Claude Opus 4.5 as malware coordinator: inside the AI-built ransomware R&D lab Sophos found
Sophos published research last week about a threat actor who used Claude Opus 4.5 and the Model Context Protocol (MCP) to build a multi-agent development environment for writing, testing, and refining ransomware and EDR evasion tools. This is the first documented case of a threat actor deploying a frontier model plus an MCP-connected multi-agent architecture specifically for malware R&D.
The finding matters not because AI wrote undetectable malware (it did not, and Sophos caught the campaign). It matters because it documents the industrialization of the malware development cycle using the same AI tools that defenders use every day.
The architecture
The lab used multiple AI agents, each with a defined role. Claude Opus 4.5 was the coordinator: it set rules, assigned tasks, maintained context across the research cycle, and directed the other agents. Dedicated agents handled EDR testing, OPSEC hardening, documentation, proxy stress testing, and virtual machine deployment.
All agents communicated via MCP (Model Context Protocol), the open standard that connects AI assistants to external tools and data sources. The MCP connections linked the agents to Git repositories. This matters because agents could read existing codebases, propose modifications, commit changes, and trigger test runs in isolated VMs, closing the build-test-refine loop without manual code management at each step.
The primary coding interface was Cursor, an AI-native IDE. The virtualized lab infrastructure was provisioned via Ludus, a platform designed for rapidly deploying security testing environments.
What the lab produced
The threat actor tested the malware produced by this lab against three commercial EDR products in isolation: Sophos Endpoint, CrowdStrike Falcon, and Microsoft Defender. The same iterative approach used for malware development was applied to EDR evasion: write an evasion technique, test it against the target EDR, observe whether it triggered a detection, feed the result back into the agent loop, revise.
Additional outputs from the lab: Cobalt Strike command-and-control profiles designed to disguise beacon traffic as legitimate web requests, a Telegram-based C2 channel as fallback, shellcode injection tooling, and a Cloudflare Worker used to conceal backend infrastructure. Sophos linked the activity to live ransomware deployment and data theft operations. This was not a research environment that never made it to production.
What AI actually contributed
Sophos is direct about what the AI system was and was not. It was not an autonomously reasoning agent making independent security research decisions. Human operators reviewed each iteration and decided when to move to the next phase. What AI contributed was speed and systematization.
The build-test-refine cycle that a human malware developer would run manually takes hours per iteration. The MCP-connected agent loop structures that cycle as a repeatable pipeline with logged outputs at each stage. The iteration cadence accelerates. Documentation is automatic. The OPSEC review is handled by a dedicated agent rather than a post-hoc manual check.
The practical result: the attacker's EDR evasion R&D cadence runs faster than the defender's signature update cycle. Not because the AI is brilliant. Because it is systematic and tireless in a way that manual iteration is not.
What this means for defenders
The MCP-and-agent pattern is not exotic. It is the same architecture being adopted in enterprise software development, security operations, and AI-assisted coding workflows. The tooling the attacker used (Claude, Cursor, MCP, Git) is the same tooling that security teams use. The attack industrialized the defender's own development workflow.
Specific actions: add AI coding tool activity and MCP connections to your threat model for insider risk and supply chain compromise scenarios. Review whether your endpoint security agents produce observable signals when iteratively targeted in an isolated environment. Consider threat hunting for Cobalt Strike profiles using legitimate-traffic disguise patterns alongside Telegram-based C2 indicators.
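One way to start the Telegram C2 hunt suggested above, as an added example that is not from the Sophos research or the original post: it flags processes outside an assumed allowlist that contact the Telegram Bot API host, and raises severity when the gaps between connections are near-constant. The log format, allowlist, thresholds, and sample events are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

BOT_API = "api.telegram.org"  # Telegram Bot API host
# Assumed allowlist of processes expected to reach Telegram in this environment.
EXPECTED = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry: epoch seconds, host, process image, destination.
SAMPLE = r"""
1000,ws-014,C:\Program Files\Telegram Desktop\Telegram.exe,api.telegram.org
1007,ws-014,C:\Program Files\Google\Chrome\Application\chrome.exe,api.telegram.org
1000,srv-db2,C:\Windows\System32\rundll32.exe,api.telegram.org
1060,srv-db2,C:\Windows\System32\rundll32.exe,api.telegram.org
1121,srv-db2,C:\Windows\System32\rundll32.exe,api.telegram.org
1180,srv-db2,C:\Windows\System32\rundll32.exe,api.telegram.org
1240,srv-db2,C:\Windows\System32\rundll32.exe,api.telegram.org
1300,ws-020,C:\Users\dev\tools\notify.exe,api.telegram.org
1302,srv-db2,C:\Windows\System32\svchost.exe,ctldl.windowsupdate.com
"""

def hunt(log_text, min_hits=4, max_jitter=0.1):
    """Return findings for unexpected processes talking to the Bot API."""
    seen = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, image, dest = line.split(",")
        proc = image.rsplit("\\", 1)[-1].lower()  # basename of the image path
        if dest.lower() == BOT_API and proc not in EXPECTED:
            seen[(host, proc)].append(int(ts))
    findings = []
    for (host, proc), times in sorted(seen.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Low relative spread of inter-connection gaps suggests timer-driven
        # polling rather than a person using a chat client.
        periodic = (len(times) >= max(min_hits, 2) and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings.append({"host": host, "process": proc, "hits": len(times),
                         "severity": "high" if periodic else "review"})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Tune the allowlist and thresholds to your own baseline before alerting on the output; legitimate notification bots will appear as "review" findings until they are documented.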
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge.