A threat actor has been observed using AI coding tools to develop and refine malware designed to slip past endpoint detection and response (EDR) software, in what was presented as a red team project.
The activity was uncovered by Sophos X-Ops. According to new analysis from its Counter Threat Unit, the activity was discovered after an unusual endpoint in a customer environment raised alerts for malicious files in a local test folder.
Those files, alongside a linked Git repository, revealed a lab built to develop evasion tooling and test it against EDR agents from Sophos, CrowdStrike and Microsoft. Many of the Python scripts were partly AI-generated and written in Russian.
Humans Stayed in the Loop
The most important finding is what the AI did not do. Sophos stressed that the workflow was not run by an autonomously reasoning model, and that no AI was embedded in the malware itself.
Instead, AI sped up a structured cycle of building, testing and refining that still relied on human review at each turn. The actor worked inside Cursor, an AI-native development environment, and assigned roles to several agents.
One, running on Claude Opus, set the rules for the others, while the rest handled testing, operational security and documentation.
A separate playbook tasked them with mining public security research, mapping techniques to the MITRE ATT&CK framework and reproducing them in the lab, with commits flowing back through the Model Context Protocol (MCP).
A Red Team Cover Story
At the core of the lab was a Python tool that wrapped payloads in layers of encryption and evasion to produce custom loaders, drawing on offensive frameworks such as Cobalt Strike and Sliver.
Sophos said nearly 80 modules covering more than 70 techniques were built this way. The agents reported the modules became almost universally effective after iteration, though Sophos noted its documented test output did not clearly support that.
Read more on AI-generated malware: VoidLink Linux Malware Was Built Using an AI Agent, Researchers Reveal
Although the project was framed as red teaming, Sophos assessed that the label was likely a cover, used in part to get past Claude’s guardrails around malware development.
”In reality, the framework was built for stealthy post-exploitation activity in target environments,” the team said. Sophos also linked the activity to known ransomware and data theft operations.
For defenders, the company argued the shift changes little in practice, even as AI lowers the barrier to building such tooling and helps attackers find gaps faster.
The team urged organizations to maintain defense-in-depth fundamentals: timely patching, multi-factor authentication (MFA), modern methods such as passkeys, and broad EDR deployment.
