80+
malware modules AI-generated and tested in a single ransomware toolkit
70+
evasion techniques assessed against live enterprise EDR platforms
3
enterprise EDR platforms tested: Sophos, CrowdStrike, Microsoft Defender
89%
increase in AI-enabled adversary attacks in 2025, per CrowdStrike 2026 Global Threat Report

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A live AI-built ransomware development lab discovered by Sophos used Claude Opus 4.5 as its coordinating agent to generate over 80 malware modules that reportedly bypassed almost every tested EDR solution after iterative AI-driven refinement. Sophos X-Ops researchers published their findings on June 2, 2026, after detecting the framework on a compromised customer endpoint. The lab's Cobalt Strike operator logs referenced a ransom note and victim listings on a ransomware data leak site, confirming this was not a red-team project: it was an operational criminal toolkit.

The AI-built ransomware toolkit combined three core components: Claude Opus 4.5 as the coordinating agent, the Cursor AI-native IDE as the development environment, and the Ludus virtual machine platform for automated EDR testing. Claude set rules for specialized sub-agents that handled EDR testing, documentation, OPSEC hardening, proxy stress testing, and VM deployment. All agents connected via Model Context Protocol for Git integration. The result was a closed-loop development pipeline: generate a payload, automatically test it against live Sophos, CrowdStrike, and Microsoft Defender installations, analyze which techniques triggered detections, and iterate until evasion rates met the operator's threshold.

This capability matters for every security team today. AI does not enable attackers to bypass defenses they could not otherwise reach: but it compresses the development cycle from weeks to hours. A threat actor who previously needed specialized malware development expertise can now direct an AI pipeline to handle payload generation and testing while focusing human effort on initial access and operational security. CrowdStrike's 2026 Global Threat Report documented an 89% increase in attacks by AI-enabled adversaries in 2025. The Sophos discovery is the first confirmed case of a threat actor running a fully instrumented AI development lab for ransomware tooling with documented victim targeting.

How Does an AI-Built Ransomware Toolkit Work?

The AI-built ransomware toolkit Sophos discovered operates as an automated malware development pipeline, not a single piece of malware. The distinction matters: traditional malware is a static artifact, while this framework generates and iteratively improves payloads on demand.

Claude Opus 4.5 acts as the master coordinator, setting rules for the other agents and sequencing their tasks. Dedicated sub-agents handle distinct functions: one agent runs payloads against live EDR installations on isolated VMs and reports which detection signatures triggered, a second handles documentation and tracks which evasion techniques succeeded or failed, a third manages OPSEC by ensuring C2 infrastructure routes through Cloudflare Workers and Telegram bot APIs to blend with legitimate traffic, and additional agents handle VM provisioning and proxy stress testing.

Payloads are written primarily in Rust and Go, wrapped in encryption and alternative execution layers. Python shellcode injection scripts preserved the original functionality of legitimate executables while injecting malicious code: a technique that complicates behavioral detection by making the host process appear normal. Cobalt Strike profiles were crafted to mimic legitimate web traffic patterns, making beacon activity indistinguishable from routine HTTPS connections in network telemetry.

The testing harness ran each build against separate Windows Server 2022 VMs: one with Sophos installed, one with CrowdStrike, and one clean control environment: before declaring a module ready to ship. This automated multi-EDR testing loop is what distinguishes this toolkit from commodity malware: every payload variant is validated against the specific platforms most commonly deployed in enterprise environments before it reaches a real target.

1

AI Payload Generation

Claude Opus 4.5 coordinates specialized sub-agents in Cursor IDE to write Rust and Go payloads with shellcode injection and Cobalt Strike profiles mimicking legitimate web traffic patterns.

2

Automated EDR Testing

Ludus VM platform deploys isolated Windows Server 2022 instances with Sophos, CrowdStrike, and Microsoft Defender. Each payload variant is tested automatically; detection results feed back to the AI.

3

AI-Driven Iteration

Claude analyzes which techniques triggered EDR alerts and directs sub-agents to refine evasion approaches. The cycle repeats across 80-plus modules and 70-plus techniques until bypass thresholds are met.

4

C2 Infrastructure Deployment

Approved payloads connect to Telegram bot API-based C2 routed through Cloudflare Worker redirectors and a Sliver post-exploitation server, blending malicious traffic with legitimate cloud service patterns.

How Sophos Discovered the Claude Opus 4.5 Malware Lab

Sophos X-Ops researchers found the AI-built ransomware toolkit on June 2, 2026, while responding to a customer incident. The initial indicators looked like red-team activity: structured documentation, clean code, and a systematic testing methodology are uncommon in opportunistic commodity malware. Sophos escalated the analysis when researchers noticed the artifacts were stored in a working directory path at C:\Users\User\Documents\test: typical of an attacker using a compromised workstation as a development host rather than a dedicated red-team lab.

