Threat Actor Uses AI to Build EDR Evasion Tools

ID: 0bdb2efd-e290-56e8-ab3d-2ad6bd4eae87

STIX ID: report--0bdb2efd-e290-56e8-ab3d-2ad6bd4eae87

Feed Name: Infosecurity Magazine (News)

Threat Score
75/100

Date Published: 2026-06-02

Date Updated: 2026-06-03

Sophos X-Ops discovered a development lab in which a threat actor used AI-native development tools and multi-agent workflows to accelerate the creation and iterative testing of EDR-evasion tooling and custom Python loaders, borrowing techniques from frameworks such as Cobalt Strike and Sliver. The operation was framed as red teaming but is assessed as likely malicious: it produced roughly 80 modules covering more than 70 techniques and was linked to ransomware and data-theft activity. It demonstrates that AI can speed up human-led malware development rather than replace it; Sophos recommends reinforcing defense-in-depth and EDR coverage in response.