Blog
/
Network
/
March 12, 2025

Darktrace's Detection of State-Linked ShadowPad Malware

In 2024, Darktrace identified a cluster of intrusions involving the state-linked malware, ShadowPad. This blog will detail ShadowPad and the associated activities detected by Darktrace.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Mar 2025


An integral part of cybersecurity is anomaly detection, which involves identifying unusual patterns or behaviors in network traffic that could indicate malicious activity, such as a cyber-based intrusion. However, attribution remains one of the ever present challenges in cybersecurity. Attribution involves the process of accurately identifying and tracing the source to a specific threat actor(s).

Given the complexity of digital networks and the sophistication of attackers who often use proxies or other methods to disguise their origin, pinpointing the exact source of a cyberattack is an arduous task. Threat actors can use proxy servers, botnets, sophisticated techniques, false flags, etc. Darktrace’s strategy is rooted in the belief that identifying behavioral anomalies is crucial for identifying both known and novel threat actor campaigns.

The ShadowPad cluster

Between July 2024 and November 2024, Darktrace observed a cluster of activity threads sharing notable similarities. The threads began with a malicious actor using compromised user credentials to log in to the target organization's Check Point Remote Access virtual private network (VPN) from an attacker-controlled, remote device named 'DESKTOP-O82ILGG'.  In one case, the IP from which the initial login was carried out was observed to be the ExpressVPN IP address, 194.5.83[.]25. After logging in, the actor gained access to service account credentials, likely via exploitation of an information disclosure vulnerability affecting Check Point Security Gateway devices. Recent reporting suggests this could represent exploitation of CVE-2024-24919 [27,28]. The actor then used these compromised service account credentials to move laterally over RDP and SMB, with files related to the modular backdoor, ShadowPad, being delivered to the  ‘C:\PerfLogs\’ directory of targeted internal systems. ShadowPad was seen communicating with its command-and-control (C2) infrastructure, 158.247.199[.]185 (dscriy.chtq[.]net), via both HTTPS traffic and DNS tunneling, with subdomains of the domain ‘cybaq.chtq[.]net’ being used in the compromised devices’ TXT DNS queries.

Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Figure 1: Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.
Figure 2: Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.

Darktrace observed these ShadowPad activity threads within the networks of European-based customers in the manufacturing and financial sectors.  One of these intrusions was followed a few months later by likely state-sponsored espionage activity, as detailed in the investigation of the year in Darktrace’s Annual Threat Report 2024.

[related-resource]

Related ShadowPad activity

Additional cases of ShadowPad were observed across Darktrace’s customer base in 2024. In some cases, common C2 infrastructure with the cluster discussed above was observed, with dscriy.chtq[.]net and cybaq.chtq[.]net both involved; however, no other common features were identified. These ShadowPad infections were observed between April and November 2024, with customers across multiple regions and sectors affected.  Darktrace’s observations align with multiple other public reports that fit the timeframe of this campaign.

Darktrace has also observed other cases of ShadowPad without common infrastructure since September 2024, suggesting the use of this tool by additional threat actors.

The data theft thread

One of the Darktrace customers impacted by the ShadowPad cluster highlighted above was a European manufacturer. A distinct thread of activity occurred within this organization’s network several months after the ShadowPad intrusion, in October 2024.

The thread involved the internal distribution of highly masqueraded executable files via Sever Message Block (SMB) and WMI (Windows Management Instrumentation), the targeted collection of sensitive information from an internal server, and the exfiltration of collected information to a web of likely compromised sites. This observed thread of activity, therefore, consisted of three phrases: lateral movement, collection, and exfiltration.

The lateral movement phase began when an internal user device used an administrative credential to distribute files named ‘ProgramData\Oracle\java.log’ and 'ProgramData\Oracle\duxwfnfo' to the c$ share on another internal system.  

Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.
Figure 3: Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.

Over the next few days, Darktrace detected several other internal systems using administrative credentials to upload files with the following names to the c$ share on internal systems:

ProgramData\Adobe\ARM\webservices.dll

ProgramData\Adobe\ARM\wksprt.exe

ProgramData\Oracle\Java\wksprt.exe

ProgramData\Oracle\Java\webservices.dll

ProgramData\Microsoft\DRM\wksprt.exe

ProgramData\Microsoft\DRM\webservices.dll

ProgramData\Abletech\Client\webservices.dll

ProgramData\Abletech\Client\client.exe

ProgramData\Adobe\ARM\rzrmxrwfvp

ProgramData\3Dconnexion\3DxWare\3DxWare.exe

ProgramData\3Dconnexion\3DxWare\webservices.dll

ProgramData\IDMComp\UltraCompare\updater.exe

ProgramData\IDMComp\UltraCompare\webservices.dll

ProgramData\IDMComp\UltraCompare\imtrqjsaqmm

Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.
Figure 4: Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.

