Blog
/
Identity
/
December 15, 2023

How Darktrace Halted A DarkGate in MS Teams

Discover how Darktrace thwarted DarkGate malware in Microsoft Teams. Stay informed on the latest cybersecurity measures and protect your business.
Written by
Natalia Sánchez Rocafort
Cyber Security Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Natalia Sánchez Rocafort
Cyber Security Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
15
Dec 2023

Securing Microsoft Teams and SharePoint

Given the prevalence of the Microsoft Teams and Microsoft SharePoint platforms in the workplace in recent years, it is essential that organizations stay vigilant to the threat posed by applications vital to hybrid and remote work and prioritize the security and cyber hygiene of these services. For just as the use of these platforms has increased exponentially with the rise of remote and hybrid working, so too has the malicious use of them to deliver malware to unassuming users.

Researchers across the threat landscape have begun to observe these legitimate services being leveraged by malicious actors as an initial access method. Microsoft Teams can easily be exploited to send targeted phishing messages to individuals within an organization, while appearing legitimate and safe. Although the exact contents of these messages may vary, the messages frequently use social engineering techniques to lure users to click on a SharePoint link embedded into the message. Interacting with the malicious link will then download a payload [1].

Darktrace observed one such malicious attempt to use Microsoft Teams and SharePoint in September 2023, when a device was observed downloading DarkGate, a commercial trojan that is known to deploy other strains of malware, also referred to as a commodity loader [2], after clicking on SharePoint link. Fortunately for the customer, Darktrace’s suite of products was perfectly poised to identify the initial signs of suspicious activity and Darktrace RESPOND™ was able to immediately halt the advancement of the attack.

DarkGate Attack Overview

On September 8, 2023, Darktrace DETECT™ observed around 30 internal devices on a customer network making unusual SSL connections to an external SharePoint site which contained the name of a person, 'XXXXXXXX-my.sharepoint[.]com' (107.136[.]8, 13.107.138[.]8). The organization did not have any employees who went by this name and prior to this activity, no internal devices had been seen contacting the endpoint.

At first glance, this initial attack vector would have appeared subtle and seemingly trustworthy to users. Malicious actors likely sent various users a phishing message via Microsoft Teams that contained the spoofed SharePoint link to the personalized SharePoint link ''XXXXXXXX-my.sharepoint[.]com'.

Figure 1: Advanced Search query showing a sudden spike in connections to ''XXXXXXXX -my.sharepoint[.]com'.

Darktrace observed around 10 devices downloading approximately 1 MB of data during their connections to the Sharepoint endpoint. Darktrace DETECT observed some of the devices making subsequent HTTP GET requests to a range of anomalous URIs. The devices utilized multiple user-agents for these connections, including ‘curl’, a command line tool that allows individuals to request and transfer data from a specific URL. The connections were made to the IP 5.188.87[.]58, an endpoint that has been flagged as an indicator of compromise (IoC) for DarkGate malware by multiple open-source intelligence (OSINT) sources [3], commonly associated with HTTP GET requests:

  1. GET request over port 2351 with the User-Agent header 'Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)' and the target URI '/bfyxraav' to 5.188.87[.]58
  2. GET request over port 2351 with the user-agent header 'curl' and the target URI '/' to 5.188.87[.]58
  3. GET request over port 2351 with the user-agent header 'curl/8.0.1' and the target URI '/msibfyxraav' to 5.188.87[.]58

The HTTP GET requests made with the user-agent header 'curl' and the target URI '/' to 5.188.87[.]58 were responded to with a filename called 'Autoit3.exe'. The other requests received script files with names ending in '.au3, such as 'xkwtvq.au3', 'otxynh.au3', and 'dcthbq.au3'. DarkGate malware has been known to make use of legitimate AutoIt files, and typically runs multiple AutoIt scripts (‘.au3’) [4].

Following these unusual file downloads, the devices proceeded to make hundreds of HTTP POST requests to the target URI '/' using the user-agent header 'Mozilla/4.0 (compatible; Synapse)' to 5.188.87[.]58. The contents of these requests, along with the contents of the responses, appear to be heavily obfuscated.

Figure 2: Example of obfuscated response, as shown in a packet capture downloaded from Darktrace.

While Microsoft’s Safe Attachments and Safe Links settings were unable to detect this camouflaged malicious activity, Darktrace DETECT observed the unusual over-the-network connectivity that occurred. While Darktrace DETECT identified multiple internal devices engaging in this anomalous behavior throughout the course of the compromise, the activity observed on one device in particular best showcases the overall kill chain of this attack.

The device in question was observed using two different user agents (curl/8.0.1 and Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)) when connecting to the endpoint 5.188.87[.]58 and target URI ‘/bfyxraav’. Additionally, Darktrace DETECT recognized that it was unusual for this device to be making these HTTP connections via destination port 2351.

As a result, Darktrace’s Cyber AI Analyst™ launched an autonomous investigation into the suspicious activity and was able to connect the unusual external connections together, viewing them as one beaconing incident as opposed to isolated series of connections.

Figure 3: Cyber AI Analyst investigation summarizing the unusual repeated connections made to 5.188.87[.]58 via destination port 2351.

