Category: featured
-
Game of clones: Sophos and the MITRE ATT&CK Enterprise 2025 Evaluations
Winter is coming – so it must be time for Sophos X-Ops’ report on this year’s MITRE ATT&CK Enterprise Evaluations (Matt Wixey)
-
GOLD SALEM tradecraft for deploying Warlock ransomware
Analysis of the tradecraft evolution across 6 months and 11 incidents (Mindi McDowell)
-
React2Shell flaw (CVE-2025-55182) exploited for remote code execution
The availability of exploit code will likely lead to more widespread opportunistic attacks (Mindi McDowell)
-
A big finish to 2025 in December’s Patch Tuesday
A month with no Critical-severity Windows bugs is overshadowed by a mass of Mariner mop-up (Angela Gunn)
-
Sophos achieves its best-ever results in the MITRE ATT&CK Enterprise 2025 Evaluation
A major milestone: Sophos XDR delivers 100% detection coverage in the latest ATT&CK Evaluation. (rajansanhotra)
-
Inside Shanya, a packer-as-a-service fueling modern attacks
The ransomware scene gains another would-be EDR killer (Gabor Szappanos)
-
Sharpening the knife: GOLD BLADE’s strategic evolution
Updates include novel abuse of recruitment platforms, modified infection chains, and expansion into a hybrid operation that combines data theft and ransomware deployment (Mindi McDowell)
-
Introducing Sophos Intelix for Microsoft Security Copilot
Elevating threat intelligence for all Security Copilot users. (Doug Aamoth)
-
Introducing Sophos Intelix for Microsoft 365 Copilot
Bringing Sophos threat intelligence directly into Microsoft 365 Copilot. (Doug Aamoth)
-
WhatsApp compromise leads to Astaroth deployment
Another campaign targeting WhatsApp users in Brazil spreads like a worm and employs multiple payloads for credential theft, session hijacking, and persistence (Mindi McDowell)
-
Advancing Cybersecurity for Microsoft Environments
From certified MDR services to open threat intelligence frameworks, Sophos is delivering the clarity, context, and confidence organizations need to stay ahead of evolving threats. (Sally Adam)
-
November Patch Tuesday does its chores
A cleanup month brings 63 patches… wait, no, 68… how about 61? (Angela Gunn)
-
Detecting fraudulent North Korean hires: A CISO playbook
Has a North Korean threat actor applied for a position at your organization, or even been hired? We’re sharing a toolkit to help you detect and avoid that risk. (Ross McKerchar)
-
Phake phishing: Phundamental or pholly?
Debates over the effectiveness of phishing simulations are widespread. Sophos X-Ops looks at the arguments for and against – and our own phishing philosophy (Ross McKerchar)
-
BRONZE BUTLER exploits Japanese asset management software vulnerability
The threat group targeted a LANSCOPE zero-day vulnerability (CVE-2025-61932) (mindimcdowell)
-
Windows Server Update Services (WSUS) vulnerability abused to harvest sensitive data
Exploitation of CVE-2025-59287 began after public disclosure and the release of proof-of-concept code (mindimcdowell)
-
Threat Intelligence Executive Report – Volume 2025, Number 5
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during July and August (mindimcdowell)
-
October Patch Tuesday beats January ’25 record
Microsoft throws a farewell party for Win10, Office 2016, and Office 2019… a very big party (Angela Gunn)
-
F5 network compromised
On October 15, 2025, F5 reported that a nation-state threat actor had gained long-term access to some F5 systems and exfiltrated data, including source code and information about undisclosed product vulnerabilities. This information may enable threat actors to compromise F5 devices by developing exploits for these vulnerabilities. The UK National Cyber Security…
-
WhatsApp Worm Targets Brazilian Banking Customers
Counter Threat Unit™ (CTU) researchers are investigating multiple incidents in an ongoing campaign targeting users of the WhatsApp messaging platform. The campaign, which started on September 29, 2025, is focused on Brazil and seeks to trick users into executing a malicious file attached to a self-spreading message received from…
-
HeartCrypt’s wholesale impersonation effort
How the notorious Packer-as-a-Service operation built itself into a hydra (Gabor Szappanos)
-
What happens when a cybersecurity company gets phished?
