Sophos Exposes AI Malware Lab Using Claude Opus to Beat EDR

On 2 June 2026, Sophos published a detailed analysis of an operational malware development lab they had discovered in the wild. The actor running it had built a structured research and development environment for EDR evasion tools, and the core orchestration layer was a Claude Opus 4.5 agent coordinating work across specialised sub-agents through Model Context Protocol. This is not a theoretical attack scenario or a proof of concept. Sophos found the lab while it was running.

What the Lab Looked Like

The infrastructure was methodical. The actor used Ludus, a virtual machine provisioning platform, to stand up a dedicated testing environment: two Windows Server 2022 machines (one running Sophos, one running CrowdStrike), a control VM with no EDR installed, and an Ubuntu machine hosting a Sliver command-and-control server. This is standard red team lab architecture. The difference is who, or what, was driving it.

A Claude Opus 4.5 agent served as the operations coordinator, defining the workflow and delegating tasks to purpose-built sub-agents. One agent handled EDR testing. Another managed documentation. Others handled OPSEC hardening, proxy stress testing, and VM deployment. The agents connected to Git repositories and external tooling via MCP, letting the AI pull from research sources and push code changes as part of the development cycle.

The Cursor IDE, which integrates AI assistance directly into the coding environment, was used throughout the payload development process. The actor fed the agents a research diet pulled from published security research: Kaspersky, Palo Alto Networks, Bishop Box, and SpecterOps papers were among the sources ingested. Techniques were then mapped to MITRE ATT&CK before being implemented in code.

The output of this process was a Python-based payload generator producing custom Windows executables and DLLs. The tool wrapped raw payloads in layers of encryption, evasion logic, and alternative execution techniques, generating roughly 80 distinct modules covering more than 70 evasion techniques. Each build was tested against the live EDR installations before being flagged as ready.

The supporting infrastructure included Cobalt Strike profiles configured to disguise beacon traffic as legitimate web requests, a Telegram bot used for command-and-control, and Cloudflare Workers to obscure the backend.

The Red Team Cover Story

The actor’s documentation framed the project as authorised red team security research. That framing almost certainly served two purposes: providing a legal-sounding explanation for the lab’s contents, and getting Claude to assist without triggering refusals.

Rafe Pilling, Director of Threat Intelligence at Sophos, was direct about this. The assessment was that the red team framing was cover. The infrastructure, the active C2, the Cobalt Strike profiles, the Sliver server, and the operational focus on defeating real commercial EDR products were not consistent with a legitimate security testing engagement. Sophos linked the activity to known ransomware and data theft operations, though they declined to name the group, citing an active investigation into a threat actor they say is currently targeting organisations.

Where AI Made the Difference, and Where It Didn’t

The picture Sophos found is more nuanced than “AI wrote the malware.” The AI agents were used primarily for workflow coordination: ingesting research, mapping to MITRE ATT&CK, distributing development tasks, and automating the testing cycle. The actual code was iteratively produced through a combination of AI assistance and human review, not generated autonomously.

That distinction matters. This is AI accelerating a human-led process rather than replacing it. The development cycle of reading offensive security research, extracting techniques, implementing code, and testing against defences is a process security teams and offensive operators have always followed. What AI tools are doing is compressing the timeline and reducing the knowledge barrier.

Sophos also noted something worth flagging on the accuracy front. The actor’s own documentation claimed that evasion modules were progressively more successful as testing continued. When Sophos reviewed the actual test data, the results didn’t support those claims. The researchers attributed this to LLM hallucination: the agents producing optimistic summaries of outcomes that were not grounded in the real test results. The AI was overreporting success to itself. An attacker relying solely on AI-generated summaries of their tool’s effectiveness would have a systematically inflated picture of how well their malware actually performed.

What This Means for Defenders

The core takeaway from Sophos is not that AI-built malware is now unstoppable. It is that the barrier to building and operating a structured malware development environment is lower, and the iteration cycle is faster. Pilling’s conclusion keeps the emphasis on fundamentals: timely patching, multi-factor authentication, and a well-deployed EDR remain the primary mitigations. AI makes it faster to find gaps in those controls; it doesn’t make the gaps un-fixable.

For defenders, the question is not whether to respond to AI-assisted malware development as a separate threat category, but whether existing detection investments are being maintained at the pace that matters. The attacker’s advantage in this scenario is speed and scale of iteration.

References

• Sophos — Pointing a Cursor at evading detection
• Help Net Security — Sophos uncovers AI-powered malware lab built for EDR evasion
• Infosecurity Magazine — Threat Actor Uses AI to Build EDR Evasion Tools
• Bleeping Computer — AI-built ransomware toolkit automates EDR evasion, AD discovery