The threat actor appears to have abused the Microsoft RPC (MS-RPC) service, WMI, to execute distributed payloads, as evidenced by the ExecMethod requests to the IWbemServices RPC interface which immediately followed devices’ SMB uploads.  

Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.
Figure 5: Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.

Several of the devices involved in these lateral movement activities, both on the source and destination side, were subsequently seen using administrative credentials to download tens of GBs of sensitive data over SMB from a specially selected server.  The data gathering stage of the threat sequence indicates that the threat actor had a comprehensive understanding of the organization’s system architecture and had precise objectives for the information they sought to extract.

Immediately after collecting data from the targeted server, devices went on to exfiltrate stolen data to multiple sites. Several other likely compromised sites appear to have been used as general C2 infrastructure for this intrusion activity. The sites used by the threat actor for C2 and data exfiltration purport to be sites for companies offering a variety of service, ranging from consultancy to web design.

Screenshot of one of the likely compromised sites used in the intrusion. 
Figure 6: Screenshot of one of the likely compromised sites used in the intrusion.

At least 16 sites were identified as being likely data exfiltration or C2 sites used by this threat actor in their operation against this organization. The fact that the actor had such a wide web of compromised sites at their disposal suggests that they were well-resourced and highly prepared.  

Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Figure 7: Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com    
Figure 8: Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com  

Cyber AI Analyst spotlight

Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.
Figure 9: Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.  
Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.
Figure 10: Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.

As shown in the above figures, Cyber AI Analyst’s ability to thread together the different steps of these attack chains are worth highlighting.

In the ShadowPad attack chains, Cyber AI Analyst was able to identify SMB writes from the VPN subnet to the DC, and the C2 connections from the DC. It was also able to weave together this activity into a single thread representing the attacker’s progression.

Similarly, in the data exfiltration attack chain, Cyber AI Analyst identified and connected multiple types of lateral movement over SMB and WMI and external C2 communication to various external endpoints, linking them in a single, connected incident.

These Cyber AI Analyst actions enabled a quicker understanding of the threat actor sequence of events and, in some cases, faster containment.

Attribution puzzle

Publicly shared research into ShadowPad indicates that it is predominantly used as a backdoor in People’s Republic of China (PRC)-sponsored espionage operations [5][6][7][8][9][10]. Most publicly reported intrusions involving ShadowPad  are attributed to the China-based threat actor, APT41 [11][12]. Furthermore, Google Threat Intelligence Group (GTIG) recently shared their assessment that ShadowPad usage is restricted to clusters associated with APT41 [13]. Interestingly, however, there have also been public reports of ShadowPad usage in unattributed intrusions [5].

The data theft activity that later occurred in the same Darktrace customer network as one of these ShadowPad compromises appeared to be the targeted collection and exfiltration of sensitive data. Such an objective indicates the activity may have been part of a state-sponsored operation. The tactics, techniques, and procedures (TTPs), artifacts, and C2 infrastructure observed in the data theft thread appear to resemble activity seen in previous Democratic People’s Republic of Korea (DPRK)-linked intrusion activities [15] [16] [17] [18] [19].

The distribution of payloads to the following directory locations appears to be a relatively common behavior in DPRK-sponsored intrusions.

Observed examples:

C:\ProgramData\Oracle\Java\  

C:\ProgramData\Adobe\ARM\  

C:\ProgramData\Microsoft\DRM\  

C:\ProgramData\Abletech\Client\  

C:\ProgramData\IDMComp\UltraCompare\  

C:\ProgramData\3Dconnexion\3DxWare\

Additionally, the likely compromised websites observed in the data theft thread, along with some of the target URI patterns seen in the C2 communications to these sites, resemble those seen in previously reported DPRK-linked intrusion activities.

No clear evidence was found to link the ShadowPad compromise to the subsequent data theft activity that was observed on the network of the manufacturing customer. It should be noted, however, that no clear signs of initial access were found for the data theft thread – this could suggest the ShadowPad intrusion itself represents the initial point of entry that ultimately led to data exfiltration.

Motivation-wise, it seems plausible for the data theft thread to have been part of a DPRK-sponsored operation. DPRK is known to pursue targets that could potentially fulfil its national security goals and had been publicly reported as being active in months prior to this intrusion [21]. Furthermore, the timing of the data theft aligns with the ratification of the mutual defense treaty between DPRK and Russia and the subsequent accused activities [20].

Darktrace assesses with medium confidence that a nation-state, likely DPRK, was responsible, based on our investigation, the threat actor applied resources, patience, obfuscation, and evasiveness combined with external reporting, collaboration with the cyber community, assessing the attacker’s motivation and world geopolitical timeline, and undisclosed intelligence.


