Offensive AI Drives New Cyber Threats Exposing Limits Of Endpoint Defenses

Cybersecurity researchers continue to observe rapid changes in adversary behavior as offensive uses of artificial intelligence reshape how digital attacks are designed and executed. Recent reporting from Google’s Threat Intelligence Group highlights how threat actors are increasingly using large language models to conceal malicious code and generate scripts dynamically during attacks. This capability allows malware to change its behavior in real time, reducing the effectiveness of traditional signature-based detection and complicating incident response. Researchers say these developments point to a broader pattern of deception and automation that is altering how intrusions unfold across enterprise environments.

Evidence of this shift emerged in November 2025, when Anthropic disclosed what it described as the first documented AI-orchestrated cyber espionage campaign. In that operation, artificial intelligence was embedded across nearly every stage of the intrusion, from initial access to data exfiltration, with much of the activity executed autonomously. Around the same period, analysts began documenting a rise in ClickFix-related attacks that relied on steganography techniques, hiding malicious code within image files that appeared harmless to security scanners. These lures often took the form of fake software update prompts or CAPTCHA screens, persuading users to unknowingly install remote access trojans, information stealers, and other payloads. At the same time, attackers have been observed manipulating antivirus exclusion rules through social engineering, attack-in-the-middle methods, and SIM swapping. Microsoft researchers reported in October 2025 that a threat actor tracked as Octo Tempest successfully convinced victims to disable security products and suppress alert notifications, enabling malware to spread laterally across enterprise networks without triggering endpoint alarms.

Security teams note that while these techniques differ in execution, they share a common ability to evade legacy endpoint detection and response systems when deployed in isolation. Many of the newer attacks are designed to operate at speeds and scales that older endpoint-focused tools were not built to handle. Network detection and response technologies have gained renewed attention in this context because they monitor traffic across the environment and can identify behavioral anomalies that endpoints alone may miss. Analysts say that combining endpoint telemetry with continuous network visibility provides defenders with a more complete picture, especially as modern attacks span identity systems, cloud platforms, and on-premises infrastructure. Threat actors frequently exploit this complexity by moving between domains, using different tools and roles to increase their reach while masking malicious activity within normal operational traffic.

Several recent campaigns illustrate how mixed-domain attacks benefit from layered detection. Blockade Spider, active since April 2024, has been linked to ransomware operations that begin with access to unmanaged systems before moving laterally to locate valuable file collections for encryption. Investigators reported that the full scope of these intrusions only became clear after network-level visibility revealed suspicious activity in virtual systems and cloud assets, followed by endpoint alerts once the attack reached managed devices. Similar patterns were observed in the Volt Typhoon activity attributed to China-aligned actors and disclosed by Microsoft in 2023. In that case, attackers relied on living-off-the-land techniques and compromised unmanaged network edge devices such as small office routers and IoT hardware. By altering packet origins to mimic domestic cable modem traffic, they avoided endpoint-based detection. Variations in traffic volume and behavior detected at the network layer ultimately exposed the activity, underscoring the value of network-level monitoring as a safety net.

Remote work has further expanded the attack surface, increasing reliance on VPN connections that can obscure malicious movement. A compromised endpoint connecting through a trusted VPN can introduce threats into an enterprise environment if malware goes undetected locally. Researchers have also linked recent Salesforce supply chain breaches to AI-assisted credential harvesting, where OAuth tokens were abused to access customer accounts. In these cases, network visibility helped identify weak entry points and abnormal access patterns, while endpoint data provided confirmation of compromised accounts being used as pivot points. Security vendors report growing interest from SOC teams in platforms that correlate endpoint and network signals to detect emerging attack techniques, including those driven by AI. Analysts say this combined approach is becoming central to identifying subtle threats that bypass single-layer defenses and to responding more effectively as adversary capabilities continue to evolve.
