The MSP Minute ⏱ Thursday 4 June 2026
For Managed Service Providers worldwide. Today... someone built an AI-powered malware lab to defeat your security tools... the World Cup scammers are ready... and the Pax8 event opens on Sunday.
🔴 A threat actor used AI to build a malware testing lab… specifically to defeat the security tools you deploy for clients
Sophos published some scary research on Tuesday.
A threat actor linked to ransomware and data theft operations built a complete AI-orchestrated malware development and testing framework. Using AI agents including Claude Opus and Cursor, they generated Python shellcode injection scripts, automated Active Directory discovery, and systematically refined EDR evasion techniques across 80+ modules and 70+ bypass methods.
All of it has been tested against dedicated virtual machines running Sophos, CrowdStrike, and Microsoft Defender… the exact tools MSPs deploy for clients. BleepingComputer
The toolkit also includes Cobalt Strike profiles disguising beacon traffic as legitimate web requests, a Telegram bot for command and control, and a Cloudflare Worker concealing backend infrastructure. This is a sophisticated, layered setup that took significant effort to build and is being used operationally. Help Net Security
Two things worth understanding.
First: this is AI being used to accelerate attack development, not replace the attacker. The workflow is entirely human-driven. AI just makes it dramatically faster.
Second: the specific EDR tools tested were Sophos, CrowdStrike, and Defender. We don’t yet know how successful the evasion was. Sophos notes the attacker’s claimed success rate appears to include AI hallucination. But the direction this is going is clear.
🟡 The World Cup starts in a week. The scammers have been ready for months
The 2026 FIFA World Cup kicks off a week today across the US, Canada, and Mexico. The FBI issued a formal warning last week: hundreds of fake FIFA websites are already live, designed to steal credentials, payment details, and personal information from fans buying tickets, merch, and streaming packages. BleepingComputer
The most sophisticated campaign runs across 300+ domains and includes a pixel-perfect replica of the official FIFA website, complete with a fake single sign-on flow and support in 11 languages. Typosquatted domains include fiffa[.]com, vww-fifa[.]com, and fake employment portals like jobs-fifa[.]com. Cybernews
The practical angle for MSPs: your clients’ employees are football fans. Some of them will be buying related stuff over the next seven weeks. A short, timely reminder about verifying URLs before entering payment details is worth sending this week… it’s the kind of proactive communication that shows you have their back.
🟢 Pax8 Beyond opens this Sunday in Salt Lake City
Pax8 Beyond 2026 opens Sunday at the Salt Palace Convention Center in Salt Lake City. Three days of sessions, vendors, and announcements covering Microsoft licensing, AI tools, cybersecurity stack consolidation, and MSP business growth. Pax8 Beyond
If you’re going, hit reply to let us know. It’s worth knowing that announcements from the show floor this weekend could affect Microsoft licensing pricing and AI product availability for MSPs. We’ll keep an eye on what comes out of it and cover anything significant early next week.
Great, that’s Thursday done. We’ll be back in your inbox in the morning, for the final time this week. Have a good one.


