Blog
/
Network
/
June 23, 2023

How Darktrace Quickly Foiled An Information Stealer

Discover how Darktrace thwarted the CryptBot malware in just 2 seconds. Learn about this fast-moving threat and the defense strategies employed.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
23
Jun 2023

The recent trend of threat actors using information stealer malware, designed to gather and exfiltrate confidential data, shows no sign of slowing. With new or updated info-stealer strains appearing in the wild on a regular basis, it came as no surprise to see a surge in yet another prolific variant in late 2022, CryptBot.

What is CryptBot?

CryptBot is a Windows-based trojan malware that was first discovered in the wild in December 2019. It belongs to the prolific category of information stealers whose primary objective, as the name suggests, is to gather information from infected devices and send it to the threat actor.

ZeuS was reportedly the first info-stealer to be discovered, back in 2006. After its code was leaked, many other variants came to light and have been gaining popularity amongst cyber criminals [1] [2] [3]. Indeed, Inside the SOC has discussed multiple infections across its customer base associated with several types of stealers in the past months [4] [5] [6] [7]. 

The Darktrace Threat Research team investigated CryptBot infections on the digital environments of more than 40 different Darktrace customers between October 2022 and January 2023. Darktrace DETECT™ and its anomaly-based approach to threat detection allowed it to successfully identify the unusual activity surrounding these info-stealer infections on customer networks. Meanwhile, Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and prevent the exfiltration of sensitive company data.

Why is info-stealer malware popular?

It comes as no surprise that info-stealers have “become one of the most discussed malware types on the cybercriminal underground in 2022”, according to Accenture’s Cyber Threat Intelligence team [10]. This is likely in part due to the fact that:

More sensitive data on devices

Due to the digitization of many aspects of our lives, such as banking and social interactions, a trend accelerated by the COVID-19 pandemic.

Cost effective

Info-stealers provide a great return on investment (ROI) for threat actors looking to exfiltrate data without having to do the traditional internal reconnaissance and data transfer associated with data theft. Info-stealers are usually cheap to purchase and are available through Malware-as-a-Service (MaaS) offerings, allowing less technical and resourceful threat actors in on the stealing action. This makes them a prevalent threat in the malware landscape. 

How does CryptBot work?

The techniques employed by info-stealers to gather and exfiltrate data as well as the type of data targeted vary from malware to malware, but the data targeted typically includes login credentials for a variety of applications, financial information, cookies and global information about the infected computer [8]. Given its variety and sensitivity, threat actors can leverage the stolen data in several ways to make a profit. In the case of CryptBot, the data obtained is sold on forums or underground data marketplaces and can be later employed in higher profile attacks [9]. For example, stolen login information has previously been leveraged in credential-based attacks, which can successfully bypass authentication-based security measures, including multi-factor authentication (MFA). 

CryptBot functionalities

Like many information stealers, CryptBot is designed to steal a variety of sensitive personal and financial information such as browser credentials, cookies and history information and social media accounts login information, as well as cryptocurrency wallets and stored credit card information [11]. General information (e.g., OS, installed applications) about the infected computer is also retrieved. Browsers targeted by CryptBot include Chrome, Firefox, and Edge. In early 2022, CryptBot’s code was revamped in order to streamline its data extraction capabilities and improve its overall efficiency, an update that coincided with a rise in the number of infections [11] [12].

Some of CryptBot's functionalities were removed and its exfiltration process was streamlined, which resulted in a leaner payload, around half its original size and a quicker infection process [11]. Some of the features removed included sandbox detection and evasion functionalities, the collection of desktop text files and screen captures, which were deemed unnecessary. At the same time, the code was improved in order to include new Chrome versions released after CryptBot’s first appearance in 2019. Finally, its exfiltration process was simplified: prior to its 2022 update, the malware saved stolen data in two separate folders before sending it to two separate command and control (C2) domains. Post update, the data is only saved in one location and sent to one C2 domain, which is hardcoded in the C2 transmission function of the code. This makes the infection process much more streamlined, taking only a few minutes from start to finish. 

Aside from the update to its malware code, CryptBot regularly updates and refreshes its C2 domains and dropper websites, making it a highly fluctuating malware with constantly new indicators of compromise and distribution sites. 

Even though CryptBot is less known than other info-stealers, it was reportedly infecting thousands of devices daily in the first months of 2020 [13] and its continued prevalence resulted in Google taking legal action against its distribution infrastructure at the end of April 2023 [14].  

