
AI-built ransomware toolkit automates EDR evasion, AD discovery

Published:

2 June 2026 at 20:01:20

Alert date:

2 June 2026 at 21:03:34

Source:

bleepingcomputer.com


Ransomware & Malware, Security Tools, Emerging Technologies

A threat actor is utilizing an artificial intelligence-built ransomware attack toolkit that automates Active Directory discovery processes and helps evade endpoint detection and response (EDR) solutions. This represents a significant advancement in ransomware capabilities, as AI automation can make attacks more efficient and harder to detect. The toolkit specifically targets enterprise environments by automating reconnaissance of Active Directory infrastructure, which is critical for lateral movement in corporate networks. The EDR evasion capabilities suggest sophisticated anti-detection techniques that could bypass traditional security measures.

Technical details

Threat actors are using AI agents, including Cursor and Claude Opus, to develop ransomware attack toolkits that automate Active Directory discovery and evade EDR solutions. The framework includes Cobalt Strike profiles that make beacon traffic resemble legitimate web requests, a Telegram Bot API-based C2 mechanism that routes through Telegram infrastructure, Python-based malware development scripts for shellcode injection into legitimate Windows executables, and a Cloudflare Worker as a front-end redirector. The system uses multiple AI agents with distinct roles: Claude Opus 4.5 as coordinator, with others handling testing, OPSEC hardening, documentation, proxy stress testing, and VM deployment. Close to 80 modules were generated and tested against more than 70 evasion techniques targeting EDR solutions from Sophos, CrowdStrike, and Microsoft Defender. The main component is a Python tool that generates payloads in Rust and Go based on the selected evasion techniques, wrapping raw payloads in encryption, evasion, and alternative execution techniques.

Mitigation steps:

Monitor for suspicious activity in the C:\Users\User\Documents\test directory.
Implement enhanced EDR monitoring for Python-based malware development scripts.
Watch for Telegram Bot API-based C2 communications.
Monitor for Cloudflare Worker redirectors being used maliciously.
Enhance detection for shellcode injection into legitimate Windows executables.
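As an added detection example, not from the advisory or the source article: a small Python scanner over constructed sample events that flags three of the observables listed above, the Telegram Bot API URL shape (api.telegram.org/bot<token>/<method>), Cloudflare workers.dev hostnames contacted by non-browser processes, and file writes under the IoC directory. The sample events, the pipe-separated event format and the browser allowlist are assumptions to be tuned per environment.

```python
import re

# Constructed sample events (not from the advisory), one per line:
# "host|process|kind|value" where kind is "url" (proxy egress) or "file" (file write).
SAMPLE_EVENTS = """\
WS-01|outlook.exe|url|https://outlook.office365.com/owa/
WS-01|svchost.exe|url|https://api.telegram.org/bot123456:ABCDEF/getUpdates
WS-02|chrome.exe|url|https://relay-example.workers.dev/
WS-02|notepad.exe|url|https://relay-example.workers.dev/api/v1/status
WS-03|python.exe|file|C:\\Users\\User\\Documents\\test\\loader.py
WS-03|explorer.exe|file|C:\\Users\\User\\Documents\\report.docx
"""

# Telegram Bot API calls always have the form https://api.telegram.org/bot<token>/<method>;
# the Telegram desktop client does not use this endpoint, so endpoint processes rarely should.
TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/(\w+)", re.I)
# Cloudflare Workers default hostnames end in .workers.dev
WORKERS_DEV = re.compile(r"^https?://[^/]+\.workers\.dev(/|$)", re.I)
# Directory named as an IoC in the advisory (compared case-insensitively)
IOC_DIR = "c:\\users\\user\\documents\\test\\"
# Assumption: processes for which workers.dev traffic is plausible in this environment
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def classify(host, process, kind, value):
    """Return the detection tags that fire for one event (empty list if none)."""
    tags = []
    if kind == "url":
        m = TELEGRAM_BOT_API.match(value)
        if m:
            tags.append(f"telegram_bot_c2:{m.group(1)}")  # method name aids triage
        if WORKERS_DEV.match(value) and process.lower() not in BROWSERS:
            tags.append("workers_dev_redirector")
    elif kind == "file" and value.lower().startswith(IOC_DIR):
        tags.append("ioc_dir_write")
    return tags


def scan(text):
    """Parse pipe-separated events and return (host, process, tag) hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, process, kind, value = line.split("|", 3)
        for tag in classify(host, process, kind, value):
            hits.append((host, process, tag))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```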

Affected products:

Sophos EDR
CrowdStrike EDR
Microsoft Defender
Windows Defender
Active Directory
Cobalt Strike

Related links:

Related CVEs:

Related threat actors:

IOCs:

C:\Users\User\Documents\test

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
