Blog
/
Network
/
June 2, 2025

Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response

Darktrace announces its Leader position in the inaugural Gartner® Magic Quadrant™ for Network Detection and Response (NDR).
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Man using darktrace security software on computerDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Jun 2025

Darktrace has been recognized as a Leader in the first ever Magic Quadrant™ for Network Detection and Response (NDR).

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. CIOs and CISOs can use this research to make informed decisions about NDR, which is evolving to offer broader threat detection. We encourage our customers to read the full report to get the complete picture.

Darktrace has also received accolades in other recent NDR leadership evaluations including IDC named as market share leader, and  KuppingerCole’s heralding us as an Overall Leader, Product Leader, Market Leader and Innovation Leader. We believe we have continued to be identified as a Leader due to the strength of our capabilities in NDR, driven by our unique application of AI in cybersecurity, continuous product innovation, and our ability to execute on a global scale to meet the evolving needs of our customers.

We’re proud of Darktrace’s unrivaled market, and ability to execute effectively in the network security market, reflecting our commitment to delivering high-quality, reliable solutions that meet the evolving needs of our customers.

Gartner MQ for NDR, NDR mq, Gartner NDR, Gartner best NDR solution
Gartner MQ for NDR

Why is Darktrace the market share leader and undisputed force in NDR?

Transforming network security and shifting to an AI-led SOC

Darktrace’s Self-Learning AITM understands normal for your entire network, intelligently detecting anomalies and containing sophisticated threats without historical attack data. This approach, based on advanced, unsupervised machine learning, enables Darktrace to catch novel, unknown and insider threats that traditional tools miss and other NDR vendors can’t detect. Darktrace has identified and contained attempted exploits of zero-day vulnerabilities up to 11 days before public disclosure.

We change SOC dynamics with our Cyber AI AnalystTM, which eliminates manual triage and investigation by contextualizing all relevant alerts across your environment, including third-party alerts, and performing end-to-end investigations at machine speed. Cyber AI Analyst gives your team the equivalent of 30 extra full time Level 2 analysts without the hiring overhead2, so you can shift your team away from manual, reactive workflows and uplift them to focus on more proactive tasks.

When combined, Darktrace Self-Learning AI and Cyber AI Analyst go far beyond the capabilities of traditional NDR approaches to completely transform your network security and help your teams operate at the speed and scale of AI.

Coverage across the extended IT enterprise and all-important OT devices

We believe the report validates the business-centric approach that Darktrace uses to deploy AI locally and train it solely on each unique environment, giving our customers tailored security outcomes without compromising on privacy.

This contrasts with other NDR vendors that require cloud connectivity to either deliver full functionality or to regularly update their globally trained models with the latest attack data. This capability is particularly sought after by organizations who are no longer just on-premise, have operational technology (OT) networks, or those that operate in classified environments.

Darktrace serves these organizations and industries by extending IT and unifying OT security within a single solution, reducing alert fatigue and accelerating alert investigation in industrial environments.

With Darktrace / NETWORK you can achieve:

  • Full visibility across your modern network, including on-premises, virtual networks, hybrid cloud, identities, remote workers and OT devices
  • Precision threat detection across your modern network to identify known, unknown and insider threats in real-time without relying on rules, signatures or threat intelligence,
  • 10x accelerated incident response times with agentic AI that uplifts your team and enables them to focus on more proactive tasks
  • Containment of threats with the first autonomous response solution proven to work in the enterprise, stopping attacks from progressing at the earliest stages with precise actions that avoid business disruption

Going beyond traditional NDR to build proactive network resilience

Darktrace does not just stop at threat detection, it helps you prevent threats from occurring and increase your resiliency for when attacks do happen. We help discover and prioritize up to 50% more risks across your environment and optimize incident response processes, reducing the impact of active cyber-attacks using an understanding of your data.

Attack path modeling: By leveraging attack path modeling and AI-driven risk validation, customers can close gaps before they’re exploited, focusing resources where they’ll have the greatest impact.

AI-driven playbooks and breach simulations: With AI-driven playbooks and realistic breach simulations, Darktrace helps your team practice response, strengthen processes, and reduce the impact of real-world incidents. You’re not just reacting; you’re proactively building long-term resilience.