How is CryptBot obtained?

CryptBot is primarily distributed through malicious websites offering free and illegally modified software (i.e., cracked software) for common commercial programs (e.g., Microsoft Windows and Office, Adobe Photoshop, Google Chrome, Nitro PDF Pro) and video games. From these ‘malvertising’ pages, the user is redirected through multiple sites to the actual payload dropper page [15]. This distribution method has seen a gain in popularity amongst info-stealers in recent months and is also used by other malware families such as Raccoon Stealer and Vidar [16] [17].

A same network of cracked software websites can be used to download different malware strains, which can result in multiple simultaneous infections. Additionally, these networks often use search engine optimization (SEO) in order to make adverts for their malware distributing sites appear at the top of the Google search results page, thus increasing the chances of the malicious payloads being downloaded.

Furthermore, CryptBot leverages Pay-Per-Install (PPI) services such as 360Installer and PrivateLoader, a downloader malware family used to deliver payloads of multiple malware families operated by different threat actors [18] [19] [20]. The use of this distribution method for CryptBot payloads appears to have stemmed from its 2022 update. According to Google, 161 active domains were associated with 360Installer, of which 90 were associated with malware delivery activities and 29 with the delivery of CryptBot malware specifically. Google further identified hundreds of domains used by CryptBot as C2 sites, all of which appear to be hosted on the .top top-level domain [21].

This simple yet effective distribution tactic, combined with the MaaS model and the lucrative prospects of selling the stolen data resulted in numerous infections. Indeed, CryptBot was estimated to have infected over 670,000 computers in 2022 [14]. Even though the distribution method chosen means that most of the infected devices are likely to be personal computers, bring your own device (BYOD) policies and users’ tendency to reuse passwords means that corporate environments are also at risk. 

CryptBot Attack Overview

In some cases observed by Darktrace, after connecting to malvertising websites, devices were seen making encrypted SSL connections to file hosting services such as MediaFire or Mega, while in others devices were observed connecting to an endpoint associated with a content delivery network. This is likely the location from where the malware payload was downloaded alongside cracked software, which is executed by the unsuspecting user. As the user expects to run an executable file to install their desired software, the malware installation often happens without the user noticing.

Some of the malvertising sites observed by Darktrace on customer deployments were crackful[.]com, modcrack[.]net, windows-7-activator[.]com and office-activator[.]com. However, in many cases detected by Darktrace, CryptBot was propagated via websites offering trojanized KMSPico software (e.g., official-kmspico[.]com, kmspicoofficial[.]com). KMSPico is a popular Microsoft Windows and Office product activator that emulates a Windows Key Management Services (KMS) server to activate licenses fraudulently. 

Once it has been downloaded and executed, CryptBot will search the system for confidential information and create a folder with a seemingly randomly generated name, matching the regex [a-zA-Z]{10}, to store the gathered sensitive data, ready for exfiltration. 

Figure 1: Packet capture (PCAP) of an HTTP POST request showing the file with the stolen data being sent over the connection.
Figure 1: Packet capture (PCAP) of an HTTP POST request showing the file with the stolen data being sent over the connection.

This data is then sent to the C2 domain via HTTP POST requests on port 80 to the URI /gate.php. As previously stated, CryptBot C2 infrastructure is changed frequently and many of the domains seen by Darktrace had been registered within the previous 30 days. The domain names detected appeared to have been generated by an algorithm, following the regex patterns [a-z]{6}[0-9]{2,3}.top or [a-z]{6}[0-9]{2,3}.cfd. In several cases, the C2 domain had not been flagged as malicious by other security vendors or had just one detection. This is likely because of the frequent changes in the C2 infrastructure operated by the threat actors behind CryptBot, with new malicious domains being created periodically to avoid detection. This makes signature-based security solutions much less efficient to detect and block connections to malicious domains. Additionally, the fact that the stolen data is sent over regular HTTP POST requests, which are used daily as part of a multitude of legitimate processes such as file uploads or web form submissions, allows the exfiltration connections to blend in with normal and legitimate traffic making it difficult to isolate and detect as malicious activity. 

