Sophos

A familiar playbook with a twist: 3AM ransomware actors dropped virtual machine with vishing and Quick Assist

This campaign, observed between November 2024 and January 2025, involved over 55 attempted attacks and at least 15 confirmed incidents. Initial access was achieved through email bombing and vishing, exploiting Microsoft Quick Assist.

Finding Minhook in a sideloading attack – and Sweden too

A sideloading campaign active from late 2023 to early 2024 targeted organisations in East Asia and later Sweden, delivering Cobalt Strike payloads via legitimate Windows executables and malicious DLLs.

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In January 2025, a phishing email targeting an MSP administrator led to a ransomware attack, with the Qilin ransomware group gaining access to the administrator's credentials and attacking the MSP's customers.

PJobRAT Makes a Comeback, Takes Another Crack at Chat Apps

In the latest campaign, Sophos X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. As per their telemetry, all the victims appeared to be based in Taiwan.

Scalable Vector Graphics Files Pose a Novel Phishing Threat

Attackers have been observed using the scalable vector graphics (SVG) file format for phishing. SVGs contain Extensible Markup Language (XML)-like text instructions to draw resizable, vector-based images on a computer.

Gootloader inside out

The operators of Gootloader continually refine their obfuscation techniques. Sophos X-Ops identified heavily obfuscated scripts, with key capabilities like string decryption and counter loops spread across multiple functions.

Frag Ransomware Exploits Veeam Vulnerability

Frag ransomware allows attackers to choose the percentage of each file to encrypt, potentially to avoid detection or delay file recovery. Files encrypted by Frag are renamed with a .frag extension.

Bengal Cat Lovers in Australia Lured in Google-driven GootLoader Campaign

This new attack campaign uses SEO poisoning to trick users looking for information on Bengal cat ownership laws into downloading malware disguised as relevant information.

PoorTry Windows Driver Deletes Crucial Files to Impair Windows Computers

The PoorTry Windows driver, originally used to disable EDR solutions, has now evolved into an EDR wiper, deleting crucial files to make system restoration harder. Sophos has confirmed actual EDR wiping attacks in the wild.

Qilin Ransomware Caught Stealing Credentials Stored in Google Chrome

A recent Qilin ransomware attack targeted several endpoints, stealing VPN credentials and Chrome browser data. This attack, detected in July 2024, involved network access through compromised VPN credentials without multi-factor authentication.

Defend Against Threats with Cyber Fusion

Cyware is the leading provider of cyber fusion solutions that power threat intelligence sharing, end-to-end automation and 360-degree threat response.