Continued innovation in network security

Darktrace leads innovation in the NDR market with more than 200+ patents and active filings, covering a range of detection, response and AI techniques. Our AI Research Center is foundational to our ongoing innovation, including hundreds of R&D employees examining how AI can be applied to real-world problems and augment human teams.

Trusted by thousands of customers globally

Our commitment to innovation and patented Self-Learning AITM has protected organizations in all industries from known and novel attacks since 2013, bolstering network security and augmenting human teams for our 10,000 active customers across 110 countries. These organizations place a great deal of trust in Darktrace’s unique approach to cybersecurity and application of AI to detect and respond to threats across their modern network.

A new standard for NDR

Darktrace / NETWORK is not just another NDR tool; we are the most advanced network security platform in the industry that pushes beyond traditional capabilities to protect thousands of organizations against known and novel threats.

From real-time threat detection and autonomous response to proactive risk management, we’re transforming network security from reactive to resilient.

[related-resource]

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

References

1, 3 Gartner, Magic Quadrant for Network Detection and Response, by Thomas Lintemuth, Esraa ElTahawy, John Collins, Charanpal Bhogal, 29 May, 2025

2 Darktrace Cyber AI Analyst fleet data, 2023

Download your copy today

Read the Gartner® Magic Quadrant™ report & discover what it means to be recognized in NDR as a leader.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response

More in this series

No items found.

Blog

/

Cloud

/

July 15, 2025

Forensics or Fauxrensics: Five Core Capabilities for Cloud Forensics and Incident Response

people working and walking in officeDefault blog imageDefault blog image

The speed and scale at which new cloud resources can be spun up has resulted in uncontrolled deployments, misconfigurations, and security risks. It has had security teams racing to secure their business’ rapid migration from traditional on-premises environments to the cloud.

While many organizations have successfully extended their prevention and detection capabilities to the cloud, they are now experiencing another major gap: forensics and incident response.

Once something bad has been identified, understanding its true scope and impact is nearly impossible at times. The proliferation of cloud resources across a multitude of cloud providers, and the addition of container and serverless capabilities all add to the complexities. It’s clear that organizations need a better way to manage cloud incident response.

Security teams are looking to move past their homegrown solutions and open-source tools to incorporate real cloud forensics capabilities. However, with the increased buzz around cloud forensics, it can be challenging to decipher what is real cloud forensics, and what is “fauxrensics.”

This blog covers the five core capabilities that security teams should consider when evaluating a cloud forensics and incident response solution.

[related-resource]

1. Depth of data

There have been many conversations among the security community about whether cloud forensics is just log analysis. The reality, however, is that cloud forensics necessitates access to a robust dataset that extends far beyond traditional log data sources.

While logs provide valuable insights, a forensics investigation demands a deeper understanding derived from multiple data sources, including disk, network, and memory, within the cloud infrastructure. Full disk analysis complements log analysis, offering crucial context for identifying the root cause and scope of an incident.

For instance, when investigating an incident involving a Kubernetes cluster running on an EC2 instance, access to bash history can provide insights into the commands executed by attackers on the affected instance, which would not be available through cloud logs alone.

Having all of the evidence in one place is also a capability that can significantly streamline investigations, unifying your evidence be it disk images, memory captures or cloud logs, into a single timeline allowing security teams to reconstruct an attacks origin, path and impact far more easily. Multi–cloud environments also require platforms that can support aggregating data from many providers and services into one place. Doing this enables more holistic investigations and reduces security blind spots.

There is also the importance of collecting data from ephemeral resources in modern cloud and containerized environments. Critical evidence can be lost in seconds as resources are constantly spinning up and down, so having the ability to capture this data before its gone can be a huge advantage to security teams, rather than having to figure out what happened after the affected service is long gone.

darktrace / cloud, cado, cloud logs, ost, and memory information. value of cloud combined analysis

2. Chain of custody

Chain of custody is extremely critical in the context of legal proceedings and is an essential component of forensics and incident response. However, chain of custody in the cloud can be extremely complex with the number of people who have access and the rise of multi-cloud environments.

In the cloud, maintaining a reliable chain of custody becomes even more complex than it already is, due to having to account for multiple access points, service providers and third parties. Having automated evidence tracking is a must. It means that all actions are logged, from collection to storage to access. Automation also minimizes the chance of human error, reducing the risk of mistakes or gaps in evidence handling, especially in high pressure fast moving investigations.

