AI-Built Ransomware Toolkit Bypasses 70+ EDR Controls in Live Campaign

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Sophos Counter Threat Unit confirmed on June 2, 2026, that multiple organizations are already listed on ransomware data leak sites as victims of a campaign driven by an AI-orchestrated malware development lab that produced nearly 80 payload modules tested against Sophos, CrowdStrike, and Windows Defender before live deployment.
The AI ransomware toolkit EDR evasion campaign came to light when an anomalous endpoint registered alerts inside a Sophos customer tenant. The investigation revealed a complete attack infrastructure: a multi-agent AI system built around Claude Opus 4.5 as the primary coordinator, with specialized sub-agents handling EDR testing, OPSEC hardening, proxy stress testing, and virtual machine deployment. Cursor, an AI-native integrated development environment, served as the coding interface throughout payload development. The threat actor, assessed as Russian-speaking based on script analysis within the toolkit, had already transitioned from development into live operations by the time Sophos detected the activity.
The technical architecture treats EDR evasion as an engineering problem with an iterative solution. A Python-based payload generator produces executables in Rust and Go, wrapping shellcode in layered encryption, obfuscation, and alternative execution techniques. AI agents scrape published security research from Kaspersky, Palo Alto Networks, Bishop Fox, and SpecterOps, extract documented bypass methods, map each to a MITRE ATT&CK ID, and queue them for automated testing in an isolated four-VM lab with real EDR instances running. Failed attempts improve the next generation. Nearly 80 modules and over 70 distinct techniques resulted.
This campaign is active now. Cobalt Strike operator logs found during the investigation referenced ransom notes and confirmed victim organizations on data leak sites as of June 2, 2026. Any organization running Sophos Intercept X, CrowdStrike Falcon, or Microsoft Windows Defender needs to verify that behavioral detection is active today, because this AI ransomware toolkit EDR evasion approach targeted signature-based and scan-time detection specifically. Behavioral analysis is the primary remaining defense layer.
How Does the AI Ransomware Toolkit Work?
The AI ransomware toolkit is an automated malware development and validation pipeline, not a single executable. Sophos CTU identified a Git repository containing three core components: an Active Directory discovery panel, a modular payload generator, and a virtual machine testing lab, all coordinated by a multi-agent AI system using Claude Opus 4.5 as the primary orchestrator.
The payload generator, written in Python, produces executables in Rust and Go. Each generated payload wraps its shellcode in a different combination of encryption, obfuscation, and execution technique. One iteration might use process hollowing, another reflective DLL injection, and a third AMSI bypass via memory patching. Technique selection is not random: Claude Opus 4.5 agents actively read security research publications, extract documented bypass methods, map them to MITRE ATT&CK IDs, and queue them for testing in the automated lab environment.
Testing runs across four virtual machines: two running Windows Server 2022 (one with Sophos Intercept X, one with CrowdStrike Falcon), a control VM with no EDR for baseline comparison, and an Ubuntu machine hosting a Sliver command-and-control framework for callback testing. Each payload iteration executes in the lab. If the EDR detects it, the result returns to the AI coordinator, which selects a different technique and regenerates. Successful payloads enter the deployable module set. Nearly 80 modules testing over 70 distinct techniques resulted from this loop.
Cobalt Strike served as the primary offensive framework for live operations. The operator built custom Malleable C2 profiles that disguise beacon traffic as legitimate HTTPS requests, routing command-and-control through Telegram's bot API infrastructure with a Cloudflare Worker fronting the connection to prevent direct C2 attribution. BloodHound integrated into the toolkit handles automated Active Directory enumeration immediately after initial access, giving the operator a complete domain attack map without manual reconnaissance. This infrastructure architecture mirrors professional ransomware-as-a-service tradecraft.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How Attackers Automate Active Directory Discovery
Active Directory automated discovery converts initial access into domain-wide compromise faster than manual reconnaissance by any measure. BloodHound, the open-source AD enumeration tool developed by SpecterOps and widely weaponized by ransomware operators, is the core discovery component in this toolkit.
