Key Takeaways
- Sophos X-Ops identified a threat actor using AI coding agents in a structured workflow to refine malware designed to bypass EDR tools.
- The project was framed as red teaming, though analysts assessed it aligned with post-exploitation and ransomware activity.
- AI-enabled automation accelerates malware iteration, prompting a renewed focus on defense in depth and secure AI governance.
Sophos X-Ops detailed a discovery inside a customer environment: a lab where a threat actor used AI-driven coding tools to build and test malware intended to bypass popular endpoint detection and response products. The findings, published on June 19, 2026, illustrate how attackers fold AI agents into their development cycles without relying on fully autonomous systems.
The investigation began with anomalous files inside a local test folder. The alert surfaced Python scripts, infrastructure, and a linked Git repository. This environment was configured to test evasive payloads against EDR agents from Sophos, CrowdStrike, and Microsoft. Some of the material appeared to be partly written by AI tools and included Russian-language comments.
Sophos emphasized that no autonomously reasoning model directed the workflow. There was no self-directed malware, no automatic propagation logic, and no embedded AI inside the payloads. Instead, the actor relied on Cursor, an AI-native development environment, to coordinate several assigned agents. Claude Opus set the guidance, while supporting agents handled security research, quality checks, and documentation.
A separate playbook instructed the agents to mine public threat research and map techniques to the MITRE ATT&CK framework. Commits then flowed back through the Model Context Protocol. The EU Agency for Cybersecurity has warned that ransomware operators increasingly use automation and AI-assisted development to fine-tune toolchains, a trend highlighted in recent industry analysis by Paubox.
At the center of the lab sat a Python-based wrapper tool designed to encrypt payloads, layer in evasion techniques, and produce custom loaders drawing from offensive kits such as Cobalt Strike and Sliver. Sophos counted nearly 80 modules across more than 70 techniques. The agents reported high success rates after multiple testing cycles, though Sophos noted that the documented output did not substantiate all of those claims.
The project carried a red team label, which Sophos indicated likely served to bypass Claude’s guardrails around malware development. The company assessed that the objective aligned more closely with stealthy post-exploitation and data theft operations. This assessment fits with broader industry reporting. For example, a 2024 Forrester analysis on cybercrime and generative AI, also detailed by Paubox, describes criminal groups using coding assistants to industrialize malware production and reduce the necessary expertise.
While AI support accelerated the actor’s workflow, humans remained part of every cycle. Operators reviewed outputs, adjusted parameters, and drove the project. Sophos found no signs of runaway development or autonomous malware evolution. This hybrid model demonstrates attackers finding practical ways to augment their operators. It reflects warnings in the NIST AI Risk Management Framework that generative AI and agentic tools can be misused to amplify software supply chain attacks.
Other researchers have flagged the overlap between AI tooling and traditional malware build pipelines. Work from MIT on adversarial machine learning outlines how automated agents may test their own payloads against defensive models. Even if those agents lack full autonomy today, the workflow documented by Sophos reveals early versions of an automated feedback loop.
The presence of EDR-evasion testing echoes observations from the broader security research community. Unit 42, Carnegie Mellon’s Software Engineering Institute, and the IEEE security community have reported on attackers using local sandboxes to profile detection logic. Integrating AI-driven code generation adjusts the speed and volume of these testing cycles.
Sophos suggests that defense in depth provides the most reliable mitigation path. This encompasses prompt patching, multi-factor authentication, passkeys where applicable, strong identity controls, and broad EDR coverage.
Organizations deploying AI coding agents must revisit their internal governance strategies, particularly under standards influenced by NIST and other bodies. As Gartner noted in 2024, 50% of enterprise software is expected to include AI agents by 2027. If attackers utilize small-scale agent clusters to refine malware, enterprises require similar rigor to supervise their internal development tools.
The Sophos findings confirm that the blend of AI automation, human oversight, and open-source offensive frameworks is actively used to develop EDR-evasion tooling. Attackers combine these established frameworks with AI coordination tools to iterate malicious payloads, requiring defenders to adapt their detection strategies to identify increasingly refined, machine-assisted malware.
⬇️