Ransomware

AI accelerates development of ransomware toolkit with EDR evasion capabilities

A threat actor is using a ransomware attack toolkit, developed with AI assistance, that automates Active Directory discovery and helps evade endpoint detection and response (EDR) products. Its development, including initial coding, analysis, and revision, was significantly assisted by AI tools such as Cursor and Claude Opus, with some agents specifically tasked with researching published security posts for bypass techniques. The toolkit was tested against EDR products from Sophos, CrowdStrike, and Microsoft, as reported by Bleeping Computer.

The toolkit, discovered by Sophos, includes Cobalt Strike malleable profiles to disguise beacon traffic, the Telegram bot API as a command-and-control (C2) channel, Python scripts for injecting shellcode into legitimate Windows executables, and a Cloudflare Worker that fronts the C2 server to hide its real address. Researchers confirmed its use in cybercriminal ransomware operations, noting that while AI assisted development, the overall workflow remains human-driven.
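Two of the components above, Telegram bot API C2 and a Cloudflare Worker in front of the real server, leave network traces that do not depend on the beacon's disguised content. The following is an added detection example, not code from Sophos, Bleeping Computer, or the toolkit itself. It parses constructed proxy-log lines (the log format, hostnames, process names, bot token and workers.dev domain are all invented for the example) and flags (a) any process calling the Telegram bot API, whose URL path always carries a `bot<id>:<token>` segment, and (b) requests to a workers.dev subdomain that recur at a near-constant interval, which is what an undisguised beacon check-in looks like.

```python
"""Constructed detection example: Telegram bot API C2 and periodic
workers.dev beaconing in proxy logs. Log format and thresholds are
assumptions for this example, not properties of the reported toolkit."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<timestamp> <host> <process> <url>". Not real data.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z ws-17 OUTLOOK.EXE https://outlook.office.com/mail/inbox
2024-06-01T10:00:05Z ws-17 svchost.exe https://api.telegram.org/bot123456789:AAHxConstructedTokenForExample/getUpdates
2024-06-01T10:00:35Z ws-17 svchost.exe https://api.telegram.org/bot123456789:AAHxConstructedTokenForExample/sendDocument
2024-06-01T10:00:00Z ws-22 rundll32.exe https://cdn-assets-sync.example-user.workers.dev/api/v1/sync
2024-06-01T10:01:00Z ws-22 rundll32.exe https://cdn-assets-sync.example-user.workers.dev/api/v1/sync
2024-06-01T10:02:01Z ws-22 rundll32.exe https://cdn-assets-sync.example-user.workers.dev/api/v1/sync
2024-06-01T10:02:59Z ws-22 rundll32.exe https://cdn-assets-sync.example-user.workers.dev/api/v1/sync
2024-06-01T09:30:00Z ws-09 chrome.exe https://my-site.someone.workers.dev/
2024-06-01T14:12:00Z ws-09 chrome.exe https://my-site.someone.workers.dev/about
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<url>\S+)$")
# Telegram bot API calls carry the bot token in the path: /bot<numeric id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/(?P<method>\w+)")
# Any subdomain of workers.dev (Cloudflare Workers default hosting domain).
WORKERS_RE = re.compile(r"^https?://[a-z0-9-]+(\.[a-z0-9-]+)*\.workers\.dev/", re.I)


def parse(log_text):
    """Parse the constructed log format into (timestamp, host, process, url) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["proc"], m["url"]))
    return events


def telegram_bot_hits(events):
    """Return (host, process, bot-API method) for every Telegram bot API call."""
    hits = []
    for _ts, host, proc, url in events:
        m = TELEGRAM_BOT_RE.match(url)
        if m:
            hits.append((host, proc, m["method"]))
    return hits


def periodic_workers_beacons(events, min_hits=3, max_cv=0.2):
    """Group workers.dev requests per (host, process, domain) and flag series
    whose inter-request gaps are regular: coefficient of variation <= max_cv.
    Returns (host, process, domain, mean interval in seconds)."""
    series = defaultdict(list)
    for ts, host, proc, url in events:
        if WORKERS_RE.match(url):
            domain = url.split("/")[2]
            series[(host, proc, domain)].append(ts)
    findings = []
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few requests to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((*key, round(avg, 1)))
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for hit in telegram_bot_hits(evs):
        print("telegram-bot-api:", hit)
    for finding in periodic_workers_beacons(evs):
        print("periodic-workers-beacon:", finding)
```

On the sample, ws-17's svchost.exe is reported for two bot API calls and ws-22's rundll32.exe for a ~60 s check-in to the workers.dev domain; ws-09's two browser visits hours apart are not flagged. Two caveats: Cobalt Strike profiles can add sleep jitter, which widens the interval spread, so `max_cv` must be tuned against real baselines rather than fixed at 0.2; and an operator who binds the Worker to a custom domain never touches workers.dev, so the periodicity check should be applied per destination domain generally, not only to this one suffix.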

The AI agents were used to document bypass techniques, map them to the MITRE ATT&CK framework, and iteratively test payloads against EDR products. The resulting modular payload generator wraps payloads in encryption and evasion layers to resist detection. Although no AI component was found embedded in the deployed malware, AI assistance significantly shortens the gap between the publication of offensive security research and its adoption by threat actors, a growing challenge for defenders.

Source: Bleeping Computer