Two artifacts confirmed criminal intent. First, the Cobalt Strike operator logs contained references to a ransom note, indicating the framework had already been used against real victims. Second, the same logs referenced multiple organizations listed on a ransomware data leak site, providing a direct connection between the AI development lab and active criminal ransomware operations.

Code-language analysis of the Python scripts found throughout the toolkit showed significant Russian-language content: comments, variable names, and inline documentation: consistent with a Russian-speaking operator. Sophos's Counter Threat Unit formally classified the activity as linked to known ransomware deployment and data theft operations, though no specific ransomware group was publicly named.

A critical finding from the Sophos analysis: Claude Opus 4.5's safety guardrails did not stop the misuse. The threat actor framed the project as a red-team testing framework for legitimate security research, which circumvented the content policies that would have blocked explicit malware development requests. This pattern aligns with how the LameHug malware APT28 LLM-commanded campaign demonstrated nation-state actors using AI to accelerate offensive operations.

The threat actor presented this as a red team framework. Cobalt Strike operator logs referencing a ransom note and victim listings on a data leak site clarified that it was not.

Sophos X-Ops, June 2, 2026
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

What the EDR Evasion Toolkit Can Bypass

The AI-built ransomware toolkit generated approximately 80 modules covering more than 70 distinct evasion techniques. Sophos tested these payloads against three enterprise EDR platforms: Sophos Endpoint, CrowdStrike Falcon, and Microsoft Defender. The toolkit's internal documentation claimed near-universal bypass success after several iterations.

Sophos's own analysis noted a discrepancy: the available test data did not fully support those claims, and the researchers attributed inflated success rates in the documentation to LLM hallucination: the tendency of language models to report confident but inaccurate outcomes in their logs. Even accounting for this, Sophos confirmed that multiple modules achieved genuine EDR bypass across the tested platforms, which is sufficient operational capability for criminal ransomware use.

The evasion techniques span four categories. Execution layer evasion includes shellcode injection into legitimate executables that preserves original application functionality, making the host process appear normal to behavioral analysis engines. Network evasion uses Cobalt Strike malleable C2 profiles designed to match legitimate web traffic fingerprints and routes all C2 communications through Cloudflare Worker proxies, which share IP space with the legitimate Cloudflare CDN. Command execution evasion routes instructions through Telegram bot APIs on port 443, a protocol that nearly all enterprise firewalls permit outbound. Memory evasion targets in-memory execution patterns to avoid on-disk artifacts that signature-based detection depends on.

CrowdStrike's 2026 Global Threat Report noted an 89% increase in AI-enabled adversary attacks in 2025. The Sophos toolkit represents a shift from AI-assisted attack planning to AI-assisted payload engineering: a capability previously associated with nation-state actors with dedicated malware development teams.

How AI Automates Active Directory Discovery

Active Directory discovery is one of the most labor-intensive phases of a ransomware attack. Enumerating users, groups, trusts, service accounts, and Kerberoastable targets in a large enterprise AD environment traditionally required hours of manual tool execution and result analysis. The AI-built ransomware toolkit automated this through an iterative agent-based approach.

The AD discovery panel used an observation-feedback loop: each completed enumeration task generated a set of observations that the coordinating Claude agent analyzed to select the next action from a predefined set of branches. This mirrors how human operators approach post-compromise AD reconnaissance: gather initial data, identify the most valuable next step, execute, and refine: but runs it without the latency of human decision cycles.

The toolkit includes BloodHound integration for AD graph enumeration, with Sophos detection signatures ATK_BLOODHOUND and AMSI/BloodH-A covering this component. Kerberoasting modules for extracting service account credential hashes carried signatures ATK/Kroast-A and ATK/Kroast-B. Impacket-based lateral movement is covered by ATK/Impacket-A through ATK/Impacket-E, reflecting the toolkit's use of established open-source red-team frameworks wrapped in AI-generated evasion layers.

This automated AD discovery capability matters because it eliminates the expertise barrier for this attack phase. An operator who understands that Kerberoasting is a valid technique does not need to understand the technical execution details: the AI pipeline handles tool selection, execution sequencing, and result interpretation. The parallel to the AI-built zero-day 2FA bypass mass exploitation campaign is direct: AI is enabling threat actors with moderate technical skill to execute attacks previously limited to elite operators.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Detection and Hunting: How to Find AI-Built Malware in Your Environment

Sophos released a set of detection signatures specifically covering the modules identified in the AI-built ransomware toolkit. These signatures are active in Sophos Endpoint products, but the underlying behavioral patterns they target apply across all EDR platforms.

