// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE INT-18DTG 0600Z
Endpoint Security Vendor

Sophos

18 PUBLIC SECURITY EVENTS ON FILE · 2023-05-31 — 2026-02-10

Publicly-known security events concerning Sophos — CVEs, advisories, and incidents drawn from open-source reporting. Every item links to its original source.

Category

What Sophos sells

EDR is agent-based endpoint tooling that monitors process/file/network activity, detects malicious behavior, and enables response. It is detection-led by design: it observes and acts after code executes. Its efficacy depends on recognizing a threat, so novel/zero-day techniques are a window of exposure until detected.

SOURCE · ColdRecon Reference

Sophos competes in the endpoint-security category. ColdRecon publishes only the factual public record below — no competitive analysis or positioning.

The Public Record

Recent security events

On file: 5 incidents · 11 research pocs · 2 vuln disclosures.

2026-02-10
incident
Reynolds Ransomware Embeds Vulnerable Driver to Kill EDR Before EncryptionReynolds ransomware
Broadcom researchers disclosed Reynolds ransomware in February 2026, which embeds the vulnerable NsecSoft NSecKrnl driver (CVE-2025-68947) directly into its payload to terminate endpoint security processes before encrypting files. This single-binary approach eliminates the detection gap of traditional BYOVD attacks, making it harder for defenders to spot. The ransomware targets major EDR products including CrowdStrike Falcon, Cortex XDR, and others.
2025-09-23
research poc
In-Memory PE Loader Demonstrates EDR Bypass via Dynamic ExecutionIn-Memory PE Loader
A proof-of-concept demonstrates an in-memory PE loader that downloads and executes a portable executable (e.g., putty.exe, EDRSilencer, Mimikatz) within an already-approved process, avoiding disk writes and evading detection by EDR solutions like Microsoft Defender XDR and Sophos XDR. The technique leverages dynamic execution to load malicious tools into a trusted process context, reducing EDR alerts.
2025-08-07
incident
HeartCrypt Packer-as-a-Service Used by Multiple Ransomware Groups to Disable Endpoint SecurityHeartCrypt
Sophos X-Ops uncovered HeartCrypt, a packer-as-a-service derived from EDRKillShifter, being used by at least eight ransomware groups to disable EDR and AV products before deploying ransomware. The tool injects malicious code into signed executables and uses BYOVD to load a kernel driver that terminates security processes. This represents a significant escalation in ransomware tactics through cybercrime-as-a-service.
2025-07-17
vuln disclosure
Sophos Intercept X for Windows Local Privilege Escalation VulnerabilityCVE-2025-7433
A local privilege escalation vulnerability (CVE-2025-7433) was disclosed in Sophos Intercept X for Windows with Central Device Encryption 2025.1 and older. It allows arbitrary code execution via deserialization of untrusted data. Sophos has released patches to address the issue.
2025-05-24
research poc
LoaderGate: C# Shellcode Loader Bypasses Cortex XDR and Sophos EDRLoaderGate
A security researcher released LoaderGate, a C# shellcode loader designed to bypass Palo Alto Cortex XDR and Sophos EDR. The tool demonstrates a specific evasion technique and was published with a detailed blog post. It highlights a potential detection gap in these endpoint security products.
2025-04-15
research poc
PatchedCLRLoader: .NET Assembly Loader with AMSI and ETW Patching BypassPatchedCLRLoader
A proof-of-concept tool named PatchedCLRLoader demonstrates loading .NET assemblies while bypassing AMSI and ETW by patching functions in clr.dll and ntdll.dll. It uses direct syscalls and RC4 encryption to evade detection, and was tested successfully against Cortex XDR, Sophos, MDE, and CrowdStrike. The technique specifically patches AmsiScanBuffer in clr.dll and NtTraceEvent to avoid newer Windows Defender protections.
2025-04-11
vuln disclosure
Resolved LPE vulnerability in Taegis Endpoint Agent (Linux) (CVE-2024-13861)CVE-2024-13861
Secureworks (a Sophos company) disclosed and fixed a local privilege escalation vulnerability in the Debian package component of Taegis Endpoint Agent for Linux. The flaw allowed arbitrary code execution. Red Hat-based Linux systems using RPM packages were not affected.
2025-02-07
research poc
Dark Web Actor Claims to Sell EDR Evasion ToolUnnamed EDR Evasion Tool
A threat actor on the dark web claims to sell a tool that bypasses EDR solutions using advanced cryptographic techniques. The tool reportedly targets CrowdStrike, Sophos, SentinelOne, and FortiClient. This highlights the growing black market for EDR evasion tools.
2024-08-02
research poc
RustPatchlessCLRLoader: Patchless AMSI and ETW Bypass for .NET Assembly LoadingRustPatchlessCLRLoader
RustPatchlessCLRLoader is a proof-of-concept tool that loads .NET assemblies while bypassing AMSI and ETW using hardware breakpoints instead of memory patching. It was tested against several EDR products and successfully executed without detection, though behavioral detection may still trigger on malicious actions.
2024-07-24
research poc
