ctipilot.ch

Sophos State of Identity Security 2026: Switzerland highest breach incidence globally

annual-report · sophos-identity-security-2026

Coverage timeline
1
first 2026-05-15 → last 2026-05-15
Briefs
1
1 distinct
Sources cited
8
6 hosts
Sections touched
1
research
Co-occurring entities
4
see Related entities below

Story timeline

  1. 2026-05-15CTI Daily Brief — 2026-05-15
    researchFirst coverage. 70%+ of orgs breached via identity. CH highest globally. Energy and federal government hardest-hit sectors.

Where this entity is cited

  • research1

Source distribution

  • sophos.com2 (25%)
  • attack.mitre.org2 (25%)
  • helpnetsecurity.com1 (12%)
  • malwarebytes.com1 (12%)
  • isc.sans.edu1 (12%)
  • research.checkpoint.com1 (12%)

Related entities

All cited sources (8)

Items in briefs about Sophos State of Identity Security 2026: Switzerland highest breach incidence globally (2)

Sophos 2026 State of Identity Security: Switzerland records highest identity-breach incidence globally; energy and federal government hardest-hit sectors [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-15 · published 2026-05-15 · view item permalink →

Sophos published its State of Identity Security 2026 survey on 2026-05-14, drawing on responses from IT and cybersecurity leaders across 17 countries (Help Net Security, 2026-05-14). The headline finding is that more than 70% of surveyed organisations experienced at least one identity-related breach in the prior 12 months. Swiss organisations recorded the highest breach incidence among all surveyed countries. Sector analysis places energy, oil/gas, and utilities alongside federal government as the verticals with the highest breach rates — and two-thirds of ransomware victims in the survey attributed initial access to an identity compromise: stolen credentials, session hijacking, or MFA bypass. The survey corroborates NCSC-CH's sustained advisory focus on credential abuse and the trend visible across this brief series (Lumma Stealer takedown, FamousSparrow credential harvesting, TeamPCP OIDC token theft). Defenders in CH/EU public-sector environments should audit conditional access policies and MFA resilience controls — particularly for energy-sector service accounts and Entra ID/ADFS federations — against the pattern of phishing-resistant MFA requirements in NCSC-CH guidance.

Sophos: "Beagle" backdoor distributed via fake Claude AI site using DonutLoader + DLL sideloading on a signed G DATA AV updater

From CTI Daily Brief — 2026-05-10 · published 2026-05-15 · view item permalink →

Sophos X-Ops (cluster STAC4713) published a write-up on 2026-05-07 of a malvertising campaign using the counterfeit claude-pro[.]com site to distribute a previously-undocumented Windows backdoor named Beagle (Sophos X-Ops, 2026-05-07 · Malwarebytes, 2026-04-10 (earlier wave)). The chain delivers a 505 MB ZIP archive containing a malicious MSI that sideloads an attacker-controlled DLL alongside a legitimate, signed G DATA antivirus updater executable (T1574.002 DLL Side-Loading). The first-stage DonutLoader shellcode then fetches and injects Beagle into memory. Beagle communicates with license.claude-pro[.]com over TCP/443 and UDP/8080 with AES-encrypted payloads; supported commands are cmd, upload, download, ls. Sophos notes TTP similarity with PlugX operators (BRONZE PRESIDENT / Dragon Breath clusters) but explicitly does not confirm attribution. The campaign's distribution infrastructure was established March 2026 with samples observed in February, April and May.

The targeting class is the operationally important part: counterfeit AI-tooling sites lure technical users — developers, ML engineers, IT admins — who often hold privileged access to source code, cloud environments, and secrets. Defenders should treat AI-tool installer downloads as a high-risk software class and require allow-listed sources (anthropic.com, claude.ai, OS package managers) rather than ad-hoc web search results.