The ability to preserve unaltered copies of forensic evidence in a secure manner is required to ensure integrity throughout an investigation. It is not just a technical concern, its a legal one, ensuring that your evidence handling is documented and time stamped allows it to stand up to court or regulatory review.

Real cloud forensics platforms should autonomously handle chain of custody in the background, recording and safeguarding evidence without human intervention.

3. Automated collection and isolation

When malicious activity is detected, the speed at which security teams can determine root cause and scope is essential to reducing Mean Time to Response (MTTR).

Automated forensic data collection and system isolation ensures that evidence is collected and compromised resources are isolated at the first sign of malicious activity. This can often be before an attacker has had the change to move latterly or cover their tracks. This enables security teams to prevent potential damage and spread while a deeper-dive forensics investigation takes place. This method also ensures critical incident evidence residing in ephemeral environments is preserved in the event it is needed for an investigation. This evidence may only exist for minutes, leaving no time for a human analyst to capture it.

Cloud forensics and incident response platforms should offer the ability to natively integrate with incident detection and alerting systems and/or built-in product automation rules to trigger evidence capture and resource isolation.

4. Ease of use

Security teams shouldn’t require deep cloud or incident response knowledge to perform forensic investigations of cloud resources. They already have enough on their plates.

While traditional forensics tools and approaches have made investigation and response extremely tedious and complex, modern forensics platforms prioritize usability at their core, and leverage automation to drastically simplify the end-to-end incident response process, even when an incident spans multiple Cloud Service Providers (CSPs).

Useability is a core requirement for any modern forensics platform. Security teams should not need to have indepth knowledge of every system and resource in a given estate. Workflows, automation and guidance should make it possible for an analyst to investigate whatever resource they need to.

Unifying the workflow across multiple clouds can also save security teams a huge amount of time and resources. Investigations can often span multiple CSP’s. A good security platform should provide a single place to search, correlate and analyze evidence across all environments.

Offering features such as cross cloud support, data enrichment, a single timeline view, saved search, and faceted search can help advanced analysts achieve greater efficiency, and novice analysts are able to participate in more complex investigations.

5. Incident preparedness

Incident response shouldn't just be reactive. Modern security teams need to regularly test their ability to acquire new evidence, triage assets and respond to threats across both new and existing resources, ensuring readiness even in the rapidly changing environments of the cloud.  Having the ability to continuously assess your incident response and forensics workflows enables you to rapidly improve your processes and identify and mitigate any gaps identified that could prevent the organization from being able to effectively respond to potential threats.

Real forensics platforms deliver features that enable security teams to prepare extensively and understand their shortcomings before they are in the heat of an incident. For example, cloud forensics platforms can provide the ability to:

  • Run readiness checks and see readiness trends over time
  • Identify and mitigate issues that could prevent rapid investigation and response
  • Ensure the correct logging, management agents, and other cloud-native tools are appropriately configured and operational
  • Ensure that data gathered during an investigation can be decrypted
  • Verify that permissions are aligned with best practices and are capable of supporting incident response efforts

Cloud forensics with Darktrace

Darktrace delivers a proactive approach to cyber resilience in a single cybersecurity platform, including cloud coverage. Darktrace / CLOUD is a real time Cloud Detection and Response (CDR) solution built with advanced AI to make cloud security accessible to all security teams and SOCs. By using multiple machine learning techniques, Darktrace brings unprecedented visibility, threat detection, investigation, and incident response to hybrid and multi-cloud environments.

Darktrace’s cloud offerings have been bolstered with the acquisition of Cado Security Ltd., which enables security teams to gain immediate access to forensic-level data in multi-cloud, container, serverless, SaaS, and on-premises environments.

[related-resource]

Continue reading
About the author
Calum Hall
Technical Content Researcher

Blog

/

Cloud

/

July 10, 2025

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

password on computer screenDefault blog imageDefault blog image

Overview

Continued research by Darktrace has revealed that cryptocurrency users are being targeted by threat actors in an elaborate social engineering scheme that continues to evolve. In December 2024, Cado Security Labs detailed a campaign targeting Web 3 employees in the Meeten campaign. The campaign included threat actors setting up meeting software companies to trick users into joining meetings and installing the information stealer Realst disguised as video meeting software.

