AI-powered ransomware toolkit automates Active Directory discovery and EDR evasion

 


Cybersecurity researchers at Sophos have uncovered a ransomware-related framework that uses artificial intelligence to speed up malware development and testing. The toolkit automates Active Directory (AD) discovery and includes features designed to evade endpoint detection and response (EDR) products.

According to Sophos, the framework's code and payloads were developed using AI agents powered by Cursor and Claude Opus. The AI tools were used for coding, analysis, revisions, and reviewing security research to identify bypass techniques. However, the operation remained fully controlled by human operators, researchers say.

The toolkit was discovered on a compromised system where malicious files were stored in a test directory. Components included Cobalt Strike profiles that disguised beacon traffic as legitimate web requests, a Telegram-based command-and-control channel, malware scripts capable of injecting shellcode into legitimate Windows executables, and a Cloudflare Worker used to hide the real command-and-control server.

Researchers also found a Git repository containing an automated Active Directory discovery platform and a testing environment used to evaluate malware against EDR products: Sophos, CrowdStrike, and Microsoft Defender. The framework uses multiple AI agents with dedicated roles such as coordination, testing, operational security improvements, documentation, and virtual machine deployment.

A central Python-based tool generates malware payloads in Rust and Go based on selected evasion methods. Researchers identified nearly 80 generated modules that were tested against more than 70 detection-evasion techniques. While early tests showed frequent failures, repeated development cycles reportedly improved the malware's ability to bypass security products.

Sophos found no evidence that AI was embedded within deployed malware or operating autonomously on victim systems. Instead, AI was used to accelerate the process of researching, developing, testing, and refining malware designed to avoid detection by modern security tools.