In this context, anomaly-based security detections such as Darktrace DETECT are the best way to pick out these anomalous connections amidst legitimate Internet traffic. In the case of CryptBot, two DETECT models were seen consistently breaching for CryptBot-related activity: ‘Device / Suspicious Domain’, breaching for connections to 100% rare C2 .top domains, and ‘Anomalous Connection / POST to PHP on New External Host’, breaching on the data exfiltration HTTP POST request. 

In deployments where Darktrace RESPOND was deployed, a RESPOND model breached within two seconds of the first HTTP POST request. If enabled in autonomous mode, RESPOND would block the data exfiltration connections, thus preventing the data safe from being sold in underground forums to other threat actors. In one of the cases investigated by Darktrace’s Threat Research team, DETECT was able to successfully identify and alert the customer about CryptBot-related malicious activity on a device that Darktrace had only begun to monitor one day before, showcasing how fast Darktrace’s Self-Learning AI learns every nuance of customer networks and the devices within it.

In most cases investigated by Darktrace, fewer than 5 minutes elapsed between the first connection to the endpoint offering free cracked software and the data being exfiltrated to the C2 domain. For example, in one of the attack chains observed in a university’s network, a device was seen connecting to the 100% rare endpoint official-kmspico[.]com at 16:53:47 (UTC).

Device Event Log showing SSL connections to the official-kmspico[.]com malvertising website.
Figure 2: Device Event Log showing SSL connections to the official-kmspico[.]com malvertising website.

One minute later, at 16:54:19 (UTC), the same device was seen connecting to two mega[.]co[.]nz subdomains and downloading around 13 MB of data from them. As mentioned previously, these connections likely represent the CryptBot payload and cracked software download.

Device Event Log showing SSL connections to mega[.]com endpoints following the connection to the malvertising site.
Figure 3: Device Event Log showing SSL connections to mega[.]com endpoints following the connection to the malvertising site.

At 16:56:01 (UTC), Darktrace detected the device making a first HTTP POST request to the 100% rare endpoint, avomyj24[.]top, which has been associated with CryptBot’s C2 infrastructure [22]. This initial HTTP POST connection likely represents the transfer of confidential data to the attacker’s infrastructure.

Device Event Log showing HTTP connections made by the infected device to the C2 domain. 
Figure 4: Device Event Log showing HTTP connections made by the infected device to the C2 domain. 

The full attack chain, from visiting the malvertising website to the malicious data egress, took less than three minutes to complete. In this circumstance, the machine-speed detection and response capabilities offered by Darktrace DETECT and RESPOND are paramount in order to stop CryptBot before it can successfully exfiltrates sensitive data. This is an incredibly quick infection timeline, with no lateral movement nor privilege escalation required to carry out the malware’s objective. 

Device Event Log showing the DETECT and RESPOND models breached during the attack. 
Figure 5: Device Event Log showing the DETECT and RESPOND models breached during the attack. 

Darktrace Cyber AI Analyst incidents were also generated as a result of this activity, displaying all relevant information in one panel for easy review by customer security teams.

Cyber AI Analyst event log showing the HTTP connections made by the breach device to the C2 endpoint.
Figure 6: Cyber AI Analyst event log showing the HTTP connections made by the breach device to the C2 endpoint.

Conclusion 

CryptBot info-stealer is fast, efficient, and apt at evading detection given its small size and swift process of data gathering and exfiltration via legitimate channels. Its constantly changing C2 infrastructure further makes it difficult for traditional security tools that really on rules and signatures or known indicators of compromise (IoCs) to detect these infections. 

In the face of such a threat, Darktrace’s anomaly-based detection allows it to recognize subtle deviations in a device’s pattern of behavior that may signal an evolving threat and instantly bring it to the attention of security teams. Darktrace DETECT is able to distinguish between benign activity and malicious behavior, even from newly monitored devices, while Darktrace RESPOND can move at machine-speed to prevent even the fastest moving threat actors from stealing confidential company data, as it demonstrated here by stopping CryptBot infections in as little as 2 seconds.