The latest research from Darktrace shows that this campaign is still ongoing and continues to trick targets to download software to drain crypto wallets. The campaign features:

  • Threat actors creating fake startup companies with AI, gaming, video meeting software, web3 and social media themes.
  • Use of compromised X (formerly Twitter) accounts for the companies and employees - typically with verification to contact victims and create a facade of a legitimate company.
  • Notion, Medium, Github used to provide whitepapers, project roadmaps and employee details.
  • Windows and macOS versions.
  • Stolen software signing certificates in Windows versions for credibility and defense evasion.
  • Anti-analysis techniques including obfuscation, and anti-sandboxing.

To trick as many victims as possible, threat actors try to make the companies look as legitimate as possible. To achieve this, they make use of sites that are used frequently with software companies such as Twitter, Medium, Github and Notion. Each company has a professional looking website that includes employees, product blogs, whitepapers and roadmaps. X is heavily used to contact victims, and to increase the appearance of legitimacy. Some of the observed X accounts appear to be compromised accounts that typically are verified and have a higher number of followers and following, adding to the appearance of a real company.

Example of a compromised X account to create a “BuzzuAI” employee.
Figure 1: Example of a compromised X account to create a “BuzzuAI” employee.

The threat actors are active on these accounts while the campaign is active, posting about developments in the software, and product marketing. One of the fake companies part of this campaign, “Eternal Decay”, a blockchain-powered game, has created fake pictures pretending to be presenting at conferences to post on social media, while the actual game doesn’t exist.

From the Eternal Decay X account, threat actors have altered a photo from an Italian exhibition (original on the right) to make it look like Eternal Decay was presented.
Figure 2: From the Eternal Decay X account, threat actors have altered a photo from an Italian exhibition (original on the right) to make it look like Eternal Decay was presented.

In addition to X, Medium is used to post blogs about the software. Notion has been used in various campaigns with product roadmap details, as well as employee lists.

Notion project team page for Swox.
Figure 3: Notion project team page for Swox.

Github has been used to detail technical aspects of the software, along with Git repositories containing stolen open-source projects with the name changed in order to make the code look unique. In the Eternal Decay example, Gitbook is used to detail company and software information. The threat actors even include company registration information from Companies House, however they have linked to a company with a similar name and are not a real registered company.

 From the Eternal Decay Gitbook linking to a company with a similar name on Companies House.
Figure 4: From the Eternal Decay Gitbook linking to a company with a similar name on Companies House.
Gitbook for “Eternal Decay” listing investors.
Figure 5: Gitbook for “Eternal Decay” listing investors.
Gameplay images are stolen from a different game “Zombie Within” and posted pretending to be Eternal Decay gameplay.
Figure 6: Gameplay images are stolen from a different game “Zombie Within” and posted pretending to be Eternal Decay gameplay.

In some of the fake companies, fake merchandise stores have even been set up. With all these elements combined, the threat actors manage to create the appearance of a legitimate start-up company, increasing their chances of infection.

Each campaign typically starts with a victim being contacted through X messages, Telegram or Discord. A fake employee of the company will contact a victim asking to test out their software in exchange for a cryptocurrency payment. The victim will be directed to the company website download page, where they need to enter a registration code, provided by the employee to download a binary. Depending on their operating system, the victim will be instructed to download a macOS DMG (if available) or a Windows Electron application.

Example of threat actor messaging a victim on X with a registration code.
Figure 7: Example of threat actor messaging a victim on X with a registration code.

Windows Version

Similar to the aforementioned Meeten campaign, the Windows version being distributed by the fake software companies is an Electron application. Electron is an open-source framework used to run Javascript apps as a desktop application. Once the user follows directions sent to them via message, opening the application will bring up a Cloudflare verification screen.

Cloudflare verification screen.
Figure 8: Cloudflare verification screen.

The malware begins by profiling the system, gathering information like the username, CPU and core count, RAM, operating system, MAC address, graphics card, and UUID.

Code from the Electron app showing console output of system profiling.
Figure 9: Code from the Electron app showing console output of system profiling.

A verification process occurs with a captcha token extracted from the app-launcher URL and sent along with the system info and UUID. If the verification is successful, an executable or MSI file is downloaded and executed quietly. Python is also retrieved and stored in /AppData/Temp, with Python commands being sent from the command-and-control (C2) infrastructure.

Code from the Electron app looping through Python objects.
Figure 10: Code from the Electron app looping through Python objects.

