When it comes to cybersecurity, one thing remains constant: adversaries are always evolving. The emergence of offensive AI is revolutionizing attack techniques, making them more difficult to detect. Google’s Threat Intelligence Group recently highlighted how adversaries are utilizing Large Language Models (LLMs) to hide code and generate malicious scripts in real-time, allowing malware to constantly change and evade traditional defenses. These sophisticated and deceptive attacks signify a new era in cyber threats.
In November 2025, Anthropic uncovered what they termed as the first documented “AI-orchestrated cyber espionage campaign.” This operation showcased AI playing a key role in all stages of the attack process, from initial infiltration to data exfiltration, largely autonomously.
Recent trends also include ClickFix-related attacks employing steganography to hide malware within image files, bypassing signature-based scans. By masquerading as legitimate software updates or CAPTCHAs, these attacks trick users into unknowingly installing remote access trojans (RATs) and other malware payloads on their devices.
Adversaries are finding ways to exploit and compromise anti-virus (AV) exclusion rules through a combination of social engineering, man-in-the-middle attacks, and SIM swapping techniques. Research from Microsoft in October 2025 revealed that threat actors, like Octo Tempest, persuaded victims to disable security products and delete email notifications, allowing their malware to spread undetected within a network.
These tactics all have one thing in common: the ability to evade conventional defenses like endpoint detection and response (EDR), highlighting the limitations of relying solely on EDR. These AI-driven attacks represent a significant shift in the cybersecurity landscape, necessitating a reevaluation of defensive strategies.
The Importance of NDR and EDR Integration
Network detection and response (NDR) and EDR offer distinct protection advantages. While EDR focuses on individual endpoint activity, NDR continuously monitors network traffic, identifying threats as they move across the network. In the face of AI-driven threats, combining these systems is crucial, as attacks can operate at high speeds and scales that EDR alone may not effectively address.
In today’s complex threat landscape, attackers leverage multiple domains to compromise organizations, targeting identity, endpoints, cloud, and on-premises infrastructure. To combat these multifaceted attacks, security systems across these domains must collaborate, sharing data to detect and thwart threats effectively.
Groups like Blockade Spider have exploited mixed domains for ransomware attacks, moving laterally across networks to encrypt files. Utilizing NDR for network visibility and EDR for endpoint protection proved instrumental in disrupting these attacks.
In a notable incident, the Volt Typhoon attack, attributed to Chinese state-sponsored actors, used LoTL techniques to evade EDR. NDR’s ability to detect anomalies in network traffic helped uncover the malicious activity that slipped past EDR systems.
The shift towards remote work has introduced new vulnerabilities, especially with the widespread use of VPNs. Compromised endpoints on trusted connections can introduce malware to organizational networks, emphasizing the need for continuous monitoring with EDR and NDR working in tandem.
Corelight’s Open NDR Platform offers a comprehensive solution for detecting novel attack methods, including those leveraging AI. By combining behavioral and anomaly detections, Corelight enhances enterprise defenses against evolving threats.
