Claude Opus Was Named as the Coordinator in an AI-Built Ransomware Framework. Here's the Honest Read.
- Patrick Duggan
Sophos published a report today on an AI-built ransomware attack toolkit that automates Active Directory discovery and iterated through nearly eighty modules against more than seventy EDR evasion techniques. The framework tested payloads in a virtual lab against Sophos, CrowdStrike, and Microsoft Defender until the modules bypassed almost all of them. The payloads were generated in Rust and Go. The C2 ran through Telegram's infrastructure. A Cloudflare Worker fronted the backend to obscure the real server. The Python scripts were written in Russian.
Claude Opus 4.5 was named as the coordinator agent for the R&D process.
We use Claude Opus. It is our ride-or-die model, the reasoning layer at the center of everything we build. So let us be the ones to say this clearly, without hedging.
The same properties that make Claude effective for defense are available to anyone with an API key. Long context, iterative refinement, code generation, agent coordination, the ability to read security research and extract actionable techniques. When Sophos describes agents that read publications from Kaspersky, Palo Alto Networks, Bishop Fox, and SpecterOps, mapped the techniques to MITRE ATT&CK, prepared a test lab, executed the technique, and reported the outcome — that is not a failure of the model. That is the model doing what it was designed to do, directed toward a malicious purpose by humans who are responsible for that choice.
The researchers at Sophos were explicit: the workflow is entirely human-driven. Claude did not decide to build ransomware. A threat actor decided to build ransomware and used Claude to accelerate it. The distinction matters because conflating the two leads to the wrong conclusions about what the problem actually is.
The problem is not the model. The problem is that AI tools are shortening the period between the publication of offensive security research and its practical implementation. Techniques that previously required months of manual development, testing, and iteration can now be operationalized in days. The human expertise required to go from "I read a Bishop Fox paper on EDR evasion" to "I have a working payload" has dropped significantly. That is the threat. Not the model. The compression of the research-to-weapon pipeline.
What the toolkit built is not novel. Cobalt Strike profiles designed to blend into legitimate traffic are documented in the red team literature. Telegram as C2 is a well-established technique. Shellcode injection into legitimate Windows executables has been in the threat actor playbook for years. Cloudflare Workers as redirectors are in dozens of active campaigns in our corpus right now. Every component of this framework existed before AI. What AI provided was velocity and iteration — the ability to generate, test, fail, adjust, and try again across eighty variants without eighty developers.
This is the soft-surface thesis applied to offense. The hard parts of attack development — the final technique, the payload delivery, the C2 infrastructure — those still require human judgment and criminal infrastructure. The soft part — the research, the coding, the testing loop — is now dramatically accelerated. The asymmetry that AI creates for defenders also exists for attackers. The question is who compounds it faster.
We are not neutral on that question. We have an answer, and it is this platform. Seventeen point nine million documents. Eight point three six million autonomous threat decisions. A six-hour harvest cycle that converts proof-of-concept code into detection rules before vendor advisories land. The same iterative AI development loop that the threat actor used to build evasion modules, we use to build detection content. The race is real. We are in it.
The fake Claude domains in our corpus are a separate and useful footnote. We hold four domains impersonating Claude Code and Claude Desktop, all flagged as stealer C2 infrastructure from April 2026. Someone is impersonating the model to steal credentials from developers who think they are downloading Claude. The model's name is being used as a delivery mechanism for malware against its own users. That is the other edge of this: AI brand recognition as an attack surface.
The honest read is uncomfortable and worth stating plainly. The most capable AI models are dual-use by definition. That is not a flaw in their design. It is a property of any technology powerful enough to matter. The response is not to make them less capable. The response is to move faster on the defensive side of the same loop.
Claude Opus was named in a ransomware framework. We use Claude Opus. We are using it right now to build threat detection, to correlate IOCs, to write this post. The same tool, different hands, different intent, different outcome.
That is the whole story. The discipline is the differentiator. Not the model.
