Sophos finds AI‑built EDR evasion tooling

Sophos said on June 2 that its X-Ops researchers had found a threat actor using artificial intelligence tools to build and test malware aimed at slipping past endpoint detection and response software. The company said the activity surfaced after an anomalous endpoint inside a customer tenant triggered alerts tied to malicious files in a local testing directory. Those files led researchers to a broader framework that included evasion tooling, command-and-control infrastructure and an automated Active Directory discovery component. Sophos said the work appeared in part as a “red team” post-exploitation framework, but linked the activity to ransomware deployment and data theft operations. ### How did Sophos say it found the tooling? Sophos said the investigation began when payloads from `C:\Users\User\Documents\test` triggered alerts on an endpoint in a customer environment. The company said files on that device pointed to a larger setup built to evade detection, including Cobalt Strike profiles designed to resemble legitimate web requests, a Telegram bot API-based command-and-control channel, shellcode injection scripts and a Cloudflare Worker used to hide backend infrastructure. (sophos.com) Help Net Security reported that Sophos linked the activity to ransomware and data theft but did not name the group. “We are not disclosing the ransomware group at this time due to ongoing active investigations related to this threat actor,” Rafe Pilling, director of threat intelligence at Sophos, told the publication, adding that the group was active globally, including in the United States. (sophos.com) ### What exactly was AI doing in the workflow? Sophos said multiple Python scripts found on the device were partly AI-generated, and many were written in Russian. The company said a linked Git repository contained two main components: an automated Active Directory discovery panel and a lab used to iteratively develop and test malware against EDR products from Sophos, CrowdStrike and Microsoft Defender. (helpnetsecurity.com) Infosecurity Magazine reported that the actor worked inside Cursor, an AI-focused development environment, and assigned roles to several agents. One Claude Opus agent set rules for other agents, while others handled testing, operational security and documentation, according to the report. Help Net Security said Sophos found the setup used Model Context Protocol, or MCP, to connect agents to Git repositories and external tools. (sophos.com) ### Did Sophos say the malware itself was autonomous? Sophos said no autonomously reasoning large language model was running the operation. The company said the Active Directory discovery panel behaved like AI-driven automation, but followed predefined branches, dispatched work to remote agents and reevaluated returned results rather than reasoning independently. (infosecurity-magazine.com) Infosecurity Magazine said Sophos’s central finding was that AI accelerated a structured engineering cycle rather than replacing human operators. Sophos said the actual EDR-bypass path still depended on human review and iteration, and that no AI was embedded in the malware itself. ### What testing environment did the actor build? Sophos said the actor provisioned a virtual machine environment from Ludus and set up several Windows Server 2022 systems to test payloads. (sophos.com) One virtual machine was used against the Sophos agent, another against CrowdStrike, and a third served as a control environment without EDR software installed. Help Net Security said a fourth Ubuntu virtual machine hosted a Sliver command-and-control server. (infosecurity-magazine.com) Infosecurity Magazine reported that Sophos said nearly 80 modules covering more than 70 techniques were built through the framework. The publication added that Sophos said the agents reported those modules became almost universally effective after iteration, while noting the documented test output did not clearly support that claim. ### What did Sophos say comes next for defenders? (sophos.com) Sophos said artifacts in the Git repository suggested the threat actor drew on public research from organizations including Kaspersky, Palo Alto Networks and Bishop Fox, and also sourced information from X and Telegram. The company said the use of AI shortened and organized the build-test-refine cycle, but did not change the need for standard defensive controls. (infosecurity-magazine.com) On June 2, Sophos published its findings in a post titled “Pointing a Cursor at evading detection,” and outside coverage the same day added details from Rafe Pilling and Sophos’s Counter Threat Unit. Sophos said organizations should continue using timely patching, multi-factor authentication, passkeys and broad EDR deployment as the next line of defense. (sophos.com) (helpnetsecurity.com)