AI-Built Ransomware Toolkit Tested Payloads Against EDR


Sophos researchers uncovered a ransomware-linked threat actor using AI agents, including Claude Opus 4.5 and the Cursor coding tool, to build malware and test it against Sophos, CrowdStrike, and Microsoft Defender in a private lab.


Cursor coding tool

What did Sophos find?


Sophos found a complete malware research and development operation run by an active, ransomware-linked threat actor. The investigation started when payloads in a test directory on a customer endpoint triggered alerts. Behind that single alert sat a Git repository containing an automated Active Directory discovery panel and a virtual lab built to test malware against three major endpoint detection and response (EDR) products.


The supporting infrastructure was professional-grade. Sophos identified Cobalt Strike profiles configured to disguise command traffic as ordinary web requests, a command-and-control channel hidden inside Telegram, shellcode injection tools, and a Cloudflare Worker used to conceal the backend. A separate Ubuntu virtual machine ran a Sliver command-and-control server. Many of the Python scripts on the compromised host were written in Russian and appeared partially AI-generated.


This was not research for its own sake. Sophos connected the activity to ransom notes and to organizations listed on a ransomware data leak site. “We are not disclosing the ransomware group at this time due to ongoing active investigations related to this threat actor. However, it is a group that is currently active and impacting organisations globally, including in the United States,” Rafe Pilling, Director of Threat Intelligence at Sophos, told Help Net Security.


How did the threat actor use AI agents to build malware?


The threat actor assigned specialized AI agents to different stages of malware development, the way a software company assigns engineers to a product team. A Claude Opus 4.5 agent coordinated the work and set rules for the other agents. Separate agents handled EDR testing, documentation, operational security hardening, and virtual machine deployment, connected to Git repositories through the Model Context Protocol (MCP), an open standard that lets AI assistants interact with external tools.


Development ran through Cursor, an AI-native coding environment, and the lab itself was provisioned with Ludus, a platform for deploying virtualized security test environments. Dedicated Windows Server 2022 machines tested payloads against Sophos and CrowdStrike, while a third machine ran no EDR at all as a control group. According to Sophos, a Python-based generation tool supported nearly 80 modules used to test more than 70 evasion techniques.


The agents also did the reading. Sophos researchers wrote that “artifacts within the Git repository suggest that the threat actor identified potential bypass techniques from research blogs published by organizations such as Kaspersky, Palo Alto Networks, and Bishop Fox.” The agents extracted attack techniques from that public research, mapped them to the MITRE ATT&CK framework, and reproduced them in the lab.


One more detail matters for anyone building an AI governance program: the actor appears to have framed the entire project as red-team work to get past the AI model's safeguards. Sophos noted that benign framing of malicious prompts has appeared in several recent attacks, and said it has been in contact with Anthropic, the maker of Claude, about its observations.


Why this matters to your business


The practical takeaway is uncomfortable: the endpoint product your company treats as its safety net is something attackers now rehearse against before they ever touch your network. This actor maintained a dedicated test machine per major EDR vendor. By the time a payload reached a real victim, it had already been run against the same defenses many times.


That changes the math for any business whose security program amounts to “we bought a good EDR.” Detection tools still matter, but they cannot carry the whole program alone. The activity this toolkit automated, systematic Active Directory reconnaissance, remains observable behavior inside a network. Catching it requires someone, or some service, actually watching.


The second shift is speed. Defenders publish bypass and detection research so other defenders can improve. This actor pointed AI agents at those same publications and converted them into tested attack modules. The window between a technique appearing in a public blog post and appearing in a working toolkit used to be measured in months; AI-assisted development compresses it to days or weeks. That puts pressure on patching cadence and detection-rule updates alike, and it is why AI security governance is becoming an operational discipline rather than a board talking point. The same agent-and-MCP plumbing this actor used offensively is what many companies are now wiring into their own operations, often without controls.


Where the AI hype ends


The toolkit's own records overstated how well it worked. Documentation generated inside the framework claimed the evasion modules grew steadily more successful with each round of testing. When Sophos reviewed the actual test data, it did not support those claims.


“We don't have the data to fully account for the discrepancies, but it's likely that common large language model issues, such as hallucinations, played a role in the differences observed,” Pilling said.


That detail deserves as much attention as the headline. AI is accelerating attacker research and development, but it has not produced unstoppable malware, and the attackers' own tooling misled them about its success. Sophos was direct on this point: the defensive fundamentals remain unchanged, including patching, multi-factor authentication, passkeys, and endpoint protection. Businesses that respond to this story by panic-buying an “AI defense” product are answering the wrong question.


What should businesses do?


Treat this story as a prompt to test assumptions, not to buy tools. The question for your leadership team is simple: if your EDR misses, what catches the intrusion? For many mid-market companies the honest answer is nothing, and that is the gap to close first.


• Confirm someone is watching. An EDR alert at 2 a.m. with nobody monitoring it is the same as no alert. If you run a single EDR with no around-the-clock monitoring behind it, in-house or managed, closing that gap outranks every other security purchase this year.

• Watch for reconnaissance behavior. This toolkit automated Active Directory discovery. Ask your IT lead or provider whether unusual AD enumeration would generate an alert today, and who would receive it.

• Tighten patch timelines. AI-assisted development shortens the gap between published research and working exploits. If your standard window for critical vulnerabilities is 30 days, revisit it.

• Add this scenario to your next tabletop. Run an exercise that assumes the EDR stayed quiet, and walk through how the intrusion would be found, contained, and reported. Confirm your incident response retainer covers an intrusion that begins with valid-looking activity rather than a malware detection.

• Put AI on both sides of your risk register. Attackers using AI is one entry. Your own teams wiring AI agents into business systems without oversight is another, and this case shows how capable that plumbing already is.
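One way to make the "would unusual AD enumeration alert today" question concrete, as an added example that is not part of the original post or of the Sophos research: a small Python detector run over constructed LDAP search log lines in a hypothetical format, flagging any host whose number of distinct search filters within a short window exceeds a baseline. The window size, threshold and log format are assumptions to be tuned to your own directory telemetry.

```python
"""Added example (not from the Sophos research or the original post): a
baseline-style detector for burst Active Directory enumeration, run over
constructed LDAP search log lines in a hypothetical format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. Hypothetical format:
# <ISO timestamp> <source host> LDAP_SEARCH base=<DN> filter=<filter>
# WS-ACCT-07 walks users, computers, groups, trusts, privileged accounts and
# SPNs within seconds; WS-HR-02 performs two ordinary lookups 25 minutes apart.
SAMPLE_LOG = """\
2026-06-03T02:00:01 WS-ACCT-07 LDAP_SEARCH base=DC=corp,DC=example filter=(sAMAccountName=jdoe)
2026-06-03T02:00:05 WS-ACCT-07 LDAP_SEARCH base=DC=corp,DC=example filter=(objectClass=user)
2026-06-03T02:00:06 WS-ACCT-07 LDAP_SEARCH base=DC=corp,DC=example filter=(objectClass=computer)
2026-06-03T02:00:07 WS-ACCT-07 LDAP_SEARCH base=DC=corp,DC=example filter=(objectClass=group)
2026-06-03T02:00:08 WS-ACCT-07 LDAP_SEARCH base=DC=corp,DC=example filter=(objectClass=trustedDomain)
2026-06-03T02:00:09 WS-ACCT-07 LDAP_SEARCH base=DC=corp,DC=example filter=(adminCount=1)
2026-06-03T02:00:10 WS-ACCT-07 LDAP_SEARCH base=DC=corp,DC=example filter=(servicePrincipalName=*)
2026-06-03T09:15:00 WS-HR-02 LDAP_SEARCH base=DC=corp,DC=example filter=(sAMAccountName=asmith)
2026-06-03T09:40:00 WS-HR-02 LDAP_SEARCH base=DC=corp,DC=example filter=(sAMAccountName=bkhan)
"""

WINDOW = timedelta(minutes=5)  # sliding window size (assumption, tune per environment)
THRESHOLD = 5                  # distinct filters per window that raises an alert (assumption)

def parse(line):
    """Split one hypothetical log line into (timestamp, host, filter)."""
    ts, host, _kind, _base, filt = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, filt.split("=", 1)[1]

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {host: (window_start_iso, distinct_filters)} for each host whose
    busiest sliding window contains at least `threshold` distinct filters."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, filt = parse(line)
            by_host[host].append((ts, filt))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        best, best_start, start = 0, None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            distinct = len({f for _, f in events[start:end + 1]})
            if distinct > best:
                best, best_start = distinct, events[start][0]
        if best >= threshold:
            alerts[host] = (best_start.isoformat(), best)
    return alerts

if __name__ == "__main__":
    for host, (when, count) in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} distinct LDAP filters in one window starting {when}")
```

Wiring the same logic to real directory telemetry (domain controller LDAP logging or 4662-style audit events) and routing the alert to a person who is actually on shift is the part the bullet above is asking about.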


None of this requires new products. It requires an honest map of which detection and response capabilities your company actually has, as opposed to which products it owns. That mapping exercise is where a fractional CISO engagement typically starts, and it is usually where the most expensive assumptions surface.


Frequently asked questions


Did AI write this ransomware on its own?

No. Sophos described the workflow as entirely human-driven. AI agents accelerated coding, research, and testing, but a person directed every stage, and no AI was embedded in the deployed malware itself. The risk this case demonstrates is faster, cheaper attacker development, not autonomous malware.


Which EDR products did the attackers test against?

The lab contained dedicated Windows Server 2022 virtual machines for testing against Sophos and CrowdStrike protections, a machine for testing against Microsoft Defender, and a control machine running no EDR. That does not mean these products failed in real attacks. It means attackers rehearse against widely deployed tools before using payloads in the wild.


Does this mean EDR is no longer worth the investment?

No. EDR remains a baseline control, and Sophos found the toolkit's claimed bypass success was not supported by its own test data. The lesson is that EDR should not be your only detection layer. Behavior such as automated Active Directory enumeration remains observable even when an individual payload slips past an endpoint agent.


How did the attacker get a commercial AI model to help build malware?

By framing the project as legitimate red-team research. Sophos said this kind of benign framing to bypass model safeguards has appeared in multiple recent attacks, including activity targeting government entities in Mexico, and confirmed it has been in contact with Anthropic about its observations.


If your team wants a second set of eyes on whether your defenses would hold against an adversary who rehearses, Purple Shield Security can help. Our AI security services cover both sides of this problem: assessing your exposure to AI-assisted attackers and putting governance around the AI tools your own business is adopting. Start the conversation at purpleshieldsecurity.com/aisecurity.


By Yonatan Hoorizadeh — CISSP, CISM, CRISC, AAISM

Published By: Purple Shield Security

Published: June 3, 2026

Last updated: June 3, 2026
