AI-Built Ransomware Toolkit Automates EDR Evasion, Leverages Claude Agents for Attack Development
Researchers at Sophos have uncovered an active threat actor operating a fully functional, AI-built ransomware toolkit that automates Active Directory (AD) reconnaissance, systematically tests endpoint detection bypass techniques, and uses multiple AI agents, including one powered by Claude Opus 4.5, to build and refine malware at a pace no traditional development workflow could match. The discovery, published June 2, 2026, by the Sophos Counter Threat Unit (CTU), is a concrete demonstration of what AI-accelerated offensive operations look like in practice, and the implications reach directly into Canadian enterprise environments.
How Sophos Discovered the AI-Assisted Toolkit
The investigation began when an anomalous endpoint inside a customer environment triggered alerts for suspicious payloads stored at the local path C:\Users\User\Documents\test. That initial alert opened the door to something far more significant: a structured post-exploitation framework built with AI assistance at nearly every stage of development.
The compromised host contained a layered collection of offensive tools:
- Cobalt Strike profiles engineered to disguise beacon traffic as legitimate web requests, blending malicious communications into normal network activity
- A Telegram Bot API-based command-and-control (C2) channel, routing attacker communications through Telegram’s own infrastructure to avoid direct detection triggers
- Python-based shellcode injection scripts capable of embedding malicious code into legitimate Windows executables while preserving their original functionality
- A Cloudflare Worker deployed as a front-end redirector to conceal the actual backend C2 server from investigators and network monitoring tools
Multiple Python scripts on the device, several written in Russian, showed evidence of partial AI generation. Investigators then traced these back to a linked Git repository containing two primary components: an automated Active Directory discovery panel and a purpose-built malware testing laboratory.
The AI Agent Workflow Behind the Malware Lab
The framework’s development was orchestrated through Cursor, an AI-native integrated development environment, combined with a multi-agent AI setup. One primary agent using Claude Opus 4.5 was assigned the role of core coordinator, setting operational rules and directing the other agents in the workflow. Supporting agents were each given specialized responsibilities:
- Dedicated EDR evasion testing and analysis
- Operational security (OPSEC) hardening
- Automated documentation generation
- Proxy stress testing
- Virtual machine deployment and management
All code commits, updates, and results were communicated back to the Git repository through the Model Context Protocol (MCP), an open standard that allows AI assistants to connect with external tools and data sources. The infrastructure itself was provisioned using Ludus, a platform built for the rapid deployment of virtualized security testing environments.

The testing lab consisted of Windows Server 2022 virtual machines (one configured to test payloads against Sophos protections, one against CrowdStrike, and a third control environment with no EDR installed) plus a fourth virtual machine running Ubuntu that hosted a Sliver command-and-control server.
AI Agents Fed Real Threat Research, Mapped to MITRE ATT&CK
The agents were not operating in isolation from the broader security research ecosystem. The threat actor directed AI agents to ingest published research from SpecterOps, Kaspersky, Palo Alto Networks, and Bishop Fox, extract offensive techniques from those publications, map each technique to the MITRE ATT&CK framework, and then reproduce and test those techniques inside the lab environment. Additional sourcing from X (formerly Twitter) and Telegram was also observed, though Sophos could not confirm whether those sources directly influenced tool development.
At the core of the framework was a Python-based payload generator producing custom Windows executables and DLL files, the majority written in Rust and Go. Each payload incorporated encryption, sandbox bypass techniques, and alternative execution methods. Close to 80 modules were developed using this generator, collectively testing more than 70 distinct evasion techniques.
Internal documentation from the framework suggested the evasion modules achieved high bypass success rates after iterative testing. Sophos researchers, however, found significant inconsistencies between those self-reported results and the actual test data reviewed during the investigation. Rafe Pilling, Director of Threat Intelligence at Sophos, noted that large language model hallucinations likely contributed to the inflated accuracy claims documented within the framework itself.
Red Team Pretext Used to Bypass Claude’s Safety Controls
Sophos researchers identified a deliberate pattern in how the threat actor framed requests to Claude: the entire project was presented as a legitimate red team testing environment. This framing was designed to circumvent the model’s built-in restrictions around malware development. Pilling confirmed that Sophos has been in direct contact with Anthropic regarding these observations, noting that the use of a red team pretext to bypass model safeguards has appeared in multiple threat cases over the past year.
The ransomware group behind this toolkit has not been publicly identified, as Sophos stated that active investigations are ongoing. The group is confirmed to be currently operational and targeting organizations globally, including across the United States.
Canadian Impact: Why This Matters for Organizations Across Canada
This threat carries specific weight for Canadian organizations. Ransomware remains the most disruptive cyber threat to Canadian businesses and institutions, according to guidance from the Canadian Centre for Cyber Security (CCCS), and this toolkit represents a meaningful escalation in attacker capability.
Canadian sectors most at risk from AI-accelerated ransomware operations include:
- Healthcare: Hospital networks and provincial health authorities are high-value targets with limited IT security budgets and heavy reliance on connected systems
- Financial services: Canadian banks and credit unions subject to OSFI guidelines face heightened exposure from AI-optimized lateral movement across Active Directory environments
- Municipal and provincial government: Public sector organizations frequently operate legacy infrastructure with inconsistent EDR deployment
Organizations subject to PIPEDA (Personal Information Protection and Electronic Documents Act), or provincial equivalents such as Quebec’s Law 25, face direct breach notification obligations if a ransomware incident results in data exfiltration. This toolkit was specifically linked to data theft operations alongside ransomware deployment, making both notification timelines and regulatory penalties a real concern. Mandatory breach reporting to the Office of the Privacy Commissioner of Canada is required when there is a real risk of significant harm to affected individuals.
Canadian small and medium-sized businesses (SMBs) are particularly exposed here. Many still operate basic antivirus or unmanaged endpoints rather than modern EDR platforms, which is precisely the defensive gap this toolkit was built and tested to exploit.
Key Takeaways
- A threat actor built and deployed an AI-built ransomware toolkit using Claude Opus 4.5 agents and the Cursor IDE to automate malware development, testing, and iteration at scale.
- The toolkit automates Active Directory discovery, enabling rapid network enumeration and lateral movement once an attacker gains initial access to a target environment.
- Nearly 80 payload modules were developed to test more than 70 EDR evasion techniques against Sophos, CrowdStrike, and Microsoft Defender in a dedicated virtual machine lab.
- C2 communications were concealed through Telegram infrastructure and a Cloudflare Worker redirector, making outbound detection significantly harder with standard network monitoring tools.
- The threat actor framed the project as a red team operation to bypass Claude’s safety guardrails, a technique Sophos has now formally flagged to Anthropic.
- Canadian organizations in healthcare, financial services, and government face direct exposure; successful breaches tied to data exfiltration will trigger mandatory reporting under PIPEDA and provincial privacy legislation.
- The identity of the responsible ransomware group remains undisclosed, with Sophos confirming active global operations are ongoing as of this report.
What You Should Do Now
- Audit your endpoint protection stack immediately. If your organization is running legacy antivirus without behavioral detection capabilities, prioritize upgrading to a modern EDR or XDR solution. This toolkit was specifically tested and refined to evade Sophos, CrowdStrike, and Microsoft Defender; unprotected or under-protected endpoints represent the highest-risk entry point.
- Enforce multi-factor authentication (MFA) and passkeys across all Active Directory-connected accounts. AI-assisted AD enumeration becomes far less operationally useful to an attacker when every account requires strong authentication. Prioritize privileged accounts, remote access tools, and service accounts first.
- Monitor for anomalous outbound traffic patterns. Specifically, look for Telegram API calls, Cloudflare-fronted connections from internal endpoints, and unexpected DNS queries. These are indicators of the C2 evasion techniques used in this toolkit.
- Apply security patches within CCCS-recommended timelines. The Canadian Centre for Cyber Security advises patching critical vulnerabilities within 48 hours of disclosure. AI-assisted attackers can iterate and move laterally quickly once inside a network, making a reduced attack surface critical.
- Review your AI tool governance and access controls. If your organization uses AI coding assistants, agentic frameworks, or tools that connect to internal repositories, audit what data those tools can access and what permissions they hold. Model Context Protocol integrations in particular should be reviewed.
- Test your PIPEDA breach response readiness. Run a tabletop exercise against a ransomware-plus-data-exfiltration scenario. Validate that you can detect, contain, and notify the Office of the Privacy Commissioner within required timeframes and that your incident response plan accounts for AI-accelerated attack timelines.
- Subscribe to CCCS threat advisories and bulletins. The Canadian Centre for Cyber Security publishes actionable threat intelligence at cyber.gc.ca relevant to Canadian organizations. Ensure your security team monitors these bulletins actively, particularly as AI-assisted threat actor activity continues to evolve in 2026.
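The outbound-traffic monitoring item above can be turned into a first-pass triage rule. The Python below is an added example written for this article; it is not code from Sophos, from the CTU report, or from the toolkit itself. It reads constructed web-proxy log lines (none taken from the report) and flags three things the article calls out: calls to the Telegram Bot API host (api.telegram.org, Telegram's documented endpoint), destinations under workers.dev (the default domain for Cloudflare Workers; a Worker fronted by a custom domain will not match, so this is a heuristic), and domains absent from a known-good baseline as a stand-in for "unexpected" lookups. The baseline and the workstation names are assumptions chosen for the sample.

```python
"""Flag outbound web-proxy connections that match the C2 hiding patterns
described in the article: Telegram Bot API calls from internal endpoints,
Cloudflare Workers hostnames, and domains absent from a known-good baseline.

Added example for this article; not code from Sophos or from the toolkit.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Telegram Bot API endpoint host (public, documented by Telegram).
TELEGRAM_BOT_API_HOST = "api.telegram.org"

# Default domain under which Cloudflare Workers are published. A Worker placed
# behind a custom domain will NOT match; this rule is a heuristic, not a proof.
WORKERS_DEV_RE = re.compile(r"(^|\.)workers\.dev$", re.IGNORECASE)

# Constructed baseline of domains this (fictional) organization expects its
# workstations to reach. In practice this comes from weeks of proxy history.
KNOWN_GOOD = {"microsoft.com", "example.ca", "python.org"}

# Constructed proxy log: "<timestamp> <source-host> <method> <url>" per line.
# None of these entries come from the Sophos report; the bot token is a placeholder.
SAMPLE_LOG = """\
2026-06-02T09:14:02Z WS-0417 GET https://www.microsoft.com/en-ca/
2026-06-02T09:14:05Z WS-0417 POST https://api.telegram.org/bot000000:PLACEHOLDER/getUpdates
2026-06-02T09:14:09Z WS-0417 GET https://cdn-update-check.example-tenant.workers.dev/beacon
2026-06-02T09:14:11Z WS-0231 GET https://intranet.example.ca/portal
2026-06-02T09:14:20Z WS-0417 POST https://api.telegram.org/bot000000:PLACEHOLDER/sendDocument
2026-06-02T09:14:33Z WS-0231 GET https://update.unknown-vendor.example/check
2026-06-02T09:15:01Z WS-0099 GET https://docs.python.org/3/
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT|CONNECT)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, source, method, host) or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url = m.groups()
    host = (urlparse(url).hostname or "").lower()
    return ts, src, method, host


def in_baseline(host, baseline):
    """True if host equals or is a subdomain of any baseline domain."""
    return any(host == d or host.endswith("." + d) for d in baseline)


def classify(host, baseline):
    """Return the list of reasons a destination host is worth a look."""
    reasons = []
    if host == TELEGRAM_BOT_API_HOST:
        reasons.append("telegram-bot-api")
    if WORKERS_DEV_RE.search(host):
        reasons.append("cloudflare-workers-dev")
    # Only fall back to the baseline rule when no specific rule fired.
    if not reasons and not in_baseline(host, baseline):
        reasons.append("domain-not-in-baseline")
    return reasons


def flag_connections(log_text, baseline=KNOWN_GOOD):
    """Run every log line through the rules; keep only the ones that fire."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, method, host = parsed
        reasons = classify(host, baseline)
        if reasons:
            findings.append({"ts": ts, "src": src, "method": method,
                             "host": host, "reasons": reasons})
    return findings


def summarize_by_source(findings):
    """Count findings per internal source host to spot the noisy endpoint."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = flag_connections(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['src']:<8} {f['host']:<45} {','.join(f['reasons'])}")
    print("per source:", dict(summarize_by_source(hits)))
```

On the sample, the script surfaces WS-0417 three times (two Telegram Bot API calls and one workers.dev beacon) and WS-0231 once for a domain outside the baseline; the per-source count is what an analyst would pivot on first. The baseline rule is intentionally last so a sanctioned Telegram integration or an approved Worker can be handled by adding the host to the allowlist without hiding the specific rules from everyone else.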