A Sophos employee was phished, but we countered the threat with an end-to-end defense process (Ross McKerchar)
-
GOLD SALEM’s Warlock operation joins busy ransomware landscape
The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity (mindimcdowell)
-
September Patch Tuesday handles 81 CVEs
The last round of fixes before Win 10’s final shout touches 15 product families, including Xbox (Angela Gunn)
-
Velociraptor incident response tool abused for remote access
This approach represents an evolution from threat actors abusing remote monitoring and management tools (mindimcdowell)
-
Threat Intelligence Executive Report – Volume 2025, Number 4
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during May and June (mindimcdowell)
-
August Patch Tuesday includes blasts from the (recent) past
Microsoft’s haul this month covers 109 CVEs… more or less (Angela Gunn)
-
Sophos AI at Black Hat USA ’25: Anomaly detection betrayed us, so we gave it a new job
Following on from our preview, here’s Ben Gelman and Sean Bergeron’s research on enhancing command line classification with benign anomalous data (Matt Wixey)
-
Shared secret: EDR killer in the kill chain
A look under the hood at a tool designed to disable protections (Gabor Szappanos)
-
GOLD BLADE remote DLL sideloading attack deploys RedLoader
Attacks surged in July 2025 after the threat group updated its process to combine malicious LNK files and a recycled WebDAV technique (mindimcdowell)
-
Sophos’ Secure by Design 2025 Progress
One year on, we are pleased to share progress on our secure-by-design commitments. (Ross McKerchar)
-
Small world: The revitalization of small AI models for cybersecurity
Sophos X-Ops explores why larger isn’t always better when it comes to solving security challenges with AI (Matt Wixey)
-
SharePoint ‘ToolShell’ vulnerabilities being exploited in the wild
Sophos X-Ops sees exploitation across multiple customer estates (Matt Wixey)
-
SophosAI at Black Hat USA ’25: Anomaly detection betrayed us, so we gave it a new job
Sophos’ Ben Gelman and Sean Bergeron will present their research on enhancing command line classification with benign anomalous data at Las Vegas (Matt Wixey)
-
July Patch Tuesday offers 127 fixes
The seventh month is always a big one for Microsoft, and this year is no exception (Angela Gunn)
-
Threat Intelligence Executive Report – Volume 2025, Number 3
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during March and April (mindimcdowell)
-
Using AI to identify cybercrime masterminds
Analyzing dark web forums to identify key experts on e-crime (gallagherseanm)
-
Taking the shine off BreachForums
ShinyHunters threat group members were arrested in a coordinated law enforcement action for their association with BreachForums (mindimcdowell)
-
The strange tale of ischhfd83: When cybercriminals eat their own
A simple customer query leads to a rabbit hole of backdoored malware and game cheats (Matt Wixey)
-
DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers
Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network (gallagherseanm)
-
DragonForce targets rivals in a play for dominance
Not content with attacking retailers, this aggressive group is fighting a turf war with other ransomware operators (Angela Gunn)
-
Beyond the kill chain: What cybercriminals do with their money (Part 1)
Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled (Matt Wixey)
-
Microsoft primes 71 fixes for May Patch Tuesday
Five issues actively exploited in the wild, but the real excitement may have been handled in advance (Angela Gunn)
-
Lumma Stealer, coming and going
The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive (Angela Gunn)
-
Moving CVEs past one-nation control
A near-miss episode of attempted defunding spotlights a need for a better way (Chester Wisniewski)
-
The Sophos Annual Threat Report: Cybercrime on Main Street 2025
Ransomware remains the biggest threat, but old and misconfigured network devices are making it too easy (gallagherseanm)
-
Industrial-strength April Patch Tuesday covers 135 CVEs
One actively exploited issue patched; five Critical-severity Office vulns exploitable via Preview Pane (Angela Gunn)
-
It takes two: The 2025 Sophos Active Adversary Report
The dawn of our fifth year deepens our understanding of the enemies at the gate, and some tensions inside it; plus, an anniversary gift from us to you (Angela Gunn)
-
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
Attack matches a three-year-long pattern of ScreenConnect attacks tracked by Sophos MDR as STAC4365. (gallagherseanm)
-
PJobRAT makes a comeback, takes another crack at chat apps
Sophos X-Ops uncovers a recent campaign from an Android RAT first seen in 2019 – now infecting users in Taiwan (Pankaj Kohli)
-
The future of MFA is clear – but is it here yet?
Not all authentication is equal to the task in 2025, but there is a best choice within reach (Chester Wisniewski)
-
Little fires everywhere for March Patch Tuesday
Just 57 CVEs to contend with (plus advisories), but six are already under exploit in the wild (Angela Gunn)
-
February Patch Tuesday delivers 57 packages
After January’s deluge, a calmer update volume returns (Angela Gunn)
-
Scalable Vector Graphics files pose a novel phishing threat
The SVG file format can harbor malicious HTML, scripts, and malware (Andrew Brandt)
-
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware. (gallagherseanm)
-
Gootloader inside out
Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware – without needing a lawyer afterward (Gabor Szappanos)
-
159-CVE January Patch Tuesday smashes single-month record
Brace yourselves… and consider reading your email in plaintext for now (Angela Gunn)
-
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces
A sudden disruption of a major phishing-as-a-service provider leads to the rise of another… that looks very familiar (gallagherseanm)
-
The Bite from Inside: The Sophos Active Adversary Report
A sea change in available data fuels fresh insights from the first half of 2024 (Angela Gunn)
-
December Patch Tuesday arrives bearing 71 gifts
Seventeen Critical-severity CVEs ready to deck your halls; also, new blog guidance for Windows Server admins (Angela Gunn)
-
Keeping it real: Sophos and the 2024 MITRE ATT&CK Evaluations: Enterprise
Sophos X-Ops looks at the realism of this year’s MITRE ATT&CK Evaluations (Michael Wood)
-
Sophos excels in the 2024 MITRE ATT&CK® Evaluations: Enterprise
Results from the latest ATT&CK Evaluations for endpoint detection and response solutions. (rajansanhotra)
-
Sophos named a Gartner® Peer Insights™ Customers’ Choice for Managed Detection and Response (MDR) Services for the 2nd time
Sophos is the only vendor named a Customers’ Choice across Endpoint Protection Platforms, Network Firewalls, and Managed Detection and Response (rajansanhotra)