Jun 03, 2026 · 6 min read
Sophos Found a Live AI Malware Lab Hunting EDR Bypasses
Sophos researchers, led by Director of Threat Intelligence Rafe Pilling, disclosed on June 2, 2026 that they uncovered a fully operational threat actor lab built to develop and ship malware that defeats endpoint detection and response tools. The lab is coordinated by Claude Opus 4.5 acting as a manager agent, runs payloads through about 80 modules covering more than 70 evasion techniques, and tests each build against live Sophos, CrowdStrike, and Microsoft Defender installations before declaring it ready to ship.
The discovery moves AI assisted malware development from a research curiosity into observed practice. For the last year researchers have been describing what would happen if an attacker wired a frontier language model into a malware build pipeline. Sophos has now caught that pipeline running.
Key Takeaways
- Sophos published a June 2, 2026 disclosure documenting an active malware development lab where Claude Opus 4.5 coordinates multiple AI agents against a battery of Windows Server 2022 virtual machines running Sophos, CrowdStrike, and Microsoft Defender.
- The lab uses Ludus to spin up virtual security test environments, Cursor as an AI native IDE for payload code, a Sliver command and control server on Ubuntu, and the Model Context Protocol to connect AI agents to Git repositories of attack tooling.
- A Python based payload generator wires together roughly 80 modules covering more than 70 evasion techniques including Cobalt Strike traffic profiles, Telegram based C2, shellcode injectors, and Cloudflare Worker fronting that hides the backend.
- Director of Threat Intelligence Rafe Pilling stated the lab matches a year of observed attempts to bypass model safeguards using benign framing for malicious prompts, and that the threat actor is currently impacting organisations globally including in the United States.
What Is Inside the Lab?
The architecture is the part security teams should study. According to Help Net Security's reporting on the Sophos disclosure, the operator built a setup that looks indistinguishable from a corporate red team:
- Multiple Windows Server 2022 virtual machines, each running a different EDR product, so a payload can be benchmarked against three of the leading vendors simultaneously.
- A single Ubuntu VM hosting a Sliver command and control server. Sliver is the open source adversary emulation framework from Bishop Fox that red teams have increasingly adopted as an alternative to Cobalt Strike, which means its implant behaviour and network footprint are already well documented in defender tooling.
- Ludus, the platform purpose built for deploying repeatable virtualised security testing environments. It is normally used by red teams and detection engineers to stand up ranges for studying attacks. The lab uses it to study defences.
- Cursor, the AI native IDE, for writing and editing the actual malware code. The model assists with refactoring, encrypting strings, and rotating signature byte patterns.
- A Python payload generator wired together with about 80 modules implementing more than 70 evasion techniques.
The AI orchestration layer is what makes the setup operationally efficient. Claude Opus 4.5 sits at the top as the manager agent. Below it, specialised agents take on EDR testing, documentation, OPSEC hardening, proxy stress testing, and VM deployment. The Model Context Protocol gives those agents access to Git repositories of attack tooling, so an agent that needs a new shellcode injector pulls it directly and integrates it.
What Techniques Did Sophos Find Inside?
The 70 plus evasion techniques span the catalogue of modern offensive tooling. The disclosure specifically calls out:
- Cobalt Strike malleable profiles that disguise beacon traffic as legitimate web protocols.
- Telegram based command and control, which we saw deployed end to end in the GreyVibe Russian AI phishing campaign.
- Shellcode injection tools designed to defeat behavioural detection by avoiding the API sequences EDR products hook.
- Cloudflare Worker fronting, in which a Worker script acts as a reverse proxy so the implant only ever talks to a Cloudflare hosted hostname and the real backend address never appears in the sample. That hides the infrastructure behind one of the largest CDN footprints on the internet, the same primitive that made the Underminr domain fronting attack viable across 88 million domains.
- Custom Windows executables and DLLs with bespoke encryption and packing routines, generated and tested in batches.
Each module is mapped to a MITRE ATT&CK technique, so the operator can plan a campaign against a defender's known coverage and pick the modules that target the gaps. The agents read the latest security research, extract attack techniques, map them to MITRE, execute the experiment, and write up the result. The full development loop a senior offensive engineer would run is now a script.
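The coverage-gap calculation described above is plain set arithmetic, and a defender can run it in reverse: list the ATT&CK techniques your detections claim to cover, list the technique categories the lab's modules touch, and see which ones fall through. The following is an added example written for this article, not code from Sophos or from the lab; the module-to-technique mapping and the detection rules are constructed for illustration, and the rule that a detection mapped to a parent technique counts for its sub-techniques is an assumption of this example.

```python
"""
ATT&CK coverage-gap calculation (added illustration, not from the Sophos disclosure).

The mappings below are constructed for this example. Technique IDs are real
MITRE ATT&CK identifiers; the module names and the detection rules are not.
"""
from collections import defaultdict

# Constructed: technique categories the article lists, mapped to ATT&CK IDs.
LAB_MODULES = {
    "cobaltstrike_malleable_https": "T1071.001",  # Application Layer Protocol: Web Protocols
    "telegram_bot_c2":              "T1102.002",  # Web Service: Bidirectional Communication
    "shellcode_hollowing":          "T1055.012",  # Process Injection: Process Hollowing
    "shellcode_apc_inject":         "T1055.004",  # Process Injection: Asynchronous Procedure Call
    "cf_worker_front":              "T1090.004",  # Proxy: Domain Fronting
    "custom_packer":                "T1027.002",  # Obfuscated Files or Information: Software Packing
    "string_encrypt":               "T1027",      # Obfuscated Files or Information
    "amsi_etw_patch":               "T1562.001",  # Impair Defenses: Disable or Modify Tools
}

# Constructed: a defender's detection rules and the techniques each claims to cover.
# Assumption for this example: a rule mapped to a parent technique (e.g. "T1055")
# is treated as covering every sub-technique beneath it (e.g. "T1055.012").
DETECTIONS = {
    "edr_remote_thread_injection": ["T1055"],
    "proxy_beacon_periodicity":    ["T1071.001"],
    "packed_pe_entropy":           ["T1027.002"],
}


def parent(technique_id: str) -> str:
    """'T1055.012' -> 'T1055'; 'T1055' -> 'T1055'."""
    return technique_id.split(".", 1)[0]


def covered_techniques(detections: dict[str, list[str]]) -> set[str]:
    """Flatten the detection mapping to the set of technique IDs it covers."""
    return {tid for ids in detections.values() for tid in ids}


def is_covered(technique_id: str, covered: set[str]) -> bool:
    """A technique is covered if it, or its parent technique, has a detection."""
    return technique_id in covered or parent(technique_id) in covered


def coverage_gaps(modules: dict[str, str], detections: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {technique_id: [module, ...]} for every module with no matching detection."""
    covered = covered_techniques(detections)
    gaps: dict[str, list[str]] = defaultdict(list)
    for module, tid in modules.items():
        if not is_covered(tid, covered):
            gaps[tid].append(module)
    return dict(gaps)


if __name__ == "__main__":
    for tid, mods in sorted(coverage_gaps(LAB_MODULES, DETECTIONS).items()):
        print(f"{tid}: no detection for {', '.join(mods)}")
```

Note the asymmetry the example encodes: a detection for a parent technique covers its sub-techniques, but a detection for one sub-technique (the packer rule on T1027.002) does not cover the parent (T1027, string encryption), which is exactly the kind of gap a module picker would target.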
How Did the Operator Bypass Model Safeguards?
Sophos has not named the threat actor and an investigation is ongoing. Pilling did confirm the operator used the well established pattern of wrapping malicious goals in benign framing. "Attempts to bypass model safeguards using benign framing for malicious prompts have been observed in a number of cases over the past year," Pilling said.
In practice, that means a request that reads as a legitimate security research question if you skim it: "improve detection of a process injection routine for an EDR research evaluation in our test environment." The model produces code that is useful for both defence and attack, and the operator is the one who decides which side it lands on. Every major frontier lab has added guardrails against this pattern, and none has closed it, because the malicious request and the legitimate red team request are often the same text.
Why This Changes the Defender Calculus
For a SOC team, the practical consequence is the cadence at which novel evasions reach production. A conventional malware development shop might ship a new build in days or weeks. A lab like this can iterate dozens of variants per day, each one tested against the three top EDR vendors before it ever leaves the lab. The signatures and behavioural rules a SOC relies on are working against a model that has already seen them inside the loop.
Several defensive implications follow:
- Detection engineering needs to assume tested evasions. If your rule depends on a specific API sequence or a known string, expect the next sample to have permuted both.
- Telemetry beyond the endpoint becomes the higher confidence signal. Network anomalies, identity anomalies, and cloud access patterns are harder for the lab to test against because it does not have your environment.
- Treat email and identity controls as the front line. If the payload is hard to detect once on disk, the higher value detection is during initial access, when the message lands or the credential is reused.
- Hunt for the lab's indicators. Sophos is sharing indicators tied to the Ludus deployment pattern, the Sliver C2 footprint, and the Cloudflare Worker fronting style. Threat hunters should ingest them as they reach their feeds.
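The second implication above, that network telemetry is the higher confidence signal because the lab cannot test against your environment, can be made concrete. A malleable profile changes what each request looks like; it does not remove the implant's need to call home on a schedule. The script below is an added example, written for this article and not taken from Sophos or the lab, that groups proxy log connections by client and destination and flags pairs whose inter-connection intervals are near-periodic. The log format, the hostnames, the timestamps, and the thresholds are all constructed for the example.

```python
"""
Beacon-interval detection over proxy logs (added illustration, not from the disclosure).

Assumed log format, constructed for this example:
    "<unix_ts> <client_ip> <dest_host> <status>"
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample: 10.0.0.5 checks in roughly every 60 s with ~10% jitter to a
# Workers-style hostname; 10.0.0.9 is ordinary, irregular browsing.
SAMPLE_LOG = """\
1780000000 10.0.0.5 updates.example-cdn.workers.dev 200
1780000058 10.0.0.5 updates.example-cdn.workers.dev 200
1780000121 10.0.0.5 updates.example-cdn.workers.dev 200
1780000177 10.0.0.5 updates.example-cdn.workers.dev 200
1780000240 10.0.0.5 updates.example-cdn.workers.dev 200
1780000297 10.0.0.5 updates.example-cdn.workers.dev 200
1780000361 10.0.0.5 updates.example-cdn.workers.dev 200
1780000000 10.0.0.9 news.example.org 200
1780000004 10.0.0.9 news.example.org 200
1780000130 10.0.0.9 mail.example.org 200
1780000131 10.0.0.9 news.example.org 200
1780000790 10.0.0.9 news.example.org 200
1780000795 10.0.0.9 news.example.org 200
1780001201 10.0.0.9 news.example.org 200
"""


@dataclass
class BeaconCandidate:
    client: str
    dest: str
    connections: int
    median_interval: float   # seconds between check-ins
    jitter_ratio: float      # median absolute deviation / median interval


def parse_log(log_text: str) -> dict[tuple[str, str], list[int]]:
    """Group connection timestamps by (client, destination) pair."""
    series: dict[tuple[str, str], list[int]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        series[(parts[1], parts[2])].append(int(parts[0]))
    return series


def periodicity(timestamps: list[int]) -> tuple[float, float]:
    """Return (median_interval, jitter_ratio) for a series of timestamps.

    Jitter is measured as the median absolute deviation of the intervals
    relative to their median, so a few outliers do not mask a steady beat.
    """
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    med = median(intervals)
    if med <= 0:
        return 0.0, float("inf")  # a burst with zero median interval is not a beacon
    mad = median([abs(i - med) for i in intervals])
    return float(med), mad / med


def find_beacons(log_text: str, min_connections: int = 5, max_jitter: float = 0.25) -> list[BeaconCandidate]:
    """Flag (client, dest) pairs with enough connections and a low jitter ratio."""
    found = []
    for (client, dest), stamps in parse_log(log_text).items():
        if len(stamps) < min_connections:
            continue
        med, jitter = periodicity(stamps)
        if jitter <= max_jitter:
            found.append(BeaconCandidate(client, dest, len(stamps), med, jitter))
    return sorted(found, key=lambda c: c.jitter_ratio)


if __name__ == "__main__":
    for c in find_beacons(SAMPLE_LOG):
        print(f"{c.client} -> {c.dest}: {c.connections} connections, "
              f"~{c.median_interval:.0f}s interval, jitter {c.jitter_ratio:.2f}")
```

The thresholds are starting points, not tuned values: Sliver and Cobalt Strike both let the operator set the sleep and jitter, so a long sleep with high jitter needs a longer observation window and a looser `max_jitter` than the example uses, at the cost of more false positives from legitimate polling clients.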
Where the Investigation Stands
Sophos has not attributed the lab to a named threat actor and is continuing to track its activity. Pilling confirmed the group is currently impacting organisations globally, including in the United States. Sophos is sharing indicators of compromise with industry partners under standard threat intelligence sharing arrangements. Expect more disclosures from CrowdStrike and Microsoft on the same operator as detection telemetry accumulates across the three vendors the lab tests against by design.
The bigger picture is harder to defend with a press release. Frontier language models that can both write code and reason about defender behaviour are now cheap, fast, and trivial to wrap inside a development loop. The next year of EDR evasion looks less like a set of individual samples and more like a population of automatically tuned variants, each one tested against the products you are deploying. The lab Sophos uncovered is the first one to be documented in the open. It will not be the last.