Bypass Record
Reflective Code Loading × Sophos XDR
A publicly-reported instance of Reflective Code Loading bypassing Sophos XDR, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
The loader downloads a 64-bit PE file from a remote URL straight into memory, parses its headers, allocates a region inside the calling process, copies each section to its virtual address, applies base relocations for the address it was actually given, resolves imports, sets per-section memory protections, and calls the entry point. Nothing is written to disk and no module passes through the Windows image loader, so file scanning and image-load telemetry never see the payload; the code runs inside a process that has already passed the EDR's initial checks.
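The mapping steps above, carried through in Python as an added example (this is not code from the cited report or from any loader it describes): it parses the DOS, NT, optional and section headers of a constructed minimal 64-bit PE, copies each section to its virtual address, applies DIR64 base relocations for a new load address, and derives the page protection each section would be given. Import resolution and execution are deliberately left out, so the block runs anywhere without touching the Windows loader; the sample PE, its two-section layout and the 0x7FF610000000 load address are all constructed for the example.

```python
import struct

# Constants from the PE/COFF specification (winnt.h names).
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE = 0      # padding entry, no fixup
IMAGE_REL_BASED_DIR64 = 10        # add the load delta to a 64-bit pointer
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

OPT_FMT = '<HBBIIIIIQIIHHHHHHIIIIHHQQQQII'   # IMAGE_OPTIONAL_HEADER64 without the data directories
OPT_FIELDS = ('Magic', 'MajorLinkerVersion', 'MinorLinkerVersion', 'SizeOfCode', 'SizeOfInitializedData',
              'SizeOfUninitializedData', 'AddressOfEntryPoint', 'BaseOfCode', 'ImageBase', 'SectionAlignment',
              'FileAlignment', 'MajorOperatingSystemVersion', 'MinorOperatingSystemVersion', 'MajorImageVersion',
              'MinorImageVersion', 'MajorSubsystemVersion', 'MinorSubsystemVersion', 'Win32VersionValue',
              'SizeOfImage', 'SizeOfHeaders', 'CheckSum', 'Subsystem', 'DllCharacteristics', 'SizeOfStackReserve',
              'SizeOfStackCommit', 'SizeOfHeapReserve', 'SizeOfHeapCommit', 'LoaderFlags', 'NumberOfRvaAndSizes')
SEC_FMT = '<8sIIIIIIHHI'                      # IMAGE_SECTION_HEADER
SEC_FIELDS = ('Name', 'VirtualSize', 'VirtualAddress', 'SizeOfRawData', 'PointerToRawData', 'PointerToRelocations',
              'PointerToLinenumbers', 'NumberOfRelocations', 'NumberOfLinenumbers', 'Characteristics')


def parse_pe(blob):
    """Walk the headers a loader must parse: DOS header -> e_lfanew -> PE signature -> COFF header ->
    optional header -> data directories -> section table. Only x64 PE32+ is handled."""
    if blob[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', blob, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_FMT, blob, opt_off)))
    if machine != IMAGE_FILE_MACHINE_AMD64 or opt['Magic'] != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError('only 64-bit PE32+ images are handled here')
    dirs_off = opt_off + struct.calcsize(OPT_FMT)
    dirs = [struct.unpack_from('<II', blob, dirs_off + 8 * i) for i in range(opt['NumberOfRvaAndSizes'])]
    sections = []
    for i in range(nsections):
        s = dict(zip(SEC_FIELDS, struct.unpack_from(SEC_FMT, blob, opt_off + opt_size + 40 * i)))
        s['Name'] = s['Name'].rstrip(b'\0').decode()
        sections.append(s)
    return opt, dirs, sections


def section_protection(characteristics):
    """Page protection a loader would request with VirtualProtect once a section is mapped
    (read access assumed; PAGE_NOACCESS and write-copy variants are ignored for brevity)."""
    executable = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    writable = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    if executable:
        return 'PAGE_EXECUTE_READWRITE' if writable else 'PAGE_EXECUTE_READ'
    return 'PAGE_READWRITE' if writable else 'PAGE_READONLY'


def map_image(blob, new_base):
    """Lay the file out as it would sit in memory at new_base and apply base relocations.
    Import resolution is not shown: the sample has no import directory, and resolving one needs
    the host's export tables (LoadLibrary/GetProcAddress on Windows)."""
    opt, dirs, sections = parse_pe(blob)
    image = bytearray(opt['SizeOfImage'])
    image[:opt['SizeOfHeaders']] = blob[:opt['SizeOfHeaders']]
    for s in sections:   # file offsets -> RVAs; bytes beyond SizeOfRawData stay zero (.bss)
        raw = blob[s['PointerToRawData']:s['PointerToRawData'] + s['SizeOfRawData']]
        image[s['VirtualAddress']:s['VirtualAddress'] + len(raw)] = raw
    delta = new_base - opt['ImageBase']
    reloc_rva, reloc_size = dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC]
    pos, end, fixups = reloc_rva, reloc_rva + reloc_size, 0
    while delta and pos + 8 <= end:   # each block: page RVA, block size, then 16-bit (type<<12 | offset) entries
        page_rva, block_size = struct.unpack_from('<II', image, pos)
        if block_size < 8:
            raise ValueError('malformed relocation block')
        for entry in struct.unpack_from(f'<{(block_size - 8) // 2}H', image, pos + 8):
            kind, offset = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_DIR64:
                raise NotImplementedError(f'relocation type {kind}')
            target = page_rva + offset
            value = (struct.unpack_from('<Q', image, target)[0] + delta) & 0xFFFFFFFFFFFFFFFF
            struct.pack_into('<Q', image, target, value)
            fixups += 1
        pos += block_size
    protections = {s['Name']: section_protection(s['Characteristics']) for s in sections}
    return image, new_base + opt['AddressOfEntryPoint'], fixups, protections


def build_sample_pe(image_base=0x140000000):
    """Constructed sample, not a real binary: a two-section PE32+ whose .text holds one absolute
    pointer (at RVA 0x1010, pointing to RVA 0x1020) and whose .reloc carries the DIR64 fixup for it."""
    raw_size, text_rva, reloc_rva = 0x200, 0x1000, 0x2000
    text = (b'\x90' * 16 + struct.pack('<Q', image_base + 0x1020)).ljust(raw_size, b'\0')
    reloc_block = struct.pack('<IIHH', text_rva, 12, (IMAGE_REL_BASED_DIR64 << 12) | 0x10, IMAGE_REL_BASED_ABSOLUTE)
    dos = b'MZ' + bytes(58) + struct.pack('<I', 0x40)                       # e_lfanew -> 0x40
    coff = struct.pack('<HHIIIHH', IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, 240, 0x2022)
    opt = struct.pack(OPT_FMT, IMAGE_NT_OPTIONAL_HDR64_MAGIC, 14, 0, raw_size, raw_size, 0, text_rva, text_rva,
                      image_base, 0x1000, raw_size, 6, 0, 0, 0, 6, 0, 0, 0x3000, raw_size, 0, 3, 0x160,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = (bytes(8 * IMAGE_DIRECTORY_ENTRY_BASERELOC) + struct.pack('<II', reloc_rva, len(reloc_block))).ljust(128, b'\0')
    text_hdr = struct.pack(SEC_FMT, b'.text', raw_size, text_rva, raw_size, 0x200, 0, 0, 0, 0, 0x60000020)   # CODE|EXECUTE|READ
    reloc_hdr = struct.pack(SEC_FMT, b'.reloc', len(reloc_block), reloc_rva, raw_size, 0x400, 0, 0, 0, 0, 0x42000040)  # DATA|DISCARDABLE|READ
    headers = (dos + b'PE\0\0' + coff + opt + dirs + text_hdr + reloc_hdr).ljust(raw_size, b'\0')
    return headers + text + reloc_block.ljust(raw_size, b'\0')


if __name__ == '__main__':
    image, entry, fixups, prot = map_image(build_sample_pe(), 0x7FF610000000)
    print(hex(entry), fixups, prot)
```

Mapping the sample at its preferred base applies no fixups; mapping it at 0x7FF610000000 rewrites the one pointer so it follows the image to its new address. The protection table is the step where an RWX-allocated region is usually narrowed to RX for code and RW for data, which is what the allocation-pattern detection below keys on.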
Detection & mitigation
Monitor for suspicious memory allocation patterns (for example, VirtualAlloc requesting PAGE_EXECUTE_READWRITE, or a VirtualProtect call that turns a writable private region executable, since many loaders allocate RW and flip to RX rather than asking for RWX outright) and for thread creation within trusted processes, especially when the same process makes network connections to download additional code. Executable private memory with no backing image file is a strong corroborating signal, though JIT runtimes produce it legitimately, so correlate it with the thread start address and the network activity rather than alerting on it alone. Enforce application control and code integrity policies to restrict unsigned code execution in memory; note that these policies gate image loads, so they constrain the loader's initial foothold rather than the reflectively mapped payload itself.
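The correlation described above, as an added example that is not from the cited source: a small Python rule run over constructed per-process telemetry (the field names, PIDs, image paths, addresses and timestamps are made up for the example and do not follow a real Sysmon or ETW schema). It flags a thread whose start address lies inside memory the same process made executable at run time, either through an executable VirtualAlloc or by flipping a writable region with VirtualProtect, and raises the severity when that process also made a network connection within the window. A JIT-style process that allocates RWX but starts its thread in a loaded module is left alone.

```python
from collections import defaultdict

EXECUTABLE = {'PAGE_EXECUTE', 'PAGE_EXECUTE_READ', 'PAGE_EXECUTE_READWRITE', 'PAGE_EXECUTE_WRITECOPY'}

# Constructed telemetry (not real Sysmon/ETW records); one scenario per PID.
EVENTS = [
    # Scenario A: a trusted process fetches a payload, allocates RWX, and starts a thread inside that region.
    {'ts': 100.0, 'pid': 4242, 'image': r'C:\Windows\explorer.exe', 'event': 'NetworkConnect', 'dst': '203.0.113.10:443'},
    {'ts': 101.5, 'pid': 4242, 'image': r'C:\Windows\explorer.exe', 'event': 'VirtualAlloc',
     'base': 0x1F0000, 'size': 0x30000, 'protect': 'PAGE_EXECUTE_READWRITE'},
    {'ts': 101.6, 'pid': 4242, 'image': r'C:\Windows\explorer.exe', 'event': 'CreateThread', 'start': 0x1F1000},
    # Scenario B: a JIT runtime allocates RWX, but its new thread starts inside a loaded module, not the region.
    {'ts': 200.0, 'pid': 5151, 'image': r'C:\Program Files\Acme\jit-host.exe', 'event': 'VirtualAlloc',
     'base': 0x2A0000, 'size': 0x10000, 'protect': 'PAGE_EXECUTE_READWRITE'},
    {'ts': 200.2, 'pid': 5151, 'image': r'C:\Program Files\Acme\jit-host.exe', 'event': 'CreateThread', 'start': 0x7FF7A0001000},
    # Scenario C: RW allocation flipped to RX before the thread starts; an RWX-only rule would miss this.
    {'ts': 300.0, 'pid': 6363, 'image': r'C:\Windows\System32\svchost.exe', 'event': 'VirtualAlloc',
     'base': 0x3B0000, 'size': 0x40000, 'protect': 'PAGE_READWRITE'},
    {'ts': 300.4, 'pid': 6363, 'image': r'C:\Windows\System32\svchost.exe', 'event': 'VirtualProtect',
     'base': 0x3B0000, 'size': 0x40000, 'old_protect': 'PAGE_READWRITE', 'new_protect': 'PAGE_EXECUTE_READ'},
    {'ts': 300.5, 'pid': 6363, 'image': r'C:\Windows\System32\svchost.exe', 'event': 'CreateThread', 'start': 0x3B2000},
]


def correlate(events, window=30.0):
    """Return one alert per thread that starts inside memory the same process made executable at
    run time within `window` seconds. A network connection in the window raises the severity."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e['pid']].append(e)
    alerts = []
    for pid, evs in sorted(by_pid.items()):
        evs.sort(key=lambda e: e['ts'])
        regions = []   # (ts, base, end, how) for every region that became executable
        net = [e for e in evs if e['event'] == 'NetworkConnect']
        for e in evs:
            if e['event'] == 'VirtualAlloc' and e['protect'] in EXECUTABLE:
                regions.append((e['ts'], e['base'], e['base'] + e['size'], f"VirtualAlloc({e['protect']})"))
            elif (e['event'] == 'VirtualProtect' and e['new_protect'] in EXECUTABLE
                  and e['old_protect'] not in EXECUTABLE):
                regions.append((e['ts'], e['base'], e['base'] + e['size'],
                                f"VirtualProtect({e['old_protect']}->{e['new_protect']})"))
            elif e['event'] == 'CreateThread':
                for ts, base, end, how in regions:
                    if base <= e['start'] < end and 0 <= e['ts'] - ts <= window:
                        dsts = [n['dst'] for n in net if abs(n['ts'] - e['ts']) <= window]
                        alerts.append({'pid': pid, 'image': e['image'], 'how': how, 'thread_start': e['start'],
                                       'network': dsts, 'severity': 'high' if dsts else 'medium'})
                        break
    return alerts


if __name__ == '__main__':
    for alert in correlate(EVENTS):
        print(alert)
```

The rule reports scenarios A and C and stays silent on B: RWX allocation by itself is too common to alert on, and the thread start address is what ties the allocation to execution. Real telemetry would also carry whether the region is backed by an image file, which this constructed feed omits; adding that field as a further condition is the natural next refinement.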
This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.