Masters of Imitation: How Hackers and Art Forgers Perfect the Art of Deception

Cyberattackers, equipped with AI, are mastering the art of imitating the familiar: posing as trusted users and masking their activity within legitimate processes and ordinary network traffic. Mimicry is the new normal. CrowdStrike’s 2026 Global Threat Report states that 81% of attacks are now malware-free, relying instead on legitimate tools and techniques, which is the hallmark of Living-off-the-Land (LotL) tactics, and agentic AI is helping attackers hide more effectively within innocent-looking network traffic and behaviors. Spotting these fakes quickly isn’t just an option: it’s one of the best chances to disrupt an attack before it causes real harm.

Agentic AI-assisted actors operate autonomously or semi-autonomously, generating fake identities and code and mimicking legitimate behavior at scale. These capabilities are no longer used only to forge believable identities for fraud; they now produce exploit code to exfiltrate secrets and scripts to infect endpoints, forming the basis of a larger-scale attack. Sophisticated, self-learning agents observe network behavior and continuously tune their own traffic to mirror the patterns they see, so that anomaly detections are fooled. They shift C2 traffic into bursts that coincide with legitimate spikes and manipulate their signals just enough to avoid standing out. Attackers also use malicious AI agents to add a layer of complexity to software supply chains: the agents substitute malicious software and masquerade this code as just another benign update, making the origin and root cause of an exploit harder to determine. This is what Microsoft researchers found with the Shai Hulud v2 worm, where attackers modified hundreds of software packages into a coordinated ecosystem that harvests developer credentials and API secrets, then boosted its potency by propagating through trusted internal network shares, all while impersonating legitimate software updates.

Today’s attackers also cloak their network conversations, using IP tunnels to hide malicious activity inside legitimate-looking traffic. Another cloaking mechanism relies on purposely mismatched requests and replies, such as requesting confidential web data from a previously unknown destination, to evade detection. Cyberattackers apply the same imitation strategy to infrastructure, spinning up lookalike servers, domains, and services under their control that impersonate trusted systems. Recent Microsoft research shows threat actors luring users with fake Teams meeting messages that led to credential-harvesting sites disguised as legitimate login pages. Fakery lies at the heart of every phishing campaign: sender addresses that appear to belong to your domain but are actually homoglyph or homograph lookalikes.

Network detection and response (NDR) can catch attackers by watching for the behavioral patterns and anomalies that betray what’s really happening on the network. NDR exposes malicious activity by detecting behavioral anomalies, that is, deviations from established network baselines such as unusual login times, atypical data transfers, or unexpected lateral movement. It also reveals protocol and metadata inconsistencies, spotting mismatches such as odd protocol combinations, traffic to newly registered or homograph domains, or encrypted sessions with suspicious certificate details. NDR also provides context, enriching raw traffic with metadata that explains the wider picture so analysts can quickly separate real threats from noise. As attackers grow more sophisticated and leverage AI to scale their deception, defenders need tools that can see through the noise.
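As an added example (not code from the original post, and not from any NDR product), the following Python script shows how the homograph-domain signal described in the two paragraphs above can be checked in practice: it decodes Punycode sender domains, flags labels that mix Unicode scripts, and collapses confusable characters to an ASCII skeleton so a lookalike can be compared against the domains the organisation actually owns. The trusted domain `example.com`, the mail-log line format, and the small confusables subset are all assumptions made for this example; the log lines are constructed, not captured.

```python
import re
import unicodedata

# Domains the organisation actually owns (constructed for this example).
TRUSTED_DOMAINS = {"example.com"}

# Characters that render like ASCII letters: a small hand-picked subset of the
# Unicode confusables table (Cyrillic, Greek, Latin variants) plus two digit
# look-alikes. A production detector would load the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u03b1": "a", "\u03bf": "o", "\u0261": "g",
    "0": "o", "1": "l",
}


def to_unicode(domain):
    """Return the Unicode (U-label) form of a domain given as plain ASCII,
    as Punycode (xn--) labels, or as raw Unicode."""
    domain = domain.lower().rstrip(".")
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        # Already Unicode, or malformed Punycode: analyse the text as given.
        return domain


def scripts_per_label(unicode_domain):
    """For each DNS label, the set of Unicode scripts its letters come from
    (taken from the first word of each character's Unicode name)."""
    result = []
    for label in unicode_domain.split("."):
        scripts = {unicodedata.name(ch, "?").split()[0]
                   for ch in label if ch.isalpha()}
        result.append(scripts)
    return result


def skeleton(unicode_domain):
    """Collapse confusable characters to their ASCII look-alike so that
    visually identical domains compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicode_domain)


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the list of homograph signals for a sender domain; an empty
    list means nothing suspicious was found."""
    reasons = []
    udom = to_unicode(domain)
    if udom in trusted:
        return reasons                  # genuinely one of our own domains
    if any(label.startswith("xn--") for label in domain.lower().split(".")):
        reasons.append("punycode")      # an IDN: a signal, not a verdict
    if any(len(scripts) > 1 for scripts in scripts_per_label(udom)):
        reasons.append("mixed-script")  # e.g. Latin and Cyrillic in one label
    skel = skeleton(udom)
    if skel in trusted:
        reasons.append(f"confusable-match:{skel}")
    return reasons


# Constructed mail-gateway log lines (the format is an assumption); the
# second line carries a Cyrillic "а" inside what looks like example.com.
CYRILLIC_A = "\u0430"
SPOOF_ACE = ("ex" + CYRILLIC_A + "mple.com").encode("idna").decode("ascii")
SAMPLE_LOG = [
    "2026-03-02T08:01:10Z smtp from=alice@example.com to=bob@example.com",
    f"2026-03-02T08:02:44Z smtp from=billing@{SPOOF_ACE} to=bob@example.com",
    "2026-03-02T08:03:05Z smtp from=it-support@examp1e.com to=bob@example.com",
    "2026-03-02T08:04:19Z smtp from=news@partner.org to=bob@example.com",
]

SENDER_RE = re.compile(r"\bfrom=([^\s@]+)@(\S+)")


def scan_mail_log(lines, trusted=TRUSTED_DOMAINS):
    """Run classify_domain over every sender in the log and return a
    (sender, decoded_domain, reasons) tuple for each flagged line."""
    findings = []
    for line in lines:
        match = SENDER_RE.search(line)
        if not match:
            continue
        local_part, domain = match.groups()
        reasons = classify_domain(domain, trusted)
        if reasons:
            findings.append((f"{local_part}@{domain}", to_unicode(domain), reasons))
    return findings


if __name__ == "__main__":
    for sender, decoded, reasons in scan_mail_log(SAMPLE_LOG):
        print(f"{sender} (renders as {decoded}): {', '.join(reasons)}")
```

Run stand-alone, the script reports the Punycode sender (flagged as Punycode, mixed-script and a confusable match for `example.com`) and the `examp1e.com` sender (confusable match only), while `alice@example.com` and `partner.org` pass. The Punycode and mixed-script signals are deliberately kept separate from the skeleton match: legitimate internationalised domains exist, so those two are enrichment for an analyst, whereas a skeleton that collapses onto one of your own domains is the strong indicator.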


This post is licensed under CC BY 4.0 by the author.