Category: Threat Research
-
Game of clones: Sophos and the MITRE ATT&CK Enterprise 2025 Evaluations
Winter is coming – so it must be time for Sophos X-Ops’ report on this year’s MITRE ATT&CK Enterprise Evaluations
By Matt Wixey
-
GOLD SALEM tradecraft for deploying Warlock ransomware
Analysis of the tradecraft evolution across 6 months and 11 incidents
By Mindi McDowell
-
React2Shell flaw (CVE-2025-55182) exploited for remote code execution
The availability of exploit code will likely lead to more widespread opportunistic attacks
By Mindi McDowell
-
A big finish to 2025 in December’s Patch Tuesday
A month with no Critical-severity Windows bugs is overshadowed by a mass of Mariner mop-up
By Angela Gunn
-
Inside Shanya, a packer-as-a-service fueling modern attacks
The ransomware scene gains another would-be EDR killer
By Gabor Szappanos
-
Sharpening the knife: GOLD BLADE’s strategic evolution
Updates include novel abuse of recruitment platforms, modified infection chains, and expansion into a hybrid operation that combines data theft and ransomware deployment
By Mindi McDowell
-
WhatsApp compromise leads to Astaroth deployment
Another campaign targeting WhatsApp users in Brazil spreads like a worm and employs multiple payloads for credential theft, session hijacking, and persistence
By Mindi McDowell
-
November Patch Tuesday does its chores
A cleanup month brings 63 patches… wait, no, 68… how about 61?
By Angela Gunn
-
BRONZE BUTLER exploits Japanese asset management software vulnerability
The threat group targeted a LANSCOPE zero-day vulnerability (CVE-2025-61932)
By mindimcdowell
-
Windows Server Update Services (WSUS) vulnerability abused to harvest sensitive data
Exploitation of CVE-2025-59287 began after public disclosure and the release of proof-of-concept code
By mindimcdowell
-
Threat Intelligence Executive Report – Volume 2025, Number 5
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during July and August
By mindimcdowell
-
October Patch Tuesday beats January ’25 record
Microsoft throws a farewell party for Win10, Office 2016, and Office 2019… a very big party
By Angela Gunn
-
F5 network compromised
On October 15, 2025, F5 reported that a nation-state threat actor had gained long-term access to some F5 systems and exfiltrated data, including source code and information about undisclosed product vulnerabilities. This information may enable threat actors to compromise F5 devices by developing exploits for these vulnerabilities. The UK National Cyber Security…
-
WhatsApp Worm Targets Brazilian Banking Customers
Counter Threat Unit™ (CTU) researchers are investigating multiple incidents in an ongoing campaign targeting users of the WhatsApp messaging platform. The campaign, which started on September 29, 2025, is focused on Brazil and seeks to trick users into executing a malicious file attached to a self-spreading message received from…
-
HeartCrypt’s wholesale impersonation effort
How the notorious Packer-as-a-Service operation built itself into a hydra
By Gabor Szappanos
-
GOLD SALEM’s Warlock operation joins busy ransomware landscape
The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity
By mindimcdowell
-
September Patch Tuesday handles 81 CVEs
The last round of fixes before Win 10’s final shout touches 15 product families, including Xbox
By Angela Gunn
-
Velociraptor incident response tool abused for remote access
This approach represents an evolution from threat actors abusing remote monitoring and management tools
By mindimcdowell
-
Threat Intelligence Executive Report – Volume 2025, Number 4
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during May and June
By mindimcdowell
-
August Patch Tuesday includes blasts from the (recent) past
Microsoft’s haul this month covers 109 CVEs… more or less
By Angela Gunn
-
Sophos AI at Black Hat USA ’25: Anomaly detection betrayed us, so we gave it a new job
Following on from our preview, here’s Ben Gelman and Sean Bergeron’s research on enhancing command line classification with benign anomalous data
By Matt Wixey
-
Shared secret: EDR killer in the kill chain
A look under the hood at a tool designed to disable protections
By Gabor Szappanos
-
GOLD BLADE remote DLL sideloading attack deploys RedLoader
Attacks surged in July 2025 after the threat group updated its process to combine malicious LNK files and a recycled WebDAV technique
By mindimcdowell
-
Small world: The revitalization of small AI models for cybersecurity
Sophos X-Ops explores why larger isn’t always better when it comes to solving security challenges with AI
By Matt Wixey
