Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion - CyberSecurityNews

HomeAI Hackers Using AI Tools to Automate Active Directory Attacks and EDR Evasion By Abinaya June 3, 2026 A threat actor used AI-assisted tools to automate Active Directory discovery and test endpoint detection and response (EDR) evasion techniques, highlighting the rise of AI-supported post-exploitation frameworks. The activity was identified after a suspicious endpoint triggered alerts tied to payloads stored in a user directory. Investigation revealed a collection of malicious components forming a structured attack toolkit. These included customized Cobalt Strike profiles designed to mimic legitimate web traffic. Telegram bot–based command-and-control channel to hide communications within trusted infrastructure. Python scripts capable of injecting shellcode into legitimate Windows executables while maintaining normal functionality. A Cloudflare Worker was also used as a redirector to obscure the true backend C2 server. Hackers Use AI Red Team Tools A key finding was the presence of partially AI-generated Python scripts, many written in Russian, alongside a Git repository that contained a broader automation framework. This framework combined an automated AD discovery panel with a controlled lab environment used to iteratively develop and test malware against leading EDR platforms such as Sophos, CrowdStrike, and Microsoft Defender. The AD discovery system did not operate as a fully autonomous large language model. Instead, it followed a structured decision tree model, collecting results from executed tasks, selecting predefined next steps, and dispatching actions to remote agents. Diagram showing AI’s role in the malware development workflow (source : sophos) This allowed semi-automated reconnaissance across enterprise environments while maintaining predictable execution paths. The threat actor built the testing environment using virtual machines provisioned through Ludus. Multiple Windows Server 2022 systems were configured to evaluate bypass techniques against different EDR agents, alongside a separate Ubuntu system hosting a Sliver command-and-control server. Development was supported by an AI-native IDE, Cursor, and coordinated through multiple AI agents with assigned roles. One primary AI agent, powered by Claude Opus, managed orchestration and rule-setting. In contrast, others handled testing, operational security improvements, documentation, and infrastructure deployment. Article ingestion and technique mapping instructions for AI agents (source : sophos) Communication between agents and the code repository was managed using the Model Context Protocol, enabling automated commits and iterative development cycles. The framework also incorporated research on external threats. AI agents were instructed to ingest publicly available security blogs, extract attack techniques, map them to MITRE ATT&CK, and reproduce them within the lab. Sources included well-known security firms and red team research providers. This process enabled rapid prototyping of attack techniques based on real-world methodologies. At the core of the framework was a modular payload generator written in Python that produced executables in Rust and Go. These payloads were wrapped in layers of encryption and evasion logic, allowing attackers to test over 70 different techniques. While initial success rates were low, repeated iterations reportedly improved bypass effectiveness, though results remain partially unverified. Sophos researchers assess that this framework, while presented as red team tooling, is likely intended for real-world intrusions, including ransomware deployment and data theft. The use of AI significantly accelerates development cycles but does not fundamentally change defensive requirements. Organizations are advised to maintain strong security baselines, including timely patching, multi-factor authentication, and comprehensive EDR deployment, as attackers increasingly use AI to identify and exploit defensive gaps. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Critical Magento Cache Plugin Vulnerability Enables Remote Code Execution Attacks Microsoft 365 Service Degradation Bypassed Windows Driver Auto-Update Controls SideCopy Hackers Deploy Persistent XenoRAT Malware to Target Afghanistan Finance Ministry Web App and API Attacks are Rising: Are You Blind to AI Web Attacks? Join Free WAAP Security Webinar  Hackers Actively Exploiting WordPress Plugin Vulnerability to Inject Malicious PHP Code Latest News Cyber Security New EDRChoker Tool Uses Policy-Based Quality of Service to Block EDR Processes Cyber Security Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers Cyber Security News CISA Warns of Linux Kernel Improper Authentication Vulnerability Exploited in Attacks Cyber Security New ChatGPT Lockdown Mode to Mitigate Prompt Injection and Data Exfiltration Attacks Cyber Security Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies