Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: edr-evasion (1 article)Clear

AI-built ransomware toolkit uses Cursor and Claude Opus agents to automate EDR evasion and Active Directory discovery, Sophos finds

Sophos has detailed a threat actor using an AI-assisted ransomware toolkit that automates Active Directory discovery and EDR evasion. Tool and payload development was aided by Cursor and Claude Opus agents across coding, analysis, and revision, with some agents tasked to scrape security-research posts for fresh bypass techniques; resulting malware was tested in VMs against Sophos, CrowdStrike, and Microsoft EDR. The framework includes Cobalt Strike profiles mimicking legitimate web traffic, a Telegram-bot C2, Python shellcode injectors preserving host-binary functionality, and a Cloudflare Worker front-end redirector. Despite the AI orchestration, the workflow is entirely human-driven. Operator logs and a ransomware-leak-site reference confirmed criminal, not red-team, use.

Check
Hunt endpoints for payloads under C:\Users\*\Documents\test, Telegram-bot C2 traffic, and Cobalt Strike beacons fronted by Cloudflare Workers. Apply Sophos IoCs across EDR-monitored hosts.
Affected
Organizations relying on EDR signatures alone. This toolkit was AI-tuned specifically to bypass Sophos, CrowdStrike, and Microsoft EDR, and routes C2 through Telegram and Cloudflare Workers to blend in.
Fix
Layer behavioral detection and AD-tiering on top of EDR. Block unauthorized Telegram API and anomalous Cloudflare Worker egress. Monitor for AD-discovery patterns and shellcode injection into signed binaries.