As there was no valid token, this process did not succeed. However, based on previous campaigns and reports from victims on social media, an information stealer targeting crypto wallets is executed at this stage. A common tactic in the observed campaigns is the use of stolen code signing certificates to evade detection and increase the appearance of legitimate software. The certificates of two legitimate companies Jiangyin Fengyuan Electronics Co., Ltd. and Paperbucketmdb ApS (revoked as of June 2025) were used during this campaign.

MacOS Version

For companies that have a macOS version of the malware, the user is directed to download a DMG. The DMG contains a bash script and a multiarch macOS binary. The bash script is obfuscated with junk, base64 and is XOR’d.

Obfuscated Bash script.
Figure 11: Obfuscated Bash script.

After decoding, the contents of the script are revealed showing that AppleScript is being used. The script looks for disk drives, specifically for the mounted DMG “SwoxApp” and moves the hidden .SwoxApp binary to /tmp/ and makes it executable. This type of AppleScript is commonly used in macOS malware, such as Atomic Stealer.

AppleScript used to mount the malware and make it executable.
Figure 12: AppleScript used to mount the malware and make it executable.

The SwoxApp binary is the prominent macOS information stealer Atomic Stealer. Once executed the malware performs anti-analysis checks for QEMU, VMWare and Docker-OSX, the script exits if these return true.  The main functionality of Atomic Stealer is to steal data from stores including browser data, crypto wallets, cookies and documents. This data is compressed into /tmp/out.zip and sent via POST request to 45[.]94[.]47[.]167/contact. An additional bash script is retrieved from 77[.]73[.]129[.]18:80/install.sh.

Additional Bash script ”install.sh”.
Figure 13: Additional Bash script ”install.sh”.

Install.sh, as shown in Figure 13, retrieves another script install_dynamic.sh from the server https://mrajhhosdoahjsd[.]com. Install_dynamic.sh downloads and extracts InstallerHelper.app, then sets up persistence via Launch Agent to run at login.

Persistence added via Plist configuration.
Figure 14: Persistence added via Plist configuration.

This plist configuration installs a macOS LaunchAgent that silently runs the app at user login. RunAtLoad and KeepAlive keys are used to ensure the app starts automatically and remains persistent.

The retrieved binary InstallerHelper is an Objective-C/Swift binary that logs active application usage, window information, and user interaction timestamps. This data is written to local log files and periodically transmits the contents to https://mrajhhoshoahjsd[.]com/collect-metrics using scheduled network requests.

List of known companies

Darktrace has identified a number of the fake companies used in this scam. These can be found in the list below:

Pollens AI
X: @pollensapp, @Pollens_app
Website: pollens.app, pollens.io, pollens.tech
Windows: 02a5b35be82c59c55322d2800b0b8ccc
Notes: Posing as an AI software company with a focus on “collaborative creation”.

Buzzu
X: @BuzzuApp, @AI_Buzzu, @AppBuzzu, @BuzzuApp
Website: Buzzu.app, Buzzu.us, buzzu.me, Buzzu.space
Windows: 7d70a7e5661f9593568c64938e06a11a
Mac: be0e3e1e9a3fda76a77e8c5743dd2ced
Notes: Same as Pollens including logo but with a different name.

Cloudsign
X: @cloudsignapp
Windows: 3a3b13de4406d1ac13861018d74bf4b2
Notes: Claims to be a document signing platform.

Swox
X: @SwoxApp, @Swox_AI, @swox_app, @App_Swox, @AppSwox, @SwoxProject, @ProjectSwox
Website: swox.io, swox.app, swox.cc, swoxAI.com, swox.us
Windows: d50393ba7d63e92d23ec7d15716c7be6
Mac: 81996a20cfa56077a3bb69487cc58405ced79629d0c09c94fb21ba7e5f1a24c9
Notes: Claims to be a “Next gen social network in the WEB3”. Same GitHub code as Pollens.

KlastAI
X: Links to Pollens X account
Website: Links to pollens.tech
Notes: Same as Pollens, still shows their branding on its GitHub readme page.

Wasper
X: @wasperAI, @WasperSpace
Website: wasper.pro, wasper.app, wasper.org, wasper.space
Notes: Same logo and GitHub code as Pollens.

