A threat actor is using an AI-assisted ransomware toolkit to automate Active Directory discovery and rapidly develop EDR-bypass payloads tested against Sophos, CrowdStrike, and Microsoft defenses. Sophos found the operation was human-driven but heavily accelerated by Cursor and Claude Opus, with modular loaders, Cobalt Strike profiles, and other components built to evade detection. #Sophos #CrowdStrike #Microsoft #Cursor #ClaudeOpus #CobaltStrike #ActiveDirectory
Keypoints
- The toolkit automates Active Directory discovery and attack planning.
- Cursor and Claude Opus helped develop, analyze, and revise the malware.
- The payloads were tested against Sophos, CrowdStrike, and Microsoft EDR tools.
- The framework used Cobalt Strike, Telegram-based C2, Cloudflare Workers, and Python injectors.
- Sophos found the workflow was human-driven and used to speed up ransomware development.
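The summary names two of the framework's command-and-control channels, Telegram-based C2 and Cloudflare Workers, which both hide in ordinary HTTPS to well-known domains. The hunt below is an added example, not code from Sophos or from the toolkit: it parses constructed EDR-style process-to-network events and flags the Telegram bot API or a `workers.dev` host being contacted by a process that is not a browser or the Telegram desktop client. The log format, host names, process names and allowlists are assumptions made for illustration; tune the allowlists to what is actually installed in your estate before using this as a detection.

```python
"""Hunt for Telegram-API and Cloudflare-Workers C2 candidates in process network events.

Added example (not from the Sophos write-up). The log line format and the
process allowlists are assumptions chosen for illustration.
"""
import re

# Assumed log format: one EDR-style process->network event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) user=(?P<user>\S+) "
    r"dst=(?P<dsthost>[^:\s]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Processes expected to talk to these domains legitimately (assumed names).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
TELEGRAM_CLIENTS = {"telegram.exe"}

# Constructed sample telemetry, not real data.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z host=ws01 proc=chrome.exe user=alice dst=api.telegram.org:443 bytes_out=1200
2024-05-01T10:00:07Z host=ws01 proc=svchost.exe user=SYSTEM dst=api.telegram.org:443 bytes_out=512
2024-05-01T10:00:12Z host=ws02 proc=python.exe user=bob dst=relay-7f3a.example.workers.dev:443 bytes_out=4096
2024-05-01T10:00:19Z host=ws02 proc=firefox.exe user=bob dst=blog.example.workers.dev:443 bytes_out=9000
2024-05-01T10:00:25Z host=ws03 proc=rundll32.exe user=carol dst=updates.example.com:443 bytes_out=300
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict for a well-formed event, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def classify(ev):
    """Return a finding tag for a suspicious event, or None if it looks benign."""
    proc = ev["proc"].lower()
    dst = ev["dsthost"].lower()
    # Telegram bot API reached by anything other than a browser or the desktop client.
    if dst == "api.telegram.org" and proc not in BROWSERS | TELEGRAM_CLIENTS:
        return "telegram-bot-api-from-unexpected-process"
    # Cloudflare Workers host reached by a non-browser (e.g. a Python injector).
    if (dst == "workers.dev" or dst.endswith(".workers.dev")) and proc not in BROWSERS:
        return "cloudflare-workers-from-unexpected-process"
    return None


def hunt(log_text):
    """Run the classifier over every parseable line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        tag = classify(ev)
        if tag is not None:
            findings.append({"host": ev["host"], "proc": ev["proc"], "dst": ev["dsthost"], "tag": tag})
    return findings


def hosts_to_triage(findings):
    """Distinct hosts with at least one finding, sorted for a triage queue."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['host']:6} {f['proc']:14} -> {f['dst']:40} [{f['tag']}]")
    print("triage:", hosts_to_triage(hunt(SAMPLE_LOGS)))
```

The browser allowlist keeps ordinary Telegram web use and Workers-hosted sites from drowning the hunt in noise; the trade-off is that a C2 that injects into a browser process would pass, so pair this with process-ancestry or beacon-timing checks rather than relying on the domain match alone.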