< ciso brief />

All news with #sophos tag

12 articles

Fake Claude Site Distributes Beagle Backdoor to Windows

🔒 A fraudulent imitation of Anthropic's Claude hosted at claude-pro[.]com distributed a roughly 505 MB ZIP claiming to contain a "Claude-Pro Relay" tool, according to Sophos X-Ops. The MSI installer drops three items into the startup folder: a signed G DATA updater renamed NOVupdate.exe, an encrypted data file and a malicious avk.dll; when the updater runs it sideloads avk.dll, which decrypts shellcode and uses DonutLoader to load the Beagle backdoor. Sophos traced related samples to February–March 2026 and noted the campaign used Cloudflare for distribution while hosting C2 infrastructure on Alibaba Cloud.

ClickFix Campaigns Deliver MacSync macOS Infostealer

🛡️ Sophos researchers identified three ClickFix campaigns that used malicious search ads and trusted-host lures to coax macOS users into pasting and executing terminal commands, resulting in the deployment of the MacSync infostealer. The campaigns—first observed in November and December 2025 and refreshed in February 2026—leveraged fake Google Sites, ChatGPT conversation redirects, and GitHub-style pages. The February variant introduced dynamic AppleScript and in-memory execution to harvest credentials, keychain data, files, and crypto seed phrases while attempting to erase traces.

CISO Priorities for 2026: AI, Identity, and Resilience

🔐 2026 will bring faster, cheaper, and more credible cyberattacks as AI and automation lower the skill barrier for attackers. Industry leaders from Banco Santander, Vodafone, NordVPN, Sophos, and Cisco emphasize a shift from perimeter defenses to identity-centric, automated, resilience-focused models. Priority actions include continuous identity verification, integrated AI-driven security, XDR consolidation, supply-chain risk management, and stronger detection, response, and data-protection controls implemented with minimal customer friction.

Manufacturing Sees Fewer Encryptions but Ransom Risks

🔒 A recent Sophos study finds the manufacturing sector is blocking more ransomware before encryption, with only 40% of attacks resulting in data encryption this year versus 74% in 2024. Despite improved containment, data theft remains high (39% of encrypted cases) and more than half of affected firms paid ransoms; the median payment was about €861,000. Shortages of skilled staff, unknown vulnerabilities and inadequate protections are cited as root causes, and attacks are increasing stress and leadership pressures within IT teams.

Ransomware in Manufacturing: Lower Encryption, High Payouts

🔒 A Sophos study finds manufacturing firms are increasingly able to stop ransomware before encryption occurs, with only 40% of attacks leading to data encryption — the lowest rate in five years and down from 74% the prior year. Despite improved defenses, data theft remains a major concern: 39% of encrypted incidents resulted in data loss. More than half of affected companies still paid ransoms, with a median payment of about €861,000 versus median demands near €1 million. Respondents cited skills shortages, unknown vulnerabilities and missing protections as key contributors, and attacks continue to strain IT and leadership teams.

China-Linked 'Bronze Butler' Exploits Lanscope Zero-Day

🔒 Sophos researchers discovered China-linked espionage group Bronze Butler exploiting a zero-day in Motex Lanscope Endpoint Manager (CVE-2025-61932) to deploy an updated Gokcpdoor backdoor. The flaw enabled unauthenticated remote code execution as SYSTEM on affected versions (<=9.4.7.2), and attackers used OAED Loader, DLL sideloading, and multiplexed C2 channels to evade detection. Motex released patches on October 20, 2025, and CISA added the vulnerability to its KEV list; organizations are advised to upgrade immediately since no mitigations exist.

China-linked Tick exploits Lanscope flaw to deploy backdoor

⚠️ Sophos and JPCERT/CC have linked active exploitation of a critical Motex Lanscope Endpoint Manager vulnerability (CVE-2025-61932, CVSS 9.3) to the China-aligned Tick group. Attackers leveraged the flaw to execute SYSTEM-level commands and drop a Gokcpdoor backdoor, observed in both server and client variants that create covert C2 channels. The campaign used DLL side-loading to run an OAED Loader, deployed the Havoc post-exploitation framework on select hosts, and used tools like goddi and tunneled Remote Desktop for lateral movement. Organizations are advised to upgrade or isolate internet-facing LANSCOPE servers and review deployments of the MR and DA agents.

German Logistics Vulnerable to Widespread Cyberattacks

🔒 A recent Sophos survey reports that nearly 80% of German logistics companies have experienced cyberattacks, with incidents frequently occurring at interfaces with customers and suppliers. Forty percent of respondents noted impacts from supply-chain security failures. While many firms now embed IT security requirements in partner contracts, enforcement and regular checks are often missing. The human factor and understaffed security teams remain key vulnerabilities.

Chinese Hackers Exploit Enterprise Network Appliances

🔒 A Chinese state-sponsored group tracked as RedNovember carried out a global espionage campaign from June 2024 to July 2025, compromising defense contractors, government agencies, and major corporations by exploiting internet-facing network appliances. The attackers rapidly weaponized disclosed flaws in devices from SonicWall, Ivanti, Cisco, F5, Sophos, and Fortinet, often within 72 hours of public exploit code. They deployed Go-based tools including Pantegana, Cobalt Strike, and SparkRAT, and relied on open-source tooling and legitimate services to obfuscate attribution and maintain persistent access.

Budget Constraints Stall Cybersecurity Efforts in DACH

🔒 A Sophos survey of 300 C-level executives across the DACH region finds that budget shortfalls are the primary barrier to implementing planned cybersecurity measures, with roughly one in ten organisations abandoning initiatives due to cost. Manufacturing and retail report the highest incidence of cancelled projects, while service firms are least affected. The study also notes that technical complexity is rarely cited as a blocker and that some firms, notably in manufacturing, consciously accept cyber risk, with younger executives in Germany and Switzerland tending to be more risk tolerant.

Ransomware Demands and Payments Fall Sharply in Education

📉 A new Sophos study finds that ransomware demands and payments in the education sector have dropped dramatically year‑on‑year, with average demands falling 74% for lower education and 80% for higher education. Median payments also plunged, moving education from among the highest to among the lowest payers. Improved detection, faster recovery and more effective negotiation are cited as key drivers behind the reductions.

Attackers Abuse Velociraptor to Tunnel C2 via VS Code

🔍 In a recent Sophos report, unknown actors abused the open-source forensic tool Velociraptor to download and execute Visual Studio Code, enabling an encrypted tunnel to an attacker-controlled command-and-control server. The intruders used the Windows msiexec utility to fetch MSI installers hosted on Cloudflare Workers, staged additional tooling including a tunneling proxy and Radmin, and invoked an encoded PowerShell command to enable VS Code's tunnel option. Sophos warns that misuse of incident response tools can precede ransomware and recommends deploying EDR, monitoring for unauthorized Velociraptor activity, and hardening backup and monitoring processes.