AI-assisted EDR-evasion malware development lab
Malware Activity
Summary
A threat actor is using AI coding tools to build and refine EDR-evasion malware, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tested the tooling against Sophos, CrowdStrike and Microsoft EDR agents, showing a concrete focus on defender evasion rather than harmless experimentation. The activity raises the speed and scale of malware development and suggests the workflow may support stealthy post-exploitation operations.
Related Happenings
EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical Analysis
First: 19.03.2026 20:52
Last: 19.03.2026 20:52
Sources 1
About this happening:
**54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...
A0Backdoor malware deployed through signed MSI sideloading and DNS MX C2
Malware Activity
First: 10.03.2026 00:50
Last: 10.03.2026 00:50
Sources 1
About this happening:
The **A0Backdoor** malware was deployed on **Windows endpoints** through **digitally signed MSI installers** and **DLL sideloading**, giving the operators a stealthier path to exe...
ClickFix fake CAPTCHA campaign delivering Amatera
Campaign
First: 26.01.2026 23:42
Last: 26.01.2026 23:42
Sources 1
About this happening:
A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...
Storm-0249 SentinelOne EDR abuse for stealthy malware execution
Malware Activity
First: 09.12.2025 17:24
Last: 09.12.2025 17:24
Sources 1
About this happening:
**Storm-0249** is abusing **SentinelOne EDR** components and trusted **Windows utilities** to load malware, establish **C2**, and maintain persistence, increasing the risk that th...
Bitcoin Black and Codo AI VS Code extensions delivering infostealer
Malware Activity
First: 09.12.2025 00:30
Last: 09.12.2025 00:30
Sources 1
About this happening:
The **Bitcoin Black** and **Codo AI** extensions on **Microsoft's Visual Studio Code Marketplace** are delivering an **infostealer** to **developers' machines**, creating immediat...
Timeline
02.06.2026 14:00 · 2 articles
Sophos X-Ops uncovers AI-assisted EDR evasion malware lab
Initial Disclosure: Sophos X-Ops uncovered a threat actor using AI coding tools inside Cursor and Claude Opus to build and refine malware designed to slip past endpoint detection and response (EDR) software. The work was organized as a lab presented as a red team project, used a Python tool to wrap payloads in encryption and evasion layers, and was tested against EDR agents from Sophos, CrowdStrike and Microsoft after malicious files in a local test folder triggered alerts in a customer environment.
- Threat Actor Uses AI to Build EDR Evasion Tools — www.infosecurity-magazine.com — 02.06.2026 14:00