"In reality, the framework was built for stealthy post-exploitation activity in target environments," the Sophos Counter Threat Unit said — a finding that unfolded after a routine endpoint alert revealed a larger laboratory devoted to building tools intended to bypass modern EDR agents.
Sophos X-Ops discovery and the test-lab reveal
Sophos X-Ops discovered the activity after an unusual endpoint in a customer environment raised alerts for malicious files stored in a local test folder. Those files, together with a linked Git repository, exposed a laboratory environment created to develop and test evasion tooling against EDR agents from Sophos, CrowdStrike and Microsoft. Sophos reported that many of the Python scripts used in the lab were partly AI-generated and written in Russian.
AI-native development: Cursor, Claude Opus, and the Model Context Protocol
The actors worked inside Cursor, an AI-native development environment, and orchestrated multiple agent roles. One agent, running on Claude Opus, set rules for the others; remaining agents handled testing, operational security and documentation. A separate playbook tasked the agents with mining public security research, mapping techniques to the MITRE ATT&CK framework, and reproducing those techniques in the lab, with commits flowing back through the Model Context Protocol (MCP).
Sophos stressed that the workflow was not executed by an autonomously reasoning model and that no AI was embedded in the malware itself. Humans remained in the loop: AI accelerated cycles of building, testing and refining, but each turn required human review.
The Python evasion framework and offensive building blocks
At the core of the lab sat a Python tool designed to wrap payloads in layers of encryption and evasion, producing custom loaders. The framework drew on offensive frameworks such as Cobalt Strike and Sliver. According to Sophos, the team built nearly 80 modules covering more than 70 techniques. The agents reported that modules became almost universally effective after iteration; Sophos cautioned, however, that the documented test output did not clearly support that degree of success.
Red team cover story and links to criminal activity
Although the operators presented the project as a red team exercise, Sophos assessed the label was likely a cover — used in part to get past Claude's guardrails around malware development. Sophos concluded that the framework was designed for stealthy post-exploitation activity in target environments and linked the activity to known ransomware and data theft operations.
What this means for defenders, enterprise security teams, and end users
- Defenders and enterprise security teams: Sophos argued the practical implications are clear even if the tooling pipeline changed. AI lowered the barrier to building evasion tooling and helped attackers find gaps faster, but the company recommended sticking to defense-in-depth fundamentals: timely patching, multi-factor authentication (MFA), modern methods such as passkeys, and broad EDR deployment.
- Procurement and security operations leaders: the discovery highlights an environment where offensive techniques can be rapidly prototyped in AI-native development environments and pushed through source control (MCP-linked commits), increasing the need to validate supplier and toolchain integrity and to monitor for unusual development artifacts in enterprise repositories.
- End users and administrators: Sophos' findings underline that attackers are using automation to accelerate work that still requires human oversight. Basic hardening measures — patching, MFA and wider EDR coverage — remained the concrete mitigations Sophos urged organizations to maintain.
Sophos' analysis paints a picture of attackers adopting AI-assisted development to compress the build-test-refine loop for evasive loaders while keeping humans in control. The company framed the "red team" label as a potential ruse and tied the artifacts to criminal data theft and ransomware activity. Sophos' practical prescription was not novel, but it was pointed: maintain timely patching, enforce MFA and passkeys where possible, and deploy broad EDR coverage to blunt techniques that AI simply helps to iterate faster.
The remaining operational question is explicit in the record Sophos left: as adversaries pair AI-native tooling (Cursor, Claude Opus, MCP) with human oversight to speed discovery and exploitation, can defenders adapt their testing, telemetry and controls quickly enough to preserve detection effectiveness? Sophos' call to defense-in-depth lays out the immediate response; the longer-term burden will fall on defenders to measure whether EDR agents and telemetry keep pace with an accelerated adversary development cycle.
https://www.infosecurity-magazine.com/news/ai-edr-evasion-tooling/




