Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Narinder Bains
Infrastructure Manager, National Farmers' Union (Guest Contributor)
Share
12
Sep 2022
The National Farmers' Union (NFU) is the largest farmers’ organization in England and Wales, representing more than 46,000 farming businesses and over 80,000 members. We champion farmers across the country and represent them in Europe, negotiating with governments and other organizations from our Brussels office.
Despite the wide scope of our operations, our IT team consists of only 15 individuals. Because of this, we began looking for a security solution which could bolster our small team and its capacity to monitor our organization without complicating our security efforts.
Revealing NFU’s Environment with AI
We were satisfied that our firewalls and other older security tools were doing all that they could to protect our perimeter security. These tools could be working perfectly, but we would still lack the ability to know whether attacks were unfolding under the radar within our network. In other words, we needed visibility when there were already hackers inside.
Even with the best perimeter protection we could buy, this remained a blind spot, and the numerous high-profile stories in the news regarding successful ransomware attacks over last few years left the team increasingly on edge.
We also knew that attackers weren’t just probing in one area – we needed coverage over our entire digital estate, including our endpoint devices and Microsoft 365 activity. These were the areas that were the most difficult to get visibility over, but also the newest parts of our digital estate and the most vulnerable to attacks.
When we were introduced to Darktrace, we quickly saw its potential: the visibility it gave us across our digital estate was unparalleled, and its Autonomous Response technology was something we knew could be a huge benefit for NFU.
Previously, we’d lost hours sifting through data in an attempt to respond to attacks, and that’s only after dealing with numerous emails and false positives from our old security solutions. Once Darktrace was implemented, it covered everything, allowing us to view our entire organization from a single platform, and it dealt with threats 24/7 without requiring any input from us.
Taking action on a pre-infected endpoint
NFU’s adoption of hybrid working brought the importance of endpoint security to the forefront of our team’s minds. The dispersion of company devices across the country made it harder than ever for the team to monitor logs with their existing manpower, and we were constantly worried that an employee at home – whether or not they were connected to the company VPN – might inadvertently open us up to an attack like ransomware.
Because it bases its detection on an understanding of the digital estate’s ‘normal’ behaviors, we hadn’t expected that Darktrace would be able to spot threats in pre-infected environments. As soon as we deployed Darktrace/Endpoint, however, it spotted a user trying to make root level changes to one of our servers from a company laptop without permission, and immediately blocked the activity while allowing the user to continue legitimate business operations. Its ability to differentiate between benign and risky activity was impressive.
A straightforward threat summary delivered to our security team allowed us to understand the situation quickly and easily. Seeing this technology not only spotting dangerous activity, but quickly taking the necessary steps to stop it and strengthen our security posture in its wake, has really given us that extra peace of mind.
Enhancing existing tools with AI
Adding something to your security stack can often mean taking one step forward and two steps back, as the incorporation of a new solution can damage the ability of an old one. For example, creating two VPNs: while it seems like it might provide greater security, the two networks often disrupt one another and only make protection more difficult.
Darktrace, however, augments existing endpoint solutions, utilizing the data they gather in its investigations. By implementing the technology, we weren’t replacing our existing security tools but enhancing them. The way we see it, the greater the depth and breadth of information we feed into Darktrace’s AI, the greater its understanding and the better its decision-making; ultimately, the better it can protect our organization.
In addition to our endpoint devices, Darktrace now works across our Microsoft 365 environments and the network. It uses data from all three areas to draw conclusions about emerging threats and can take action against attacks wherever and whenever they emerge in the digital environment. Knowing this allows us to finally feel confident in our security posture, and to focus our efforts on the rest of our business operations.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Narinder Bains
Infrastructure Manager, National Farmers' Union (Guest Contributor)
ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval
Darktrace detected a potential ClearFake‑related incident involving signs of EtherHiding activity and interactions with blockchain‑based infrastructure. A single device showed repeated suspicious command‑line behavior, primarily involving Microsoft HTML Application Host. The activity occurred over the course of a day and indicated early‑stage attempts to load malicious content associated with the ClearFake campaign.
To observe adversary behavior in real time, Darktrace operates a global honeypot network known as “CloudyPots”, designed to capture malicious activity across a wide range of services, protocols, and cloud platforms. These honeypots provide valuable insights into the techniques, tools, and malware actively targeting internet‑facing infrastructure.