Conclusion

When state-linked cyber activity occurs within an organization’s environment, previously unseen C2 infrastructure and advanced evasion techniques will likely be used. State-linked cyber actors, through their resources and patience, are able to bypass most detection methods, leaving anomaly-based methods as a last line of defense.

Two threads of activity were observed within Darktrace’s customer base over the last year: The first operation involved the abuse of Check Point VPN credentials to log in remotely to organizations’ networks, followed by the distribution of ShadowPad to an internal domain controller. The second operation involved highly targeted data exfiltration from the network of one of the customers impacted by the previously mentioned ShadowPad activity.

Despite definitive attribution remaining unresolved, both the ShadowPad and data exfiltration activities were detected by Darktrace’s Self-Learning AI, with Cyber AI Analyst playing a significant role in identifying and piecing together the various steps of the intrusion activities.  

Credit to Sam Lister (R&D Detection Analyst), Emma Foulger (Principal Cyber Analyst), Nathaniel Jones (VP), and the Darktrace Threat Research team.

Appendices

Darktrace / NETWORK model alerts

User / New Admin Credentials on Client

Anomalous Connection / Unusual Admin SMB Session

Compliance / SMB Drive Write  

Device / Anomalous SMB Followed By Multiple Model Breaches

Anomalous File / Internal / Unusual SMB Script Write

User / New Admin Credentials on Client  

Anomalous Connection / Unusual Admin SMB Session

Compliance / SMB Drive Write

Device / Anomalous SMB Followed By Multiple Model Breaches

Anomalous File / Internal / Unusual SMB Script Write

Device / New or Uncommon WMI Activity

Unusual Activity / Internal Data Transfer

Anomalous Connection / Download and Upload

Anomalous Server Activity / Rare External from Server

Compromise / Beacon to Young Endpoint

Compromise / Agent Beacon (Short Period)

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Connection / POST to PHP on New External Host

Compromise / Sustained SSL or HTTP Increase

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Device / Multiple C2 Model Alerts

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Download and Upload

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Low and Slow Exfiltration

Anomalous Connection / Uncommon 1 GiB Outbound  

MITRE ATT&CK mapping

(Technique name – Tactic ID)

ShadowPad malware threads

Initial Access - Valid Accounts: Domain Accounts (T1078.002)

Initial Access - External Remote Services (T1133)

Privilege Escalation - Exploitation for Privilege Escalation (T1068)

Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)

Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)

Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)

Lateral Movement - Remote Services: SMB/Windows Admin Shares (T1021.002)

Command and Control - Proxy: Internal Proxy (T1090.001)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Encrypted Channel: Asymmetric Cryptography (T1573.002)

Command and Control - Application Layer Protocol: DNS (T1071.004)

Data theft thread

Resource Development - Compromise Infrastructure: Domains (T1584.001)

Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)

Privilege Escalation - Valid Accounts: Domain Accounts (T1078.002)

Execution - Windows Management Instrumentation (T1047)

Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)

Defense Evasion - Obfuscated Files or Information (T1027)

Lateral Movement - Remote Services: SMB/Windows Admin Shares (T1021.002)

Collection - Data from Network Shared Drive (T1039)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Encrypted Channel: Asymmetric Cryptography (T1573.002)

Command and Control - Proxy: External Proxy (T1090.002)

Exfiltration - Exfiltration Over C2 Channel (T1041)

Exfiltration - Data Transfer Size Limits (T1030)

List of indicators of compromise (IoCs)

IP addresses and/or domain names (Mid-high confidence):

ShadowPad thread

- dscriy.chtq[.]net • 158.247.199[.]185 (endpoint of C2 comms)

- cybaq.chtq[.]net (domain name used for DNS tunneling)  

Data theft thread

- yasuconsulting[.]com (45.158.12[.]7)

- hobivan[.]net (94.73.151[.]72)

- mediostresbarbas.com[.]ar (75.102.23[.]3)

- mnmathleague[.]org (185.148.129[.]24)

- goldenborek[.]com (94.138.200[.]40)

- tunemmuhendislik[.]com (94.199.206[.]45)

- anvil.org[.]ph (67.209.121[.]137)

- partnerls[.]pl (5.187.53[.]50)

- angoramedikal[.]com (89.19.29[.]128)

- awork-designs[.]dk (78.46.20[.]225)

- digitweco[.]com (38.54.95[.]190)

- duepunti-studio[.]it (89.46.106[.]61)

- scgestor.com[.]br (108.181.92[.]71)

- lacapannadelsilenzio[.]it (86.107.36[.]15)

