Dark ReadingArchived Jun 04, 2026✓ Full text saved
Python scripts were used to test malware against endpoint detection and response agents from Sophos, CrowdStrike, and Windows Defender.
Full text archived locally
✦ AI Summary· Claude Sonnet
ENDPOINT SECURITY
THREAT INTELLIGENCE
VULNERABILITIES & THREATS
APPLICATION SECURITY
NEWS
Attackers Use AI to Automate EDR Evasion Testing
Python scripts were used to test malware against endpoint detection and response agents from Sophos, CrowdStrike, and Windows Defender.
Alexander Culafi,Senior News Writer,Dark Reading
June 3, 2026
3 Min Read
SOURCE: SUNDRY PHOTOGRAPHY VIA GETTY IMAGES
Sophos X-Ops analysts published research this week concerning an unidentified threat actor using AI technology to develop endpoint detection and response (EDR) evasion tactics through the lens of what the company described as a "red team" post-exploitation framework.
"The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts for payloads originating from C:\Users\User\Documents\test," Sophos said in its blog post. "Multiple files in this directory were malicious and indicative of a broader attack framework focused on evading detection."
Sophos analysts discovered the presence of multiple Python scripts, written in Russian and at least partially AI-generated. This is not surprising in its own right, as threat actors have been using large language model (LLM) technology to build malware and run attacks for some time now.
What is more novel is that these scripts were aligned with an automated Active Directory (AD) panel and a lab that iteratively develops and tests malware against Sophos, CrowdStrike, and Windows Defender EDR agents. Attackers would test malware against the EDR tools, collect observations, and the automated AD panel would choose the next task from a predefined list before dispatching work to remote agents and reevaluating upon the conclusion of work.
Related:China's Webworm Uses Discord, Microsoft Graphs to Hack EU Governments
Threat Actors Create EDR Evasion Lab
While the AI malware development was "more limited" and used to support experimentation and coordinate workflows, the EDR lab "was a structured engineering test cycle that included human review and iteration." In other words, Sophos saw the attackers do iterative sandboxing to create more effective malware — build, test, analyze, refine.
Further professionalizing its workflows, artifacts within the attacker's Git repository revealed evidence that the attacker was studying vendor research to identify potential malware bypass techniques. Attackers assigned agents to study this information, extract relevant information, map identified techniques to MITRE ATT&CK techniques, prepare the lab testing environment, and test.
The attacker testing environment used multiple virtual machines running Windows Server 2022 to emulate a red-teaming process, down to having its own dedicated control environment. "One VM tested tools to bypass the Sophos agent, one was for the CrowdStrike agent, and a third was a control environment without an EDR agent installed. A fourth VM, which ran a version of Ubuntu, was a Sliver post-exploitation framework C2 server," Sophos said.
Related:FCC Softens Ban on Foreign-Made Routers
Sophos identified multiple LLM tools the threat actor used, including AI-powered coding editor Cursor for malware development and Claude Opus as a primary model used by the attacker's AI agents. The agents in particular were used to orchestrate and automate malware testing and also provide other functions related to operational security.
Focus On the Basics
While the blog focuses on the novel malware testing environment, Sophos said this framework was built to facilitate stealthy post-exploitation activity in target environments, and that the activity was connected to "known ransomware deployment and data theft operations."
Sophos notes that while there are sophisticated elements to this activity, organizations can still protect themselves via tried-and-true methods such as practicing defense-in-depth. "The fundamentals remain critical, including timely patching, multifactor authentication (MFA), modern authentication mechanisms such as passkeys, and the broad deployment of an effective EDR solution," Sophos said.
Dark Reading contacted Sophos for additional information.
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.
At Dark Reading, he covers a variety of cybersecurity topics, including the cybercrime ecosystem, open source security, and the intersection between AI and threat actors. In his spare time, Alex hosts the weekly Nintendo podcast, "Talk Nintendo Podcast," and works on personal writing projects, including two previously self-published science fiction novels.
He has received numerous awards, including TechTarget's Writer of the Year in 2022 as well as more than 10 Azbee awards for his reporting between 2022 and today.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Cybersecurity for Resource-Constrained Organizations
More Webinars
You May Also Like
ENDPOINT SECURITY
2 Separate Campaigns Probe Corporate LLMs for Secrets
by Elizabeth Montalbano, Contributing Writer
JAN 12, 2026
ENDPOINT SECURITY
Pro-Russian Hackers Use Linux VMs to Hide in Windows
by Alexander Culafi
NOV 04, 2025
ENDPOINT SECURITY
Chrome Store Features Extension Poisoned With Sophisticated Spyware
by Elizabeth Montalbano, Contributing Writer
JUL 07, 2025
ENDPOINT SECURITY
We've All Been Wrong: Phishing Training Doesn't Work
by Nate Nelson, Contributing Writer
JUL 01, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Cybersecurity for Resource-Constrained Organizations
THURS, JUNE 18, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS