AI-built ransomware toolkit with AD discovery and EDR evasion
Malware Activity
Summary
Hide ▲
Show ▼
A customer-detected AI-built ransomware toolkit is automating Active Directory discovery and EDR evasion, increasing the chance that payloads slip past security controls. The toolkit was found in a customer environment after artifacts appeared under `C:\Users\User\Documents\test`. Its development used Cursor and Claude Opus agents, and the malware was tested against Sophos, CrowdStrike, and Microsoft EDR products. The activity matters because it combines AI-assisted development, payload refinement, and operational evasion into a faster ransomware-building loop.
Related Happenings
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical Analysis
H score22
First: 06.07.2026 09:33
Last: 06.07.2026 09:33
Sources 1
About this happening:
SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...
SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware
Technical AnalysisAbout this happening: SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
Gentlemen ransomware-as-a-service (RaaS) is actively maintaining a suite of EDR killers led by GentleKiller to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: Gentlemen ransomware-as-a-service (RaaS) is actively maintaining a suite of EDR killers led by GentleKiller to disable endpoint defenses before encryption. ESET says t...
AI-assisted EDR-evasion malware development lab
Malware Activity
H score12
First: 02.06.2026 14:00
Last: 02.06.2026 14:00
Sources 1
About this happening:
A threat actor is using AI coding tools to build and refine EDR-evasion malware, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
AI-assisted EDR-evasion malware development lab
Malware ActivityAbout this happening: A threat actor is using AI coding tools to build and refine EDR-evasion malware, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware Activity
H score24
First: 16.03.2026 11:07
Last: 16.03.2026 11:07
Sources 1
About this happening:
Observed in February 2026, the DRILLAPP backdoor now runs through Microsoft Edge, giving it file access plus access to the microphone, webcam, and screen...
DRILLAPP JavaScript backdoor through Microsoft Edge
Malware ActivityAbout this happening: Observed in February 2026, the DRILLAPP backdoor now runs through Microsoft Edge, giving it file access plus access to the microphone, webcam, and screen...
Steaelite Windows RAT with FUD and multi-function capabilities
Malware Activity
H score28
First: 27.02.2026 12:06
Last: 27.02.2026 12:06
Sources 1
About this happening:
The Steaelite Windows RAT is being marketed as a fully undetectable tool for Windows 10 and 11, giving operators browser-based control over infected machines and enabl...
Steaelite Windows RAT with FUD and multi-function capabilities
Malware ActivityAbout this happening: The Steaelite Windows RAT is being marketed as a fully undetectable tool for Windows 10 and 11, giving operators browser-based control over infected machines and enabl...
Timeline
-
02.06.2026 23:01 2 articles · 1mo ago
Sophos detects AI-built ransomware toolkit in a customer environment
Initial DisclosureSophos detects activity from an AI-built ransomware toolkit on a customer system after payloads stored in C:\Users\User\Documents\test triggered alerts. The toolkit automates Active Directory discovery and EDR evasion, includes Cobalt Strike profiles that mimic legitimate web traffic, a Telegram bot API–based C2 path, Python scripts for shellcode injection into legitimate Windows executables, and a Cloudflare Worker redirector to hide the backend C2 server. Sophos also found Cobalt Strike operator logs with ransom note references and details on organizations listed on a ransomware data leak site, and the malware was tested in virtual environments against Sophos, CrowdStrike, and Microsoft defenses while AI tools such as Cursor and Claude Opus assisted development, analysis, and revisioning.
Show sources
- AI-built ransomware toolkit automates EDR evasion, AD discovery — www.bleepingcomputer.com — 02.06.2026 23:01
- AI-built ransomware toolkit automates EDR evasion, AD discovery — www.bleepingcomputer.com — 02.06.2026 23:01