Sophos: AI-built ransomware toolkit automates EDR evasion, AD discovery

AI-Powered Ransomware Toolkit Evades EDR Detection in Sophisticated Cybercrime Campaign

Researchers at Sophos have uncovered a threat actor leveraging an AI-assisted ransomware attack toolkit designed to automate Active Directory (AD) discovery and bypass endpoint detection and response (EDR) solutions from Sophos, CrowdStrike, and Microsoft. The toolkit, developed with the aid of AI agents like Cursor and Claude Opus, streamlines malware creation, testing, and evasion techniques, though the workflow remains human-driven.

The framework was detected in a customer environment after malicious payloads triggered alerts in a test directory. Key components included:

  • Cobalt Strike profiles mimicking legitimate web traffic to evade detection.
  • A Telegram bot API for command-and-control (C2) communications, routing traffic through Telegram’s infrastructure.
  • Python-based scripts for injecting shellcode into legitimate Windows executables while preserving functionality.
  • A Cloudflare Worker acting as a redirector to conceal the true C2 server.
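
The Telegram bot C2 channel listed above leaves a recognizable trace in egress proxy logs, because every Bot API request carries the bot's numeric ID and the API method in its URL. The following detection logic is an added example, not code from Sophos or the report: it runs over constructed proxy log lines (the client IPs, bot IDs and tokens are made up) and flags hosts that both poll the Bot API for tasking and push data back through it.

```python
import re
from collections import Counter, defaultdict

# Constructed proxy log lines for this example (not from the Sophos report).
# Format: "<client_ip> <http_method> <url>".
SAMPLE_LOGS = """\
10.0.0.15 GET https://api.telegram.org/bot123456789:AAF1example-token_abcdefghijklmnopqrstuv/getUpdates?offset=1
10.0.0.15 POST https://api.telegram.org/bot123456789:AAF1example-token_abcdefghijklmnopqrstuv/sendDocument
10.0.0.22 GET https://www.example.com/index.html
10.0.0.15 GET https://api.telegram.org/bot123456789:AAF1example-token_abcdefghijklmnopqrstuv/getUpdates?offset=2
10.0.0.31 POST https://api.telegram.org/bot987654321:BBG2another-token_zyxwvutsrqponmlkjihg/sendMessage
"""

# Telegram Bot API requests have the shape
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# so the bot identity and the API method are recoverable from the URL alone.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Methods a bot calls to receive tasking, and methods used to push data out.
TASKING = {"getUpdates"}
UPLOAD = {"sendDocument", "sendMessage", "sendPhoto"}


def find_bot_api_use(log_text):
    """Group Bot API calls by client: bot IDs seen and a per-method counter."""
    seen = defaultdict(lambda: {"bot_ids": set(), "methods": Counter()})
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        client, _, url = parts
        m = BOT_API_RE.search(url)
        if not m:
            continue
        bot_id, _secret, method = m.groups()  # the secret is a credential: never log it
        seen[client]["bot_ids"].add(bot_id)
        seen[client]["methods"][method] += 1
    return dict(seen)


def triage(log_text, poll_threshold=2):
    """One alert per client; 'high' when the host both polls for tasking and uploads."""
    alerts = []
    for client, info in find_bot_api_use(log_text).items():
        polls = sum(info["methods"][m] for m in TASKING)
        uploads = sum(info["methods"][m] for m in UPLOAD)
        severity = "high" if polls >= poll_threshold and uploads else "medium"
        alerts.append({"client": client, "bot_ids": sorted(info["bot_ids"]),
                       "polls": polls, "uploads": uploads, "severity": severity})
    return sorted(alerts, key=lambda a: a["client"])
```

In a real deployment the bot ID (not the secret) is the value worth pivoting on, since the same bot is typically reused across every infected host in a campaign.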

While initially resembling a red team tool, forensic analysis, including ransom notes and victim listings on data leak sites, confirmed its use in cybercriminal ransomware operations.

The toolkit employs multiple AI agents, each assigned distinct roles, such as coordinating R&D (via Claude Opus 4.5), testing, OPSEC hardening, and VM deployment. Agents scraped bypass techniques from security research by Kaspersky, Palo Alto Networks, and others, mapping them to MITRE ATT&CK and iteratively refining payloads. A Python-based generator produced nearly 80 modular payloads in Rust and Go, layered with encryption and evasion tactics to resist sandboxing and EDR detection.

Despite initial high failure rates, the framework achieved near-total EDR bypass after multiple iterations, though Sophos noted discrepancies between test results and internal reporting. Notably, AI was not embedded in the deployed malware but was used to accelerate development, reducing the time between the publication of offensive research and its adoption by threat actors.

The discovery highlights how AI tools are lowering the barrier for cybercriminals to operationalize advanced evasion techniques at scale.

Source: https://www.bleepingcomputer.com/news/security/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery/

Sophos TPRM report: https://www.rankiteo.com/company/sophos

Rankiteo incident record:

  • ID: sop1780431821
  • Link ID: sophos
  • Type: Ransomware
  • Date: 6/2026
  • Severity: 100
  • Impact: 5
  • Explanation: Attack threatening the organization's existence