- lovetamagotchith[.]com (203.170.190[.]137)

- lieta[.]it (78.46.146[.]147)

File names (Mid-high confidence):

ShadowPad thread:

- perflogs\1.txt

- perflogs\AppLaunch.exe

- perflogs\F4A3E8BE.tmp

- perflogs\mscoree.dll

Data theft thread

- ProgramData\Oracle\java.log

- ProgramData\Oracle\duxwfnfo

- ProgramData\Adobe\ARM\webservices.dll

- ProgramData\Adobe\ARM\wksprt.exe

- ProgramData\Oracle\Java\wksprt.exe

- ProgramData\Oracle\Java\webservices.dll

- ProgramData\Microsoft\DRM\wksprt.exe

- ProgramData\Microsoft\DRM\webservices.dll

- ProgramData\Abletech\Client\webservices.dll

- ProgramData\Abletech\Client\client.exe

- ProgramData\Adobe\ARM\rzrmxrwfvp

- ProgramData\3Dconnexion\3DxWare\3DxWare.exe

- ProgramData\3Dconnexion\3DxWare\webservices.dll

- ProgramData\IDMComp\UltraCompare\updater.exe

- ProgramData\IDMComp\UltraCompare\webservices.dll

- ProgramData\IDMComp\UltraCompare\imtrqjsaqmm

- temp\HousecallLauncher64.exe

Attacker-controlled device hostname (Mid-high confidence)

- DESKTOP-O82ILGG

References  

[1] https://www.kaspersky.com/about/press-releases/shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world  

[2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf

[3] https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

[4] https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

[5] https://assets.sentinelone.com/c/Shadowpad?x=P42eqA

[6] https://www.cyfirma.com/research/the-origins-of-apt-41-and-shadowpad-lineage/

[7] https://www.csoonline.com/article/572061/shadowpad-has-become-the-rat-of-choice-for-several-state-sponsored-chinese-apts.html

[8] https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group

[9] https://cymulate.com/threats/shadowpad-privately-sold-malware-espionage-tool/

[10] https://www.secureworks.com/research/shadowpad-malware-analysis

[11] https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/

[12] https://hackerseye.net/all-blog-items/tails-from-the-shadow-apt-41-injecting-shadowpad-with-sideloading/

[13] https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator

[14] https://www.domaintools.com/wp-content/uploads/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf

[15] https://www.nccgroup.com/es/research-blog/north-korea-s-lazarus-their-initial-access-trade-craft-using-social-media-and-social-engineering/  

[16] https://www.microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

[17] https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/  

[18] https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/  

[19] https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html  

[20] https://usun.usmission.gov/joint-statement-on-the-unlawful-arms-transfer-by-the-democratic-peoples-republic-of-korea-to-russia/

[21] https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/1/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF  

[22] https://kyivindependent.com/first-north-korean-troops-deployed-to-front-line-in-kursk-oblast-ukraines-military-intelligence-says/

[23] https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/  

[24] https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/  

[25] https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/    

[26] https://thehackernews.com/2022/06/state-backed-hackers-using-ransomware.html/  

[27] https://blog.checkpoint.com/security/check-point-research-explains-shadow-pad-nailaolocker-and-its-protection/

[28] https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors

[related-resource]

AI Cybersecurity: Insights for 2025

We surveyed 1,500+ cybersecurity professionals globally to explore their views, knowledge, and priorities on AI cybersecurity in 2025.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst

More in this series

No items found.

Blog

/

/

April 29, 2025

MFA Under Attack: AiTM Phishing Kits Abusing Legitimate Services

fingerprintDefault blog imageDefault blog image

In late 2024 and early 2025, the Darktrace Security Operations Center (SOC) investigated alerts regarding separate cases of Software-as-a-Service (SaaS) account compromises on two customer environments that presented several similarities, suggesting they were part of a wider phishing campaign.

This campaign was found to leverage the project collaboration and note-taking application, Milanote, and the Tycoon 2FA phishing kit.

Legitimate services abused

As highlighted in Darktrace's 2024 Annual Threat Report [1], threat actors are abusing legitimate services, like Milanote, in their phishing campaigns. By leveraging these trusted platforms and domains, malicious actors can bypass traditional security measures, making their phishing emails appear benign and increasing the likelihood of successful attacks.

Darktrace categorizes these senders and platforms as free content senders. These services allow users to send emails containing custom content (e.g., files) from fully validated, fixed service address belonging to legitimate corporations. Although some of these services permit full body and subject customization by attackers, the structure of these emails is generally consistent, making it challenging to differentiate between legitimate and malicious emails.

What is Tycoon 2FA?

