supposed cable modem traffic was actually hiding something far more malicious. In this case, NDR served as a security safety net by detecting malicious activity that slipped through the EDR system.
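The volume-change signal described above, as an added example that is not part of the original article or of any vendor's product: a per-host outbound-bytes baseline over a constructed Zeek-style conn.log excerpt (the log format, hosts and byte counts are assumptions made for the example), flagging a host whose latest window jumps far beyond its own history while ignoring hosts with flat traffic or too little history.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed conn.log-style excerpt (fields: ts id.orig_h id.resp_h orig_bytes); values are made up.
# 10.0.0.5 is steady then bursts; 10.0.0.9 is flat; 10.0.0.7 has too little history to baseline.
CONN_LOG = """
1700000000 10.0.0.5 203.0.113.10 1200
1700000300 10.0.0.5 203.0.113.10 1400
1700000600 10.0.0.5 203.0.113.10 1200
1700000900 10.0.0.5 203.0.113.10 1400
1700001200 10.0.0.5 203.0.113.10 91300
1700000000 10.0.0.9 198.51.100.7 2000
1700000300 10.0.0.9 198.51.100.7 2000
1700000600 10.0.0.9 198.51.100.7 2000
1700000900 10.0.0.9 198.51.100.7 2000
1700001200 10.0.0.9 198.51.100.7 2000
1700000900 10.0.0.7 198.51.100.9 500
1700001200 10.0.0.7 198.51.100.9 50000
"""
WINDOW = 300  # seconds per bucket

def parse_conn_log(text):
    """Yield (ts, orig_host, orig_bytes) for each record in the constructed log text."""
    for line in text.strip().splitlines():
        ts, orig_h, _resp_h, orig_bytes = line.split()
        yield int(ts), orig_h, int(orig_bytes)

def outbound_per_window(records, window=WINDOW):
    """Sum outbound bytes per host per time bucket; return {host: [bytes per bucket, in time order]}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, host, nbytes in records:
        buckets[host][ts // window] += nbytes
    return {host: [b[k] for k in sorted(b)] for host, b in buckets.items()}

def flag_volume_anomalies(series, k=3.0, min_history=3, min_bytes=10_000):
    """Flag hosts whose latest window exceeds their own baseline mean + k*stdev -> {host: (latest, mean, z)}."""
    flagged = {}
    for host, values in series.items():
        if len(values) <= min_history:
            continue  # too little history to trust a baseline (10.0.0.7 in the sample)
        baseline, latest = values[:-1], values[-1]
        mu, sigma = mean(baseline), max(pstdev(baseline), 1.0)  # floor avoids divide-by-zero on flat hosts
        score = (latest - mu) / sigma
        if score > k and latest >= min_bytes:  # absolute floor suppresses tiny but "significant" blips
            flagged[host] = (latest, mu, round(score, 1))
    return flagged

if __name__ == "__main__":
    for host, (latest, mu, z) in flag_volume_anomalies(outbound_per_window(parse_conn_log(CONN_LOG))).items():
        print(f"{host}: {latest} bytes in latest window vs baseline {mu:.0f} (z={z})")
```

In practice the baseline would come from days of windows rather than four, and the flagged host would be cross-checked against EDR telemetry for the same time span.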

Increased remote work also increases vulnerabilities. VPNs have become widely used to support remote workers, creating new opportunities for abuse. Lack of visibility into remote networks means that a compromised endpoint on a trusted connection can cause harm to an organization’s environment. If EDR does not detect that the local machine running the VPN is already infected with malware, the malware can easily spread throughout the enterprise once that machine connects to the corporate network. A compromised VPN connection may also blend in with common network operations and management tools, hiding lateral movement across the network. For example, two recent breaches of the Salesforce supply chain were accomplished by using AI to harvest OAuth credentials and gain unauthorized access to various customer accounts. NDR helps identify vulnerable entry and transit points and the highest-risk areas to remediate first. EDR can also share evidence of compromised accounts being used as pivot points.

These and other exploits highlight the benefits of continuous monitoring in which EDR and NDR work in tandem, allowing defenders to discover innovative adversary techniques and respond quickly and decisively to emerging threats. As adversaries grow more capable alongside AI, this combined approach will be essential to reducing risk and improving an organization’s ability to respond.

Corelight’s Open NDR platform enables SOCs to detect new types of attacks, including those that leverage AI techniques. Its multi-layered detection approach includes behavioral and anomaly detection that can identify a range of unique and anomalous network activities. As adversaries develop new ways to circumvent EDR systems, security teams deploying NDR can strengthen their enterprise defense strategies. For more information, visit corelight.com/elitedefense.

This article is a contribution from one of our valued partners.