BloodHound queries Active Directory for every user account, computer, Group Policy Object, and trust relationship visible to the compromised host. It constructs a graph database showing the shortest privilege escalation path from any compromised account to Domain Admin. The AI ransomware toolkit extends this with a custom dashboard built over BloodHound output that surfaces the most actionable attack paths automatically, without requiring the operator to analyze raw graph data. Affiliates with moderate skill levels can execute expert-level AD attacks using this interface.
Kerberoasting follows immediately after AD mapping. Service accounts with Service Principal Names configured (a common legacy setting in enterprises that have grown organically over years) are targeted for Kerberos ticket extraction. Those tickets are taken offline for password cracking, yielding plaintext credentials without triggering account lockout policies. Sophos detected this activity under the ATK/Kroast detection family, with multiple variants documented. The Impacket toolkit handles lateral movement once credentials are cracked, with Sophos signatures ATK/Impacket-A through ATK/Impacket-E covering the full range of Impacket-based techniques this operator deployed.
Detection is specific and actionable. Windows Event ID 4662 (object access with read property permissions on AD attributes including msDS-AllowedToDelegateTo and adminCount) fires during BloodHound collection runs. Large bursts of LDAP queries from workstations or application servers, typically hundreds per second for several minutes, are the network signature of SharpHound data collection. Any non-domain-controller host generating this query pattern warrants immediate investigation.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
EDR Evasion Modules: What 70 Techniques Look Like in Practice
The 70-plus EDR evasion techniques this toolkit tested span the full spectrum of Windows endpoint security controls: from AMSI bypass to process injection variants, from Cobalt Strike beacon profile obfuscation to LSASS credential dumping. Each technique targets a specific detection layer that EDR platforms use to identify malicious activity.
AMSI bypass ranks among the highest-priority evasion categories. AMSI is the Windows interface that security products use to inspect PowerShell, VBScript, and other scripted content at runtime. Bypassing AMSI means PowerShell-based post-exploitation tools execute without any security product visibility. The AI agents in this toolkit sourced AMSI bypass techniques from security research blogs, reproduced them in the payload generator, and iterated until they passed AMSI-enabled scanning in the test lab. Sophos detects successful AMSI bypass attempts via the AMSI/BloodH-A signature when BloodHound's PowerShell components are involved.
Cobalt Strike Malleable C2 profile generation is the network evasion layer. A Malleable C2 profile instructs a Cobalt Strike beacon how to format its HTTP and HTTPS requests so they resemble legitimate traffic. Custom profiles that mimic specific enterprise SaaS platforms, cloud storage APIs, or CDN traffic are near-impossible to block by signature without disrupting legitimate connectivity. The AI toolkit generated these profiles automatically, producing network signatures that proxy and web filtering tools will not flag without deep behavioral analysis baselines.
Credential dumping via LSASS memory access remains the most consistently targeted Windows security mechanism across all documented ransomware campaigns. ATK/SecDump-A detections indicate the operator attempted LSASS process memory reads to extract credential material for privilege escalation. Combined with Impacket-based lateral movement (ATK/Impacket-A through -E), the full post-access chain from initial foothold to domain controller completes within hours rather than days.
For context on parallel AI offensive capability development, see our earlier analysis of AI-built zero-day tooling in 2FA bypass campaigns, which documented structurally similar iterative AI development infrastructure across a different threat actor group, reinforcing that this is an emerging pattern rather than an isolated incident.
“Agents were tasked with reading security research published by Kaspersky, Palo Alto Networks, Bishop Fox, and SpecterOps, then mapping techniques to MITRE ATT&CK IDs and reproducing them in the payload generator. Every publicly documented bypass technique is now operationalized within days.”
Sophos Counter Threat Unit, June 2, 2026
Active Campaign Evidence: Confirmed Victims and Threat Actor Profile
Sophos CTU's attribution evidence places this campaign firmly in the criminal ransomware ecosystem. The discovery was not theoretical: when investigators analyzed the anomalous endpoint alerts, they found Cobalt Strike operator logs containing entries that reference ransom notes and details on multiple organizations confirmed on a ransomware data leak site. The campaign was already operational, not in development, at detection time.