Lunelior
Website: lunelior.net, Lunelior.app, lunelior.io, lunelior.us
Windows: 74654e6e5f57a028ee70f015ef3a44a4
Mac: d723162f9197f7a548ca94802df74101

BeeSync
X: @BeeSyncAI, @AIBeeSync
Website: beesync.ai, beesync.cc
Notes: Previous alias of Buzzu, Git repo renamed January 2025.

Slax
X: @SlaxApp, @Slax_app, @slaxproject
Website: slax.tech, slax.cc, slax.social, slaxai.app

Solune
X: @soluneapp
Website: solune.io, solune.me
Windows: 22b2ea96be9d65006148ecbb6979eccc

Eternal Decay
X: @metaversedecay
Website: eternal-decay.xyz
Windows: 558889183097d9a991cb2c71b7da3c51
Mac: a4786af0c4ffc84ff193ff2ecbb564b8

Dexis
X: @DexisApp
Website: dexis.app
Notes: Same branding as Swox.

NexVoo
X: @Nexvoospace
Website: nexvoo.app, Nexvoo.net, Nexvoo.us

NexLoop
X: @nexloopspace
Website: nexloop.me

NexoraCore
Notes: Rename of the Nexloop Git repo.

YondaAI
X: @yondaspace
Website: yonda.us

Traffer Groups

A “traffer” malware group is an organized cybercriminal operation that specializes in directing internet users to malicious content typically information-stealing malware through compromised or deceptive websites, ads, and links. They tend to operate in teams with hierarchical structures with administrators recruiting “traffers” (or affiliates) to generate traffic and malware installs via search engine optimization (SEO), YouTube ads, fake software downloads, or owned sites, then monetize the stolen credentials and data via dedicated marketplaces.

A prominent traffer group “CrazyEvil” was identified by Recorded Future in early 2025. The group, who have been active since at least 2021, specialize in social engineering attacks targeted towards cryptocurrency users, influencers, DeFi professionals, and gaming communities. As reported by Recorded Future, CrazyEvil are estimated to have made millions of dollars in revenue from their malicious activity. CrazyEvil and their sub teams create fake software companies, similar to the ones described in this blog, making use of Twitter and Medium to target victims. As seen in this campaign, CrazyEvil instructs users to download their software which is an info stealer targeting both macOS and Windows users.

While it is unclear if the campaigns described in this blog can be attributed to CrazyEvil or any sub teams, the techniques described are similar in nature. This campaign highlights the efforts that threat actors will go to make these fake companies look legitimate in order to steal cryptocurrency from victims, in addition to use of newer evasive versions of malware.

Indicators of Compromise (IoCs)

Manboon[.]com

https://gaetanorealty[.]com

Troveur[.]com

Bigpinellas[.]com

Dsandbox[.]com

Conceptwo[.]com

Aceartist[.]com

turismoelcasco[.]com

Ekodirect[.]com

https://mrajhhosdoahjsd[.]com

https://isnimitz.com/zxc/app[.]zip

http://45[.]94[.]47[.]112/contact

45[.]94[.]47[.]167/contact

77[.]73[.]129[.]18:80

Domain Keys associated with the C2s

YARA Rules

rule Suspicious_Electron_App_Installer

{

  meta:

      description = "Detects Electron apps collecting HWID, MAC, GPU info and executing remote EXEs/MSIs"

      date = "2025-06-18"

  strings:

      $electron_require = /require\(['"]electron['"]\)/

      $axios_require = /require\(['"]axios['"]\)/

      $exec_use = /exec\(.*?\)/

      $url_token = /app-launcher:\/\/.*token=/

      $getHWID = /(Get-CimInstance Win32_ComputerSystemProduct).UUID/

      $getMAC = /details\.mac && details\.mac !== '00:00:00:00:00:00'/

      $getGPU = /wmic path win32_VideoController get name/

      $getInstallDate = /InstallDate/

      $os_info = /os\.cpus\(\)\[0\]\.model/

      $downloadExe = /\.exe['"]/

      $runExe = /msiexec \/i.*\/quiet \/norestart/

      $zipExtraction = /AdmZip\(.*\.extractAllTo/

  condition:

      (all of ($electron_require, $axios_require, $exec_use) and

       3 of ($getHWID, $getMAC, $getGPU, $getInstallDate, $os_info) and

       2 of ($downloadExe, $runExe, $zipExtraction, $url_token))

}

Continue reading
About the author
Tara Gould
Threat Researcher
Your data. Our AI.
Elevate your network security with Darktrace AI