Credit to Alexandra Sentenac, Cyber Analyst, Roberto Romeu, Senior SOC Analyst

Darktrace Model Detections  

AI Analyst Coverage 

  • Possible HTTP Command and Control  

DETECT Model Breaches  

  • Device / Suspicious Domain 
  • Anomalous Connection / POST to PHP on New External Host 
  • Anomalous Connection / Multiple HTTP POSTs to Rare Hostname 
  • Compromise / Multiple SSL to Rare DGA Domains

List of IOCs

Indicator Type Description
luaigz34[.]top Hostname CryptBot C2 endpoint
watibt04[.]top Hostname CryptBot C2 endpoint
avolsq14[.]top Hostname CryptBot C2 endpoint

MITRE ATT&CK Mapping

Category Technique Tactic
INITIAL ACCESS Drive-by Compromise - T1189 N/A
COMMAND AND CONTROL Web Protocols - T1071.001 N/A
COMMAND AND CONTROL Domain Generation Algorithm - T1568.002 N/A

References

[1] https://www.malwarebytes.com/blog/threats/info-stealers

[2] https://cybelangel.com/what-are-infostealers/

[3] https://ke-la.com/information-stealers-a-new-landscape/

[4] https://darktrace.com/blog/vidar-info-stealer-malware-distributed-via-malvertising-on-google

[5] https://darktrace.com/blog/a-surge-of-vidar-network-based-details-of-a-prolific-info-stealer 

[6] https://darktrace.com/blog/laplas-clipper-defending-against-crypto-currency-thieves-with-detect-respond

[7] https://darktrace.com/blog/amadey-info-stealer-exploiting-n-day-vulnerabilities 

[8] https://cybelangel.com/what-are-infostealers/

[9] https://webz.io/dwp/the-top-10-dark-web-marketplaces-in-2022/

[10] https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web

[11] https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-spread-by-pirated-software-sites/

[12] https://blogs.blackberry.com/en/2022/03/threat-thursday-cryptbot-infostealer

[13] https://www.deepinstinct.com/blog/cryptbot-how-free-becomes-a-high-price-to-pay

[14] https://blog.google/technology/safety-security/continuing-our-work-to-hold-cybercriminal-ecosystems-accountable/

[15] https://asec.ahnlab.com/en/31802/

[16] https://darktrace.com/blog/the-last-of-its-kind-analysis-of-a-raccoon-stealer-v1-infection-part-1

[17] https://www.trendmicro.com/pt_br/research/21/c/websites-hosting-cracks-spread-malware-adware.html

[18] https://intel471.com/blog/privateloader-malware

[19] https://cyware.com/news/watch-out-pay-per-install-privateloader-malware-distribution-service-is-flourishing-888273be 

[20] https://regmedia.co.uk/2023/04/28/handout_google_cryptbot_complaint.pdf

[21] https://www.bankinfosecurity.com/google-wins-court-order-to-block-cryptbot-infrastructure-a-21905

[22] https://github.com/stamparm/maltrail/blob/master/trails/static/malware/cryptbot.txt

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

More in this series

No items found.

Blog

/

Compliance

/

June 9, 2025

Modernising UK Cyber Regulation: Implications of the Cyber Security and Resilience Bill

Two individuals sitting at a desk working on a documentDefault blog imageDefault blog image

The need for security and continued cyber resilience

The UK government has made national security a key priority, and the new Cyber Security and Resilience Bill (CSRB) is a direct reflection of that focus. In introducing the Bill, Secretary of State for Science, Innovation and Technology, Peter Kyle, recognised that the UK is “desperately exposed” to cyber threats—from criminal groups to hostile nation-states that are increasingly targeting the UK's digital systems and critical infrastructure[1].

Context and timeline for the new legislation

First announced during the King’s Speech of July 2024, and elaborated in a Department for Science, Innovation and Technology (DSIT) policy statement published in April 2025, the CSRB is expected to be introduced in Parliament during the 2025-26 legislative session.

For now, organisations in the UK remain subject to the 2018 Network and Information Systems (NIS) Regulations – an EU-derived law which was drafted before today’s increasing digitisation of critical services, rise in cloud adoption and emergence of AI-powered threats.

Why modernisation is critical

Without modernisation, the Government believes UK’s infrastructure and economy risks falling behind international peers. The EU, which revised its cybersecurity regulation under the NIS2 Directive, already imposes stricter requirements on a broader set of sectors.

The urgency of the Bill is also underscored by recent high-impact incidents, including the Synnovis attack which targeted the National Health Service (NHS) suppliers and disrupted thousands of patient appointments and procedures[2]. The Government has argued that such events highlight a systemic failure to keep pace with a rapidly evolving threat landscape[3].

What the Bill aims to achieve

This Bill represents a decisive shift. According to the Government, it will modernise and future‑proof the UK’s cyber laws, extending oversight to areas where risk has grown but regulation has not kept pace[4]. While the legislation builds on previous consultations and draws lessons from international frameworks like the EU’s NIS2 directive, it also aims to tailor solutions to the UK’s unique threat environment.

