PROBABLYPWNED
Malware | June 8, 2026 | 4 min read

AI-Built Ransomware Toolkit Found Testing Evasion Against Top EDRs

Sophos discovers ransomware framework using Claude Opus 4.5 to automate EDR evasion and Active Directory discovery. Toolkit tested 80+ modules against Sophos, CrowdStrike, and Defender.

James Rivera

Sophos researchers have discovered a ransomware development framework that uses AI agents to automate the creation and testing of evasion techniques against leading endpoint detection and response solutions.

The toolkit was found on a compromised customer system in a folder named C:\Users\User\Documents\test. While investigating the breach, researchers uncovered an elaborate infrastructure for iteratively developing and validating malware against Sophos, CrowdStrike, and Microsoft Defender.

AI-Powered Development Pipeline

The framework employs multiple AI agents working in concert. According to Sophos, Claude Opus 4.5 serves as the R&D coordinator, while Cursor and Claude Opus handle coding, analysis, and revision tasks. The agents research bypass techniques by analyzing public documentation from security vendors and monitoring social media discussions about detection methods.

This automated pipeline produced approximately 80 modules that were tested against more than 70 evasion techniques. The iterative approach means the toolkit can rapidly adapt to detection updates—when one technique gets caught, the AI agents research alternatives and generate new variants.

The discovery represents a significant evolution in how malware authors approach defensive evasion. Traditional malware development required manual research and testing cycles. AI acceleration compresses that timeline dramatically.

Technical Capabilities

The toolkit includes several concerning features:

EDR-specific evasion: Cobalt Strike profiles disguised beacon traffic as legitimate web requests. The profiles were customized based on analysis of how each EDR solution inspects network traffic.

Telegram-based C2: Command and control communications route through Telegram's bot API infrastructure, making traffic harder to distinguish from legitimate messaging activity.

Shellcode injection: Python scripts inject shellcode into Windows executables while preserving the original application's functionality—allowing malware to hide inside trusted programs.

Cloudflare fronting: Workers deployed on Cloudflare act as redirectors, obscuring the actual backend servers from network defenders.

Automated AD discovery: An Active Directory reconnaissance panel automates the mapping of domain resources that ransomware operators typically need to identify before encryption.
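A defender-side sketch for the Telegram-based C2 item above, added here as an example and not taken from Sophos or the toolkit: it flags processes outside an expected allowlist that resolve the Telegram Bot API host, and marks callers whose timing is regular enough to look like beaconing. The event layout, the allowlist, the thresholds and the sample records (including `svc.exe`) are constructed assumptions.

```python
import ntpath
from datetime import datetime
from statistics import mean, pstdev

TELEGRAM_HOSTS = {"api.telegram.org"}  # public Telegram Bot API endpoint
# Assumption: executables this environment expects to reach Telegram.
ALLOWED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample DNS-query events: (timestamp, host, process image, query).
# Fields are modelled on endpoint DNS telemetry such as Sysmon Event ID 22.
EVENTS = [
    ("2026-06-01T09:00:00", "WS-014",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe", "api.telegram.org"),
    ("2026-06-01T09:00:05", "SRV-02", r"C:\Users\User\Documents\test\svc.exe", "API.Telegram.org."),
    ("2026-06-01T09:01:05", "SRV-02", r"C:\Users\User\Documents\test\svc.exe", "api.telegram.org"),
    ("2026-06-01T09:02:06", "SRV-02", r"C:\Users\User\Documents\test\svc.exe", "api.telegram.org"),
    ("2026-06-01T09:03:05", "SRV-02", r"C:\Users\User\Documents\test\svc.exe", "api.telegram.org"),
    ("2026-06-01T09:04:00", "SRV-02", r"C:\Windows\System32\svchost.exe", "login.microsoftonline.com"),
]

def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def find_telegram_callers(events, min_hits=3, max_jitter=0.2):
    """Return one finding per (host, image) that is not allowlisted but queries Telegram."""
    groups = {}
    for ts, host, image, query in events:
        if normalise(query) not in TELEGRAM_HOSTS:
            continue
        if ntpath.basename(image).lower() in ALLOWED:
            continue
        groups.setdefault((host, image), []).append(datetime.fromisoformat(ts))
    findings = []
    for (host, image), times in sorted(groups.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = False
        if len(times) >= min_hits and len(gaps) >= 2 and mean(gaps) > 0:
            # Low relative spread between gaps means timer-driven, beacon-like traffic.
            periodic = pstdev(gaps) / mean(gaps) <= max_jitter
        findings.append({"host": host, "image": image,
                         "hits": len(times), "periodic": periodic})
    return findings

if __name__ == "__main__":
    for finding in find_telegram_callers(EVENTS):
        print(finding)
```

Matching on the image file name alone is coarse; pairing it with the full path and the signer of the binary gives a more reliable allowlist.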

Attribution Uncertainty

Russian-language comments in the scripts suggest Eastern European involvement, but Sophos stops short of definitive attribution. The researchers note that AI-generated code often includes artifacts from training data that may not reflect the actual authors' origins.

The use of publicly available AI services also complicates attribution. Unlike custom malware families with distinctive coding patterns, AI-assisted development produces code that's harder to fingerprint. Similar challenges have emerged in tracking supply chain attacks where attackers use AI to generate varied payload signatures.

Implications for Defenders

The toolkit's test-driven approach mirrors legitimate software development practices—except the "tests" verify that malware evades detection rather than validating functionality. This methodology suggests ransomware operations are becoming more sophisticated in their quality assurance processes.

Security teams should recognize several implications:

  1. Detection signatures have shorter lifespans when adversaries can rapidly iterate on evasion techniques
  2. Behavioral detection becomes more important as AI-generated code varies more than manually written malware
  3. AI model providers are now part of the threat landscape, whether their services are used directly or through jailbreaking techniques

For organizations concerned about ransomware threats, this development reinforces the importance of defense in depth. No single security control will stop adversaries who can systematically probe for weaknesses.

Why This Matters

The discovery confirms what many in the security industry suspected: AI tools are already being weaponized for malware development. The specific use of Claude Opus is notable given Anthropic's focus on AI safety, though it's unclear whether the attackers used the service directly or accessed capabilities through alternative means.

The broader trend matters more than any single toolkit. AI assistance lowers the barrier to entry for sophisticated attack development. Techniques that previously required deep expertise in EDR internals can now be developed by operators who understand the goal but not the implementation details.

This asymmetry—where attackers get AI-assisted offense while defenders still rely heavily on human analysis—represents a significant shift in the threat landscape. Security vendors are incorporating AI into their detection capabilities, but the offense-defense balance may favor attackers during this transition period.

Organizations should ensure their security strategies don't rely solely on detection. Assume that sufficiently motivated attackers will eventually evade endpoint tools, and invest accordingly in network segmentation, backup resilience, and incident response capabilities.