Tycoon 2FA is an Adversary-in-the-Middle (AitM) phishing kit, first seen in August 2023 and distributed via the Phishing-as-a-Service (PhaaS) model [2]. It targets multi-factor authentication (MFA) by intercepting credentials and MFA tokens during authentication on fake Microsoft or Google login pages. The attacker captures session cookies after MFA is completed, allowing them to replay the session and access the user account, even if credentials are reset. The rise in MFA use has increased the popularity of AitM phishing kits like Tycoon 2FA and Mamba 2FA, another AiTM phishing kit investigated by Darktrace.

Initial access via phishing email

At the beginning of 2025, Darktrace observed phishing emails leveraging Milanote being sent to multiple internal recipients in an organization. In this attack, the same email was sent to 19 different users, all of which were held by Darktrace.

The subject line of the emails mentioned both a legitimate internal user of the company, the company name, as well as a Milanote board regarding a “new agreement” in German. It is a common social engineering technique to mention urgent matters, such as unpaid invoices, expired passwords, or awaiting voicemails, in the subject line to prompt immediate action from the user. However, this tactic is now widely covered in phishing awareness training, making users more suspicious of such emails. In this case, while the subject mentioned a “new agreement,” likely raising the recipient’s curiosity, the tone remained professional and not overly alarming. Additionally, the mention of a colleague and the standardized language typical of free content sender emails further helped dispel concerns regarding the email.

These emails were sent by the legitimate address support@milanote[.]com and referenced "Milanote" in the personal field of the header but originated from the freemail address “ahnermatternk.ef.od.13@gmail[.]com”. Darktrace / EMAIL recognized that none of the recipients had previously received a file share email from Milanote, making this sender unfamiliar in the customer's email environment

The emails contained several benign links to legitimate Milanote endpoints (including an unsubscribe link) which were not flagged by Darktrace. However, they also included a malicious link designed to direct recipients to a pre-filled credential harvesting page hosted on Milanote, prompting them to register for an account. Despite not blocking the legitimate Milanote links in the same email, Darktrace locked the malicious link, preventing users from visiting the credential harvester.

Credential harvesting page sent to recipients, as seen in. sandbox environment.
Figure 1: Credential harvesting page sent to recipients, as seen in. sandbox environment.

Around one minute later, one recipient received a legitimate email from Milanote confirming their successful account registration, indicating they had accessed the phishing page. This email had a lower anomaly score and was not flagged by Darktrace / EMAIL because, unlike the first email, it did not contain any suspicious links and was a genuine account registration notification. Similarly, in the malicious Milanote email, only the link leading to the phishing page was blocked, while the benign and legitimate Milanote links remained accessible, demonstrating Darktrace’s precise and targeted actioning.

A legitimate and a malicious Milanote email received by one recipient.
Figure 2: A legitimate and a malicious Milanote email received by one recipient.

Around the same time, Darktrace / NETWORK observed the same user’s device making DNS query for the domain name “lrn.ialeahed[.]com” , which has been flagged as a Tycoon 2FA domain [2], suggesting the use of this phishing platform.

Once the user had entered their details in the credential harvester, it is likely that they were presented a document hosted on Milanote that contained the final payload link – likely hidden behind text instructing users to access a “new agreement” document.

External research indicates that the user was likely directed to a Cloudflare Turnstile challenge meant to reroute unwanted traffic, such as automated security scripts and penetration testing tools [2] [3]. After these checks and other background processes are completed, the user is directed to the final landing page. In this case, it was likely a fake login prompt hosted on the attacker’s server, where the user is asked to authenticate to their account using MFA. By burrowing malicious links and files in this manner, threat actors can evade analysis by traditional security email gateways, effectively bypassing their protection.

Darktrace’s analysis of the structure and word content of the phishing emails resulted in an 82% probability score that the email was malicious, and the email further received a 67% phishing inducement score, representing how closely the structure and word content of the emails compared to typical phishing emails.

All these unusual elements triggered multiple alerts in Darktrace / EMAIL, focusing on two main suspicious aspects: a new, unknown sender with no prior correspondence with the recipients or the environment, and the inclusion of a link to a previously unseen file storage solution.

Milanote phishing email as seen within Darktrace / EMAIL.
Figure 3: Milanote phishing email as seen within Darktrace / EMAIL.

After detecting the fifth email, the “Sender Surge” model alert was triggered in Darktrace / EMAIL due to a significant number of recipients being emailed by this new suspicious sender in a short period. These recipients were from various departments across the customer’s organization, including sales, marketing, purchasing, and production. Darktrace / EMAIL determined that the emails were sent to a highly unusual group of internal recipients, further raising doubts about the business legitimacy.