Importantly, the Government is framing cybersecurity not as a barrier to growth, but as a foundation for it. The policy statement emphasises that strong digital resilience will create the stability businesses need to thrive, innovate, and invest[5]. Therefore, the goals of the Bill will not only be to enhance security but also act as an enabler to innovation and economic growth.

Recognition that AI changes cyber threats

The CSRB policy statement recognises that AI is fundamentally reshaping the threat landscape, with adversaries now leveraging AI and commercial cyber tools to exploit vulnerabilities in critical infrastructure and supply chains. Indeed, the NCSC has recently assessed that AI will almost certainly lead to “an increase in the frequency and intensity of cyber threats”[6]. Accordingly, the policy statement insists that the UK’s regulatory framework “must keep pace and provide flexibility to respond to future threats as and when they emerge”[7].

To address the threat, the Bill signals new obligations for MSPs and data centres, timely incident reporting and dynamic guidance that can be refreshed without fresh primary legislation, making it essential for firms to follow best practices.

What might change in day-to-day practice?

New organisations in scope of regulation

Under the existing Network and Information Systems (NIS) Regulations[8], the UK already supervises operators in five critical sectors—energy, transport, drinking water, health (Operators of Essential Services, OES) and digital infrastructure (Relevant Digital Service Providers, RDSPs).

The Cyber Security and Resilience Bill retains this foundation and adds Managed Service Providers (MSPs) and data centres to the scope of regulation to “better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains”[9]. It also grants the Secretary of State for Science, Innovation and Technology the power to add new sectors or sub‑sectors via secondary legislation, following consultation with Parliament and industry.

Managed service providers (MSPs)

MSPs occupy a central position within the UK’s enterprise information‑technology infrastructure. Because they remotely run or monitor clients’ systems, networks and data, they hold privileged, often continuous access to multiple environments. This foothold makes them an attractive target for malicious actors.

The Bill aims to bring MSPs in scope of regulation by making them subject to the same duties as those placed on firms that provide digital services under the 2018 NIS Regulations. By doing so, the Bill seeks to raise baseline security across thousands of customer environments and to provide regulators with better visibility of supply‑chain risk.

The proposed definition for MSPs is a service which:

  1. Is provided to another organisation
  2. Relies on the use of network and information systems to deliver the service
  3. Relates to ongoing management support, active administration and/or monitoring of AI systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security.
  4. Involves a network connection and/or access to the customer’s network and information systems.

Data centres

Building on the September 2024 designation of data centres as critical national infrastructure, the CSRB will fold data infrastructure into the NIS-style regime by naming it an “relevant sector" and data centres as “essential service”[10].

About 182 colocation facilities run by 64 operators will therefore come under statutory duties to notify the regulator, maintain proportionate CAF-aligned controls and report significant incidents, regardless of who owns them or what workloads they host.

New requirements for regulated organisations

Incident reporting processes

There could be stricter timelines or broader definitions of what counts as a reportable incident. This might nudge organisations to formalise detection, triage, and escalation procedures.

The Government is proposing to introduce a new two-stage incident reporting process. This would include an initial notification which would be submitted within 24 hours of becoming aware of a significant incident, followed by a full incident report which should be submitted within 72 hours of the same.

Supply chain assurance requirements

Supply chains for the UK's most critical services are becoming increasingly complex and present new and serious vulnerabilities for cyber-attacks. The recent Synnovis ransomware attacks on the NHS[11] exemplify the danger posed by attacks against the supply chains of important services and organisations. This is concerning when reflecting on the latest Cyber Security Breaches survey conducted by DSIT, which highlights that fewer than 25% of large businesses review their supply chain risks[12].

Despite these risks, the UK’s legacy cybersecurity regulatory regime does not explicitly cover supply chain risk management. The UK instead relies on supporting and non-statutory guidance to close this gap, such as the NCSC’s Cyber Assessment Framework (CAF)[13].

The CSRB policy statement acts on this regulatory shortcoming and recognises that “a single supplier’s disruption can have far-reaching impacts on the delivery of essential or digital services”[14].

To address this, the Bill would make in-scope organisations (OES and RDPS) directly accountable for the cybersecurity of their supply chains. Secondary legislation would spell out these duties in detail, ensuring that OES and RDSPs systematically assess and mitigate third-party cyber risks.

