
Sophos X-Ops: underground AI adoption is cautious but concrete — LLM-assisted packers, LLM C2 orchestration, NLP-triaged leak markets [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-19 · published 2026-06-19

Sophos Counter Threat Unit's underground-forum monitoring paints a nuanced picture of criminal AI adoption rather than the hype-or-nothing framing common elsewhere (Sophos X-Ops, 2026-06-17). The concrete operational uses the team observed: an open-source polymorphic PE packer (PolyEngine) that uses an LLM to refine generated code so that each build evades static detection; a modified Cobalt Strike build that integrates an LLM through an MCP interface for C2 orchestration; a stolen-data exchange ("Leak Bazaar") that applies NLP to auto-triage and categorise stolen datasets for buyers; and advertised AI voice-bots for vishing. At the same time, scepticism persists among skilled actors, who doubt the practical gains and fear that AI will erode the market rate for manual services.

[SINGLE-SOURCE] — the specific forum-actor claims derive solely from Sophos CTU's own monitoring and cannot be independently corroborated, though the broader trend is consistent with multiple concurrent reports.

Why it matters to us: the defender-relevant signal is that AI-assisted packing and obfuscation are weakening static signature matching faster, and AI-quality language lowers the cost and raises the success rate of vishing. Supplement signature-only detection with behavioural controls, and update social-engineering awareness training to assume fluent, localised lures.