The threat actor profile is Russian-speaking, based on Cyrillic script analysis within the toolkit's configuration files and naming conventions consistent with Eastern European ransomware affiliate tradecraft. No specific ransomware group has been publicly named by Sophos for this campaign. The technical sophistication, including the multi-agent AI infrastructure, custom Cobalt Strike profiles, and automated AD discovery capability, places this actor above entry-level affiliate operations. Well-resourced ransomware-as-a-service affiliates or a closed criminal group with sustained cloud compute access are the most consistent attributions.
The AI development infrastructure itself creates forensic artifacts that traditional malware development does not. AI orchestration session logs, API call records, and Git repository histories leave traces that a hand-coded toolkit would not generate. Sophos found this toolkit because those artifacts were present on a customer endpoint. The threat actor used Cloudflare Workers and Telegram C2 to obscure network activity, but the development environment created the detection path.
Sectors with the highest current exposure share a common profile: legacy Active Directory environments, high concentrations of privileged service accounts, and endpoint environments where default EDR configurations have not been hardened toward behavioral detection. Financial services organizations running hybrid AD environments, healthcare providers with legacy Windows Server domain controllers, and manufacturing firms with OT-adjacent IT infrastructure represent the highest-risk profiles for this specific attack chain. The ShinyHunters SaaS extortion campaign documented parallel sector targeting of financial services and SaaS-dependent enterprises, consistent with the access patterns this toolkit enables.
Detection Indicators and 7 Immediate Defensive Steps
Sophos CTU published detection signatures identifying the specific components of this toolkit. Organizations running other EDR platforms should translate these into behavioral equivalents on their platform. The steps below address the specific attack chain Sophos documented, ordered by impact on reducing exposure.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why AI Ransomware Toolkit EDR Evasion Matters for Your Organization
The Sophos CTU finding changes one core assumption defenders have relied on: that developing malware capable of bypassing enterprise-grade EDR requires rare expertise that limits the pool of capable threat actors. That assumption no longer holds after June 2, 2026.
Traditional ransomware payload development requires deep knowledge of Windows internals, EDR architecture, and software engineering. Operators who could build bypass-capable payloads from scratch numbered in the hundreds globally. The skills barrier meant that even well-funded criminal groups often depended on shared toolkits or purchased loaders, creating chokepoints where law enforcement could disrupt the supply chain. AI-orchestrated toolkit development removes that constraint. An operator with moderate technical skill and sustained cloud compute access can now build a custom, iteration-tested evasion framework in days rather than months.
The AI agent sourcing of public security research has an immediate operational implication. Every bypass technique that security researchers publish is now automatically harvested, mapped, and tested by adversary AI agents within days of publication. The gap between "researcher publishes a bypass" and "attacker deploys it operationally" has collapsed. Signature updates that vendors ship within 30 days of a bypass publication are already obsolete before they arrive in an endpoint's definition database.
Three sectors carry compounded exposure. Financial services organizations have the highest concentration of legacy service accounts with weak passwords and SPNs configured, the primary Kerberoasting targets in this toolkit. Healthcare providers typically run domain environments with minimal behavioral monitoring, where BloodHound enumeration can run undetected for extended periods. Manufacturing firms with OT-adjacent Active Directory environments often have the weakest lateral movement controls, allowing rapid spread once credentials are cracked.
Organizations that have invested primarily in signature-based defenses face structurally higher risk than those with behavioral analysis enabled. The minimum viable defensive posture against this specific threat requires three controls active simultaneously: behavioral EDR enforcement, Telegram API blocked at the perimeter, and SPN-bearing service accounts rotated. Any organization that cannot confirm all three by end of day today has an active exposure that this campaign is specifically designed to exploit.
The bottom line
The AI ransomware toolkit EDR evasion campaign confirmed by Sophos CTU on June 2, 2026, demonstrates that multi-agent AI systems now let threat actors build and validate signature-bypassing payloads in days rather than months. Three key takeaways: signature-only EDR is structurally insufficient against AI-iterated malware; BloodHound-based AD enumeration automation has lowered the domain-compromise skill floor to near zero; Telegram C2 channels are active in this campaign today. Confirm behavioral detection is enabled, block api.telegram.org outbound from all endpoints, and audit SPN-bearing service accounts before the end of business today.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is an AI ransomware toolkit?
