On June 2, 2026, the Sophos Counter Threat Unit published the dissection of a threat actor's build environment that should change how every small business thinks about its endpoint agent. The attacker had not written a clever new piece of malware. They had built a factory. Wired into the Cursor AI coding IDE and driven by multiple Anthropic Claude Opus 4.5 agents, the setup mass-produced and tested EDR-evasion payloads against the three endpoint products most small and mid-size companies actually run: Sophos, CrowdStrike, and Microsoft Defender.
The numbers tell the story. Sophos researchers Colin Cowie and Jordan Olness documented a Python payload-loader generator that spun out nearly 80 modules testing more than 70 distinct evasion techniques, each one wrapping a raw payload in fresh layers of encryption, obfuscation, and alternative execution. The lab ran on four Windows Server 2022 virtual machines - one each dedicated to defeating the Sophos, CrowdStrike, and Defender agents, plus a control box with no EDR installed - alongside an Ubuntu host running a Sliver command-and-control server. The framework also shipped an automated Active Directory discovery panel that dispatched reconnaissance tasks to remote agents and re-evaluated the results on its own.
For a 200-person company, this is the part that matters: the attacker was not testing against some abstract "enterprise EDR." They were testing against your stack. The same Defender for Business license bundled with your Microsoft 365 plan. The same Sophos or CrowdStrike agent your managed service provider rolled out last year. The crew built a machine whose entire purpose was to find the gap between "the EDR is installed" and "the EDR actually stops the payload" - and they pointed it at the exact products in your environment.
What Sophos actually found
Strip away the AI novelty and the tradecraft is familiar to anyone who has run a red-team engagement. A core Claude Opus 4.5 agent acted as the orchestrator, setting the rules and delegating to sub-agents that each owned a job: EDR testing, OPSEC hardening, documentation, proxy stress-testing, and spinning up the virtual machines. The whole thing integrated with Git repositories over the Model Context Protocol, so the agents could pull and commit code the way a development team would. Infrastructure was stood up through the Ludus lab-automation service, and the detection tests were staged in a working directory as mundane as C:\Users\User\Documents\test.
The command-and-control design was built to blend in, not to hide in the dark. Cobalt Strike profiles were tuned to mimic legitimate web traffic. A Telegram bot API channel carried tasking through Telegram's own infrastructure, so beacon traffic looked like a chat app rather than a C2. A Cloudflare Worker sat in front as a redirector, so defenders inspecting outbound connections saw Cloudflare, not the attacker's real backend. None of these techniques are new. What is new is that an LLM stitched them together, generated the variants, and ran the test matrix without a skilled operator babysitting each step.
The crew also did not invent their evasion playbook from scratch. Sophos notes the agents pulled techniques straight from public security research - Kaspersky write-ups, Palo Alto Networks publications, Bishop Fox tooling, SpecterOps blog posts, and the usual back-channel of X and Telegram chatter. The defensive research that helps blue teams understand attacks became the training corpus for an automated offense pipeline. To get Claude to cooperate, the operators simply framed the project as a "red team" framework - a thin bit of social engineering aimed at the model's safety guardrails.
The hallucination caveat: AI changes the writer, not the math
Here is the detail that did not make most headlines, and the one a practitioner should hold onto. Sophos found that the framework's own documentation claimed steadily improving, near-universal EDR bypass success after enough iterations. The actual test output did not support that claim. The agents, in other words, appear to have overstated their own results - a textbook large-language-model hallucination, baked into the attacker's own internal reporting.
That does not make the threat harmless. It means two things at once. First, the productivity multiplier is real: a single operator with no elite malware-development background can now generate and triage dozens of payload variants in the time it used to take to hand-tune one. The barrier to entry for credible EDR-evasion tooling just dropped. Second, the output is not magic. Modern EDR still catches a great deal of this, the fundamentals still work, and the AI's confidence in its own success is not evidence of your defenses failing. The right read is the one Sophos itself lands on: timely patching, multi-factor authentication, modern authentication such as passkeys, broad EDR coverage, and defense-in-depth remain the controls that decide the outcome. The writer changed. The math did not.
Why this is a small-business problem, not a Fortune 500 one
Large enterprises run layered detection - network sensors, identity analytics, a staffed SOC - so a payload that slips one EDR still trips three other tripwires. Small businesses typically have one tripwire: the endpoint agent. That is the design this lab was built to defeat. When the single control standing between a phishing click and domain-wide encryption is the EDR, an automated factory for EDR-evasion variants is aimed directly at the place you are thinnest.
It compounds through the MSP channel. If your provider manages dozens of clients on the same Defender or Sophos baseline, a variant that defeats that baseline does not defeat one company - it defeats the whole book of business at once. This is the same blast-radius math behind the remote-tooling and supply-chain compromises that have dominated 2026. The endpoint agent is now a shared, automatable target.
The small-business endpoint detection playbook
You cannot stop a researcher from pointing an AI at your EDR. You can make the difference between "installed" and "effective" disappear. Five moves, in priority order.
1. Turn tamper protection from a checkbox into an alert
Every payload this lab produced assumes the agent stays blind and quiet. The first control is making any attempt to disable, uninstall, or starve the sensor a high-severity, paged alert - not a line in a log nobody reads. In Microsoft Defender, hunt for sensor-health gaps and tamper events across your fleet:
// Microsoft Defender Advanced Hunting (KQL)
// Tamper and protection-state changes in the last 24h, joined to each device's last check-in
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType in ("TamperProtectionStateChanged",
                       "AntivirusDisabled",
                       "SecuritySettingChanged",
                       "SensorHealthStatusChange")
| project Timestamp, DeviceName, ActionType, AdditionalFields, InitiatingProcessFileName
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize LastSeen = max(Timestamp) by DeviceName
) on DeviceName
| order by Timestamp desc
Wire the result into the same paging path as a confirmed alert. An endpoint that drops out of reporting during business hours is an incident until proven otherwise. Confirm tamper protection is enforced through policy, not left to the local machine, so an attacker with local admin cannot quietly switch it off.
2. Hunt the loader behavior, not the file hash
A generator that produces 80 unique modules produces 80 unique hashes. Signature and hash blocklists lose this race by design. Detection has to sit on behavior: a freshly written binary in a user staging directory that immediately spawns a child process, allocates executable memory, or makes its first network call. Pivot on the staging pattern Sophos observed and the beacon that follows:
// Microsoft Defender Advanced Hunting (KQL)
// New executables run from user "Documents\test"-style staging paths that then beacon out
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath matches regex @"(?i)\\Users\\[^\\]+\\Documents\\(test|build|out)\\"
| where FileName endswith ".exe" or FileName endswith ".dll"
| project Timestamp, DeviceName, AccountName, FolderPath, FileName,
          InitiatingProcessFileName, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has_any ("api.telegram.org", "workers.dev")
    | project NetTime = Timestamp, DeviceName, RemoteUrl, RemotePort,
              InitiatingProcessFolderPath
) on $left.DeviceName == $right.DeviceName,
     $left.FolderPath == $right.InitiatingProcessFolderPath
// Keep only connections made by the staged binary itself, within an hour of it starting
| where NetTime >= Timestamp and NetTime - Timestamp < 1h
| order by Timestamp desc
The Telegram API and workers.dev egress are not proof of compromise on their own - plenty of legitimate apps touch both - but a never-before-seen binary in a staging folder talking to either is exactly the chain this toolkit builds. Tune the allow-list to your environment and alert on the join, not the individual events.
3. Catch the Active Directory discovery panel
The framework automated AD reconnaissance. That reconnaissance is loud if you are listening. Enumerating users, groups, and trusts generates a burst of LDAP queries and directory-replication reads from a single workstation in a short window. Hunt for the burst, and enable directory-services auditing so the queries land in your logs in the first place:
// Microsoft Defender Advanced Hunting (KQL)
// Single host firing many distinct LDAP/AD discovery queries in a short window
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "LdapSearch"
| extend Query = tostring(parse_json(AdditionalFields).SearchFilter)
| summarize DistinctQueries = dcount(Query),
            SampleFilters = make_set(Query, 8),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
            by DeviceName, AccountName
| where DistinctQueries > 25 and (LastSeen - FirstSeen) < 10m
| order by DistinctQueries desc
A normal workstation does not issue 25-plus distinct directory queries in ten minutes. A reconnaissance agent does. Pair this with a tier-0 rule that no standard user endpoint should be reading the directory like a domain controller.
4. Constrain the C2 egress paths
The blend-in C2 only works if the traffic is allowed out. Most small offices have no business reason for workstations to reach the Telegram bot API or arbitrary Cloudflare Worker subdomains. Where your firewall or secure web gateway supports it, deny or alert on outbound api.telegram.org from the server and workstation VLANs, and treat first-seen *.workers.dev connections from a host that has never used them as a hunt lead. You will not block every redirector, but you raise the cost and you create the log the hunt in step 2 depends on.
5. Validate against the technique, not the brochure
The uncomfortable lesson of this report is that "we have EDR" answered the wrong question. The question is whether your specific EDR, configured the way you actually run it, stops the techniques this lab automated. Run an atomic test - a benign tamper-protection toggle, a process-injection simulation, an LDAP enumeration sweep - and confirm each one generates the alert you expect, routed to the person who would act on it. The crews are purple-teaming their malware against your agent every night. Doing the same on your side, even once a quarter, is how you find the silent gap before they do.
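One way to run the benign tamper-protection check from step 5, together with the policy-enforcement check from step 1, as an added example that is not from the Sophos report or from Red Hound. It assumes an elevated shell on a test workstation running Defender for Endpoint or Defender for Business, and a Defender build whose Get-MpComputerStatus output includes TamperProtectionSource.

```powershell
# Added example (not from the Sophos report or Red Hound): a benign
# tamper-protection validation for step 5, plus the policy-enforcement
# check from step 1. Run elevated on a test workstation. Assumes a current
# Defender build that exposes TamperProtectionSource in Get-MpComputerStatus.

$before = Get-MpComputerStatus
$sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # Defender for Endpoint sensor

$result = [ordered]@{
    Device                 = $env:COMPUTERNAME
    TestedAtUtc            = (Get-Date).ToUniversalTime().ToString('o')
    IsTamperProtected      = $before.IsTamperProtected
    TamperProtectionSource = $before.TamperProtectionSource   # want a policy source, not a local setting
    RealTimeProtection     = $before.RealTimeProtectionEnabled
    SenseService           = if ($sense) { $sense.Status } else { 'NotInstalled' }
    ToggleRejected         = $null
}

# The test: try to switch real-time monitoring off from an elevated shell.
# With tamper protection enforced, Defender must ignore or reject this.
try {
    Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop
} catch {
    # An error here is the expected outcome under tamper protection.
}
Start-Sleep -Seconds 5
$after = Get-MpComputerStatus
$result.ToggleRejected = [bool]$after.RealTimeProtectionEnabled

if (-not $after.RealTimeProtectionEnabled) {
    # The toggle went through: restore immediately, then treat it as a finding.
    Set-MpPreference -DisableRealtimeMonitoring $false
}

[pscustomobject]$result | Format-List

# Close the loop by hand: the step 1 hunt should return this device at
# TestedAtUtc, and the alert should have reached whoever is on call.
$gap = (-not $result.IsTamperProtected) -or
       (-not $result.ToggleRejected) -or
       (-not $result.TamperProtectionSource)
if ($gap) {
    Write-Warning 'Tamper protection gap: the agent can be silenced by a local admin.'
    exit 1
}
```

A non-zero exit, or a device missing from the step 1 hunt afterwards, is the silent gap the text describes; record the TestedAtUtc value so the alert timeline can be matched against it.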
None of this requires an enterprise budget or a 24/7 SOC. It requires deciding that the endpoint agent is a control you verify rather than a license you renew. The factory Sophos found is not a one-off; it is a preview of how mid-tier crews will build tooling from here forward. The defenders who treat "installed" and "effective" as the same word are the ones it was built to beat.
Is your EDR actually catching tampering and evasion?
Red Hound pressure-tests endpoint detection the way real intrusions do - validating tamper protection, loader and beaconing detections, and Active Directory recon coverage against the techniques crews are now automating. Book a 30-minute working session to review your endpoint and detection posture and find the silent gaps before someone else does.
