Declaration of Joseph H. Levy in Support of Sophos’s Application for an Emergency Ex Parte Temporary Restraining Order and Order to Show Cause re Preliminary Injunction

Sophos Limited and Sophos Inc. v. John Does 1-2

Date of Court Filing: May 1, 2020
Court Name: United States District Court
Court Jurisdiction: Eastern District of Virginia, Alexandria Division
Case Number: Case No. 1:20-cv-00502-LO-JFA

Document Summary

Joseph H. Levy’s declaration for Sophos is a focused incident-response and infrastructure-seizure filing arising from the 2020 attacks on Sophos firewall products. Submitted by the Sophos chief technology officer, the declaration explains how the defendants allegedly exploited a previously unknown SQL injection vulnerability to gain remote code execution on Sophos firewalls, insert Linux shell commands into a database table, and trigger the download of malicious shell scripts from look-alike domains such as sophosfirewallupdate.com. Levy describes the infection chain in practical forensic detail: the initial install script wrote additional files into the device, modified existing operating-system scripts, established persistence so malicious components would run on boot, concealed attacker activity in the administrative panel, and downloaded an executable referred to as “2own.” The malware then repeatedly attempted to resolve malicious domains, retrieve additional payloads, and maintain covert access to targeted firewall appliances.

What makes this declaration distinct is its combination of exploitation narrative and domain-impersonation evidence. Levy identifies a series of domains that mimicked Sophos branding and, in one instance, its Reflexion cloud email security subsidiary, including sophosenterprisecenter.com, sophosproductupdate.com, xn--rflexion-b1a.com, reflexion.com, and related downloader domains. He explains that the defendants used privacy services, deceptive naming conventions, and hard-coded IP values to conceal operations while confusing customers and tarnishing the Sophos mark. The declaration is crafted to justify emergency ex parte relief: Levy argues that transferring or redirecting the malicious domains without advance notice is essential because the attackers are sophisticated, persistent, and likely to relocate infrastructure or destroy evidence if warned. For readers researching Sophos firewall hacking, SQL injection against security appliances, remote code execution on firewalls, malware persistence on Linux-based network devices, deceptive typosquatting domains, and emergency botnet or domain sinkhole litigation, this filing is a concise but highly important expert declaration.
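The declaration's list of brand-mimicking and punycode domains suggests a straightforward defensive check: fold each queried name to ASCII and flag any label that borrows a protected brand. The following is an added example, not code from the filing or from Sophos; the DNS log format, the sample lines and the allowlist are constructed assumptions.

```python
import re
import unicodedata

# Brand strings the declaration says the look-alike domains borrowed from.
PROTECTED_BRANDS = ("sophos", "reflexion")

# Assumed allowlist of legitimate domains; a real deployment loads its own.
ALLOWLIST = {"sophos.com"}

# Constructed resolver log lines in a hypothetical "timestamp host query <name>" format.
SAMPLE_LOG = """\
2020-04-22T10:01:02Z fw01 query sophosfirewallupdate.com
2020-04-22T10:01:05Z fw01 query sophos.com
2020-04-22T10:02:11Z fw02 query xn--rflexion-b1a.com
2020-04-22T10:02:40Z fw02 query example.org
2020-04-22T10:03:13Z fw03 query sophosproductupdate.com
"""

QUERY_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<name>\S+)$")


def fold_domain(name: str) -> str:
    """Decode IDNA/punycode labels and strip accents, so 'xn--rflexion-b1a.com' folds to 'reflexion.com'."""
    try:
        decoded = name.rstrip(".").lower().encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        decoded = name.lower()
    # NFKD splits 'é' into 'e' plus a combining acute; drop the combining marks.
    nfkd = unicodedata.normalize("NFKD", decoded)
    return "".join(ch for ch in nfkd if not unicodedata.combining(ch))


def is_lookalike(name: str) -> bool:
    """True when a non-allowlisted domain carries a protected brand in any label below the TLD."""
    folded = fold_domain(name)
    if folded in ALLOWLIST:
        return False
    labels = folded.split(".")[:-1]  # ignore the TLD label itself
    return any(brand in label for label in labels for brand in PROTECTED_BRANDS)


def flag_lookalikes(log_text: str) -> list:
    """Return (host, queried name, folded form) for every query that impersonates a protected brand."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m and is_lookalike(m["name"]):
            hits.append((m["host"], m["name"], fold_domain(m["name"])))
    return hits
```

Running `flag_lookalikes(SAMPLE_LOG)` reports the three impersonating names, with the punycode domain shown in its folded `reflexion.com` form so an analyst recognises the brand at a glance.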