Darktrace / EMAIL suggested actions to contain the attack by holding all Milanote phishing emails back from recipient’s inboxes, except for the detailed email with locked links. However, autonomous actions were not enabled at the time, allowing the initial email to reach recipients' inboxes, providing a brief window for interaction. Unfortunately, during this window, one recipient clicked on the Milanote payload link, leading to the compromise of their account.

SaaS account takeover

About three minutes after the malicious Milanote email was received, Darktrace / IDENTITY detected an unusual login to the email recipient’s SaaS account. The SaaS actor was observed accessing files from their usual location in Germany, while simultaneously, a 100% rare login occurred from a location in the US that had never been seen in the customer’s environment before. This login was also flagged as suspicious by Microsoft 365, triggering a 'Conditional Access Policy' that required MFA authentication, which was successfully completed.

Tycoon 2FA adnimistration panel login page dated from October 2023 [3].
Figure 4: Tycoon 2FA adnimistration panel login page dated from October 2023 [3].

Despite the successful authentication, Darktrace / IDENTITY recognized that the login from this unusual location, coupled with simultaneous activity in another geographically distant location, were highly suspicious. Darktrace went on to observe MFA-validated logins from three separate US-based IP addresses: 89.185.80[.]19, 5.181.3[.]68, and 38.242.7[.]252. Most of the malicious activity was performed from the latter, which is associated with the Hide My Ass (HMA) VPN network [5].

Darktrace’s detection of the suspicious login from the US while the legitimate user was logged in from Germany.
Figure 5: Darktrace’s detection of the suspicious login from the US while the legitimate user was logged in from Germany.
Darktrace’s detection of the suspicious login following successful MFA authentication.
Figure 6: Darktrace’s detection of the suspicious login following successful MFA authentication.

Following this, the malicious actor accessed the user’s inbox and created a new mailbox rule named “GTH” that deleted any incoming email containing the string “milanote” in the subject line or body. Rules like this are a common technique used by attackers to leverage compromised accounts for launching phishing campaigns and concealing replies to phishing emails that might raise suspicions among legitimate account holders. Using legitimate, albeit compromised, accounts to send additional phishing emails enhances the apparent legitimacy of the malicious emails. This tactic has been reported as being used by Tycoon 2FA attackers [4].

The attacker accessed over 140 emails within the legitimate user’s inbox, including both the inbox and the “Sent Items” folder. Notably, the attacker accessed five emails in the “Sent Items” folder and modified their attachments. These emails were mainly related to invoices, suggesting the threat actor may have been looking to hijack those email threads to send fake invoices or replicate previous invoice emails.

Darktrace’s Cyber AI AnalystTM launched autonomous investigations into the individual events surrounding this suspicious activity. It connected these separate events into a single, broad account takeover incident, providing the customer with a clearer view of the ongoing compromise.

Cyber AI Analyst’s detection of unusual SaaS account activities in a single incident.
Figure 7: Cyber AI Analyst’s detection of unusual SaaS account activities in a single incident.
Cyber AI Analyst investigation of suspicious activities performed by the attacker.
Figure 8: Cyber AI Analyst investigation of suspicious activities performed by the attacker.

Darktrace's response

Within three minutes of the first unusual login alert, Darktrace’s Autonomous Response intervened, disabling the compromised user account for two hours.

As the impacted customer was subscribed to the Managed Threat Detection Service, Darktrace’s SOC team investigated the activity further and promptly alerted the customer’s security team. With the user’s account still disabled by Autonomous Response, the attack was contained, allowing the customer’s security team valuable time to investigate and remediate. Within ten minutes of receiving the alert from Darktrace’s SOC, they reset the user’s password, closed all active SaaS sessions, and deleted the malicious email rule. Darktrace’s SOC further supported the customer through the Security Operations Service Support service by providing information about the data accessed and identifying any other affected users.

Autonomous Response actions carried out by Darktrace / IDENTITY to contain the malicious activity
Figure 9: Autonomous Response actions carried out by Darktrace / IDENTITY to contain the malicious activity.

A wider Milanote phishing campaign?

Around a month before this compromise activity, Darktrace alerted another customer to similar activities involving two compromised user accounts. These accounts created new inbox rules named “GFH” and “GVB” to delete all incoming emails containing the string “milanote” in their subject line and/or body.

The phishing emails that led to the compromise of these user accounts were similar to the ones discussed above. Specifically, these emails were sent via the Milanote platform and referenced a “new agreement” (in Spanish) being shared by a colleague. Additionally, the payload link included in the phishing emails showed the same UserPrincipalName (UPN) attribute (i.e., click?upn=u001.qLX9yCzR), which has been seen in other Milanote phishing emails leveraging Tycoon 2FA reported by OSINT sources [6]. Interestingly, in some cases, the email also referenced a “new agreement” in Portuguese, indicating a global campaign.

