Full Report
A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions. [...]
Analysis Summary
# Tool/Technique: AI-Built Ransomware Attack Toolkit (Uncoded Proxy/Loader Framework)
## Overview
This is a modular cybercriminal attack framework developed using an "agentic" AI workflow. The toolkit automates Active Directory (AD) discovery and the iterative creation of malware loaders designed specifically to evade Endpoint Detection and Response (EDR) solutions. While the workflow is human-driven, it utilizes AI agents (Claude Opus, Cursor) to research, code, test, and refine payloads against leading security products.
## Technical Details
- **Type**: Malware Development Framework / Post-Exploitation Toolkit
- **Platform**: Windows (Primary target), Cross-platform (Scripts in Python, payloads in Rust/Go)
- **Capabilities**: Automated EDR evasion testing, Active Directory discovery, shellcode injection, obfuscated C2 communication.
- **First Seen**: June 2026 (Reported by Sophos)
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- **[TA0007 - Discovery]**
  - [T1087.002 - Account Discovery: Domain Account]
  - [T1018 - Remote System Discovery]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
  - [T1055 - Process Injection]
  - [T1205 - Traffic Signaling (Port Knocking/Cloudflare Workers)]
- **[TA0011 - Command and Control]**
  - [T1102.002 - Web Service: Bidirectional Communication (Telegram API)]
  - [T1090.003 - Proxy: Multi-hop Proxy (Cloudflare Workers)]
## Functionality
### Core Capabilities
- **Modular Payload Generation**: A Python-based tool that wraps raw payloads in encryption and evasion layers, outputting executables or DLLs in Rust and Go.
- **Automated AD Discovery**: Collects environment observations and uses AI logic to determine the next steps for domain enumeration.
- **Command and Control (C2)**: Uses Telegram Bot API for external communication and Cloudflare Workers as front-end redirectors to mask backend infrastructure.
### Advanced Features
- **Agentic R&D Workflow**: Uses AI agents (e.g., Claude 4.5 Opus) to act as coordinators, documentation specialists, and testers.
- **Iterative EDR Testing**: A "lab" environment that automatically tests generated malware against Sophos, CrowdStrike, and Windows Defender, refining the code until bypass is achieved.
- **Technique Synthesis**: Agents ingest research from security firms (Kaspersky, SpecterOps, etc.) and social media to convert theoretical bypasses into functional code.
## Indicators of Compromise
- **File Hashes**:
  - *Note: Specific hashes were not provided in the article, but payloads are typically unique due to AI generation.*
- **File Names**:
  - Often found in `C:\Users\User\Documents\test` during development/deployment.
- **Network Indicators**:
  - `api[.]telegram[.]org` (Abused for C2)
  - Cloudflare Worker URLs (Used as redirectors)
- **Behavioral Indicators**:
  - Python scripts executing shellcode injection into legitimate Windows processes.
  - Cobalt Strike beacons mimicking legitimate web traffic profiles.
  - High-frequency automated queries to Active Directory from a single host.
## Associated Threat Actors
- **Unattributed Ransomware Affiliates**: While specific group names were not released, logs linked the toolkit to multiple organizations on ransomware data leak sites.
## Detection Methods
- **Signature-based detection**: Likely ineffective due to the modular and iterative nature of AI-generated code (Rust/Go loaders).
- **Behavioral detection**:
  - Monitor for unusual Python execution patterns involving process injection.
  - Detect anomalous Telegram API traffic originating from server or workstation endpoints.
  - Identify Active Directory enumeration patterns that follow a systematic, task-based logic.
- **YARA rules**: Focus on detecting the "wrapper" logic used in the Rust/Go loaders rather than the final payload.
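
The two network-visible behavioral signals above (bursts of Active Directory queries from one host, and Telegram Bot API lookups from servers or workstations) can be checked with a short triage script. This is an added example, not code from the report or from the toolkit; the normalized event tuple format, host names, 60-second window, threshold of 25 and the allow-list parameter are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed sample data: (timestamp, source host, kind, detail) tuples.
    'ldap' rows stand for directory searches logged at a domain controller,
    'dns' rows for resolver or proxy log entries. Host names are made up."""
    t0 = datetime(2026, 6, 1, 9, 0, 0)
    rows = [(t0 + timedelta(seconds=2 * i), "WS-042", "ldap", "(objectClass=user)")
            for i in range(40)]                      # burst: 40 searches in 80 s
    rows += [(t0 + timedelta(minutes=5 * i), "WS-007", "ldap", "(sAMAccountName=jdoe)")
             for i in range(6)]                      # sparse, ordinary lookups
    rows += [(t0 + timedelta(seconds=30), "SRV-DB01", "dns", "api.telegram.org"),
             (t0 + timedelta(seconds=45), "WS-007", "dns", "intranet.example.test")]
    return sorted(rows)

def ldap_bursts(events, window=timedelta(seconds=60), threshold=25):
    """Hosts issuing more than `threshold` LDAP searches inside a sliding `window`.
    Both values are assumed defaults; tune them against a baseline."""
    recent, flagged = defaultdict(deque), set()
    for ts, host, kind, _ in events:                 # events must be time-ordered
        if kind != "ldap":
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:                    # expire entries outside the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(host)
    return flagged

def telegram_lookups(events, allowed_hosts=frozenset()):
    """Hosts that resolve the Telegram Bot API domain and are not allow-listed."""
    return {host for _, host, kind, detail in events
            if kind == "dns"
            and detail.lower().rstrip(".") == "api.telegram.org"
            and host not in allowed_hosts}

def triage(events, allowed_hosts=frozenset()):
    """Merge both signals into a per-host list of findings."""
    findings = defaultdict(list)
    for host in ldap_bursts(events):
        findings[host].append("ldap-enumeration-burst")
    for host in telegram_lookups(events, allowed_hosts):
        findings[host].append("telegram-api-from-endpoint")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in sorted(triage(sample_events()).items()):
        print(host, reasons)
```

A host that appears under both findings is a stronger lead than either signal alone, since each has benign causes (inventory tools, approved notification bots) that the allow-list and thresholds are meant to absorb.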
## Mitigation Strategies
- **Prevention measures**: Implement protections against `AmsiScanBuffer` bypasses and restrict the use of Python in non-developer environments.
- **Hardening recommendations**:
  - Apply the principle of least privilege to Active Directory service accounts.
  - Use EDR "Tamper Protection" features to prevent the toolkit from disabling security agents during the discovery phase.
  - Block or monitor traffic to Telegram Bot API at the network level.
## Related Tools/Techniques
- **Cobalt Strike**: Used for post-exploitation and C2.
- **Claude / Cursor**: AI tools repurposed for malware development.
- **Cloudflare Workers**: Used for infrastructure concealment.