We’ve seen long-standing ransomware gangs like Clop, BlackCat, Ryuk, and Royal deploy custom-built malware, not off-the-shelf kits. These groups run infrastructure, manage affiliates, and evolve their code in a lifecycle that resembles software development.
AI is now lowering barriers: criminals are using LLMs and coding assistants to automate exploit creation, obfuscation, and evasion, making complex attacks easier even for actors without deep technical expertise.
Ransomware-as-a-service (RaaS) also separates roles: the people writing the code aren’t always the ones deploying it. Yet both roles involve engineering decisions, iteration, and tooling similar to legitimate software development.
The takeaway: criminal tooling is increasingly engineered, not opportunistic. Defenders need to rethink threat research, automation, and talent investment to keep pace proactively, not just reactively.