Back

AI-Driven Malware Framework Automates EDR Evasion Tactics

Severity: High (Score: 70.2)

Sources: News.Sophos, specterops.io, Gbhackers, Letsdatascience, Infosecurity-Magazine

Published: 2026-06-02 · Updated: 2026-06-03

Keywords: threat, actor, detection, evasion, tools, observed, using

Summary

Sophos X-Ops analysts uncovered a threat actor utilizing AI technologies to develop a malware-testing framework aimed at evading endpoint detection and response (EDR) systems. The activity was detected on June 2, 2026, when alerts were triggered by suspicious payloads in a testing directory on a customer endpoint. The framework included multiple virtual machines running Windows Server 2022, testing against EDR solutions from Sophos, CrowdStrike, and Microsoft. The attacker employed AI tools such as Cursor and Claude Opus to automate Active Directory discovery and malware development processes. Despite the use of AI, the workflow remained human-driven, with significant reliance on human review and iteration. The investigation revealed that the malware was part of a broader cybercriminal operation, rather than a legitimate red team exercise. The malicious components were primarily Python scripts, many of which were AI-generated and written in Russian. The framework's sophistication raises concerns about the evolving capabilities of threat actors leveraging AI technologies. Key Points: • Sophos detected AI-driven malware development aimed at evading EDR systems. • The framework utilized multiple VMs to test against Sophos, CrowdStrike, and Microsoft EDRs. • AI tools were used to automate processes, but human oversight remained crucial.

Detailed Analysis

**Impact** The threat actor targeted enterprise environments using a sophisticated malware-testing framework to develop ransomware and data theft tools with enhanced EDR evasion capabilities. The activity was detected in at least one customer environment, with malicious payloads linked to ransomware operations affecting multiple organizations. The attack framework focused on post-exploitation activities including automated Active Directory discovery, potentially exposing sensitive credentials and network configurations. Specific sectors, geographies, and exact numbers of impacted entities were not disclosed. **Technical Details** The attacker used AI-assisted development tools, including the Cursor AI-native IDE and Claude Opus 4.5 agents, to automate malware creation, testing, and refinement against EDR solutions from Sophos, CrowdStrike, and Microsoft Defender. The framework operated within multiple Windows Server 2022 VMs and an Ubuntu VM running Sliver C2, employing a Python-based modular payload loader generating Rust and Go executables with layered encryption and evasion techniques. The AI agents mined public security research, mapped techniques to MITRE ATT&CK, and iteratively tested over 70 evasion techniques. No CVEs or zero-days were specifically mentioned. Indicators include payloads stored in `C:\Users\User\Documents\test` and Git repositories containing Russian-language Python scripts and AI-generated commits via Model Context Protocol (MCP). **Recommended Response** Organizations should maintain defense-in-depth strategies including timely patching, multi-factor authentication, and broad deployment of updated EDR solutions capable of detecting advanced evasion techniques. Monitoring for anomalous file activity in user document directories and unusual endpoint behavior is advised. Security teams should review logs for payloads resembling those generated by modular loaders and investigate any use of Cobalt Strike or Sliver frameworks. No specific CVE patches were identified; focus should be on behavioral detection and restricting lateral movement through hardened Active Directory configurations.

Source articles (9)

  • Pointing a Cursor at evading detection — News.Sophos · 2026-06-02
    Sophos X-Ops analysts observed a threat actor using artificial intelligence (AI) technologies to test endpoint detection and response (EDR) evasion tactics in a “red team” post-exploitation framework.…
  • Sophos uncovers AI — Feeds2.Feedburner · 2026-06-02
    A threat actor used AI technologies to build a malware-testing framework for developing and refining endpoint detection and response (EDR) evasion techniques, according to Sophos. The investigation be…
  • Threat Actor Uses AI to Build EDR Evasion Tools — Infosecurity-Magazine · 2026-06-02
    A threat actor has been observed using AI coding tools to develop and refine malware designed to slip past endpoint detection and response (EDR) software, in what was presented as a red team project.…
  • Blog — specterops.io · 2026-06-02
    TL;DR : An attacker could transfer StrongDM state files, which hold session authentication information, between hosts to provide authenticated sessions.… Research & Tradecraft TL;DR: Building a securi…
  • Threat actor uses AI agents to automate EDR evasion and malware testing — Feeds.4Sysops · 2026-06-02
    A threat actor has developed a sophisticated malware-testing framework that utilizes AI agents to automate the evasion of endpoint detection and response (EDR) software. The operation was discovered a…
  • Pointing a Cursor at evading detection — News.Sophos · 2026-06-02
    Sophos X-Ops analysts observed a threat actor using artificial intelligence (AI) technologies to test endpoint detection and response (EDR) evasion tactics in a “red team” post-exploitation framework.…
  • AI-built ransomware toolkit automates EDR evasion, AD discovery — Bleepingcomputer · 2026-06-02
    A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions. Tool and payload development wa…
  • Hackers Leverage AI — Gbhackers · 2026-06-03
    A threat campaign in which attackers leveraged AI-powered tools to streamline Active Directory (AD) compromise and accelerate endpoint detection and response (EDR) evasion testing. The activity, obser…
  • Attackers Use AI Tools to Automate Active Directory Attacks | Let's Data Science — Letsdatascience · 2026-06-03
    Researchers at Sophos detected, on June 2, 2026, a modular post-exploitation framework that used AI-assisted development and automated Active Directory discovery, Sophos told BleepingComputer. Reporti…

Timeline

  • 2026-06-02 — AI-driven malware framework discovered: Sophos X-Ops detected suspicious activity linked to AI tools used for EDR evasion in a customer environment.
  • 2026-06-02 — Malicious payloads identified: Alerts were triggered by malicious files found in C:\Users\User\Documents\test, indicating a broader attack framework.
  • 2026-06-02 — Framework linked to cybercriminal activity: Further investigation revealed the framework was used for ransomware operations, not legitimate red teaming.

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • CWE-78 - OS Command Injection (Cwe)
  • Cobalt Strike (Malware)
  • Sliver (Malware)
  • T1027 - Obfuscated Files Or Information (Mitre Attack)
  • T1055 - Process Injection (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1059.006 - Python (Mitre Attack)
  • T1069.002 - Domain Groups (Mitre Attack)
  • T1069 - Permission Groups Discovery (Mitre Attack)
  • T1071.001 - Web Protocols (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1562 - Impair Defenses (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Active Directory (Platform)
  • CrowdStrike EDR (Platform)
  • Microsoft EDR (Platform)
  • Sophos EDR (Platform)
  • Telegram (Platform)
  • Windows (Platform)
  • Windows Server 2022 (Platform)
  • Ubuntu (Company)
  • Cursor (Company)
  • Bloodhound (Tool)
  • Claude Opus (Tool)
  • Claude Opus 4.5 (Tool)
  • Git (Tool)
  • Python (Tool)
  • Telegram Bot API (Tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed