Adversarial Oracles: LLM-Guided EDR Signature Reduction
ID: 3d520a17-d941-572a-a9b3-e1bb31a24d98
STIX ID: report--3d520a17-d941-572a-a9b3-e1bb31a24d98
Feed Name: Security Boulevard
This post describes an automated workflow that uses large language models, with VirusTotal as the oracle, to iteratively modify Go-based offensive tools (examples: Goffloader, Sliver) so as to reduce AV/EDR detections. It covers triage of detection types, hypothesis-driven single-variable rebuilds, the creation of 'ghost profiles' that mimic benign Go symbol tables, fixes for YARA-style signature triggers, operational caveats about VirusTotal OPSEC, and an outer Go loader that embeds a WASM-compiled payload as a disguise.