-
SharePoint ‘ToolShell’ vulnerabilities being exploited in the wild
Sophos X-Ops sees exploitation across multiple customer estates
By Matt Wixey
-
SophosAI at Black Hat USA ’25: Anomaly detection betrayed us, so we gave it a new job
Sophos’ Ben Gelman and Sean Bergeron will present their research on enhancing command line classification with benign anomalous data at Las Vegas
By Matt Wixey
-
July Patch Tuesday offers 127 fixes
The seventh month is always a big one for Microsoft, and this year is no exception
By Angela Gunn
-
Threat Intelligence Executive Report – Volume 2025, Number 3
This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during March and April
By mindimcdowell
-
Using AI to identify cybercrime masterminds
Analyzing dark web forums to identify key experts on e-crime
By gallagherseanm
-
Taking the shine off BreachForums
ShinyHunters threat group members were arrested in a coordinated law enforcement action for their association with BreachForums
By mindimcdowell
-
June Patch Tuesday digs into 67 bugs
An extremely Windows-heavy month, with a surprise cameo by… Sophos?!
By Angela Gunn
-
The strange tale of ischhfd83: When cybercriminals eat their own
A simple customer query leads to a rabbit hole of backdoored malware and game cheats
By Matt Wixey
-
DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers
Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
By gallagherseanm
-
DragonForce targets rivals in a play for dominance
Not content with attacking retailers, this aggressive group is fighting a turf war with other ransomware operators
By Angela Gunn
-
A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist
Another adversary picks up the email bombing / vishing Storm-1811 playbook, doing thorough reconnaissance to target specific employees with fake help desk calls—this time, over the phone.
By gallagherseanm
-
Beyond the kill chain: What cybercriminals do with their money (Part 3)
In the third of our five-part series, Sophos X-Ops explores the more legally and ethically dubious business interests of financially motivated threat actors
By Matt Wixey
-
Beyond the kill chain: What cybercriminals do with their money (Part 4)
In the fourth of our five-part series, Sophos X-Ops explores threat actors’ real-world criminal business interests
By Matt Wixey
-
Beyond the kill chain: What cybercriminals do with their money (Part 5)
In the last of our five-part series, Sophos X-Ops explores the implications and opportunities arising from threat actors’ involvement in real-world industries and crimes
By Matt Wixey
-
Beyond the kill chain: What cybercriminals do with their money (Part 1)
Sophos X-Ops investigates what financially motivated threat actors invest their ill-gotten profits in, once the dust has settled
By Matt Wixey
-
Beyond the kill chain: What cybercriminals do with their money (Part 2)
In the second of our five-part series, Sophos X-Ops investigates the so-called ‘white’ (legitimate) business interests of threat actors
By Matt Wixey
-
Microsoft primes 71 fixes for May Patch Tuesday
Five issues actively exploited in the wild, but the real excitement may have been handled in advance
By Angela Gunn
-
Lumma Stealer, coming and going
The high-profile information stealer switches up its TTPs, but keeps the CAPTCHA tactic; we take a deep dive
By Angela Gunn
-
Finding Minhook in a sideloading attack – and Sweden too
Multifaceted changes in TTPs illustrate what researchers see when they start digging
By Gabor Szappanos
-
Moving CVEs past one-nation control
A near-miss episode of attempted defunding spotlights a need for a better way
By Chester Wisniewski
-
The Sophos Annual Threat Report: Cybercrime on Main Street 2025
Ransomware remains the biggest threat, but old and misconfigured network devices are making it too easy
By gallagherseanm
-
Sophos Annual Threat Report appendix: Most frequently encountered malware and abused software
These are the tools of the trade Sophos detected in use by cybercriminals over 2024
By gallagherseanm
-
Industrial-strength April Patch Tuesday covers 135 CVEs
One actively exploited issue patched; five Critical-severity Office vulns exploitable via Preview Pane
By Angela Gunn
-
It takes two: The 2025 Sophos Active Adversary Report
The dawn of our fifth year deepens our understanding of the enemies at the gate, and some tensions inside it; plus, an anniversary gift from us to you
By Angela Gunn
-
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
Attack matches three-year-long pattern of ScreenConnect attacks tracked by Sophos MDR as STAC4365.
