Sophos finds AI malware lab designed to evade EDR detection

Summary
– A threat actor used AI to build a malware-testing framework for developing EDR evasion techniques, linked to ransomware and data theft operations.
– The framework included Cobalt Strike profiles, a Telegram-based C2 mechanism, shellcode injection tools, and a Cloudflare Worker to hide backend infrastructure.
– AI agents, including a Claude Opus 4.5 coordinator, automated tasks like reading security research, extracting attack techniques, and testing payloads against EDR products.
– The testing lab used Windows Server 2022 VMs dedicated to specific EDR products (Sophos, CrowdStrike, and a control), along with an Ubuntu VM for a Sliver C2 server.
– Evasion modules were reported as increasingly successful after testing, but Sophos found the test data did not support the claims, likely because of LLM hallucinations.
A threat actor has leveraged AI technologies to construct a sophisticated malware-testing framework aimed at refining techniques to bypass endpoint detection and response (EDR) systems, according to a recent investigation by Sophos.
The probe began when an unusual endpoint in a customer environment generated alerts tied to malicious payloads originating from a testing directory. These files pointed to a broader framework specifically designed to evade detection.
Within the environment, researchers discovered Cobalt Strike profiles configured to disguise beacon traffic as legitimate web requests, a Telegram-based command-and-control mechanism, shellcode injection tools, and a Cloudflare Worker used to mask backend infrastructure.
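As an added illustration from the defender's side (not Sophos's tooling and not code from the page): a check over constructed proxy log lines that flags regularly spaced, beacon-like requests to the kinds of services named above, the Telegram Bot API and Cloudflare Workers hosts. The log format, watchlist and thresholds are assumptions to adapt to a real environment.

```python
"""Flag low-jitter periodic requests to C2-capable services in proxy logs.
Added illustration, not Sophos's tooling; log lines are constructed and the
watchlist (Telegram Bot API, Cloudflare Workers) is an assumption to tune."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")  # ts src_ip host status

# Constructed sample: one host checking in about every 60 s, plus benign noise.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 api.telegram.org 200
2024-01-01T10:00:05 10.0.0.7 www.example.com 200
2024-01-01T10:01:00 10.0.0.5 api.telegram.org 200
2024-01-01T10:02:00 10.0.0.5 api.telegram.org 200
2024-01-01T10:03:00 10.0.0.5 api.telegram.org 200
2024-01-01T10:03:40 10.0.0.7 www.example.com 200
2024-01-01T10:04:01 10.0.0.5 api.telegram.org 200
2024-01-01T10:30:00 10.0.0.9 demo.workers.dev 200
"""

def watched(host: str) -> bool:
    """Assumed watchlist: Telegram Bot API and any Cloudflare Workers subdomain."""
    return host == "api.telegram.org" or host.endswith(".workers.dev")

def parse(log: str):
    """Yield (timestamp, src_ip, host) per well-formed line; skip malformed ones."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_beacons(log: str, min_hits: int = 4, max_cv: float = 0.2) -> dict:
    """Return {(src_ip, host): mean gap in seconds} for watched hosts whose
    request spacing is regular (coefficient of variation of gaps <= max_cv)."""
    hits = defaultdict(list)
    for ts, src, host in parse(log):
        if watched(host):
            hits[(src, host)].append(ts)
    beacons = {}
    for key, stamps in hits.items():
        if len(stamps) < min_hits:
            continue  # too few check-ins to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean <= max_cv:
            beacons[key] = mean
    return beacons
```

Real beacons add jitter and may sleep for hours, so treat the thresholds as a starting point and pair this with volume and destination-reputation checks rather than relying on periodicity alone.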
Sophos linked the activity to ransomware deployment and data theft operations but declined to identify the specific group involved.
“We are not disclosing the ransomware group at this time due to ongoing active investigations related to this threat actor. However, it is a group that is currently active and impacting organisations globally, including in the United States,” said Rafe Pilling, Director of Threat Intelligence at Sophos.
AI-generated scripts and automated discovery
Researchers found multiple Python scripts, many written in Russian, that appeared to be partially AI-generated. They also uncovered a Git repository containing an automated Active Directory discovery panel and a malware-testing lab used to evaluate payloads against protections from Sophos, CrowdStrike, and Microsoft Defender.
The Active Directory discovery component collected information from completed tasks, selected follow-up actions from predefined workflows, dispatched tasks to remote agents, and reevaluated results as they were returned. While the behavior resembled AI-driven automation, it did not represent an autonomously reasoning LLM.
“Artifacts within the Git repository suggest that the threat actor identified potential bypass techniques from research blogs published by organizations such as Kaspersky, Palo Alto Networks, and Bishop Fox,” Sophos researchers wrote. “Information was also sourced from X and Telegram, although it is unclear if these sources influenced the tool development.”
Dedicated testing lab
The lab consisted of several Windows Server 2022 virtual machines used to test payloads against different EDR products. One system was dedicated to Sophos, another to CrowdStrike, while a third served as a control environment without EDR software installed. A fourth Ubuntu virtual machine hosted a Sliver command-and-control server.
Multiple AI agents operated within the framework. A Claude Opus 4.5 agent coordinated activity and set rules for the other agents, while additional agents handled EDR testing, documentation, OPSEC hardening, proxy stress testing, and virtual machine deployment.
The setup relied on Model Context Protocol (MCP), an open standard that enables AI assistants to interact with external tools and data sources, connecting the agents to Git repositories.
The threat actor used Ludus, a platform for rapidly deploying and managing virtualized security testing environments, to provision the lab infrastructure. They also relied on Cursor, an AI-native integrated development environment, during the malware development process.
The AI agents were tasked with reading security research, extracting attack techniques, mapping them to the MITRE ATT&CK framework, preparing test environments, executing experiments, and reporting the results.
The findings suggest the threat actor presented the project as a red-team framework while interacting with Claude. Asked about the use of such framing in attempts to bypass safeguards, Sophos pointed to a broader pattern observed in recent attacks.
“Attempts to bypass model safeguards using benign framing for malicious prompts, such as the use of a red team pretext, have been observed in a number of cases over the past year, including in attacks recently reported targeting government entities in Mexico. We have been in touch with Anthropic regarding our observations,” Pilling noted.
At the core of the framework was a Python-based payload generation tool that produced custom Windows executables and DLLs, a type of Windows library file that programs can load and execute. The payloads incorporated encryption, evasion, and alternative execution techniques and were then used for testing.
Sophos said the tool supported nearly 80 modules used to test more than 70 evasion techniques.
Questions over reported success rates
Documentation generated within the framework suggested the evasion modules became increasingly successful after repeated testing and refinement. However, the available test data reviewed during the investigation did not support those claims.
“We don’t have the data to fully account for the discrepancies, but it’s likely that common large language model issues, such as hallucinations, played a role in the differences observed,” Pilling concluded.
Despite the use of AI agents, Sophos said the defensive fundamentals remain unchanged, including patching, MFA, passkeys, and endpoint protection.
(Source: Help Net Security)