How attackers used a Jenkins honeypot to deploy the botnet
One such software honeypotted by Darktrace is Jenkins, a CI build system that allows developers to build code and run tests automatically. The instance of Jenkins in Darktrace’s honeypot is intentionally configured with a weak password, allowing attackers to obtain remote code execution on the service.
In one instance observed by Darktrace on March 18, 2026, a threat actor seemingly attempted to target Darktrace’s Jenkins honeypot to deploy a distributed denial-of-service (DDoS) botnet. Further analysis by Darktrace’s Threat Research team revealed the botnet was intended to specifically target video game servers.
How the Jenkins scriptText endpoint was used for remote code execution
The Jenkins build system features an endpoint named scriptText, which enables users to programmatically send new jobs, in the form of a Groovy script. Groovy is a programming language with similar syntax to Java and runs using the Java Virtual Machine (JVM). An attacker can abuse the scriptText endpoint to run a malicious script, achieving code execution on the victim host.
Figure 1: Request sent to the scriptText endpoint containing the malicious script.
The malicious script is sent using the form-data content type, which results in the contents of the script being URL encoded. This encoding can be decoded to recover the original script, as shown in Figure 2, where Darktrace Analysts decoded the script using CyberChef,
Figure 2: The malicious script decoded using CyberChef.
What happens after Jenkins is compromised
As Jenkins can be deployed on both Microsoft Windows and Linux systems, the script includes separate branches to target each platform.
In the case of Windows, the script performs the following actions:
Downloads a payload from 103[.]177.110.202/w.exe and saves it to C:\Windows\Temp\update.dat.
Renames the “update.dat” file to “win_sys.exe” (within the same folder)
Runs the Unblock-File command is used to remove security restrictions typically applied to files downloaded from the internet.
Adds a firewall allow rule is added for TCP port 5444, which the payload uses for command-and-control (C2) communications.
On Linux systems, the script will instead use a Bash one-liner to download the payload from 103[.]177.110.202/bot_x64.exe to /tmp/bot and execute it.
Why this botnet uses a single IP for delivery and command and control
The IP 103[.]177.110.202 belongs to Webico Company Limited, specifically its Tino brand, a Vietnamese company that offers domain registrar services and server hosting. Geolocation data indicates that the IP is located in Ho Chi Minh City. Open-source intelligence (OSINT) analysis revealed multiple malicious associations tied to the IP [1].
Darktrace’s analysis found that the IP 103[.]177.110.202 is used for multiple stages of an attack, including spreading and initial access, delivering payloads, and C2 communication. This is an unusual combination, as many malware families separate their spreading servers from their C2 infrastructure. Typically, malware distribution activity results in a high volume of abuse complaints, which may result in server takedowns or service suspension by internet providers. Separate C2 infrastructure ensures that existing infections remain controllable even if the spreading server is disrupted.
How the malware evades detection and maintains persistence
Analysis of the Linux payload (bot _x64)
The sample begins by setting the environmental variables BUILD_ID and JENKINS_NODE_COOKIE to “dontKillMe”. By default, Jenkins terminates long-running scripts after a defined timeout period; however, setting these variables to “dontKillMe” bypasses this check, allowing the script to continue running uninterrupted.
The script then performs several stealth behaviors to evade detection. First, it deletes the original executable from disk and then renames itself to resemble the legitimate kernel processes “ksoftirqd/0” or “kworker”, which are found on Linux installations by default. It then uses a double fork to daemonize itself, enabling it to run in the background, before redirecting standard input, standard output, and standard error to /dev/null, hiding any logging from the malware. Finally, the script creates a signal handler for signals such as SIGTERM, causing them to be ignored and making it harder to stop the process.
Figure 3: Stealth component of the main function
How the botnet communicates with command and control (C2)
The sample then connects to the C2 server and sends the detected architecture of the system on which the agent was installed. The malware then enters a loop to handle incoming commands.
The sample features two types of commands, utility commands used to manage the malware, and commands to trigger attacks. Three special commands are defined: “PING” (which replies with PONG as a keep-alive mechanism), “!stop” which causes the malware to exit, and “!update”, which triggers the malware to download a new version from the C2 server and restart itself.
Figure 4: Initial connection to the C2 sever.