Based on the similarities in the rule’s naming convention and action, as well as the similarities in the phishing email subjects, it is likely that these were part of the same campaign leveraging Milanote and Tycoon 2FA to compromise user accounts. Since its introduction, the Tycoon 2FA phishing kit has undergone several enhancements to increase its stealth and obfuscation methods, making it harder for security tools to detect. For example, the latest versions contain special source code to obstruct web page analysis by defenders, prevent users from copying meaningful text from the phishing webpages, and disable the right-click menu to prevent offline analysis [4].

Conclusion

Threat actors are continually employing new methods to bypass security detection tools and measures. As highlighted in this blog, even robust security mechanisms like MFA can be compromised using AitM phishing kits. The misuse of legitimate services such as Milanote for malicious purposes can help attackers evade traditional email security solutions by blurring the distinction between legitimate and malicious content.

This is why security tools based on anomaly detection are crucial for defending against such attacks. However, user awareness is equally important. Delays in processing can impact the speed of response, making it essential for users to be informed about these threats.

Appendices

References

[1] https://www.darktrace.com/resources/annual-threat-report-2024

[2] https://www.validin.com/blog/tycoon_2fa_analyzing_and_hunting_phishing-as-a-service_domains

[3] https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/#h-iocs-amp-technical-details

[4] https://blog.barracuda.com/2025/01/22/threat-spotlight-tycoon-2fa-phishing-kit

[5] https://spur.us/context/38.242.7.252    

[6] https://any.run/report/5ef1ac94e4c6c1dc35579321c206453aea80d414108f9f77abd2e2b03ffbd658/be5351d9-53c0-470b-8708-ee2e29300e70

Indicators of Compromise (IoCs)

IoC         Type      Description + Probability

89.185.80[.]19 - IP Address - Malicious login

5.181.3[.]68 - IP Address -Malicious login

38.242.7[.]252 - IP Address - Malicious login and new email inbox rule creation -  Hide My Ass VPN

lrn.ialeahed[.]com – Hostname - Likely Tycoon 2FA domain

Darktrace Model Detections

Email alerts

Platforms / Free Content Sender + High Sender Surge

Platforms / Free Content Sender + Sender Surge

Platforms / Free Content Sender + Unknown Initiator

Platforms / Free Content Sender

Platforms / Free Content Sender + First Time Recipient

Unusual / New Sender Surge

Unusual / Sender Surge

Antigena Anomaly / High Antigena Anomaly

Association / Unknown Sender

History / New Sender

Link / High Rarity Link to File Storage

Link/ Link To File Storage

Link / Link to File Storage + Unknown Sender

Link / Low Link Association

Platforms / Free Content Sender + First Time Initiator

Platforms / Free Content Sender + Unknown Initiator + Freemail

Platforms / Free Content Sender Link

Unusual / Anomalous Association

Unusual / Unlikely Recipient Association

IDENTITY

SaaS / Access / Unusual External Source for SaaS Credential Use

SaaS / Compromise / Login from Rare High Risk Endpoint

SaaS / Access / M365 High Risk Level Login

SaaS / Compromise / Login From Rare Endpoint While User Is Active

SaaS / Access / MailItemsAccessed from Rare Endpoint

SaaS / Unusual Activity / Multiple Unusual SaaS Activities

SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

SaaS / Compliance / Anomalous New Email Rule

SaaS / Compromise / Unusual Login and New Email Rule

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

Antigena / SaaS / Antigena Suspicious SaaS Activity Block

Antigena / SaaS / Antigena Enhanced Monitoring from SaaS User Block

Antigena / SaaS / Antigena Unusual Activity Block

Antigena / SaaS / Antigena Suspicious SaaS and Email Activity Block

Cyber AI Analyst Incident

Possible Hijack of Office365 Account

MITRE ATT&CK Mapping

Tactic – Technique

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS - Cloud Accounts

INITIAL ACCESS - Phishing

CREDENTIAL ACCESS - Steal Web Session Cookie

PERSISTENCE - Account Manipulation

PERSISTENCE - Outlook Rules

RESOURCE DEVELOPMENT - Email Accounts

RESOURCE DEVELOPMENT - Compromise Accounts

Continue reading
About the author
Alexandra Sentenac
Cyber Analyst

Blog

/

/

April 29, 2025

The Importance of NDR in Resilient XDR

picture of hands typing on laptop Default blog imageDefault blog image

As threat actors become more adept at targeting and disabling EDR agents, relying solely on endpoint detection leaves critical blind spots.

Network detection and response (NDR) offers the visibility and resilience needed to catch what EDR can’t especially in environments with unmanaged devices or advanced threats that evade local controls.

