Sophos finds an attacker-built, AI-orchestrated EDR-evasion testing lab during incident response

Sophos X-Ops disclosed an EDR-evasion development-and-testing environment recovered during an incident-response engagement and linked to an active (unnamed, still-under-investigation) ransomware group (Sophos X-Ops, 2026-06-02). The framework's Python payload generator — many modules partly AI-generated, with Russian-language comments — carried nearly 80 modules covering more than 70 evasion techniques. What distinguishes the lab is its agentic structure: a coordinator agent set rules for role-separated agents (EDR testing, OPSEC hardening, documentation, proxy stress-testing, VM deployment) connected over the Model Context Protocol to a Git repository, with the operator using the Cursor AI IDE and Ludus for rapid VM provisioning (Help Net Security, 2026-06-02). Payloads were tested against three isolated Windows Server 2022 VMs — one Sophos-equipped, one CrowdStrike-equipped, one EDR-free as baseline — with a Sliver/Cobalt Strike C2 stack and a Cloudflare Worker fronting the backend.

Why it matters to us: This is a concrete data point on adversaries operationalising agentic AI for detection-engineering against the exact EDR products (Sophos, CrowdStrike) deployed across CH/EU public-sector estates. The defensive principle is unchanged — the productivity multiplier is on the attacker's tooling, not a new bypass class — but it raises the priority of behavioural telemetry on payload-origin paths: Sophos noted the customer detection fired on "malicious payloads originating from a testing directory," a useful hunt pivot for anomalous build/test artefacts on endpoints.