AI-Built Ransomware Toolkit Automates EDR Evasion and Active Directory Reconnaissance
Cybersecurity researchers have uncovered a sophisticated ransomware attack toolkit developed with assistance from artificial intelligence, highlighting how threat actors are increasingly using AI to accelerate malware development and improve evasion capabilities.
According to researchers at Sophos, the toolkit automates Active Directory (AD) discovery, streamlines malware testing, and helps attackers bypass endpoint detection and response (EDR) security solutions.
AI-Assisted Malware Development
The framework was reportedly developed using AI tools including Cursor and Claude Opus, which assisted with coding, malware analysis, testing, and iterative improvements.
Researchers found evidence that AI agents were also tasked with reviewing publicly available security research and social media posts to identify techniques for bypassing security products and avoiding detection.
Despite the extensive use of AI throughout the development process, Sophos emphasized that the operation remained human-directed, with attackers controlling the overall workflow and decision-making.
Discovery of the Toolkit
Sophos researchers discovered traces of the framework during an investigation involving suspicious files stored on a compromised system.
Analysis revealed several components commonly associated with advanced cybercrime operations, including:
- Customized Cobalt Strike profiles designed to make malicious traffic appear legitimate
- A command-and-control infrastructure that communicates through Telegram’s API
- Python-based tools capable of injecting malicious shellcode into legitimate Windows applications
- Cloudflare Worker redirectors used to conceal the location of backend command-and-control servers
Although some of the tooling resembled legitimate red-team or penetration-testing frameworks, further investigation linked the activity to ransomware operations.
Researchers identified references to ransom notes and organizations listed on ransomware leak sites, confirming the framework’s criminal purpose.
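For defenders, two of the components listed above leave network traces that can be hunted: traffic to the Telegram API and to Cloudflare Workers from processes that have no reason to reach them. The following is an added example, not code from Sophos or from the toolkit; the event layout, the allowlist of expected processes and all sample events are constructed assumptions.

```python
from collections import Counter

# Destinations tied to the components listed above. api.telegram.org is the
# Telegram Bot API host; *.workers.dev is Cloudflare's default Workers domain
# (Workers bound to custom domains will not match this suffix).
WATCHED = {"api.telegram.org": "telegram-api", ".workers.dev": "cloudflare-worker"}

# Assumption: processes expected to reach these services in this environment.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Constructed sample events: (hostname, process image, destination host),
# as they might be exported from proxy or EDR network telemetry.
SAMPLE_EVENTS = [
    ("WS-014", "chrome.exe", "api.telegram.org"),
    ("WS-014", "notepad.exe", "api.telegram.org"),
    ("WS-014", "notepad.exe", "api.telegram.org"),
    ("SRV-DC01", "rundll32.exe", "cdn-check.example.workers.dev"),
    ("WS-022", "msedge.exe", "docs.example.workers.dev"),
    ("WS-022", "python.exe", "www.example.com"),
]

def classify(dest):
    """Return the watch label for a destination host, or None."""
    dest = dest.lower().rstrip(".")
    for pattern, label in WATCHED.items():
        # Exact host match, or suffix match for patterns starting with a dot.
        if dest == pattern or (pattern.startswith(".") and dest.endswith(pattern)):
            return label
    return None

def hunt(events, expected=EXPECTED):
    """Count watched destinations reached by processes outside the allowlist."""
    hits = Counter()
    for host, process, dest in events:
        label = classify(dest)
        if label and process.lower() not in expected:
            hits[(host, process.lower(), label)] += 1
    # Most frequent first, then stable ordering by key.
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for (host, process, label), count in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{process}\t{label}\t{count}")
```

Hits are leads for triage rather than verdicts: the allowlist has to reflect which software legitimately uses these services in the environment being monitored.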
Automated Active Directory Discovery
One of the framework’s key capabilities is an automated Active Directory reconnaissance system.
The system gathers information from completed tasks, evaluates the results, and automatically determines the next action to perform. Tasks are delegated to remote AI-driven agents, which return findings for further analysis and decision-making.
This allows attackers to rapidly map enterprise environments and identify valuable targets with minimal manual effort.
Multi-Agent AI Architecture
The framework employs multiple specialized AI agents, each assigned a specific role.
Researchers found agents responsible for:
- Research and development coordination
- Malware testing and validation
- Operational security improvements
- Documentation generation
- Proxy and infrastructure stress testing
- Virtual machine deployment and management
A Claude Opus-based agent reportedly acted as the central coordinator, overseeing the broader development process.
Learning From Security Research
Researchers found that some AI agents actively analyzed public research from major cybersecurity organizations and security experts.
The agents extracted information about detection bypass methods, mapped those techniques to the MITRE ATT&CK framework, identified reproduction requirements, built testing environments, executed experiments, and documented the results.
This allowed the attackers to rapidly evaluate and refine techniques designed to evade modern security defenses.
Payload Generation and EDR Evasion
At the core of the toolkit is a Python-based payload generator capable of producing malware written primarily in Rust and Go.