AI Automates EDR Evasion Testing: Sophos X-Ops Reports
Summary
Attackers are now using artificial intelligence to automate testing for EDR evasion. Sophos X-Ops analysts report that an unidentified threat actor is using AI to develop ways to bypass endpoint detection and response systems. The activity was detected when an unusual endpoint in a customer's environment triggered alerts for malicious payloads. Analysts found multiple Python scripts, written in Russian and partially AI-generated.

These scripts are linked to an automated Active Directory panel and a lab that tests malware against EDR agents from Sophos, CrowdStrike, and Windows Defender. The attackers test malware and collect data, and the automated panel then selects the next task. This produces a structured engineering test cycle for building and refining more effective malware. The attackers are also studying vendor research to find ways to bypass EDR tools, and they use virtual machines to emulate red-teaming processes, testing against Sophos and CrowdStrike agents. This shows a growing sophistication in how threat actors develop their evasion techniques.
This is an AI-generated audio summary. Always check the original source for complete reporting.