AI-Built Ransomware Toolkit Turns EDR Evasion Into a Faster Cybercrime Workflow
A ransomware-focused threat actor adopted an AI-built toolkit for Active Directory discovery and endpoint detection and response evasion. Sophos found Cursor and Claude Opus agents assisted development, with close to 80 modules tested against more than 70 techniques. The practical test is whether defenders can shorten validation cycles as AI accelerates the move from offensive research to working malware components.
AI-Assisted Malware Development Moves Into Ransomware Tooling
A ransomware-focused threat actor has adopted an AI-built toolkit for Active Directory discovery and evasion of endpoint detection and response (EDR) systems.
Sophos researchers detected the activity in a customer environment after alerts were triggered by payloads stored under `C:\Users\User\Documents\test`.
The toolkit points to a practical shift in cybercrime operations.
Cursor and Claude Opus agents assisted tool and payload development across initial coding, analysis and revisioning, while other agents checked security research posts for bypass techniques.
Some malware created through the workflow was tested in virtual environments against EDR tools from Sophos, CrowdStrike and Microsoft.
Sophos said humans still directed the process, and investigators did not find AI running inside deployed malware or acting on its own in victim environments.
The risk signal is different: AI tools appear to be compressing the time required to convert offensive research into working malware components.
EDR Evasion Becomes the Development Target
The files found by Sophos suggested an attack framework designed around detection evasion.
Components included Cobalt Strike profiles meant to make beacon traffic resemble legitimate web requests, a Telegram bot API-based command-and-control mechanism, Python scripts for injecting shellcode into legitimate Windows executables, and a Cloudflare Worker used as a front-end redirector to obscure the backend command-and-control server.
Sophos initially considered whether the activity could be part of a legitimate red-team engagement.
The assessment changed after investigators found artifacts indicating malicious and criminal activity, including Cobalt Strike operator logs referencing a ransom note and multiple organizations on a ransomware leak site.
The toolkit also included a Git repository with an automated Active Directory (AD) discovery panel and a lab for iterative malware testing against Sophos, CrowdStrike and Windows Defender EDR agents.
AD discovery collected observations from completed tasks, selected the next action from predefined choices and delegated steps to remote agents before reassessing the results.
The Watchpoint Is Research-to-Exploit Speed
The framework assigned separate roles to multiple AI agents.
A Claude Opus agent coordinated research and development, while other agents handled testing, OPSEC hardening, documentation, proxy stress testing, virtual-machine deployment and related tasks.
During development, agents documented bypass techniques from research by Kaspersky, Palo Alto Networks, Bishop Fox and SpecterOps, along with details from social media posts.
They extracted the techniques, mapped them to the MITRE ATT&CK knowledge base, identified reproduction requirements, prepared a test lab, executed the techniques and reported outcomes.
The main framework component was a Python tool that generated payloads, mostly in Rust and Go, based on evasion techniques.
Close to 80 modules were generated and tested against more than 70 techniques.
The agents first indicated many failures, but later iterations appeared to evade nearly every EDR product tested.
Sophos also found some mismatches between test output and the framework's own reporting.
The practical test is whether defenders can shorten their own validation cycles as quickly as threat actors use AI to turn published research into ransomware-ready tooling.
