Sophos Endpoint in action: Blocking a novel supply chain attack
2026-05-12 · via Sophos Blogs

Sophos Endpoint is architected from the ground up to automatically block exploits, ransomware, and attacker techniques by default with zero manual tuning. 

This threat case showcases how the unique anti-exploitation capabilities included with Sophos Endpoint blocked a supply chain attack through JDownloader, a free, Java-based download manager from AppWork GmbH that automates bulk downloads from one-click file hosters and video sites.

How the attack unfolded

This was a watering hole attack: between May 6 and May 7, 2026, attackers compromised the official JDownloader website and quietly swapped the Windows installers on the alternative download page with unsigned, malware-laced binaries. 

The trojanized binary bundled the real JDownloader alongside the malicious code, so the application installed and ran normally and the unsuspecting victim had no visible indication that they had been compromised. Reports from victims indicate that the payload disables Microsoft Defender as part of its execution chain.

The substitution went undetected for more than a day before a Reddit user spotted the SmartScreen warnings and a JDownloader developer confirmed the breach and took the site offline. Until that point, every download came with hidden malware baked in.

The root cause? An unpatched flaw in JDownloader's website that allowed the attackers to edit the site's access control lists without authenticating. Once in, they simply repointed the download links to their own malicious files. 

In a supply chain attack the challenge is not whether attackers will reach your endpoints, but whether your defenses can stop techniques they have never seen, without per-application tuning, exclusion lists, or a security specialist on standby.

In this attack, Sophos Endpoint blocked the trojanized installer through Kernel32Trap, one of the 60+ exploit mitigations that deploy automatically from day one. No cloud lookup, no signature, no AI inference, no prior knowledge of the campaign was required. 

A unique approach that turns the tables on attackers

Kernel32Trap targets MITRE ATT&CK T1027.007 (Dynamic API Resolution), a near-universal pattern in shellcode, where the payload locates the system functions it needs at runtime rather than declaring them in the binary's import table, where antivirus scanners would see them. 

MITRE itself classifies this technique as one that "cannot be easily mitigated with preventive controls since it is based on the abuse of system features."

At Sophos, our approach is to invert the assumption the technique depends on: just as attackers plant malware where users expect to find legitimate files, we plant a trap in the exact place the malware expects to find a legitimate system component. The moment the malware tries to call what it has just "resolved," control of the attack moves inside our mitigation and the process is terminated.

Two design choices, unique to Sophos Endpoint, make this work.

  1. Sophos Endpoint loads its runtime protection into every process exceptionally early via a proprietary mechanism. That means the trap is already armed when the application launches; the attacker's very first move is checked against a defense that was waiting for it.
  2. The mitigation triggers at the precise moment of weaponization: the malware is stopped on its first attempt to use a resolved API, not earlier (which would risk false positives on benign code) and not later (when the payload is already executing). When the kill fired, the malware was in the middle of building the list of Windows functions it needed to deploy its second stage.
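The fire point described above, as an added toy model (not Sophos code and not the real Kernel32Trap mechanism): a constructed stand-in for kernel32's export directory, a loader path that normally imported code uses, and a trap that sits only on the path a manual export walker takes, so resolution succeeds silently and the process is stopped on the first call through a resolved address.

```python
"""Toy model of trapping dynamic API resolution (T1027.007).

Everything here is constructed for illustration: the module, its
exports and the two lookup paths are assumptions, not Windows internals.
"""


class ProcessTerminated(Exception):
    """Stands in for the mitigation killing the process."""


class FakeModule:
    """Pretend kernel32: an export directory of name -> callable."""

    def __init__(self, exports):
        self._loader_view = dict(exports)   # what import-table binding hands out
        self._walker_view = dict(exports)   # what a manual export-directory walk sees
        self.fired = []                     # names whose trap stub was hit

    def arm_trap(self):
        # Plant a stub in the walker view only; benign imports are untouched.
        for name, real in self._loader_view.items():
            self._walker_view[name] = self._make_stub(name)

    def _make_stub(self, name):
        def stub(*_args):
            self.fired.append(name)
            raise ProcessTerminated(f"first call through resolved {name} blocked")
        return stub

    def bind_import(self, name):
        """Normal loader binding: the benign path."""
        return self._loader_view[name]

    def walk_export_directory(self, name):
        """Runtime resolution by scanning the export directory: the T1027.007 path."""
        return self._walker_view[name]


def make_kernel32():
    """Constructed exports with fake return values."""
    return FakeModule({
        "WriteFile": lambda _path, data: len(data),
        "VirtualAlloc": lambda _size: 0x7FFE0000,
        "LoadLibraryA": lambda _name: 0x10000000,
    })


def run_benign(module):
    """Application code that imported WriteFile at load time keeps working."""
    return module.bind_import("WriteFile")("log.txt", b"hello")


def run_payload(module):
    """Payload builds its API list at runtime; resolving is silent, the first call fires."""
    load_library = module.walk_export_directory("LoadLibraryA")
    module.walk_export_directory("VirtualAlloc")      # still resolving, nothing fires yet
    return load_library("wininet.dll")                # first use: trap fires here
```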

Between May 6 and May 8, this single mitigation fired on 11 customer endpoints across our install base, blocking execution of the trojanized JDownloader installer in every case, well before the JDownloader team finished remediating the compromise on their side.

Sophos Endpoint’s strategic difference

Attackers tune their evasion against the defenses they expect to encounter, and the dominant assumption is the protection that ships in the box with the operating system. The mitigations that don't sit in their test matrix, the friction they didn't plan for, are where we win.

What makes Sophos Endpoint’s advantage durable is that most of the 60+ anti-exploitation mitigations apply to every running application by default without breaking compatibility and without per-environment tuning. Kernel32Trap is not a new feature; in fact, it’s been silently doing its job for 10 years: same code path, no tuning, same powerful protection against attacks engineered to bypass typical default defenses.

Comparable products that offer similar techniques typically restrict them to a fixed allow-list of known-sensitive processes, which is ineffective against a trojanized installer that can run under any process name. 

That is what technique-level defense-in-depth looks like in production: a 2016 mitigation, applied universally, turning an evasion technique that MITRE itself flags as unpreventable into a non-event for 11 customers in two days.

One story, many more examples

This story is one example of an all-too-common adversary approach. 

We observed a similar pattern in the CPU-Z incident in April 2026, when cpuid.com was compromised and download URLs for CPU-Z and HWMonitor were replaced with links to malicious installers that used DLL sideloading. 

Sophos Endpoint blocked that campaign as well, without prior knowledge, this time via Dynamic Shellcode Protection, another Sophos-specific mitigation in the same Runtime Protection layer.

Elevate your defenses against supply chain attacks with Sophos Endpoint

Sophos Endpoint delivers unmatched defense against human and AI-led attacks. To learn more and take it for a test drive, visit sophos.com/endpoint.