Find notable cyber news and cases, enriched with sources, timelines, and signals.

AI-assisted EDR-evasion malware development lab

Malware Activity
First reported
Last updated
Happening score
H score 12
1 unique sources, 1 articles

Summary

Hide ▲

A threat actor is using AI coding tools to build and refine EDR-evasion malware, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tested the tooling against Sophos, CrowdStrike and Microsoft EDR agents, showing a concrete focus on defender evasion rather than harmless experimentation. The activity raises the speed and scale of malware development and suggests the workflow may support stealthy post-exploitation operations.

Related Happenings

SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware

Technical Analysis
H score22 First: 06.07.2026 09:33 Last: 06.07.2026 09:33 Sources 1

About this happening: SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...

AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity
H score36 First: 02.06.2026 23:01 Last: 02.06.2026 23:01 Sources 1

About this happening: A customer-detected AI-built ransomware toolkit is automating Active Directory discovery and EDR evasion, increasing the chance that payloads slip past security contro...

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
H score24 First: 19.03.2026 20:52 Last: 19.03.2026 20:52 Sources 1

About this happening: 54 EDR killers were found abusing BYOVD through 34 vulnerable drivers, showing how ransomware operators can disable endpoint defenses before encryption. The findin...

A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2

Malware Activity
H score22 First: 10.03.2026 00:50 Last: 10.03.2026 00:50 Sources 1

About this happening: The A0Backdoor malware was deployed on Windows endpoints through digitally signed MSI installers and DLL sideloading, giving the operators a stealthier path to exe...

ClickFix fake CAPTCHA campaign delivering Amatera

Campaign
H score35 First: 26.01.2026 23:42 Last: 26.01.2026 23:42 Sources 1

About this happening: A ClickFix campaign now uses a fake CAPTCHA and a signed Microsoft App-V script to deliver Amatera to Windows victims, raising the risk of credential theft and...

Timeline

  1. 02.06.2026 14:00 2 articles · 1mo ago

    Sophos X-Ops uncovers AI-assisted EDR evasion malware lab

    Initial Disclosure

    Sophos X-Ops uncovered a threat actor using AI coding tools inside Cursor and Claude Opus to build and refine malware designed to slip past endpoint detection and response (EDR) software. The work was organized as a lab presented as a red team project, used a Python tool to wrap payloads in encryption and evasion layers, and was tested against EDR agents from Sophos, CrowdStrike and Microsoft after malicious files in a local test folder triggered alerts in a customer environment.

    Show sources