
AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity
Happening score
H score 36
1 unique source, 1 article

Summary


An AI-built ransomware toolkit, detected in a customer environment, automates Active Directory discovery and EDR evasion, increasing the chance that its payloads slip past security controls. The toolkit was found after artifacts appeared under `C:\Users\User\Documents\test`. Its development used Cursor and Claude Opus agents, and the malware was tested against Sophos, CrowdStrike, and Microsoft EDR products. The activity matters because it combines AI-assisted development, payload refinement, and operational evasion into a faster ransomware-building loop.

Related Happenings

AI-assisted EDR-evasion malware development lab

Malware Activity
First: 02.06.2026 14:00 Last: 02.06.2026 14:00 Sources 1

About this happening: A threat actor is using **AI coding tools** to build and refine **EDR-evasion malware**, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...

DRILLAPP JavaScript backdoor through Microsoft Edge

Malware Activity
First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: Observed in **February 2026**, the **DRILLAPP** backdoor now runs through **Microsoft Edge**, giving it **file access** plus access to the **microphone**, **webcam**, and **screen...

Steaelite Windows RAT with FUD and multi-function capabilities

Malware Activity
First: 27.02.2026 12:06 Last: 27.02.2026 12:06 Sources 1

About this happening: The **Steaelite** Windows RAT is being marketed as a **fully undetectable** tool for **Windows 10 and 11**, giving operators browser-based control over infected machines and enabl...

Reynolds ransomware BYOVD defense-evasion activity

Malware Activity
First: 10.02.2026 16:36 Last: 10.02.2026 16:36 Sources 1

About this happening: The **Reynolds** ransomware family now matters because it bundles a **vulnerable NsecSoft NSecKrnl driver** inside the payload to disable **EDR** and terminate security processes...

PDFSider malware deployed for stealthy Windows backdoor access

Malware Activity
First: 19.01.2026 23:00 Last: 19.01.2026 23:00 Sources 1

About this happening: The **PDFSider** malware is being used to deliver payloads on **Windows systems**, giving attackers a stealthy backdoor for **long-term covert access** and raising the risk of ran...

Timeline

  1. 02.06.2026 23:01 2 articles · 1h ago

    Sophos detects AI-built ransomware toolkit in a customer environment

    Initial Disclosure

    Sophos detects activity from an AI-built ransomware toolkit on a customer system after payloads stored in C:\Users\User\Documents\test triggered alerts. The toolkit automates Active Directory discovery and EDR evasion, and includes Cobalt Strike profiles that mimic legitimate web traffic, a Telegram bot API–based C2 path, Python scripts for shellcode injection into legitimate Windows executables, and a Cloudflare Worker redirector that hides the backend C2 server. Sophos also found Cobalt Strike operator logs with ransom note references and details on organizations listed on a ransomware data leak site. The malware was tested in virtual environments against Sophos, CrowdStrike, and Microsoft defenses, while AI tools such as Cursor and Claude Opus assisted with development, analysis, and revision.