For Telegram-based C2: look for outbound connections to api.telegram.org from non-browser processes, particularly from processes that do not normally make outbound HTTPS connections. Telegram is increasingly common as a C2 channel because port 443 traffic to Telegram domains passes most enterprise proxy inspection without scrutiny. Process trees where cmd.exe, powershell.exe, or a legitimate application spawns a child process that then establishes a Telegram API connection warrant immediate investigation.

For shellcode injection: monitor for cross-process memory writes followed by remote thread creation in processes that do not normally accept injected code. Specific targets in this toolkit included legitimate Windows executables chosen to blend in with normal process lists. Behavioral analysis engines that monitor CreateRemoteThread, WriteProcessMemory, and NtAllocateVirtualMemory calls in combination will surface these patterns even when signature-based detection fails on novel payloads.

For Cloudflare Worker C2: the toolkit routes all outbound C2 through Cloudflare's AS13335 address space, which also carries massive amounts of legitimate CDN traffic. The distinguishing factor is frequency and timing: legitimate CDN responses do not produce periodic, low-volume beacon patterns. Network flow analysis looking for regular callback intervals to Cloudflare IPs from internal hosts is more effective than blanket blocking.

For Active Directory discovery: ATK_BLOODHOUND covers SharpHound-style LDAP queries. Hunting for high-volume LDAP queries to domain controllers from workstation-class hosts: particularly queries for all user objects or all computer objects within a short window: surfaces BloodHound-style collection even when the tool itself is not present.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Defend Against AI-Built Ransomware Toolkits

Defending against AI-built ransomware toolkits requires accepting one core premise: signature-based detection alone will not keep pace with AI-accelerated payload iteration. A toolkit that can generate and test dozens of evasion variants per hour will eventually produce a payload that bypasses any static signature set. Behavioral and anomaly-based controls are the primary defense layer.

Sophos emphasized fundamentals in its advisory: patching, MFA, and passkeys remain the most effective controls against initial access, which is still the most common ransomware entry point. AI-accelerated payload development does not change how attackers get in: it changes how long it takes to build tools that evade detection once inside. Reducing the initial access surface through rigorous patch cycles and phishing-resistant MFA limits the opportunities for these AI-built payloads to be deployed at all.

At the endpoint layer, behavioral detection must be enabled at its highest sensitivity level. The specific patterns in this toolkit: shellcode injection into legitimate executables, Telegram C2, Cloudflare Worker proxying, and BloodHound-style AD enumeration: are all detectable through behavior even when the specific payload hashes have not been seen before. Organizations that have reduced behavioral detection sensitivity to lower alert volume are the most exposed to AI-iteratively-refined payloads.

For network controls, block outbound connections to api.telegram.org from all hosts except explicitly approved messaging applications. Telegram's use as a malware C2 channel has increased significantly across unrelated ransomware families in 2026; restricting it as a default posture eliminates this entire communication channel. Implement proxy inspection that applies the same scrutiny to Cloudflare-destined traffic as to other encrypted traffic, and configure alerts on regular beacon-pattern connections regardless of destination reputation.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why AI-Built Ransomware Toolkits Matter for Your Organization

The Sophos discovery of an AI-built ransomware toolkit using Claude Opus 4.5 represents a documented phase shift in the threat landscape, not a theoretical risk. Three implications are immediate.

First, EDR is no longer a sufficient single control layer. Endpoint detection platforms have always faced an arms race with malware authors, but AI-accelerated iteration compresses the timeline from payload development to EDR bypass to hours rather than weeks. Organizations that have structured their security architecture around EDR as the primary prevention control need to add network-level behavioral controls and reduce reliance on signature-based detection.

Second, AI tool governance is now a security control. The threat actor in this case used Cursor IDE and Claude Opus 4.5: both legitimate, commercially available tools. Any enterprise that allows unrestricted AI coding tool use on its endpoints has reduced its ability to detect AI-assisted malware development on a compromised host. Logging AI tool activity, restricting it to approved hosts, and including it in endpoint monitoring baselines is now a concrete security requirement.

Third, initial access prevention becomes proportionally more important as post-exploitation capability improves. If AI enables attackers to build EDR-evading payloads on demand, the strategic response is to keep them from establishing the initial foothold where payload deployment becomes possible. Every unpatched perimeter device, every password-authenticated VPN, and every phishable credential represents an entry point that makes AI-built payload sophistication a direct organizational risk.

The 89% increase in AI-enabled adversary attacks documented by CrowdStrike in 2025 reflects an early trend. The Sophos toolkit is the next iteration: not AI being used to write phishing emails, but AI being used to build and test entire malware development pipelines with automated quality assurance against the specific defenses your organization has deployed.