By gallagherseanm
-
Stealing user credentials with evilginx
A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there’s hope
By Angela Gunn
-
PJobRAT makes a comeback, takes another crack at chat apps
Sophos X-Ops uncovers a recent campaign from an Android RAT first seen in 2019 – now infecting users in Taiwan
By Pankaj Kohli
-
The future of MFA is clear – but is it here yet?
Not all authentication is equal to the task in 2025, but there is a best choice within reach
By Chester Wisniewski
-
Little fires everywhere for March Patch Tuesday
Just 57 CVEs to contend with (plus advisories), but six are already under exploit in the wild
By Angela Gunn
-
February Patch Tuesday delivers 57 packages
After January’s deluge, a calmer update volume returns
By Angela Gunn
-
Scalable Vector Graphics files pose a novel phishing threat
The SVG file format can harbor malicious HTML, scripts, and malware
By Andrew Brandt
-
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware.
By gallagherseanm
-
Gootloader inside out
Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware – without needing a lawyer afterward
By Gabor Szappanos
-
159-CVE January Patch Tuesday smashes single-month record
Brace yourselves… and consider reading your email in plaintext for now
By Angela Gunn
-
Prioritizing patching: A deep dive into frameworks and tools – Part 2: Alternative frameworks
In the second of a two-part series on tools and frameworks designed to help with remediation prioritization, we explore some alternatives to CVSS
By Matt Wixey
-
Prioritizing patching: A deep dive into frameworks and tools – Part 1: CVSS
In the first of a two-part series exploring tools and frameworks which can help organizations with remediation prioritization, Sophos X-Ops takes a look at the Common Vulnerability Scoring System (CVSS)
By Matt Wixey
-
Phishing platform Rockstar 2FA trips, and “FlowerStorm” picks up the pieces
A sudden disruption of a major phishing-as-a-service provider leads to the rise of another… that looks very familiar
By gallagherseanm
-
The Bite from Inside: The Sophos Active Adversary Report
A sea change in available data fuels fresh insights from the first half of 2024
By Angela Gunn
-
December Patch Tuesday arrives bearing 71 gifts
Seventeen Critical-severity CVEs ready to deck your halls; also, new blog guidance for Windows Server admins
By Angela Gunn
-
Keeping it real: Sophos and the 2024 MITRE ATT&CK Evaluations: Enterprise
Sophos X-Ops looks at the realism of this year’s MITRE ATT&CK Evaluations
By Michael Wood
-
Bengal cat lovers in Australia get psspsspss’d in Google-driven Gootloader campaign
The Internet is full of cats—and in this case, malware-delivering fake cat websites used for very targeted search engine optimization.
By gallagherseanm
-
VEEAM exploit seen used again with a new ransomware: “Frag”
Last month, Sophos X-Ops reported several MDR cases where threat actors exploited a vulnerability in Veeam backup servers. We continue to track the activities of this threat cluster, which recently included deployment of a new ransomware. The vulnerability, CVE-2024-40711, was used as part of a…
-
Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater”
Sophos MDR has observed a new campaign that uses targeted phishing to entice the target to download a legitimate remote machine management tool to dump credentials. We believe with moderate confidence that this activity, which we track as STAC 1171, is related to…