What DDoS attack techniques this botnet uses
The attack commands consist of the following:
Many of these commands invoke the same function despite appearing to be different attack techniques. For example, specialized attacks such as Cloudflare bypass (cfbypass, uam) use the exact same function as a standard HTTP attack. This may indicate the threat actor is attempting to make the botnet look like it has more capabilities than it actually has, or it could suggest that these commands are placeholders for future attack functionality that has yet to be implemented
All the commands take three arguments: IP, port to attack, and the duration of the attack.
attack_udp and attack_udp_pps
The attack_udp and attack_udp_pps functions both use a basic loop and sendto system call to send UDP packets to the victim’s IP, either targeting a predetermined port or a random port. The attack_udp function sends packets with 1,450 bytes of data, aimed at bandwidth saturation, while the attack_udp_pps function sends smaller 64-byte packets. In both cases, the data body of the packet consists of entirely random data.
Figure 5: Code for the UDP attack method
attack_dayz
The attack_dayz function follows a similar structure to the attack_udp function; however, instead of sending random data, it will instead send a TSource Engine Query. This command is specific to Valve Source Engine servers and is designed to return a large volume of data about the targeted server. By repeatedly flooding this request, an attacker can exhaust the resources of a server using a comparatively small amount of data.
The Valve Source Engine server, also called Source Engine Dedicated server, is a server developed by video game company Valve that enables multiplayer gameplay for titles built using the Source game engine, which is also developed by Valve. The Source engine is used in games such as Counterstrike and Team Fortress 2. Curiously, the function attack_dayz, appears to be named after another popular online multiplayer game, DayZ; however, DayZ does not use the Valve Source Engine, making it unclear why this name was chosen.
Figure 6: The code for the “attack_dayz” attack function.
attack_tcp_push
The attack_tcp_push function establishes a TCP socket with the non-blocking flag set, allowing it to rapidly call functions such as connect() and send() without waiting for their completion. For the duration of the attack, it enters a while loop in which it repeatedly connects to the victim, sends 1,024 bytes of random data, and then closes the connection. This process repeats until the attack duration ends. If the mode flag is set to 1, the function also configures the socket with TCP no-delay enabled, allowing for packets to be sent immediately without buffering, resulting in a higher packet rate and a more effective attack.
Figure 7: The code for the TCP attack function.
attack_http
Similar to attach_tcp_push, attack_http configures a socket with no-delay enabled and non-blocking set. After establishing the connection, it sends 64 HTTP GET requests before closing the socket.
Figure 8: The code for the HTTP attack function.
attack_special
The attack_special function creates a UDP socket and sets the port and payload based on the value of the mode flag:
Mode 0: Port 53 (DNS), sending a 10-byte malformed data packet.
Mode 1: Port 27015 (Valve Source Engine), sending the previously observed TSource Engine Query packet.
Mode 2: Port 123 (NTP), sending the start of an NTP control request.
Figure 9: The code for the attack_special function.
What this botnet reveals about opportunistic attacks on internet-facing systems
Jenkins is one of the less frequently exploited services honeypotted by Darktrace, with only a handful campaigns observed. Nonetheless, the emergence of this new DDoS botnet demonstrates that attackers continue to opportunistically exploit any internet-facing misconfiguration at scale to grow the botnet strength.
While the hosts most commonly affected by these opportunistic attacks are usually “lower-value” systems, this distinction is largely irrelevant for botnets, where numbers alone are more important to overall effectiveness
The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers, with Cloudflare reporting it as the fourth most targeted industry [2]. This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.
Credit to Nathaniel Bill (Malware Research Engineer) Edited by Ryan Traill (Content Manager)
Indicators of Compromise (IoCs)
103[.]177.110.202 - Attacker and command-and-control IP
In part 1 of this blog series, we explored how AI is remaking the attack surface, with new tools, models, agents — and vulnerabilities — popping up just about everywhere. Now embedded in workflows across the enterprise, and often with far-reaching access to sensitive data, AI systems are quickly becoming a favorite target of cyber threat actors.
Among bad actors, though, AI is more often used as a tool than a target. Nearly 62% of organizations experienced a social engineering attack involving a deepfake, or an incident in which bad actors used AI-generated video or audio to try to trick a biometric authentication system, compared to 32% that reported an AI prompt injection attack.
