A new wave of sophisticated EDR killer tools, often packed with HeartCrypt, is being deployed by multiple ransomware groups to disable endpoint defenses and facilitate ransomware execution.
A new campaign by the GOLD BLADE threat group leverages a remote DLL sideloading technique to deploy RedLoader malware. This attack chain combines malicious LNK files and WebDAV-based delivery mechanisms to evade detection and establish persistence.
A recent targeted ransomware attack leveraged vulnerabilities in SimpleHelp remote monitoring and management (RMM) software to compromise a Managed Service Provider (MSP) and its clients.
This campaign, observed between November 2024 and January 2025, involved over 55 attempted attacks and at least 15 confirmed incidents. Initial access was achieved through email bombing and vishing, with the attackers abusing the legitimate Microsoft Quick Assist remote-assistance tool.
A sideloading campaign active from late 2023 to early 2024 targeted organisations in East Asia and later Sweden, delivering Cobalt Strike payloads via legitimate Windows executables and malicious DLLs.
In January 2025, a phishing email targeting an MSP administrator led to a ransomware attack, with the Qilin ransomware group gaining access to the administrator's credentials and attacking the MSP's customers.
In the latest campaign, Sophos X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. As per their telemetry, all the victims appeared to be based in Taiwan.
Attackers have been observed using the graphics file format scalable vector graphics (SVG) for this purpose. SVG files are Extensible Markup Language (XML) text whose elements describe resizable, vector-based images, which means they can also carry script and other active content that a raster image cannot.
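Because an SVG is plain XML, the same parser used for any XML document can be pointed at it to find the constructs that turn an "image" into executable content. The scanner below is an added example and not code from the original page or from Sophos X-Ops; the two SVG documents it checks are constructed for illustration, and the list of elements and attributes it treats as active (script, foreignObject, embedded HTML containers, on* event handlers, javascript: and data:text/html hrefs) is this example's own choice.

```python
"""Flag active content inside SVG files.

Added example: scans an SVG (XML text) for constructs that can execute or
embed code rather than draw an image. Sample SVGs are constructed inline.
"""
import xml.etree.ElementTree as ET
from typing import List

# Elements that carry or embed active content (example's own selection).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}


def _localname(qualified: str) -> str:
    """ElementTree stores namespaced names as '{uri}local'; drop the uri."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> List[str]:
    """Return one finding string per active construct, in document order.

    For untrusted input in production, swap ET.fromstring for
    defusedxml.ElementTree.fromstring to harden the XML parsing itself.
    """
    findings: List[str] = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        name = _localname(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _localname(attr)
            # onload=, onclick=, onmouseover=, ... run script when triggered.
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            # href / xlink:href pointing at script or an HTML document.
            if aname == "href":
                v = value.strip().lower()
                if v.startswith("javascript:"):
                    findings.append(f"javascript: URL in href on <{name}>")
                elif v.startswith("data:text/html"):
                    findings.append(f"data:text/html URL in href on <{name}>")
    return findings


def is_suspicious(svg_text: str) -> bool:
    return bool(find_active_content(svg_text))


# Constructed sample 1: an ordinary drawing, nothing to flag.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="blue"/></svg>'
)

# Constructed sample 2: four distinct active constructs in one file.
SUSPICIOUS_SVG = """
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* script body would go here */</script>
  <a xlink:href="javascript:void(0)"><text>Open document</text></a>
  <foreignObject width="1" height="1">
    <div xmlns="http://www.w3.org/1999/xhtml">embedded HTML</div>
  </foreignObject>
</svg>
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, find_active_content(doc))
```

A mail gateway or sandbox can apply the same check before rendering an SVG attachment; a file that draws only shapes and paths produces no findings, while one that needs `<script>`, event handlers or `<foreignObject>` to do its job has no business arriving as an "image".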
The operators of Gootloader continually refine their obfuscation techniques. Sophos X-Ops identified heavily obfuscated scripts, with key capabilities like string decryption and counter loops spread across multiple functions.
Frag ransomware allows attackers to choose the percentage of each file to encrypt, potentially to avoid detection or delay file recovery. Files encrypted by Frag are renamed with a .frag extension.
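Encrypting only a slice of each file is what lets partial encryption slip past detections that look at whole-file entropy. The script below is an added example, not code from the original page or from Sophos X-Ops: it simulates a ransomware that encrypts a chosen percentage of a file, shows that the whole-file entropy stays low, and then applies a per-window entropy scan that still exposes the encrypted region. The page does not say which bytes Frag selects, so the simulation assumes the simplest case (the first N% of the file) and uses pseudo-random bytes in place of real ciphertext; the sample document is constructed inline.

```python
"""Why partial encryption defeats whole-file entropy checks, and a
per-window scan that still catches it.

Added example. Assumption: the encrypted slice is the file's first N%;
pseudo-random bytes stand in for ciphertext (same near-8-bit signature).
"""
import math
import random
from collections import Counter
from typing import Tuple

WINDOW = 4096        # bytes per scan window
HIGH_ENTROPY = 7.5   # bits/byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def partially_encrypt(plain: bytes, percent: int, seed: int = 1234) -> bytes:
    """Simulate encrypting only the first `percent` of a file (assumption)."""
    cut = len(plain) * percent // 100
    fake_ciphertext = random.Random(seed).randbytes(cut)
    return fake_ciphertext + plain[cut:]


def whole_file_looks_encrypted(data: bytes) -> bool:
    """The naive check: one entropy value for the entire file."""
    return shannon_entropy(data) > HIGH_ENTROPY


def windowed_scan(data: bytes, window: int = WINDOW) -> Tuple[int, int]:
    """Return (high_entropy_windows, total_windows) over fixed-size windows."""
    windows = [data[i:i + window] for i in range(0, len(data), window)]
    flagged = sum(1 for w in windows if shannon_entropy(w) > HIGH_ENTROPY)
    return flagged, len(windows)


# Constructed sample: 100 KiB of low-entropy "document" text.
PHRASE = b"The quick brown fox jumps over the lazy dog. "
PLAINTEXT = (PHRASE * (102400 // len(PHRASE) + 1))[:102400]
# 8% of 100 KiB is 8192 bytes, i.e. exactly two 4096-byte windows.
SAMPLE = partially_encrypt(PLAINTEXT, percent=8)

if __name__ == "__main__":
    print(f"whole-file entropy {shannon_entropy(SAMPLE):.2f} bits/byte, "
          f"flagged={whole_file_looks_encrypted(SAMPLE)}")
    flagged, total = windowed_scan(SAMPLE)
    print(f"windowed scan: {flagged}/{total} windows above {HIGH_ENTROPY}")
```

The whole-file figure for the sample lands around 5 bits/byte, comfortably under any threshold tuned for fully encrypted files, while the windowed scan reports two of twenty-five windows as high-entropy. A detection that keys on the proportion of high-entropy windows, combined with the `.frag` rename the page describes, is far harder to defeat by simply lowering the percentage.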