Sophos says it found, in a customer environment, a ransomware attack toolkit that was built with help from AI coding agents and used to evade security software and map a victim's Windows network. The framework included Cobalt Strike traffic-masking profiles, Telegram-based command and control, a Cloudflare Worker redirector, and Python tools that generated Rust and Go payloads for evasion and execution. Sophos found operator logs referencing a ransom note and organizations listed on a ransomware leak site, indicating criminal use rather than legitimate red-team testing.
Why it matters: This shows that AI tools are being used to speed up real ransomware tradecraft, especially defense evasion and internal network discovery. Defenders should review their detections for Telegram- and Cloudflare-backed command channels, unusual payload loaders, and suspicious Active Directory reconnaissance, and treat AI-assisted malware development as an operational threat rather than a theoretical one.
SecurityWeek News
2026.06.05
62% relevant
It adds reporting on Microsoft’s tracking of Storm-2697 and The Gentlemen ransomware-as-a-service, including the Go-based encryptor’s self-propagation via scheduled tasks with SYSTEM privileges.
Bill Toulas
2026.06.02
100% relevant
This article appears to be the first tracked report establishing this specific Sophos-documented ransomware toolkit and its AI-assisted development workflow.