Pointing a Cursor at evading detection
Sophos researchers uncovered a threat actor utilizing AI-native development tools, specifically the Cursor IDE and Claude Opus, to build and iteratively test a post-exploitation framework designed to evade major EDR solutions. The framework automates the ingestion of public security research to generate and refine custom Rust and Go payloads, ultimately supporting ransomware and data theft operations.
Authors: Sophos Counter Threat Unit Research Team
- filename: C:\Users\User\Documents\test (directory used by the threat actor to store and execute malicious payloads during EDR evasion testing)
What Happened
Security researchers discovered hackers using artificial intelligence tools to write and test malicious software. The attackers used AI assistants to read public security blogs and automatically create code designed to bypass popular security software. By setting up a virtual testing lab, the hackers could repeatedly test their tools until they successfully avoided detection. This activity has been linked to groups that deploy ransomware and steal data. Organizations should ensure they have strong, layered defenses including multi-factor authentication and up-to-date security software.
Key Takeaways
- Threat actors are utilizing AI tools like the Cursor IDE and Claude Opus to automate the development and testing of EDR evasion techniques.
- The attackers built a virtualized lab environment to iteratively test custom Rust and Go payloads against Sophos, CrowdStrike, and Windows Defender.
- AI agents were orchestrated to ingest public security research, extract evasion techniques, map them to MITRE ATT&CK, and reproduce them in the lab.
- The framework includes an automated Active Directory discovery panel and utilizes legitimate services like Telegram APIs and Cloudflare Workers for C2.
- This AI-assisted malware development activity has been linked to known ransomware deployment and data theft operations.
Affected Systems
- Windows Server 2022
- Active Directory environments
- Endpoint Detection and Response (EDR) agents
Attack Chain
The threat actor provisioned a virtualized lab environment using Ludus to develop and test malware. Using the Cursor IDE and Claude Opus AI agents, they ingested public security research to extract evasion techniques. A Python-based generator then created custom Rust and Go payloads, which were iteratively tested against EDR agents on Windows Server 2022 VMs. Successful payloads and tools, including Cobalt Strike and Sliver, were staged for operational use in ransomware and data theft campaigns.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Sophos
Sophos provides proprietary detection signatures (e.g., ATK/ExtC2-A, ATK_BLOODHOUND) for the tools and behaviors associated with this threat framework.
Detection Engineering Assessment
- EDR Visibility: High. The framework specifically targets EDR evasion, meaning EDR telemetry (process creation, API hooking, memory allocation) is the primary battleground and source of visibility.
- Network Visibility: Medium. C2 traffic is routed through Telegram APIs and Cloudflare Workers, which blends with legitimate traffic, making network-based detection moderately difficult.
- Detection Difficulty: Hard. The threat actor iteratively tests payloads against major EDRs until successful, meaning out-of-the-box static signatures are likely to fail, requiring behavioral and anomaly-based detection.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- Network Connections (Sysmon 3)
- Image Load (Sysmon 7)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unusual processes communicating with Telegram API endpoints, which may indicate external C2 mechanisms. | Network Connections, DNS Queries | Command and Control | Medium |
| If you have visibility into process memory, look for anomalous shellcode injection into legitimate Windows executables. | EDR Memory Events, API Calls | Defense Evasion | Low |
| Evaluate whether automated Active Directory enumeration tools are executing from unexpected endpoints or user contexts. | Process Creation, LDAP Queries | Discovery | Medium |
Control Gaps
- Static AV signatures
- Basic network blocking (due to Cloudflare/Telegram abuse)
Key Behavioral Indicators
- Execution of payloads from atypical user document directories
- Anomalous Telegram API traffic from non-browser processes
- Cloudflare Worker redirector traffic associated with unknown binaries
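An added example, not taken from the Sophos report or from any Sophos tooling: a small hunt over Sysmon process-creation (ID 1) and DNS-query (ID 22) events that groups the three indicators above per process, so a binary matching several of them ranks first. The hostnames `api.telegram.org` and `.workers.dev`, the allow-list of expected client processes, the use of Event ID 22 and the sample events are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Assumed values (not given in the report): hostnames, allow-list, sample events.
TELEGRAM_HOST = "api.telegram.org"
WORKERS_SUFFIX = ".workers.dev"
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
USER_DOCS = re.compile(r"^[a-z]:\\users\\[^\\]+\\documents\\", re.IGNORECASE)

def indicators(event):
    """Map one Sysmon event (ID 1 or 22) to the indicators it matches."""
    image = event.get("Image", "")
    hits = set()
    if event["EventID"] == 1 and USER_DOCS.match(image):
        hits.add("exec_from_documents")
    if event["EventID"] == 22:
        host = event.get("QueryName", "").lower().rstrip(".")
        if ntpath.basename(image).lower() not in EXPECTED_CLIENTS:
            if host == TELEGRAM_HOST:
                hits.add("telegram_api_non_browser")
            elif host.endswith(WORKERS_SUFFIX):
                hits.add("workers_dev_unknown_binary")
    return hits

def hunt(events):
    """Group indicators per process; more distinct indicators rank first."""
    per_proc = defaultdict(set)
    for ev in events:
        hits = indicators(ev)
        if hits:
            per_proc[(ev["ProcessGuid"], ev["Image"])] |= hits
    ranked = sorted(per_proc.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(image, sorted(hits)) for (_, image), hits in ranked]

# Constructed sample events (field names follow Sysmon; values are invented).
SAMPLE = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\User\Documents\test\agent.exe"},
    {"EventID": 22, "ProcessGuid": "{A1}", "Image": r"C:\Users\User\Documents\test\agent.exe", "QueryName": "api.telegram.org"},
    {"EventID": 22, "ProcessGuid": "{B2}", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "api.telegram.org"},
    {"EventID": 22, "ProcessGuid": "{C3}", "Image": r"C:\Windows\Temp\upd.exe", "QueryName": "example-redirector.workers.dev."},
    {"EventID": 1, "ProcessGuid": "{D4}", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE):
        print(f"{len(hits)} indicator(s)  {image}  {', '.join(hits)}")
```

The allow-list is the main false-positive control; legitimate bots and automation that call the Telegram API from service accounts need to be added to it before the results are usable.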
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider reviewing EDR alerts for anomalous activity originating from user document directories, specifically 'C:\Users\User\Documents\test'.
Infrastructure Hardening
- Evaluate whether access to Telegram APIs and Cloudflare Workers can be restricted or monitored for non-standard endpoints.
- Consider implementing modern authentication mechanisms such as passkeys and enforcing MFA across all critical services.
User Protection
- Ensure broad deployment and proper configuration of an effective EDR solution across all endpoints.
- If applicable, restrict the execution of unapproved binaries from user profile directories.
Security Awareness
- Consider educating security teams on the increasing use of AI tools by threat actors to rapidly iterate and bypass standard defenses.
MITRE ATT&CK Mapping
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1059.006 - Command and Scripting Interpreter: Python
- T1090 - Proxy
- T1071.001 - Application Layer Protocol: Web Protocols
- T1055 - Process Injection
- T1087 - Account Discovery
Additional IOCs
- File Paths:
  - C:\Users\User\Documents\test - Directory used by the threat actor to store and execute malicious payloads during EDR evasion testing.