SyscallTempering: EDR Evasion via Hardware Breakpoint Syscall Argument SpoofingSyscallTempering
A proof-of-concept tool named SyscallTempering demonstrates a technique to evade EDR detection by tampering with system call arguments. It uses hardware breakpoints and a vectored exception handler to replace spoofed arguments with real ones on unhooked syscalls, successfully launching a payload under Sophos EDR. The method improves upon prior syscall tampering research by randomly selecting benign, unhooked syscalls and spoofing up to 11 arguments.
2024-07-17
incident
Fin7's AvNeutralizer Tool Enables EDR Tampering for Ransomware GangsAvNeutralizer
SentinelOne reports that the Fin7 threat group has developed and sold a custom tool called AvNeutralizer (aka AuKill) that tampers with endpoint detection and response (EDR) solutions. The tool has been used by multiple ransomware gangs, including AvosLocker, MedusaLocker, BlackCat, and LockBit, since early 2023. AvNeutralizer leverages a previously unseen technique using the Windows TTD monitor driver ProcLaunchMon.sys and a hardened process explorer driver to cause a denial-of-service condition on affected security products.
2024-05-26
research poc
BOAZ Multilayered AV/EDR Evasion Framework ReleasedBOAZ
BOAZ is a modular evasion framework that combines signature, heuristic, and behavioral bypass techniques to generate undetectable payloads. It was tested against 14 desktop AVs and 7 EDRs, including Sophos, Windows Defender, and ESET. The tool serves as both an evasion testing utility and a packer/obfuscator for researchers.
2024-01-20
incident
Terminator EDR Killer Tool Uses BYOVD to Terminate Security ProcessesTerminator EDR Killer (Spyboy)
A threat actor named Spyboy is selling a tool called Terminator that uses the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate processes of endpoint security products. The tool loads a vulnerable Zemana anti-malware driver to execute code in kernel mode, bypassing user-mode protections. SentinelOne detects known samples, and organizations are advised to review provided indicators of compromise.
2023-12-27
research poc
Novel EDR Bypass Techniques Using Hardware Breakpoints and Intentional ExceptionsHardware Breakpoint EDR Bypass
Researcher Marcus Hutchins published two novel techniques to bypass EDR user-mode hooks without triggering callstack-based detections. The methods use hardware breakpoints and intentional exceptions to manipulate parameters after EDR inspection, demonstrated against Sophos Intercept X process hollowing detection. A proof-of-concept is available on GitHub.
2023-12-24
research poc
Researcher Documents Meterpreter Evasion Against EDR Using XOR Encryption and .data SectionMeterpreter EDR Evasion via XOR and .data Section
A red teamer documents their process of evading EDR detection for a Meterpreter payload by applying XOR encryption and storing the encrypted shellcode in the .data section to reduce static signatures. The technique was tested against Sophos XDR Intercept and Microsoft Defender for Endpoint on Windows 11, aiming to run the payload with minimal alerts. The article is part one of a series, focusing on theoretical foundations and initial evasion attempts.
2023-08-16
research poc
AuKill EDR Killer Malware Technical AnalysisAuKill
A technical analysis of the AuKill malware, which uses a Bring Your Own Vulnerable Driver (BYOVD) technique with the PROCEXP.SYS driver to terminate protected EDR processes. The malware targets solutions like Sophos and Windows Defender, and has been used by ransomware groups including LockBit and Medusa.
2023-06-01
research poc
New malware tool claims to terminate multiple EDR and antivirus agentsEDR-Terminator
A video and Reddit post surfaced on May 28, 2023, showing an executable that allegedly disables tamper protection and terminates the on-premise agents of numerous endpoint security products. The tool claims to work against vendors including CrowdStrike, SentinelOne, Carbon Black, and Windows Defender. ThreatLocker notes that its application allowlisting would block such an unknown executable from running.
2023-05-31
incident
Terminator tool uses BYOVD with Zemana driver to terminate security productsTerminator
A threat actor is selling a tool called Terminator that uses a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate antivirus, EDR, and XDR processes. The tool drops a legitimate but vulnerable Zemana anti-malware driver (zamguard64.sys or zam64.sys) to gain kernel-level privileges and kill security software user-mode processes. CrowdStrike confirmed the technique is a BYOVD attack, not a novel bypass.
Every event on this page is a record in ColdRecon's canonical set, drawn from public reporting and linked to its source above. ColdRecon monitors open-source signal only; it publishes no non-public or customer information.

Sophos ships. Your prospect reads the headline. Do you?

ColdRecon turns this signal into one short daily brief, written from the seller's seat — what changed, why it matters to your deals, how to position. Request clearance and the first lands tomorrow at 0600.

Request Clearance →