bird.makeup

"While conducting a postmortem review of the Asnarök attack, [Sophos] built a specialized kernel implant to deploy to devices that Sophos had high confidence were controlled by groups conducting malicious exploit research. The tool allowed for remote file and log collection without any visible userland artifacts." https://www.securityweek.com/sophos-used-custom-implants-to-surveil-chinese-hackers-targeting-firewall-zero-days/