Updated and strengthened security requirements

By placing the CAF into a firmer footing and backing it with a statutory Code of Practice, the Government is setting clearer expectations about government expectations on technical standards and methods organisations will need to follow to prove their resilience.

How Darktrace can help support affected organizations

Demonstrate resilience

Darktrace’s Self-Learning AITM continuously monitors your digital estate across cloud, network, OT, email, and endpoint to detect, investigate, and autonomously respond to emerging threats in real time. This persistent visibility and defense posture helps organizations demonstrate cyber resilience to regulators with confidence.

Streamline incident reporting and compliance

Darktrace surfaces clear alerts and automated investigation reports, complete with timeline views and root cause analysis. These insights reduce the time and complexity of regulatory incident reporting and support internal compliance workflows with auditable, AI-generated evidence.

Improve supply chain visibility

With full visibility across connected systems and third-party activity, Darktrace detects early indicators of lateral movement, account compromise, and unusual behavior stemming from vendor or partner access, reducing the risk of supply chain-originated cyber-attacks.

Ensure MSPs can meet new standards

For managed service providers, Darktrace offers native multi-tenant support and autonomous threat response that can be embedded directly into customer environments. This ensures consistent, scalable security standards across clients—helping MSPs address increasing regulatory obligations.

[related-resource]

References

[1] https://www.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister

[2] https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

[3] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[4] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[5] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[6] https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027

[7] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[8] https://www.gov.uk/government/collections/nis-directive-and-nis-regulations-2018

[9] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[10] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[11] https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

[12] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025

[13] https://www.ncsc.gov.uk/collection/cyber-assessment-framework

[14] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

June 5, 2025

Unpacking ClickFix: Darktrace’s detection of a prolific social engineering tactic

Woman on laptop in office buildingDefault blog imageDefault blog image

What is ClickFix and how does it work?

Amid heightened security awareness, threat actors continue to seek stealthy methods to infiltrate target networks, often finding the human end user to be the most vulnerable and easily exploited entry point.

ClickFix baiting is an exploitation of the end user, making use of social engineering techniques masquerading as error messages or routine verification processes, that can result in malicious code execution.

Since March 2024, the simplicity of this technique has drawn attention from a range of threat actors, from individual cybercriminals to Advanced Persistent Threat (APT) groups such as APT28 and MuddyWater, linked to Russia and Iran respectively, introducing security threats on a broader scale [1]. ClickFix campaigns have been observed affecting organizations in across multiple industries, including healthcare, hospitality, automotive and government [2][3].

Actors carrying out these targeted attacks typically utilize similar techniques, tools and procedures (TTPs) to gain initial access. These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads [2][3]. Often, a hidden link within an email or malvertisements on compromised legitimate websites redirect the end user to a malicious URL [4]. These take the form of ‘Fix It’ or fake CAPTCHA prompts [4].

From there, users are misled into believing they are completing a human verification step, registering a device, or fixing a non-existent issue such as a webpage display error. As a result, they are guided through a three-step process that ultimately enables the execution of malicious PowerShell commands:

  1. Open a Windows Run dialog box [press Windows Key + R]
  2. Automatically or manually copy and paste a malicious PowerShell command into the terminal [press CTRL+V]
  3. And run the prompt [press ‘Enter’] [2]

Once the malicious PowerShell command is executed, threat actors then establish command and control (C2) communication within the targeted environment before moving laterally through the network with the intent of obtaining and stealing sensitive data [4]. Malicious payloads associated with various malware families, such as XWorm, Lumma, and AsyncRAT, are often deployed [2][3].

Attack timeline of ClickFix cyber attack

Based on investigations conducted by Darktrace’s Threat Research team in early 2025, this blog highlights Darktrace’s capability to detect ClickFix baiting activity following initial access.

Darktrace’s coverage of a ClickFix attack chain

Darktrace identified multiple ClickFix attacks across customer environments in both Europe, the Middle East, and Africa (EMEA) and the United States. The following incident details a specific attack on a customer network that occurred on April 9, 2025.

Although the initial access phase of this specific attack occurred outside Darktrace’s visibility, other affected networks showed compromise beginning with phishing emails or fake CAPTCHA prompts that led users to execute malicious PowerShell commands.

