Cado Security Labs (now part of Darktrace) identified two new campaigns exploiting misconfigured Selenium Grid instances for cryptomining and proxyjacking. Attackers injected scripts to deploy reverse shells, IPRoyal Pawn, EarnFM, TraffMonetizer, and WatchTower for proxyjacking, and a Golang binary to install a cryptominer. These attacks highlight the critical need for Selenium Grid users to enable authentication.

Unifying network and email security closes critical gaps in your defenses, enabling faster detection, investigation, and response. Discover how an integrated, AI-driven approach strengthens protection across the entire attack lifecycle.

This blog details a simulation of a ransomware attack that bypassed EDR, simulated via a ClickFix social engineering technique. The attack used an obfuscated HTML and custom C++ binary to encrypt files and establish a reverse shell. Cado's forensic platform then demonstrated how to trace the attack chain, highlighting the need for robust DFIR beyond EDR.

Darktrace identified anomalous activity within its customer base linked to a supply chain attack exploiting Salesloft integrations in August 2025. Learn about the campaign and how Darktrace detects and responds to such threats using AI-driven threat detection and Autonomous Response capabilities.

Cado Security Labs (now part of Darktrace) identified a "Meeten" campaign deploying a cross-platform (macOS/Windows) infostealer called Realst. Threat actors create fake Web3 companies with AI-generated content and social media to trick targets into downloading malicious meeting applications.

"Commando Cat" is a novel cryptojacking campaign exploiting exposed Docker API endpoints. This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives.

Migo is a cryptojacking campaign targeting Redis servers, that uses novel system-weakening techniques for initial access. It deploys a Golang ELF binary for cryptocurrency mining, which employs compile-time obfuscation and achieves persistence on Linux hosts. Migo also utilizes a modified user-mode rootkit to hide its processes and on-disk artifacts, complicating analysis and forensics.

Signature-based detection has been a mainstay of IT security for decades, but the unique realities of operational technology (OT) environments make it a poor return on investment for power utilities. While signatures can still provide value for commodity IT malware, they fail against insider misuse, zero-day exploits, and custom-built malware designed for grid operations. Historical evidence shows signatures rarely generalize across different utilities, and overreliance creates strategic blind spots. To effectively defend critical energy infrastructure, utilities should prioritize behavioral analytics, anomaly detection, and intelligence sharing across the community.

A practical guide to the key detection and response updates in CAF v4.0, including anomaly-based detection, machine-led threat hunting, and proactive security posture requirements.

Cado Security Labs identified a GuLoader campaign targeting European industrial companies via spearphishing emails with compressed batch files. This malware uses obfuscated PowerShell scripts and shellcode with anti-debugging techniques to establish persistence and inject into legitimate processes, to deliver Remote Access Trojans. GuLoader's ongoing evolution highlights the need for robust security.

Cado Security Labs (now part of Darktrace) identified a Docusign spearphishing campaign targeting tech executives. Attackers use compromised Japanese business emails and malicious links redirecting to credential-stealing sites. The campaign leverages obfuscated JavaScript to mimic legitimate login pages, aiming to steal credentials for further attacks like BEC scams.

Cado Security Labs (now part of Darktrace) identified Triton RAT, a Python-based open-source tool controlled via Telegram.

Cado Security Labs (now part of Darktrace) identified a malware campaign targeting the Royal Thai Police, attributed to Chinese APT group Mustang Panda. The campaign uses a disguised LNK file and PDF decoy to deliver the Yokai backdoor.

Cado Security (now a part of Darktrace) found attackers are abusing Cloudflare's WARP service, a free VPN, to launch attacks. WARP traffic often bypasses firewalls due to Cloudflare's trusted status, making it harder to detect. Campaigns like "SSWW" cryptojacking and SSH brute-forcing exploit this trust, highlighting a significant security risk for organizations.

P2Pinfect, a sophisticated Rust-based malware, has evolved from a dormant spreading botnet to actively deploying ransomware and a cryptominer, primarily infecting Redis servers and using a P2P C2. The updated version includes a user-mode rootkit, but its ransomware impact is limited by the low privileges often associated with Redis.

Cerber ransomware's Linux variant is actively exploiting CVE-2023-22518 in Confluence servers. It uses three UPX-packed C++ payloads: a primary stager, a log checker for environment assessment, and an encryptor that renames files with a .L0CK3D extension.

Cado Security Labs uncovered a new campaign targeting vulnerable Docker services. Attackers deploy XMRig miners and the 9hits viewer application to generate credits. This campaign highlights attackers' evolving monetization strategies and the ongoing vulnerability of exposed Docker hosts.

Cado Security Labs discovered a new cryptomining campaign exploiting exposed Jupyter Notebooks on Windows and Linux. The attack deploys UPX-packed binaries that decrypt and execute a cryptominer, targeting various cryptocurrencies.

Cado researchers detected a typosquatting domain mimicking their corporate site, part of a broader campaign targeting tech companies. The malicious domain redirected to the legitimate one, and an accompanying fake X (Twitter) account was created. Cado took swift action, informing staff, blocking emails, and reporting the domain for suspension.

Cado Security labs researchers (now part of Darktrace) encountered a Linux malware campaign, "Spinning YARN," that targets Docker, Apache Hadoop, Redis, and Confluence. This campaign exploits vulnerabilities in these widely used platforms to gain access.

A new P2Pinfect variant compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture has been discovered. This demonstrates increased targeting of routers, Internet of Things (IoT) and other embedded devices by those behind P2Pinfect.

OracleIV is a DDoS botnet exploiting misconfigured Docker Engine APIs. It delivers a malicious Python ELF executable within a Docker container ("oracleiv_latest") to perform various DoS attacks. The botnet communicates with a C2 server for commands, demonstrating attackers' continued use of exposed Docker instances.

Qubitstrike is an emerging cryptojacking campaign primarily targeting exposed Jupyter Notebooks that exfiltrates cloud credentials, mines XMRig, and employs persistence mechanisms. The malware utilizes Discord for C2, displaying compromised host information and enabling command execution, file transfer, and process hiding via the Diamorphine rootkit.

Cryptojacking attacks are rising as threat actors exploit hard-to-detect cryptomining malware. Learn how Darktrace detected and contained a cryptojacking attempt in its early stages using Autonomous Response, with expert analysis of the malware itself revealing insights into a novel cryptomining strain.

Darktrace identified coordinated SaaS account compromises across multiple customer environments. The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment. Discover how Darktrace uncovered this activity and what it means for the future of SaaS security.