Sophos 2026 Active Adversary Report — identity-dominant root causes; Impacket/AnyDesk

Sophos X-Ops disclosed an EDR-evasion development-and-testing environment recovered during an incident-response engagement and linked to an active (unnamed, still-under-investigation) ransomware group (Sophos X-Ops, 2026-06-02). The framework's Python payload generator — many modules partly AI-generated, with Russian-language comments — carried nearly 80 modules covering more than 70 evasion techniques. What distinguishes the lab is its agentic structure: a coordinator agent set rules for role-separated agents (EDR testing, OPSEC hardening, documentation, proxy stress-testing, VM deployment) connected over the Model Context Protocol to a Git repository, with the operator using the Cursor AI IDE and Ludus for rapid VM provisioning (Help Net Security, 2026-06-02). Payloads were tested against three isolated Windows Server 2022 VMs — one Sophos-equipped, one CrowdStrike-equipped, one EDR-free as baseline — with a Sliver/Cobalt Strike C2 stack and a Cloudflare Worker fronting the backend.

Why it matters to us: This is a concrete data point on adversaries operationalising agentic AI for detection-engineering against the exact EDR products (Sophos, CrowdStrike) deployed across CH/EU public-sector estates. The defensive principle is unchanged — the productivity multiplier is on the attacker's tooling, not a new bypass class — but it raises the priority of behavioural telemetry on payload-origin paths: Sophos noted the customer detection fired on "malicious payloads originating from a testing directory," a useful hunt pivot for anomalous build/test artefacts on endpoints.

Sophos published its 2026 Active Adversary Report (drawing on 661 IR/MDR cases) on 2026-06-02 (Sophos X-Ops, 2026-06-02). Per PD-9 this report gets one treatment; the findings that change defender priorities rather than the survey scorecard: identity-based compromise — stolen/valid credentials, brute force, and phishing — was the leading root cause, and missing or misconfigured MFA was present in a majority of incidents. Time from initial access to Active Directory compromise has compressed materially, with Impacket among the most frequently observed post-exploitation toolkits and AnyDesk the most-abused legitimate remote-access tool. The recurring telemetry blind spots are the actionable part: firewall logs were missing in roughly half of ransomware cases, and a meaningful share of compromised Windows Servers were running end-of-life builds. [SINGLE-SOURCE] (vendor IR telemetry report).

Why it matters to us: The hunt targets generalise directly to public-sector AD estates — alert on Impacket artefacts (impacket-* tool names in process trees, secretsdump-style NTDS access, SMBExec/WMIExec parent processes), instrument the initial-access-to-DC-compromise window, inventory EOL Windows Servers, and verify firewall log retention before an incident rather than during one.

Published 2026-05-15. Vendor-agnostic survey of 5,000 IT and security leaders across 17 countries (Q1 2026 fieldwork). The defender-relevant findings beyond the headline 71% identity-breach figure: (a) identity-to-ransomware pipeline dominant — 67% of ransomware victims attributed their ransomware incident directly to a prior identity attack, establishing identity-protocol abuse as the operationally dominant initial-access pattern; (b) non-human identity (NHI) mismanagement is the leading root cause — service accounts, API keys, AI-agent identities outnumber human identities by ratios up to 100:1 in surveyed organisations, weak NHI lifecycle management was the root cause in 41% of successful identity breaches, only 34% of organisations regularly audit NHI accounts; (c) Switzerland records the highest identity-breach incidence globally in the survey period; the daily 2026-05-15 also reported energy as the hardest-hit sector (Sophos blog; Help Net Security — Sophos 2026 identity-breach costs report; daily 2026-05-15).

The synthesis lens the daily did not have room for: the Sophos data corroborates the W19 Mandiant M-Trends finding that identity-rooted intrusions dominate IR-case data, and it converges with the Verizon DBIR 2026 finding (below) that stolen credentials remain the most common initial-access vector. The composite picture: for Swiss federal / cantonal estates with high service-account density and no NHI lifecycle governance, the NHI inventory + lifecycle gap is the single highest-leverage control deficit disclosed in this week's research output. The Sophos data is the empirical basis for prioritising NHI governance over endpoint-EDR upgrades, where budget pressure forces a choice. Detection focus: anomalous service-account Kerberos TGS requests (T1558.003 Kerberoasting), unusual OAuth token grants from CI/CD service identities, API key usage from unexpected source IPs or geographies.

Sophos published its State of Identity Security 2026 survey on 2026-05-14, drawing on responses from IT and cybersecurity leaders across 17 countries (Help Net Security, 2026-05-14). The headline finding is that more than 70% of surveyed organisations experienced at least one identity-related breach in the prior 12 months. Swiss organisations recorded the highest breach incidence among all surveyed countries. Sector analysis places energy, oil/gas, and utilities alongside federal government as the verticals with the highest breach rates — and two-thirds of ransomware victims in the survey attributed initial access to an identity compromise: stolen credentials, session hijacking, or MFA bypass. The survey corroborates NCSC-CH's sustained advisory focus on credential abuse and the trend visible across this brief series (Lumma Stealer takedown, FamousSparrow credential harvesting, TeamPCP OIDC token theft). Defenders in CH/EU public-sector environments should audit conditional access policies and MFA resilience controls — particularly for energy-sector service accounts and Entra ID/ADFS federations — against the pattern of phishing-resistant MFA requirements in NCSC-CH guidance.

Sophos X-Ops (cluster STAC4713) published a write-up on 2026-05-07 of a malvertising campaign using the counterfeit claude-pro[.]com site to distribute a previously-undocumented Windows backdoor named Beagle (Sophos X-Ops, 2026-05-07 · Malwarebytes, 2026-04-10 (earlier wave)). The chain delivers a 505 MB ZIP archive containing a malicious MSI that sideloads an attacker-controlled DLL alongside a legitimate, signed G DATA antivirus updater executable (T1574.002 DLL Side-Loading). The first-stage DonutLoader shellcode then fetches and injects Beagle into memory. Beagle communicates with license.claude-pro[.]com over TCP/443 and UDP/8080 with AES-encrypted payloads; supported commands are cmd, upload, download, ls. Sophos notes TTP similarity with PlugX operators (BRONZE PRESIDENT / Dragon Breath clusters) but explicitly does not confirm attribution. The campaign's distribution infrastructure was established March 2026 with samples observed in February, April and May.

The targeting class is the operationally important part: counterfeit AI-tooling sites lure technical users — developers, ML engineers, IT admins — who often hold privileged access to source code, cloud environments, and secrets. Defenders should treat AI-tool installer downloads as a high-risk software class and require allow-listed sources (anthropic.com, claude.ai, OS package managers) rather than ad-hoc web search results.