AI-assisted EDR-evasion malware development lab
Malware Activity
Summary
Hide ▲
Show ▼
A threat actor is using AI coding tools to build and refine EDR-evasion malware, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tested the tooling against Sophos, CrowdStrike and Microsoft EDR agents, showing a concrete focus on defender evasion rather than harmless experimentation. The activity raises the speed and scale of malware development and suggests the workflow may support stealthy post-exploitation operations.
Related Happenings
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical Analysis
H score22
First: 06.07.2026 09:33
Last: 06.07.2026 09:33
Sources 1
About this happening:
SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical AnalysisAbout this happening: SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
H score36
First: 02.06.2026 23:01
Last: 02.06.2026 23:01
Sources 1
About this happening:
A customer-detected AI-built ransomware toolkit is automating Active Directory discovery and EDR evasion, increasing the chance that payloads slip past security contro...
AI-built ransomware toolkit with AD discovery and EDR evasion
Malware ActivityAbout this happening: A customer-detected AI-built ransomware toolkit is automating Active Directory discovery and EDR evasion, increasing the chance that payloads slip past security contro...
EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical Analysis
H score24
First: 19.03.2026 20:52
Last: 19.03.2026 20:52
Sources 1
About this happening:
54 EDR killers were found abusing BYOVD through 34 vulnerable drivers, showing how ransomware operators can disable endpoint defenses before encryption. The findin...
EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical AnalysisAbout this happening: 54 EDR killers were found abusing BYOVD through 34 vulnerable drivers, showing how ransomware operators can disable endpoint defenses before encryption. The findin...
A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware Activity
H score22
First: 10.03.2026 00:50
Last: 10.03.2026 00:50
Sources 1
About this happening:
The A0Backdoor malware was deployed on Windows endpoints through digitally signed MSI installers and DLL sideloading, giving the operators a stealthier path to exe...
A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware ActivityAbout this happening: The A0Backdoor malware was deployed on Windows endpoints through digitally signed MSI installers and DLL sideloading, giving the operators a stealthier path to exe...
ClickFix fake CAPTCHA campaign delivering Amatera
Campaign
H score35
First: 26.01.2026 23:42
Last: 26.01.2026 23:42
Sources 1
About this happening:
A ClickFix campaign now uses a fake CAPTCHA and a signed Microsoft App-V script to deliver Amatera to Windows victims, raising the risk of credential theft and...
ClickFix fake CAPTCHA campaign delivering Amatera
CampaignAbout this happening: A ClickFix campaign now uses a fake CAPTCHA and a signed Microsoft App-V script to deliver Amatera to Windows victims, raising the risk of credential theft and...
Timeline
-
02.06.2026 14:00 2 articles · 1mo ago
Sophos X-Ops uncovers AI-assisted EDR evasion malware lab
Initial DisclosureSophos X-Ops uncovered a threat actor using AI coding tools inside Cursor and Claude Opus to build and refine malware designed to slip past endpoint detection and response (EDR) software. The work was organized as a lab presented as a red team project, used a Python tool to wrap payloads in encryption and evasion layers, and was tested against EDR agents from Sophos, CrowdStrike and Microsoft after malicious files in a local test folder triggered alerts in a customer environment.
Show sources
- Threat Actor Uses AI to Build EDR Evasion Tools — www.infosecurity-magazine.com — 02.06.2026 14:00
- Threat Actor Uses AI to Build EDR Evasion Tools — www.infosecurity-magazine.com — 02.06.2026 14:00