This blog explores how threat actors can disable or bypass EDR-based XDR solutions and demonstrates how Darktrace’s approach to NDR closes the resulting security gaps with Self-Learning AI that enables autonomous, real-time detection and response.

Threat actors see local security agents as targets

Recent research by security firms has highlighted ‘EDR killers’: tools that deliberately target EDR agents to disable or damage them. These include the known malicious tool EDRKillShifter, the open source EDRSilencer, EDRSandblast and variants of Terminator, and even the legitimate business application HRSword.

The attack surface of any endpoint agent is inevitably large, whether the software is challenged directly, by contesting its local visibility and access mechanisms, or by targeting the Operating System it relies upon. Additionally, threat actors can readily access and analyze EDR tools, and due to their uniformity across environments an exploit proven in a lab setting will likely succeed elsewhere.

Sophos have performed deep research into the EDRShiftKiller tool, which ESET have separately shown became accessible to multiple threat actor groups. Cisco Talos have reported via TheRegister observing significant success rates when an EDR kill was attempted by ransomware actors.

With the local EDR agent silently disabled or evaded, how will the threat be discovered?

What are the limitations of relying solely on EDR?

Cyber attackers will inevitably break through boundary defences, through innovation or trickery or exploiting zero-days. Preventive measures can reduce but not completely stop this. The attackers will always then want to expand beyond their initial access point to achieve persistence and discover and reach high value targets within the business. This is the primary domain of network activity monitoring and NDR, which includes responsibility for securing the many devices that cannot run endpoint agents.

In the insights from a CISA Red Team assessment of a US CNI organization, the Red Team was able to maintain access over the course of months and achieve their target outcomes. The top lesson learned in the report was:

“The assessed organization had insufficient technical controls to prevent and detect malicious activity. The organization relied too heavily on host-based endpoint detection and response (EDR) solutions and did not implement sufficient network layer protections.”

This proves that partial, isolated viewpoints are not sufficient to track and analyze what is fundamentally a connected problem – and without the added visibility and detection capabilities of NDR, any downstream SIEM or MDR services also still have nothing to work with.

Why is network detection & response (NDR) critical?

An effective NDR finds threats that disable or can’t be seen by local security agents and generally operates out-of-band, acquiring data from infrastructure such as traffic mirroring from physical or virtual switches. This means that the security system is extremely inaccessible to a threat actor at any stage.

An advanced NDR such as Darktrace / NETWORK is fully capable of detecting even high-end novel and unknown threats.

Detecting exploitation of Ivanti CS/PS with Darktrace / NETWORK

On January 9th 2025, two new vulnerabilities were disclosed in Ivanti Connect Secure and Policy Secure appliances that were under malicious exploitation. Perimeter devices, like Ivanti VPNs, are designed to keep threat actors out of a network, so it's quite serious when these devices are vulnerable.

An NDR solution is critical because it provides network-wide visibility for detecting lateral movement and threats that an EDR might miss, such as identifying command and control sessions (C2) and data exfiltration, even when hidden within encrypted traffic and which an EDR alone may not detect.

Darktrace initially detected suspicious activity connected with the exploitation of CVE-2025-0282 on December 29, 2024 – 11 days before the public disclosure of the vulnerability, this early detection highlights the benefits of an anomaly-based network detection method.

Throughout the campaign and based on the network telemetry available to Darktrace, a wide range of malicious activities were identified, including the malicious use of administrative credentials, the download of suspicious files, and network scanning in the cases investigated.

Darktrace / NETWORK’s autonomous response capabilities played a critical role in containment by autonomously blocking suspicious connections and enforcing normal behavior patterns. At the same time, Darktrace Cyber AI Analyst™ automatically investigated and correlated the anomalous activity into cohesive incidents, revealing the full scope of the compromise.

This case highlights the importance of real-time, AI-driven network monitoring to detect and disrupt stealthy post-exploitation techniques targeting unmanaged or unprotected systems.

Unlocking adaptive protection for evolving cyber risks

Darktrace / NETWORK uses unique AI engines that learn what is normal behavior for an organization’s entire network, continuously analyzing, mapping and modeling every connection to create a full picture of your devices, identities, connections, and potential attack paths.

With its ability to uncover previously unknown threats as well as detect known threats Darktrace is an essential layer of the security stack. Darktrace has helped secure customers against attacks including 2024 threat actor campaigns against Fortinet’s FortiManager , Palo Alto firewall devices, and more.  

Stay tuned for part II of this series which dives deeper into the differences between NDR types.

Credit to Nathaniel Jones VP, Security & AI Strategy, FCISO & Ashanka Iddya, Senior Director of Product Marketing for their contribution to this blog.

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI