The Counter Threat Unit™ (CTU) research team analyzes security threats to help organizations protect their systems. Based on observations in September and October, CTU™ researchers identified the following noteworthy issues and changes in the global threat landscape:
- EDR killers pose a threat
- Configuration matters
- Infostealers remain major ransomware precursors
EDR killers pose a threat
Good security hygiene could prevent threat actors from disabling endpoint detections.
CTU researchers investigated a Chaos ransomware incident during which the attackers were able to ‘switch off’ endpoint detection and response (EDR) protection on the compromised system. Chaos is an emerging ransomware variant that was first observed in early 2025 and appears to be a direct continuation of the Royal and BlackSuit ransomware families.
Neutralizing endpoint security solutions could enable threat actors to avoid detection while conducting their attack and deploying payloads. Tools with these capabilities are available for sale on underground forums. They can be used in Bring Your Own Vulnerable Driver (BYOVD) attacks, which involve a threat actor installing a driver on a victim’s system and then exploiting a known vulnerability in the driver to conduct post-compromise activity. Other tools offering the same functionality may be available as part of penetration testing frameworks or as open-source tools on GitHub. They are growing in sophistication and are increasingly being incorporated into ransomware groups’ attack arsenals. There is evidence that effective tools are shared and customized by multiple groups.
Sophos has developed detections and behavioral protection rules that can identify and stop this type of defense evasion. Good security hygiene also provides an extra line of defense. In general, these tools can only be used effectively if the attackers have been able to escalate privileges and obtain administrator rights. Strict separation of admin and user rights can help protect against threat actors loading these types of drivers and tools.
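The paragraph above describes the mitigation in general terms; the following PowerShell script is an added example (not from the CTU report) that checks the Windows controls which make driver-based EDR killers harder to load and inventories the non-Microsoft kernel drivers currently running. It assumes an elevated session on a recent Windows 10/11 or Windows Server host; the Code Integrity event ID used at the end is my assumption from the documented enforcement event.

```powershell
# Added example: audit a host for the controls that limit BYOVD-style driver loading.
# Run from an elevated PowerShell session.

# 1. Microsoft Vulnerable Driver Blocklist (value 1 = enforced; recent Windows 11 builds turn it on by default)
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) { 'Vulnerable driver blocklist: ENABLED' }
else { "Vulnerable driver blocklist: NOT ENABLED (registry value: $blocklist)" }

# 2. Hypervisor-protected code integrity (HVCI): SecurityServicesRunning contains 2 when HVCI is active
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) { 'HVCI: RUNNING' } else { 'HVCI: NOT RUNNING' }

# 3. Running kernel drivers not signed by Microsoft: compare this list against a known-good baseline
$thirdParty = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise service-style paths (\SystemRoot\..., \??\C:\..., system32\drivers\...) to file paths
        $path = $_.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Signer = $sig.SignerCertificate.Subject
            Status = $sig.Status
        }
    } |
    Where-Object { $_.Signer -notmatch 'Microsoft' }
"Non-Microsoft running drivers: $($thirdParty.Count)"
$thirdParty | Format-Table Name, Signer, Status -AutoSize

# 4. Drivers Code Integrity has blocked in the last 7 days (assumed: 3077 is the enforced-block event)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3077
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
```

A driver in the third-party list that is unfamiliar, unsigned, or signed by a revoked certificate is a candidate for blocking via a WDAC policy, which the separation of admin and user rights described above prevents an ordinary user from undoing.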
Configuration matters
Straightforward configuration changes can result in major security improvements.
Several incidents reinforced that threat actors will take advantage of native system features if appropriate defensive measures are not in place. For example, attackers continued to use Microsoft 365’s Direct Send feature in September to deliver phishing emails that appeared to originate from the victims’ organizations. Printers, scanners, and other devices use Direct Send to send messages on behalf of an organization, but its lack of authentication leaves it open to abuse. These emails invited victims to review their payroll information with the goal of capturing user credentials.
According to Microsoft, secure use of Direct Send assumes that customers have properly configured email security protocols for their Microsoft Exchange tenants to prevent email spoofing. But that doesn’t always happen. In addition to proper configuration, customers can follow Microsoft’s guidance to introduce more control over Direct Send or can turn it off entirely.
CTU researchers also observed threat actors abusing Windows servers running unpatched versions of Windows Server Update Services (WSUS) after Microsoft released patches for CVE-2025-59287 and a researcher published a proof-of-concept exploit. However, Microsoft’s mitigation advice clarified that the WSUS Server Role is not enabled by default on Windows servers. Disabling this role or blocking inbound traffic to certain ports on the host firewall prevents servers from being vulnerable to this flaw.
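To turn the WSUS mitigation above into a check, here is an added PowerShell example (not from the CTU report or Microsoft's advisory) for a Windows Server host. It assumes WSUS is on its default ports, 8530 (HTTP) and 8531 (HTTPS); adjust them if the role was configured with custom ports.

```powershell
# Added example: is the WSUS role present, is it listening, and does the host firewall let it in?
# Run from an elevated PowerShell session on the server being checked.
Import-Module ServerManager
$wsusPorts = 8530, 8531   # assumption: WSUS default ports

# 1. Is the role installed at all? (Microsoft notes it is not enabled by default.)
$role = Get-WindowsFeature -Name UpdateServices
"WSUS role installed: $($role.Installed)"

# 2. Is anything listening on the WSUS ports?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $wsusPorts }
if ($listening) { $listening | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize }
else { "Nothing listening on ports $($wsusPorts -join ', ')" }

# 3. Which enabled inbound allow rules expose those ports?
$allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ports | Where-Object { $_ -in ($wsusPorts | ForEach-Object { "$_" }) }).Count -gt 0
    }
$allowRules | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 4. Mitigation, applied only when explicitly requested
$applyMitigation = $false
if ($applyMitigation) {
    if (-not $role.Installed) {
        'Role absent: nothing to do'
    } else {
        # Either remove the role where it is not needed ...
        # Uninstall-WindowsFeature -Name UpdateServices
        # ... or block inbound traffic to the WSUS ports on the host firewall
        New-NetFirewallRule -DisplayName 'Block inbound WSUS ports' -Direction Inbound `
            -Protocol TCP -LocalPort $wsusPorts -Action Block -Enabled True
    }
}
```

The firewall block is only a stopgap for servers that still need the role internally; the patch for CVE-2025-59287 remains the fix.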
In many cases, the most straightforward and useful configuration change for hardening purposes remains blocking access to devices and services from the internet where it is not necessary.
What You Should Do Next: Audit Direct Send configuration settings and determine if additional hardening is necessary.
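One way to carry out that audit, as an added example (not the CTU report's or Microsoft's own script): it uses the ExchangeOnlineManagement module's cmdlets to read the tenant-level Direct Send setting and the DNS records Microsoft assumes are in place against spoofing. The domain and admin account are placeholders.

```powershell
# Added example: audit a Microsoft 365 tenant's Direct Send exposure.
# Requires: Install-Module ExchangeOnlineManagement
$domain = 'example.com'                     # placeholder: your accepted domain
Connect-ExchangeOnline -UserPrincipalName "admin@$domain" -ShowBanner:$false

# 1. Tenant setting: $true means unauthenticated Direct Send messages are rejected
$org = Get-OrganizationConfig
"RejectDirectSend: $($org.RejectDirectSend)"

# 2. SPF and DMARC for the domain (the spoofing controls Direct Send relies on)
$txt   = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings
$spf   = $txt | Where-Object { $_ -match '^v=spf1' } | Select-Object -First 1
$dmarc = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
         Where-Object { $_ -match '^v=DMARC1' } | Select-Object -First 1

if (-not $spf) { 'SPF: MISSING' }
elseif ($spf -notmatch 'spf\.protection\.outlook\.com') { "SPF present but does not include Exchange Online: $spf" }
elseif ($spf -match '\?all|\+all') { "SPF is neutral/permissive, spoofing not constrained: $spf" }
else { "SPF: $spf" }

if (-not $dmarc) { 'DMARC: MISSING' }
elseif ($dmarc -match 'p=(\w+)') {
    $policy = $Matches[1]
    if ($policy -eq 'none') { "DMARC policy is 'none' (monitor only): $dmarc" } else { "DMARC policy: $policy" }
}

# 3. Enforcement, only when explicitly requested. Confirm first that devices relaying through
#    Direct Send (printers, scanners) have been moved to an authenticated path such as SMTP AUTH
#    or an inbound connector, or they will stop sending.
$enforce = $false
if ($enforce -and -not $org.RejectDirectSend) {
    Set-OrganizationConfig -RejectDirectSend $true
    "RejectDirectSend now: $((Get-OrganizationConfig).RejectDirectSend)"
}

Disconnect-ExchangeOnline -Confirm:$false
```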
Infostealers remain major ransomware precursors
Stolen credentials open the way for additional attacks, typically ransomware deployment.
CTU researchers investigated the deployment of Qilin ransomware after a ClickFix attack led to an infostealer infection. Qilin is a highly active ransomware family operated by GOLD FEATHER. Its leak site listed the most victims of any name-and-shame scheme from October 2024 through September 2025. ClickFix is an increasingly common tactic used by threat actors to dupe victims into pasting malicious code into their device’s Run dialog box. In this case, the malicious code led to the download of the StealC V2 infostealer.
Infostealers are malware that steal data from devices they infect, including user credentials and tokens. These credentials are then either used by the same threat actor to gain access to networks or are packaged as logs and sold on underground marketplaces. The buyers then use them in attacks that often culminate in ransomware deployment. Infostealers may be delivered via phishing attacks, drive-by downloads, or other malware.
StealC was first offered for sale on the dark web on or before January 2023 and has been used regularly since. Version 2 was launched in 2025. Other infostealers offered significantly more logs; for example, over five times more LummaC2 logs were for sale on Russian Market at the end of 2024. However, LummaC2 has experienced a sharp drop in the number of captured logs, possibly due to a series of disruptions in 2025 that included a law enforcement takedown in May and a later doxxing of its developers that impacted LummaC2 infrastructure and operators. StealC and other popular infostealers may see an increase in use as a result.
Individual stealers come and go, but overall they remain a persistent threat. Organizations can guard against this threat by regularly patching internet-facing devices, comprehensively implementing phishing-resistant multi-factor authentication (MFA) as part of a conditional access policy, and monitoring their network and endpoints for malicious activity.
What You Should Do Next: Educate employees about the dangers of infostealers as part of ongoing security awareness training.
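Because ClickFix relies on the victim pasting a command into the Run dialog, the history Windows keeps of that dialog is a useful triage source on a suspect host. The following is an added example (not from the CTU report) that reads each loaded user profile's RunMRU key and flags entries containing common ClickFix ingredients; the pattern list is my own and will produce some benign hits (for example, an administrator launching cmd), so treat it as a starting point for review rather than a verdict.

```powershell
# Added example: triage Run-dialog history for ClickFix-style pasted commands.
# Run elevated so that every loaded user hive under HKEY_USERS can be read.
$patterns = @('powershell', 'pwsh', 'mshta', 'cmd', 'curl', 'certutil', 'bitsadmin',
              'rundll32', 'iex', 'invoke-', 'http', '-enc', '-w hidden', 'frombase64')

$findings = foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    # Only real user SIDs (skip .DEFAULT, _Classes and well-known service SIDs)
    if ($hive.PSChildName -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
    $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    if (-not (Test-Path $key)) { continue }

    $props = Get-ItemProperty -Path $key
    # MRUList (e.g. "cab") orders the single-letter value names from most to least recent
    $order = if ($props.MRUList) { $props.MRUList.ToCharArray() | ForEach-Object { "$_" } } else { @() }
    foreach ($name in $order) {
        if (-not $props.PSObject.Properties[$name]) { continue }
        $cmd = $props.$name -replace '\\1$', ''      # Windows stores each entry with a trailing "\1"
        $hit = $patterns | Where-Object { $cmd -like "*$_*" } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                UserSid = $hive.PSChildName
                Rank    = [array]::IndexOf($order, $name) + 1   # 1 = most recent
                Matched = $hit
                Command = $cmd
            }
        }
    }
}

if ($findings) { $findings | Sort-Object UserSid, Rank | Format-Table -AutoSize -Wrap }
else { 'No Run-dialog entries matched the pattern list' }
```

A long, obfuscated, or Base64-carrying entry ranked first for a user whose reported symptoms match the infection window is the kind of hit that warrants pulling that host's process-creation telemetry for the same period.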
Conclusion
A good defensive posture does not always require layers of different or new security products. Sometimes, meaningful improvements can come from measures as straightforward as ensuring implementations are comprehensive, hardening configurations, or applying the principle of least privilege to account permissions.