In the hands of attackers, AI can do many things. It’s being used across the entire kill chain: to supercharge reconnaissance, personalize phishing, accelerate lateral movement, and automate data exfiltration. Evidence from Anthropic demonstrates that threat actors have harnessed AI to orchestrate an entire cyber espionage campaign from end to end, allegedly running it with minimal human involvement.
CISOs inhabit a world where these increasingly sophisticated attacks are ubiquitous. Naturally, combatting AI-powered threats is top of mind among security professionals, but many worry about whether their capabilities are up to the challenge.
AI-powered threats at scale: no longer hypothetical
AI-driven threats share signature characteristics. They operate at speed and scale. Automated tools can probe multiple attack paths, search for multiple vulnerabilities and send out a barrage of phishing emails, all within seconds. The ability to attack everywhere at once, at a pace that no human operator could sustain, is the hallmark of an AI-powered threat. AI-powered threats are also dynamic. They can adapt their behavior to spread across a network more efficiently or rewrite their own code to evade detection.
Security teams are seeing the signs that they’re fighting AI-powered threats at every stage of the kill chain, and the sophistication of these threats is testing their resolve and their resources.
73% say that AI-powered cyber threats are having a significant impact on their organization
92% agree that these threats are forcing them to upgrade their defenses
87% agree that AI is significantly increasing the sophistication and success rate of malware
87% say AI is significantly increasing the workload of their security operations team
Up all night: Security professionals’ worry list is long
Traditional security methods were never built to handle the complexity and subtlety of AI-driven behavior. Working in the trenches, defenders have deep firsthand experience of how difficult it can be to detect and stop AI-assisted threats.
Increasingly effective social engineering attacks are among their top concerns. 50% of security leaders mentioned hyper-personalized phishing campaigns as one of their biggest worries, while 40% voiced apprehension about deepfake voice fraud. These concerns are legitimate: AI-generated phishing emails are increasingly tailored to individual organizations, business activities, or individuals. Gone are the telltale signs – like grammar or spelling mistakes – that once distinguished malicious communications. Notably, 33% of the malicious emails Darktrace observed in 2025 contained over 1,000 characters, indicating probable LLM usage.
Security leaders also worry about how bad actors can leverage AI to make attacks even faster and more dynamic. 45% listed automated vulnerability scanning and exploit chaining among their biggest concerns, while 40% mentioned adaptive malware.
Confidence is lacking
Protecting against AI demands capabilities that many organizations have not yet built. It requires interpreting new indicators, uncovering the subtle intent within interactions, and recognizing when AI behavior – human or machine – could be suspicious. Leaders know that their current tools aren’t prepared for this. Nearly half don’t feel confident in their ability to defend against AI-powered attacks.
We’ve asked participants in our survey about their confidence for the last three years now. In 2024, 60% said their organizations were not adequately prepared to defend against AI-driven threats. Last year, that percentage shrunk to 45%, a possible indicator that security programs were making progress. Since then, however, the progress has apparently stalled. 46% of security leaders now feel inadequately prepared to protect their organizations amidst the current threat landscape.
Some of these differences are accentuated across different cultures. Respondents in Japan are far less confident (77% say they are not adequately prepared) than respondents in Brazil (where only 21% don’t feel prepared).
Where security programs are falling short
It’s no longer the case that cybersecurity is overlooked or underfunded by executive leadership. Across industries, management recognizes that AI-powered threats are a growing problem, and insufficient budget is near the bottom of most CISO’s list of reasons that they struggle to defend against AI-powered threats.
It’s the things that money can’t buy – experience, knowledge, and confidence – that are holding programs back. Near the top of the list of inhibitors that survey participants mention is “insufficient knowledge or use of AI-driven countermeasures.” As bad actors embrace AI technologies en masse, this challenge is coming into clearer focus: attack-centric security tools, which rely on static rules, signatures, and historical attack patterns, were never designed to handle the complexity and subtlety of AI-driven attacks. These challenges feel new to security teams, but they are the core problems Darktrace was built to solve.
Our Self-Learning AI develops a deep understanding of what “normal” looks like for your organization –including unique traffic patterns, end user habits, application and device profiles – so that it can detect and stop novel, dynamic threats at the first encounter. By focusing on learning the business, rather than the attack, our AI can keep pace with AI-powered threats as they evolve.
Explore the full State of AI Cybersecurity 2026 report for deeper insights into how security leaders are responding to AI-driven risks.