Darktrace’s visibility into the compromise began when the threat actor initiated external communication with their C2 infrastructure, with Darktrace / NETWORK detecting the use of a new PowerShell user agent, indicating an attempt at remote code execution.

Darktrace / NETWORK's detection of a device making an HTTP connection with new PowerShell user agent, indicating PowerShell abuse for C2 communications.
Figure 1: Darktrace / NETWORK's detection of a device making an HTTP connection with new PowerShell user agent, indicating PowerShell abuse for C2 communications.

Download of Malicious Files for Lateral Movement

A few minutes later, the compromised device was observed downloading a numerically named file. Numeric files like this are often intentionally nondescript and associated with malware. In this case, the file name adhered to a specific pattern, matching the regular expression: /174(\d){7}/. Further investigation into the file revealed that it contained additional malicious code designed to further exploit remote services and gather device information.

Darktrace / NETWORK's detection of a numeric file, one minute after the new PowerShell User Agent alert.
Figure 2: Darktrace / NETWORK's detection of a numeric file, one minute after the new PowerShell User Agent alert.

The file contained a script that sent system information to a specified IP address using an HTTP POST request, which also processed the response. This process was verified through packet capture (PCAP) analysis conducted by the Darktrace Threat Research team.

By analyzing the body content of the HTTP GET request, it was observed that the command converts the current time to Unix epoch time format (i.e., 9 April 2025 13:26:40 GMT), resulting in an additional numeric file observed in the URI: /1744205200.

PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.
Figure 3: PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.

Across Darktrace’s investigations into other customers' affected by ClickFix campaigns, both internal information discovery events and further execution of malicious code were observed.

Data Exfiltration

By following the HTTP stream in the same PCAP, the Darktrace Threat Research Team assessed the activity as indicative of data exfiltration involving system and device information to the same command-and-control (C2) endpoint, , 193.36.38[.]237. This endpoint was flagged as malicious by multiple open-source intelligence (OSINT) vendors [5].

PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.
Figure 4: PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.

Further analysis of Darktrace’s Advanced Search logs showed that the attacker’s malicious code scanned for internal system information, which was then sent to a C2 server via an HTTP POST request, indicating data exfiltration

Advanced Search further highlights Darktrace's observation of the HTTP POST request, with the second numeric file representing data exfiltration.
Figure 5: Advanced Search further highlights Darktrace's observation of the HTTP POST request, with the second numeric file representing data exfiltration.

Actions on objectives

Around ten minutes after the initial C2 communications, the compromised device was observed connecting to an additional rare endpoint, 188.34.195[.]44. Further analysis of this endpoint confirmed its association with ClickFix campaigns, with several OSINT vendors linking it to previously reported attacks [6].

In the final HTTP POST request made by the device, Darktrace detected a file at the URI /init1234 in the connection logs to the malicious endpoint 188.34.195[.]44, likely depicting the successful completion of the attack’s objective, automated data egress to a ClickFix C2 server.

Darktrace / NETWORK grouped together the observed indicators of compromise (IoCs) on the compromised device and triggered an Enhanced Monitoring model alert, a high-priority detection model designed to identify activity indicative of the early stages of an attack. These models are monitored and triaged 24/7 by Darktrace’s Security Operations Center (SOC) as part of the Managed Threat Detection service, ensuring customers are promptly notified of malicious activity as soon as it emerges.

Darktrace correlated the separate malicious connections that pertained to a single campaign.
Figure 6: Darktrace correlated the separate malicious connections that pertained to a single campaign.

Darktrace Autonomous Response

In the incident outlined above, Darktrace was not configured in Autonomous Response mode. As a result, while actions to block specific connections were suggested, they had to be manually implemented by the customer’s security team. Due to the speed of the attack, this need for manual intervention allowed the threat to escalate without interruption.

However, in a different example, Autonomous Response was fully enabled, allowing Darktrace to immediately block connections to the malicious endpoint (138.199.156[.]22) just one second after the initial connection in which a numerically named file was downloaded [7].

Darktrace Autonomous Response blocked connections to a suspicious endpoint following the observation of the numeric file download.
Figure 7: Darktrace Autonomous Response blocked connections to a suspicious endpoint following the observation of the numeric file download.

This customer was also subscribed to our Managed Detection and Response service, Darktrace’s SOC extended a ‘Quarantine Device’ action that had already been autonomously applied in order to buy their security team additional time for remediation.

Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.
Figure 8: Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.

Conclusion

ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses. By tricking end point users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data.

Darktrace’s anomaly-based approach to threat detection identifies early indicators of targeted attacks without relying on prior knowledge or IoCs. By continuously learning each device’s unique pattern of life, Darktrace detects subtle deviations that may signal a compromise. In this case, Darktrace's Autonomous Response, when operating in a fully autonomous mode, was able to swiftly contain the threat before it could progress further along the attack lifecycle.

Credit to Keanna Grelicha (Cyber Analyst) and Jennifer Beckett (Cyber Analyst)

Appendices

NETWORK Models

  • Device / New PowerShell User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Anomalous Connection / Powershell to Rare External
  • Device / Suspicious Domain
  • Device / New User Agent and New IP
  • Anomalous File / New User Agent Followed By Numeric File Download (Enhanced Monitoring Model)
  • Device / Initial Attack Chain Activity (Enhanced Monitoring Model)

Autonomous Response Models

  • Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block
  • Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block
  • Antigena / Network::External Threat::Antigena File then New Outbound Block
  • Antigena / Network::External Threat::Antigena Suspicious File Block
  • Antigena / Network::Significant Anomaly::Antigena Alerts Over Time Block
  • Antigena / Network::External Threat::Antigena Suspicious File Block

IoC - Type - Description + Confidence

·       141.193.213[.]11 – IP address – Possible C2 Infrastructure

·       141.193.213[.]10 – IP address – Possible C2 Infrastructure

·       64.94.84[.]217 – IP address – Possible C2 Infrastructure

·       138.199.156[.]22 – IP address – C2 server

·       94.181.229[.]250 – IP address – Possible C2 Infrastructure

·       216.245.184[.]181 – IP address – Possible C2 Infrastructure

·       212.237.217[.]182 – IP address – Possible C2 Infrastructure

·       168.119.96[.]41 – IP address – Possible C2 Infrastructure

·       193.36.38[.]237 – IP address – C2 server

·       188.34.195[.]44 – IP address – C2 server

·       205.196.186[.]70 – IP address – Possible C2 Infrastructure

·       rkuagqnmnypetvf[.]top – Hostname – C2 server

·       shorturl[.]at/UB6E6 – Hostname – Possible C2 Infrastructure

·       tlgrm-redirect[.]icu – Hostname – Possible C2 Infrastructure

·       diagnostics.medgenome[.]com – Hostname – Compromised Website

·       /1741714208 – URI – Possible malicious file

·       /1741718928 – URI – Possible malicious file

·       /1743871488 – URI – Possible malicious file

·       /1741200416 – URI – Possible malicious file

·       /1741356624 – URI – Possible malicious file

·       /ttt – URI – Possible malicious file

·       /1741965536 – URI – Possible malicious file

·       /1.txt – URI – Possible malicious file

·       /1744205184 – URI – Possible malicious file

·       /1744139920 – URI – Possible malicious file

·       /1744134352 – URI – Possible malicious file

·       /1744125600 – URI – Possible malicious file

·       /1[.]php?s=527 – URI – Possible malicious file

·       34ff2f72c191434ce5f20ebc1a7e823794ac69bba9df70721829d66e7196b044 – SHA-256 Hash – Possible malicious file

·       10a5eab3eef36e75bd3139fe3a3c760f54be33e3 – SHA-1 Hash – Possible malicious file

MITRE ATT&CK Mapping

Tactic – Technique – Sub-Technique  

Spearphishing Link - INITIAL ACCESS - T1566.002 - T1566

Drive-by Compromise - INITIAL ACCESS - T1189

PowerShell - EXECUTION - T1059.001 - T1059

Exploitation of Remote Services - LATERAL MOVEMENT - T1210

Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

Automated Exfiltration - EXFILTRATION - T1020 - T1020.001

References

[1] https://www.logpoint.com/en/blog/emerging-threats/clickfix-another-deceptive-social-engineering-technique/

[2] https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

[3] https://cyberresilience.com/threatonomics/understanding-the-clickfix-attack/

[4] https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/

[5] https://www.virustotal.com/gui/ip-address/193.36.38.237/detection

[6] https://www.virustotal.com/gui/ip-address/188.34.195.44/community

[7] https://www.virustotal.com/gui/ip-address/138.199.156.22/detection

Continue reading
About the author
Keanna Grelicha
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI