Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion
Cybersecurity NewsArchived Jun 03, 2026✓ Full text saved
A threat actor used AI-assisted tools to automate Active Directory discovery and test endpoint detection and response (EDR) evasion techniques, highlighting the rise of AI-supported post-exploitation frameworks. The activity was identified after a suspicious endpoint triggered alerts tied to payloads stored in a user directory. Investigation revealed a collection of malicious components forming a structured […] The post Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeAI
Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion
By Abinaya
June 3, 2026
A threat actor used AI-assisted tools to automate Active Directory discovery and test endpoint detection and response (EDR) evasion techniques, highlighting the rise of AI-supported post-exploitation frameworks.
The activity was identified after a suspicious endpoint triggered alerts tied to payloads stored in a user directory.
Investigation revealed a collection of malicious components forming a structured attack toolkit. These included customized Cobalt Strike profiles designed to mimic legitimate web traffic.
Telegram bot–based command-and-control channel to hide communications within trusted infrastructure.
Python scripts capable of injecting shellcode into legitimate Windows executables while maintaining normal functionality. A Cloudflare Worker was also used as a redirector to obscure the true backend C2 server.
Hackers Use AI Red Team Tools
A key finding was the presence of partially AI-generated Python scripts, many written in Russian, alongside a Git repository that contained a broader automation framework.
This framework combined an automated AD discovery panel with a controlled lab environment used to iteratively develop and test malware against leading EDR platforms such as Sophos, CrowdStrike, and Microsoft Defender.
The AD discovery system did not operate as a fully autonomous large language model. Instead, it followed a structured decision tree model, collecting results from executed tasks, selecting predefined next steps, and dispatching actions to remote agents.
Diagram showing AI’s role in the malware development workflow (source : sophos)
This allowed semi-automated reconnaissance across enterprise environments while maintaining predictable execution paths. The threat actor built the testing environment using virtual machines provisioned through Ludus.
Multiple Windows Server 2022 systems were configured to evaluate bypass techniques against different EDR agents, alongside a separate Ubuntu system hosting a Sliver command-and-control server.
Development was supported by an AI-native IDE, Cursor, and coordinated through multiple AI agents with assigned roles.
One primary AI agent, powered by Claude Opus, managed orchestration and rule-setting. In contrast, others handled testing, operational security improvements, documentation, and infrastructure deployment.
Article ingestion and technique mapping instructions for AI agents (source : sophos)
Communication between agents and the code repository was managed using the Model Context Protocol, enabling automated commits and iterative development cycles.
The framework also incorporated research on external threats. AI agents were instructed to ingest publicly available security blogs, extract attack techniques, map them to MITRE ATT&CK, and reproduce them within the lab.
Sources included well-known security firms and red team research providers. This process enabled rapid prototyping of attack techniques based on real-world methodologies.
At the core of the framework was a modular payload generator written in Python that produced executables in Rust and Go.
These payloads were wrapped in layers of encryption and evasion logic, allowing attackers to test over 70 different techniques.
While initial success rates were low, repeated iterations reportedly improved bypass effectiveness, though results remain partially unverified.
Sophos researchers assess that this framework, while presented as red team tooling, is likely intended for real-world intrusions, including ransomware deployment and data theft.
The use of AI significantly accelerates development cycles but does not fundamentally change defensive requirements.
Organizations are advised to maintain strong security baselines, including timely patching, multi-factor authentication, and comprehensive EDR deployment, as attackers increasingly use AI to identify and exploit defensive gaps.
Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users
Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products
Android 0-Day Vulnerability Exploited in Attacks to Gain Complete Device Control
Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository
Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints
Latest News
Cyber Security News
Ivanti ITSM Vulnerability Lets Attackers Gain Admin Privilege
Cyber Security News
Laravel CRLF Injection Vulnerability Enables an Attacker to Interfere with Outbound Email Processing
Cyber Security News
Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware
Cyber Security News
Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users
Cyber Security News
Windows Search URI Handler Flaw Leaks NTLMv2 Hashes to Attacker-Controlled Servers