301/69 Friday, June 5, 2026

Cybersecurity researchers have revealed that threat actors are increasingly leveraging artificial intelligence (AI) to develop automated malware testing platforms designed to evade Endpoint Detection and Response (EDR) solutions. The activity was observed targeting leading security products, including Sophos, CrowdStrike, and Microsoft Defender. The campaign was uncovered after suspicious payloads triggered security alerts from user directories on compromised endpoints. The findings highlight how attackers are enhancing their malware development and testing capabilities through automation and AI-assisted workflows, enabling increasingly sophisticated evasion techniques.
Analysis revealed that the threat actors had established a dedicated testing environment to systematically evaluate malware evasion techniques. The infrastructure consisted of multiple virtual machines running Windows Server 2022, each configured with a different EDR product for comparative testing. Researchers also identified a Command-and-Control (C2) server running the Sliver framework on Ubuntu Linux. In addition, the attackers used Python scripts containing Russian-language comments and reportedly relied on AI-powered development tools such as Cursor and Claude Opus to automate malware testing, collect results, and continuously refine evasion techniques mapped to the MITRE ATT&CK framework. Investigators also found evidence that the operators gathered and analyzed public research published by cybersecurity vendors to identify new opportunities for bypassing EDR defenses.
Organizations and system administrators should strengthen their security posture by adopting a defense-in-depth strategy rather than relying solely on EDR solutions. Security teams are advised to monitor for unusual execution of files or scripts originating from user-accessible directories, such as Documents folders, and to inspect network traffic for indicators associated with frameworks like Sliver. In addition, organizations should continuously consume and update threat intelligence feeds to improve detection capabilities, refine behavioral analytics, and respond rapidly to emerging attack techniques specifically engineered to bypass modern endpoint security controls.
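The monitoring recommendation above (flagging executables and scripts launched from user-accessible directories such as Documents) can be expressed as a simple rule over process-creation telemetry. The following is an added example written for this bulletin, not code from the original article or from any vendor named in it. It assumes a constructed pipe-delimited event format (user|image|command_line|parent_image) standing in for whatever your EDR or Sysmon pipeline exports, and the directory and extension lists are illustrative assumptions to be tuned per environment. The sample events are constructed, not taken from the reported campaign.

```python
import re
from dataclasses import dataclass

# Assumption: user-profile locations a standard user can write to. Launches of
# executables or scripts from here are unusual for most managed fleets.
USER_WRITABLE_DIRS = ("\\documents\\", "\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
# Assumption: file types worth flagging when they come from those locations.
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".py", ".vbs", ".js", ".bat")
# Interpreters whose *arguments* must be inspected, since the host binary itself
# lives in a system directory and would otherwise look benign.
SCRIPT_HOSTS = ("powershell.exe", "python.exe", "wscript.exe", "cscript.exe", "cmd.exe")


@dataclass
class ProcessEvent:
    user: str
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str):
    """Parse one constructed 'user|image|command_line|parent_image' record."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None  # malformed record: skip rather than crash the sweep
    return ProcessEvent(*parts)


def is_user_writable_path(path: str) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in USER_WRITABLE_DIRS)


def flag_event(ev: ProcessEvent) -> list:
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    image_lower = ev.image.lower()
    if is_user_writable_path(image_lower) and image_lower.endswith(SUSPICIOUS_EXTENSIONS):
        reasons.append("executable launched from user-writable directory: " + ev.image)
    basename = image_lower.rsplit("\\", 1)[-1]
    if basename in SCRIPT_HOSTS:
        # Tokenise the command line, keeping quoted paths with spaces intact.
        for token in re.findall(r'"[^"]*"|\S+', ev.command_line):
            arg = token.strip('"')
            if is_user_writable_path(arg) and arg.lower().endswith(SUSPICIOUS_EXTENSIONS):
                reasons.append(f"{basename} executing script from user-writable directory: {arg}")
    return reasons


def scan(lines) -> list:
    """Run the rule over an iterable of records; return (image, user, reasons) hits."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = flag_event(ev)
        if reasons:
            findings.append((ev.image, ev.user, reasons))
    return findings


# Constructed sample telemetry: one benign system binary, two launches from
# user directories, one interpreter running a script from Documents, and one
# interpreter running a script from an administrator-controlled tools path.
SAMPLE_EVENTS = [
    "CORP\\alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt|C:\\Windows\\explorer.exe",
    "CORP\\alice|C:\\Users\\alice\\Documents\\updater.exe|updater.exe --silent|C:\\Windows\\explorer.exe",
    "CORP\\bob|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -File C:\\Users\\bob\\Downloads\\setup.ps1|C:\\Windows\\System32\\cmd.exe",
    "CORP\\carol|C:\\Program Files\\Python312\\python.exe|"
    "python.exe C:\\Users\\carol\\Documents\\test_runner.py|C:\\Windows\\explorer.exe",
    "CORP\\dave|C:\\Program Files\\Python312\\python.exe|python.exe C:\\Tools\\build.py|C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for image, user, reasons in scan(SAMPLE_EVENTS):
        print(f"[{user}] {image}")
        for r in reasons:
            print("    -", r)
```

Running the block prints three hits (alice's updater.exe, bob's PowerShell script from Downloads, carol's Python script from Documents) and stays silent on notepad.exe and on the build script under C:\Tools. The interpreter-argument check matters because, as the bulletin notes, the tooling in this campaign was Python-based; a rule that only looks at the image path of the process would miss a trusted python.exe running a payload from a user folder.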
Source: https://www.darkreading.com/endpoint-security/attackers-automate-edr-evasion-testing
