ctipilot.ch

Attacker-built AI-orchestrated EDR-evasion testing lab (Sophos X-Ops)

Entity type: tool (tool:sophos-ai-edr-evasion-lab)

Coverage timeline: 1 (first 2026-06-03 → last 2026-06-03)
Briefs: 1 (1 distinct)
Sources cited: 12 (10 hosts)
Sections touched: 1 (research)
Co-occurring entities: 8

Story timeline

  1. 2026-06-03: CTI Daily Brief — 2026-06-03, section research. First coverage — agentic AI / MCP detection-engineering framework

Where this entity is cited

  • research (1)

Source distribution

  • sophos.com: 3 (25%)
  • bleepingcomputer.com: 1 (8%)
  • heise.de: 1 (8%)
  • helpnetsecurity.com: 1 (8%)
  • krebsonsecurity.com: 1 (8%)
  • malwarebytes.com: 1 (8%)
  • onvista.de: 1 (8%)
  • pushsecurity.com: 1 (8%)
  • other: 2 (17%)


Items in briefs about Attacker-built AI-orchestrated EDR-evasion testing lab (Sophos X-Ops) (6)

Sophos finds an attacker-built, AI-orchestrated EDR-evasion testing lab during incident response

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

Sophos X-Ops disclosed an EDR-evasion development-and-testing environment recovered during an incident-response engagement and linked to an active (unnamed, still-under-investigation) ransomware group (Sophos X-Ops, 2026-06-02). The framework's Python payload generator — many modules partly AI-generated, with Russian-language comments — carried nearly 80 modules covering more than 70 evasion techniques. What distinguishes the lab is its agentic structure: a coordinator agent set rules for role-separated agents (EDR testing, OPSEC hardening, documentation, proxy stress-testing, VM deployment) connected over the Model Context Protocol to a Git repository, with the operator using the Cursor AI IDE and Ludus for rapid VM provisioning (Help Net Security, 2026-06-02). Payloads were tested against three isolated Windows Server 2022 VMs — one Sophos-equipped, one CrowdStrike-equipped, one EDR-free as baseline — with a Sliver/Cobalt Strike C2 stack and a Cloudflare Worker fronting the backend.

Why it matters to us: This is a concrete data point on adversaries operationalising agentic AI for detection-engineering against the exact EDR products (Sophos, CrowdStrike) deployed across CH/EU public-sector estates. The defensive principle is unchanged — the productivity multiplier is on the attacker's tooling, not a new bypass class — but it raises the priority of behavioural telemetry on payload-origin paths: Sophos noted the customer detection fired on "malicious payloads originating from a testing directory," a useful hunt pivot for anomalous build/test artefacts on endpoints.

ANNUAL REPORT — Sophos 2026 Active Adversary Report: identity is the dominant intrusion root cause [SINGLE-SOURCE]

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

Sophos published its 2026 Active Adversary Report (drawing on 661 IR/MDR cases) on 2026-06-02 (Sophos X-Ops, 2026-06-02). Per PD-9 this report gets one treatment, so only the findings that change defender priorities, rather than the survey scorecard, are listed here: identity-based compromise — stolen/valid credentials, brute force, and phishing — was the leading root cause, and missing or misconfigured MFA was present in a majority of incidents. Time from initial access to Active Directory compromise has compressed materially, with Impacket among the most frequently observed post-exploitation toolkits and AnyDesk the most-abused legitimate remote-access tool. The recurring telemetry blind spots are the actionable part: firewall logs were missing in roughly half of ransomware cases, and a meaningful share of compromised Windows Servers were running end-of-life builds. [SINGLE-SOURCE] (vendor IR telemetry report).

Why it matters to us: The hunt targets generalise directly to public-sector AD estates — alert on Impacket artefacts (impacket-* tool names in process trees, secretsdump-style NTDS access, SMBExec/WMIExec parent processes), instrument the initial-access-to-DC-compromise window, inventory EOL Windows Servers, and verify firewall log retention before an incident rather than during one.
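The Impacket hunt above, written out as heuristics over constructed Sysmon-style process records. This is an added example, not code from the brief or from Sophos; the wmiexec/smbexec command-line markers, the `impacket-` name check and the ntds.dit/ntdsutil IFM check are assumed, publicly known artefact patterns rather than the report's own rules, and all sample paths and pids are made up.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record, Sysmon Event ID 1 style (constructed fields)."""
    pid: int
    image: str
    parent_image: str
    cmdline: str

def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# Assumed host-side markers, not Sophos' rules: wmiexec.py redirects output to \\127.0.0.1\ADMIN$\__<ts>,
# smbexec.py runs its command through execute.bat under a service, NTDS extraction touches ntds.dit / ntdsutil ifm.
IMPACKET_NAME = re.compile(r"\bimpacket[-_]\w+", re.I)
WMIEXEC_OUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)
SMBEXEC_BAT = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output|execute\.bat", re.I)
NTDS_ACCESS = re.compile(r"ntds\.dit|ntdsutil.*\bifm\b", re.I)

def classify(ev: ProcEvent) -> list:
    """Return the names of every Impacket heuristic the event matches (empty list if none)."""
    child, parent, hits = _base(ev.image), _base(ev.parent_image), []
    if IMPACKET_NAME.search(child + " " + ev.cmdline):
        hits.append("impacket-tool-name")
    if child == "cmd.exe" and parent == "wmiprvse.exe" and WMIEXEC_OUT.search(ev.cmdline):
        hits.append("wmiexec-parent-chain")
    if child == "cmd.exe" and parent == "services.exe" and SMBEXEC_BAT.search(ev.cmdline):
        hits.append("smbexec-parent-chain")
    if NTDS_ACCESS.search(ev.cmdline):
        hits.append("ntds-access")
    return hits

def hunt(events) -> dict:
    """Map pid -> matched heuristics for every suspicious event in the batch."""
    return {ev.pid: h for ev in events if (h := classify(ev))}

# Constructed sample telemetry for the demo (paths and pids are made up).
SAMPLE_EVENTS = [
    ProcEvent(4112, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1717401600.12 2>&1"),
    ProcEvent(4120, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\services.exe",
              r"cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & "
              r"%COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"),
    ProcEvent(4130, r"C:\Tools\impacket-secretsdump.exe", r"C:\Windows\System32\cmd.exe",
              r"impacket-secretsdump.exe -ntds C:\temp\ntds.dit -system C:\temp\SYSTEM LOCAL"),
    ProcEvent(4140, r"C:\Windows\System32\ntdsutil.exe", r"C:\Windows\System32\cmd.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q'),
    ProcEvent(4150, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first four events and leaves the explorer-spawned shell alone; in production the same rules would be fed from the EDR or Sysmon process-creation stream.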

Attackers social-engineer Meta's AI support chatbot into resetting Instagram passwords

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

Over the weekend of 31 May–1 June, instructions circulated on Telegram showing how to coax Meta's conversational "AI support assistant" into linking an attacker-controlled email to a target Instagram account and triggering a password reset, bypassing Instagram's normal account-recovery friction (Krebs on Security, 2026-06-01 · TechCrunch, 2026-06-01). Pro-Iranian actors used the method to briefly deface high-profile accounts, including the archived Obama White House handle and that of the Chief Master Sergeant of the U.S. Space Force. The exploit reportedly failed against any account with MFA enabled; Meta said the issue was resolved by 1 June.

Defender takeaway: This is an emerging attack class, not a one-off — an AI support agent able to modify account credentials or recovery linkages without re-challenging the currently registered second factor punctures the account's MFA envelope from the support-channel direction. Any organisation deploying AI for account-recovery or helpdesk workflows should scope those agents to read-only actions and require out-of-band challenge to existing registered methods before any credential or recovery change.

LLMShare malvertising campaign: attackers embed fake outage pages in ChatGPT share links and serve infostealer downloads via Google Ads

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

Push Security documented LLMShare, a malvertising campaign in which attackers buy Google Ads targeting "ChatGPT" and "ChatGPT download" queries (Push Security, 2026-05-29; BleepingComputer, 2026-05-29). Victims clicking the ads land on legitimate chatgpt.com/s/[unique-id] share URLs that render attacker-controlled HTML — a fake high-traffic outage page with a "Download our desktop app to continue" button — directly from the OpenAI domain. Because chatgpt.com is trusted by enterprise web-filtering rules and firewalls, the landing page is not blocked. The download button redirects to an attacker-controlled domain impersonating OpenAI; the site uses cloaking (serves a benign page to scanners). Windows users receive an infostealer payload. The technique exploits the same ChatGPT Artifacts/sharing feature previously abused in the ACR Stealer campaign (covered 2026-05-26) and extends it to malvertising. Detection: monitor for browser-spawned executable downloads from chatgpt.com domains — legitimate ChatGPT desktop app downloads do not originate from that path; alert on unusual process launch from browser-extracted or browser-downloaded unsigned executables. MITRE ATT&CK: T1566.002, T1204.001, T1036, T1027.
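The two detections named at the end of the item, written as a correlation over constructed browser download and process-launch events. This is an added example, not code from Push Security or the brief; it assumes the download origin is available the way Chromium records it in the Zone.Identifier stream (ReferrerUrl and HostUrl), that a signature-verification result is available per launch, and the share id, the attacker host (a .invalid name) and the user paths are all made up.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXEC_EXT = (".exe", ".msi", ".scr", ".bat")

@dataclass
class FileEvent:
    """File written by a process; referrer_url = page the download started from, host_url = file URL."""
    writer: str
    path: str
    referrer_url: str
    host_url: str

@dataclass
class ProcEvent:
    """Process launch with its parent image and the Authenticode verification result."""
    image: str
    parent_image: str
    signature_valid: bool

def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_chatgpt_share_download(fe: FileEvent) -> bool:
    """Executable written by a browser from a page under chatgpt.com/s/ (the share-link path)."""
    if _base(fe.writer) not in BROWSERS or not fe.path.lower().endswith(EXEC_EXT):
        return False
    ref = urlsplit(fe.referrer_url)
    host = (ref.hostname or "").lower()
    return (host == "chatgpt.com" or host.endswith(".chatgpt.com")) and ref.path.startswith("/s/")

def is_unsigned_download_launch(pe: ProcEvent, downloads: dict) -> bool:
    """Unsigned binary launched by a browser from a path a browser wrote earlier."""
    return (not pe.signature_valid and pe.image.lower() in downloads
            and _base(pe.parent_image) in BROWSERS)

def correlate(file_events, proc_events) -> list:
    """Return (rule, artefact) pairs for both detections described in the brief."""
    downloads = {fe.path.lower(): fe for fe in file_events if _base(fe.writer) in BROWSERS}
    alerts = [("chatgpt-share-exe-download", fe.path) for fe in file_events if is_chatgpt_share_download(fe)]
    alerts += [("unsigned-browser-download-launch", pe.image) for pe in proc_events
               if is_unsigned_download_launch(pe, downloads)]
    return alerts

# Constructed sample events (share id, attacker host and user paths are made up).
CHROME, EDGE = r"C:\Browsers\chrome.exe", r"C:\Browsers\msedge.exe"
FILES = [
    FileEvent(CHROME, r"C:\Users\alice\Downloads\ChatGPT-Desktop-Setup.exe",
              "https://chatgpt.com/s/t_exampleshareid", "https://openai-desktop.invalid/ChatGPT-Desktop-Setup.exe"),
    FileEvent(CHROME, r"C:\Users\alice\Downloads\notes.pdf", "https://chatgpt.com/s/t_exampleshareid",
              "https://chatgpt.com/files/example.pdf"),
    FileEvent(EDGE, r"C:\Users\bob\Downloads\VSCodeUserSetup.exe", "https://code.visualstudio.com/download",
              "https://update.code.visualstudio.com/latest/win32-x64-user/stable"),
]
PROCS = [
    ProcEvent(r"C:\Users\alice\Downloads\ChatGPT-Desktop-Setup.exe", CHROME, False),
    ProcEvent(r"C:\Users\bob\Downloads\VSCodeUserSetup.exe", EDGE, True),
]
```

`correlate(FILES, PROCS)` yields one alert per rule for the fake installer and nothing for the PDF or the signed editor setup.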

Germany's federal cabinet approves the Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect traffic and disable attacker infrastructure

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Law to Strengthen Cybersecurity) on 2026-05-27, granting three federal agencies — the Bundeskriminalamt (BKA), the Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundespolizei — new authority to conduct what the government frames as active cyber defence rather than offensive hackback (Heise Security, 2026-05-27; onvista / dpa, 2026-05-27; t-online, 2026-05-27). Under the law the agencies may redirect attacker-controlled traffic, selectively intervene in IT systems used to attack Germany, delete or modify data on attacker servers, and shut down dangerous C2 nodes — explicitly including foreign infrastructure. Interior Minister Alexander Dobrindt (CSU) positioned the measure as active cyber defence targeting attacker command-and-control infrastructure rather than retaliatory hackback. The bill funds on the order of 350 new positions across the three agencies and approximately €50 million per year in personnel and material (per onvista/dpa; t-online reports a smaller initial figure — see § 7). The Bundesverband der Deutschen Industrie (BDI) and civil-society voices warned of collateral-damage risk on shared hosting and VPN servers and flagged constitutional concerns. The bill next proceeds to the Bundestag; it does not yet have force of law.

Why it matters to us: German LE gaining the legal authority to sinkhole, redirect, or disable attack infrastructure will change the threat-intel attribution picture across Europe. SOC managers should expect that unexplained C2 outages on Germany-adjacent hosting may be LE action rather than malware infrastructure rotation. Threat-intel teams tracking takedown patterns should add de.bka, de.bsi, de.bpol as expected actors in the takedown attribution stack alongside CrowdStrike Counter Adversary Operations, Microsoft DCU and Europol.

Sophos: "Beagle" backdoor distributed via fake Claude AI site using DonutLoader + DLL sideloading on a signed G DATA AV updater

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Sophos X-Ops (cluster STAC4713) published a write-up on 2026-05-07 of a malvertising campaign using the counterfeit claude-pro[.]com site to distribute a previously undocumented Windows backdoor named Beagle (Sophos X-Ops, 2026-05-07 · Malwarebytes, 2026-04-10 (earlier wave)). The chain delivers a 505 MB ZIP archive containing a malicious MSI that sideloads an attacker-controlled DLL alongside a legitimate, signed G DATA antivirus updater executable (T1574.002 DLL Side-Loading). The first-stage DonutLoader shellcode then fetches and injects Beagle into memory. Beagle communicates with license.claude-pro[.]com over TCP/443 and UDP/8080 with AES-encrypted payloads; supported commands are cmd, upload, download and ls. Sophos notes TTP similarity with PlugX operators (BRONZE PRESIDENT / Dragon Breath clusters) but explicitly does not confirm attribution. The campaign's distribution infrastructure was established in March 2026, with samples observed in February, April and May.

The targeting class is the operationally important part: counterfeit AI-tooling sites lure technical users — developers, ML engineers, IT admins — who often hold privileged access to source code, cloud environments, and secrets. Defenders should treat AI-tool installer downloads as a high-risk software class and require allow-listed sources (anthropic.com, claude.ai, OS package managers) rather than ad-hoc web search results.