Find notable cyber news and cases, enriched with sources, timelines, and signals.

AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

A customer-detected AI-built ransomware toolkit is automating Active Directory discovery and EDR evasion, increasing the chance that payloads slip past security controls. The toolkit was found in a customer environment after artifacts appeared under `C:\Users\User\Documents\test`. Its development used Cursor and Claude Opus agents, and the malware was tested against Sophos, CrowdStrike, and Microsoft EDR products. The activity matters because it combines AI-assisted development, payload refinement, and operational evasion into a faster ransomware-building loop.

Related Happenings

SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware

Technical Analysis
H score22 First: 06.07.2026 09:33 Last: 06.07.2026 09:33 Sources 1

About this happening: SKILLCLOAK shows that malicious AI coding-agent skills can be rewritten to evade static scanners while still executing, exposing credentials, source code, and term...

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: Gentlemen ransomware-as-a-service (RaaS) is actively maintaining a suite of EDR killers led by GentleKiller to disable endpoint defenses before encryption. ESET says t...

AI-assisted EDR-evasion malware development lab

Malware Activity
H score12 First: 02.06.2026 14:00 Last: 02.06.2026 14:00 Sources 1

About this happening: A threat actor is using AI coding tools to build and refine EDR-evasion malware, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tes...

DRILLAPP JavaScript backdoor through Microsoft Edge

Malware Activity
H score24 First: 16.03.2026 11:07 Last: 16.03.2026 11:07 Sources 1

About this happening: Observed in February 2026, the DRILLAPP backdoor now runs through Microsoft Edge, giving it file access plus access to the microphone, webcam, and screen...

Steaelite Windows RAT with FUD and multi-function capabilities

Malware Activity
H score28 First: 27.02.2026 12:06 Last: 27.02.2026 12:06 Sources 1

About this happening: The Steaelite Windows RAT is being marketed as a fully undetectable tool for Windows 10 and 11, giving operators browser-based control over infected machines and enabl...

Timeline

  1. 02.06.2026 23:01 2 articles · 1mo ago

    Sophos detects AI-built ransomware toolkit in a customer environment

    Initial Disclosure

    Sophos detects activity from an AI-built ransomware toolkit on a customer system after payloads stored in C:\Users\User\Documents\test triggered alerts. The toolkit automates Active Directory discovery and EDR evasion, includes Cobalt Strike profiles that mimic legitimate web traffic, a Telegram bot API–based C2 path, Python scripts for shellcode injection into legitimate Windows executables, and a Cloudflare Worker redirector to hide the backend C2 server. Sophos also found Cobalt Strike operator logs with ransom note references and details on organizations listed on a ransomware data leak site, and the malware was tested in virtual environments against Sophos, CrowdStrike, and Microsoft defenses while AI tools such as Cursor and Claude Opus assisted development, analysis, and revisioning.

    Show sources