{"id":263519,"date":"2026-06-02T16:01:00","date_gmt":"2026-06-02T20:01:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/02\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/"},"modified":"2026-06-03T22:10:11","modified_gmt":"2026-06-04T02:10:11","slug":"ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/02\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/","title":{"rendered":"AI-built ransomware toolkit automates EDR evasion, AD discovery"},"content":{"rendered":"<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/amp\/\">AI-built ransomware toolkit automates EDR evasion, AD discovery<\/a><\/p>\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/amp\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/amp\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-02 16:01:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.bleepingcomputer.com\">www.bleepingcomputer.com<\/a><\/p>\n<p>A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions.<\/p>\n<p>Tool and payload development was assisted by Cursor and Claude Opus agents in various stages, including initial coding, analysis, and revisioning. 
Additionally, some agents were tasked with checking security research posts for various bypass techniques.<\/p>\n<p>Some of the malware created this way was tested in virtual environments against EDR tools from Sophos, CrowdStrike, and Microsoft.<\/p>\n<p>Despite the malware research and development orchestrated using AI technology, the researchers note that the workflow is entirely human-driven.<\/p>\n<h3>Rapid EDR-bypass development<\/h3>\n<p>Researchers at cybersecurity company Sophos detected activity from the toolkit on a system at a customer environment that triggered alerts for payloads stored in C:\\Users\\User\\Documents\\test.<\/p>\n<p>The malicious files suggested they were part of an attack framework that focused on evading detection:<\/p>\n<ul>\n<li>Cobalt Strike profiles designed to make beacon traffic resemble legitimate web requests<\/li>\n<li>A Telegram bot API\u2013based external command and control (C2) mechanism that routed communication through Telegram\u2019s infrastructure rather than using direct connections<\/li>\n<li>Python-based malware development scripts for injecting shellcode into legitimate Windows executables while preserving original functionality<\/li>\n<li>A Cloudflare Worker acting as a front-end redirector to obscure the actual backend C2 server<\/li>\n<\/ul>\n<p>The researchers say that while the tool may appear as a \u201cred team\u201d post-exploitation framework, it is used in cybercriminal activity related to ransomware.<\/p>\n<p>&#8220;Our initial assessment included the possibility that a legitimate Red Team was engaged, but our investigation revealed further artifacts that indicated malicious and criminal activity,&#8221; Sophos told BleepingComputer.<\/p>\n<p>The discovery in Cobalt Strike operator logs of entries pointing to a&#8230;<\/p>\n<p><a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/amp\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AI-built ransomware toolkit automates EDR evasion, AD discovery https:\/\/www.bleepingcomputer.com\/news\/security\/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery\/amp\/ Publish Date: 2026-06-02 16:01:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":263520,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/04\/30\/AI-phish.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,32,34],"class_list":["post-263519","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/263519"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=263519"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/263519\/revisions"}],"predecessor-version":[{"id":263521,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/263519\/revisions\/263521"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/263520"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=263519"}],"wp:term":[{"taxonomy":"category","e
mbeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=263519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=263519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}