An AI ransomware toolkit is a malware development framework where threat actors use large language model agents to automatically generate, test, and refine payloads and EDR evasion techniques. In the campaign Sophos documented on June 2, 2026, the operator used Claude Opus 4.5 as the orchestrating agent, with specialized sub-agents handling EDR testing, OPSEC review, and documentation. The framework produced nearly 80 modules testing over 70 distinct EDR bypass techniques before deploying validated payloads against real organizations that now appear on ransomware data leak sites.
How do attackers use AI to bypass EDR solutions?
Attackers feed known EDR bypass techniques from published security research into AI agents, which map them to MITRE ATT&CK IDs and generate payload variants that implement each technique. Those payloads run automatically in isolated virtual machine environments with real EDR software installed. If the EDR detects a payload, the result feeds back to the AI coordinator, which selects a different technique and regenerates. The loop continues until the payload passes detection. This campaign tested payloads against Sophos Intercept X, CrowdStrike Falcon, and Microsoft Windows Defender.
What is Active Directory automated discovery in ransomware attacks?
Active Directory automated discovery uses tools like BloodHound to map the entire AD environment immediately after gaining initial access. BloodHound queries AD for every user, computer, group policy, and trust relationship, then builds a graph showing the shortest path to Domain Admin privileges. In this campaign, Sophos found a custom dashboard built over BloodHound output that gave the operator an automated attack blueprint without manual analysis, reducing the expertise required for domain-wide compromise to a level accessible to mid-tier affiliates.
Can AI create malware that evades modern antivirus?
Yes, as confirmed by Sophos CTU on June 2, 2026. The AI ransomware toolkit documented in this campaign generated payloads that achieved near-universal evasion success against Sophos, CrowdStrike, and Windows Defender after multiple AI-guided iterations. The evasion specifically targeted signature-based and scan-time detection layers. Behavioral analysis, memory scanning of running processes, and network anomaly detection were less targeted and remain the most effective defense controls against AI-generated payloads.
What EDR solutions did the AI toolkit specifically target?
Sophos CTU identified three EDR platforms tested in the operator's isolated lab: Sophos Intercept X, CrowdStrike Falcon, and Microsoft Windows Defender. The lab included two Windows Server 2022 virtual machines each running a different EDR agent, a control VM with no EDR for baseline comparison, and an Ubuntu VM hosting a Sliver C2 framework for callback verification. These three platforms collectively protect the majority of enterprise environments globally.
How do I detect BloodHound enumeration in my environment?
BloodHound enumeration generates specific Windows event log signatures. Search for Event ID 4662 (object access with read property permissions on AD attributes including msDS-AllowedToDelegateTo and adminCount) and large bursts of LDAP queries from non-domain-controller hosts, typically hundreds of queries per second for several minutes. SharpHound, BloodHound's data collector, generates recognizable network traffic patterns when scanning AD. Sophos detects BloodHound execution as ATK_BLOODHOUND and AMSI/BloodH-A in its detection signature catalog.
What is Cobalt Strike with Telegram C2 and how does it work?
Cobalt Strike is a commercial penetration testing framework widely weaponized by ransomware operators for post-exploitation operations. In this campaign, the operator built custom Malleable C2 profiles for Cobalt Strike that disguised beacon traffic as legitimate HTTPS requests. Command-and-control instructions routed through Telegram's bot API, using Telegram's infrastructure as a relay instead of a direct attacker-controlled server. A Cloudflare Worker fronted the connection to further obscure backend C2 attribution. Blocking outbound access to api.telegram.org from endpoints directly severs this channel.
What are the three most important actions to take against AI ransomware toolkit threats?
First, confirm behavioral detection is active on every endpoint running Sophos, CrowdStrike, or Windows Defender, since this toolkit bypassed signature-based scanning specifically. Second, block outbound connections from all endpoints and servers to api.telegram.org and Telegram IP ranges 149.154.160.0/20 and 91.108.4.0/22 at your firewall, severing the primary C2 channel. Third, audit all service accounts with Service Principal Names configured and rotate passwords to 25-character random strings, because Kerberoasting is the primary credential extraction technique in this active campaign.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