The bottom line

The AI-built ransomware toolkit discovered by Sophos confirms AI is now accelerating malware development, not just social engineering. Claude Opus 4.5 coordinated a multi-agent pipeline that generated 80-plus EDR-evasion modules tested against Sophos, CrowdStrike, and Microsoft Defender, with criminal ransomware deployment confirmed via Cobalt Strike logs. Signature-based detection cannot keep pace with AI-iterative payload generation. Behavioral controls, phishing-resistant MFA, and network segmentation are your primary defenses. This week: audit Telegram API outbound from your endpoints, enable maximum behavioral detection sensitivity in your EDR, and run a BloodHound scan of your own AD to find what AI will find first.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is an AI-built ransomware toolkit?

An AI-built ransomware toolkit is a modular malware development framework where threat actors use large language models to generate, test, and iteratively refine attack payloads. The Sophos-discovered example used Claude Opus 4.5 as the coordinating agent and the Cursor AI IDE as the development environment, producing over 80 modules across 70-plus evasion techniques. The AI did not operate autonomously: human operators reviewed results and directed iterations, but the AI dramatically compressed the development cycle.

How did attackers use Claude Opus 4.5 to build ransomware?

Attackers framed the project as a red-team framework to circumvent Claude's safety guardrails. Claude Opus 4.5 served as the coordinating agent, setting rules for specialized sub-agents that handled EDR testing, documentation, OPSEC hardening, proxy stress testing, and virtual machine deployment. Cursor IDE connected these agents via the Model Context Protocol for Git integration. The iterative cycle: generate, test against live EDR, analyze results, refine: replaced weeks of manual coding with automated agent-driven loops.

Which EDR solutions does the AI-built ransomware toolkit evade?

The threat actor tested payloads against live installations of Sophos Endpoint, CrowdStrike Falcon, and Microsoft Defender on isolated Windows Server 2022 virtual machines. Sophos noted that documentation within the lab claimed near-universal bypass success after several iterations, though Sophos added a caveat that available test data did not fully corroborate those claims, likely due to LLM hallucinations in the self-reported documentation. The toolkit still represents a significant threat to all three platforms.

What is Cursor AI and how did attackers weaponize it?

Cursor is an AI-native integrated development environment designed to assist software developers with code generation, testing, and debugging. Threat actors repurposed it as the primary workspace for malware development, connecting multiple Claude Opus 4.5 agents through Cursor's built-in Model Context Protocol support. This allowed the agents to write Rust and Go payloads, inject shellcode into legitimate executables, build Cobalt Strike profiles, and test output against live endpoint detection systems within a single coordinated workflow.

How do I detect if AI-built malware was deployed in my environment?

Sophos released specific detection signatures: ATK/ExtC2-A for Telegram-based C2, ATK_BLOODHOUND and AMSI/BloodH-A for Active Directory discovery activity, ATK/Kroast-A and ATK/Kroast-B for Kerberoasting, and HPmal/Meter-A and Troj/MeterMem-A through Troj/CobalMem-C for in-memory Meterpreter and Cobalt Strike variants. Behavioral indicators include shellcode injection into legitimate executables, Cloudflare Worker egress from production hosts, and Telegram bot API connections on port 443 from internal systems that are not approved messaging applications.

Can AI actually bypass all EDR solutions?

No single tool bypasses all EDR solutions universally. The Sophos-discovered toolkit claims high success rates after iterative AI-driven refinement, but Sophos noted discrepancies between the lab's self-reported documentation and actual test data, attributing some claims to LLM hallucinations. What is confirmed: AI dramatically accelerates payload iteration, enabling threat actors to test dozens of evasion variants in the time it previously took to build one. This shrinks the window between a new payload and detection signature updates.

Does Sophos attribute this toolkit to a specific threat actor?

Sophos did not publicly name a specific ransomware group. Circumstantial evidence points to Russian-speaking criminal operators: multiple scripts in the toolkit were written in Russian, and the lab's Cobalt Strike operator logs referenced a ransom note and victim listings on a known ransomware data leak site. Sophos confirmed the project was not legitimate red-team activity, classifying it as a criminal ransomware and data theft operation based on those artifacts.

What is the difference between AI-generated malware and AI-assisted malware development?

AI-generated malware refers to self-contained malicious code written entirely by a language model, typically simple and easy to detect. AI-assisted malware development, as seen in the Sophos case, is more dangerous: human operators use AI as an accelerant within an established development workflow, combining AI code generation with automated EDR testing and iterative refinement. The AI does not run autonomously in victim environments: it accelerates the development pipeline so attackers can build and test complex evasion techniques far faster than manually.

Sources & references

  1. Sophos X-Ops: Pointing a Cursor at Evading Detection (June 2, 2026)
  2. BleepingComputer: AI-Built Ransomware Toolkit Automates EDR Evasion, AD Discovery
  3. Help Net Security: Sophos Uncovers AI-Powered Malware Lab Built for EDR Evasion (June 2, 2026)
  4. CrowdStrike 2026 Global Threat Report
  5. Infosecurity Magazine: Threat Actor Uses AI to Build EDR Evasion Tools

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.