Darktrace then observed the device downloading the ‘Autoit3.exe’ file. Darktrace RESPOND took swift mitigative action by blocking similar connections to this endpoint, preventing the device from downloading any additional suspicious files.

Figure 4: Suspicious ‘Autoit3.exe’ downloaded by the source device from the malicious external endpoint.

Just one millisecond later, Darktrace observed the device making suspicious HTTP GET requests to URIs including ‘/msibfyxraav’. Darktrace recognized that the device had carried out several suspicious actions within a relatively short period of time, breaching multiple DETECT models, indicating that it may have been compromised. As a result, RESPOND took action against the offending device by preventing it from communicating externally [blocking all outbound connections] for a period of one hour, allowing the customer’s security team precious time to address the issue.

It should be noted that, at this point, had the customer subscribed to Darktrace’s Proactive Threat Notification (PTN) service, the Darktrace Security Operations Center (SOC) would have investigated these incidents in greater detail, and likely would have sent a notification directly to the customer to inform them of the suspicious activity.

Additionally, AI Analyst collated various distinct events and suggested that these stages were linked as part of an attack. This type of augmented understanding of events calculated at machine speed is extremely valuable since it likely would have taken a human analyst hours to link all the facets of the incident together.  

Figure 5: AI Analyst investigation showcasing the use of the ‘curl’ user agent to connect to the target URI ‘/msibfyxraav’.
Figure 6: Darktrace RESPOND moved to mitigate any following connections by blocking all outgoing traffic for 1 hour.

Following this, an automated investigation was launched by Microsoft Defender for Endpoint. Darktrace is designed to coordinate with multiple third-party security tools, allowing for information on ongoing incidents to be seamlessly exchanged between Darktrace and other security tools. In this instance, Microsoft Defender identified a ‘low severity’ incident on the device, this automatically triggered a corresponding alert within DETECT, presented on the Darktrace Threat Visuallizer.

The described activity occurred within milliseconds. At each step of the attack, Darktrace RESPOND took action either by enforcing expected patterns of life [normality] on the affected device, blocking connections to suspicious endpoints for a specified amount of time, and/or blocking all outgoing traffic from the device. All the relevant activity was detected and promptly stopped for this device, and other compromised devices, thus containing the compromise and providing the security team invaluable remediation time.

Figure 7: Overview of the compromise activity, all of which took place within a matter of miliseconds.

Darktrace identified similar activity on other devices in this customer’s network, as well as across Darktrace’s fleet around the same time in early September.

On a different customer environment, Darktrace DETECT observed more than 25 ‘.au3’ files being downloaded; this activity can be seen in Figure 9.

Figure 8: High volume of file downloads following GET request and 'curl' commands.

Figure 9 provides more details of this activity, including the source and destination IP addresses (5.188.87[.]58), the destination port, the HTTP method used and the MIME/content-type of the file

Figure 9: Additional information of the anomalous connections.

A compromised server in another customer deployment was seen establishing unusual connections to the external IP address 80.66.88[.]145 – an endpoint that has been associated with DarkGate by OSINT sources [5]. This activity was identified by Darktrace/DETECT as a new connection for the device via an unusual destination port, 2840. As the device in question was a critical server, Darktrace DETECT treated it with suspicion and generated an ‘Anomalous External Activity from Critical Network Device’ model breach.  

Figure 10: Model breach and model breach event log for suspicious connections to additional endpoint.

Conclusion

While Microsoft Teams and SharePoint are extremely prominent tools that are essential to the business operations of many organizations, they can also be used to compromise via living off the land, even at initial intrusion. Any Microsoft Teams user within a corporate setting could be targeted by a malicious actor, as such SharePoint links from unknown senders should always be treated with caution and should not automatically be considered as secure or legitimate, even when operating within legitimate Microsoft infrastructure.

Malicious actors can leverage these commonly used platforms as a means to carry out their cyber-attacks, therefore organizations must take appropriate measures to protect and secure their digital environments. As demonstrated here, threat actors can attempt to deploy malware, like DarkGate, by targeting users with spoofed Microsoft Teams messages. By masking malicious links as legitimate SharePoint links, these attempts can easily convince targets and bypass traditional security tools and even Microsoft’s own Safe Links and Safe Attachments security capabilities.

When the chain of events of an attack escalates within milliseconds, organizations must rely on AI-driven tools that can quickly identify and automatically respond to suspicious events without latency. As such, the value of Darktrace DETECT and Darktrace RESPOND cannot be overstated. Given the efficacy and efficiency of Darktrace’s detection and autonomous response capabilities, a more severe network compromise in the form of the DarkGate commodity loader was ultimately averted.

Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Zoe Tilsiter.

Appendices

Darktrace DETECT Model Detections

  • [Model Breach: Device / Initial Breach Chain Compromise 100% –– Breach URI: /#modelbreach/114039 ] (Enhanced Monitoring)·      [Model Breach: Device / Initial Breach Chain Compromise 100% –– Breach URI: /#modelbreach/114124 ] (Enhanced Monitoring)
  • [Model Breach: Device / New User Agent and New IP 62% –– Breach URI: /#modelbreach/114030 ]
  • [Model Breach: Anomalous Connection / Application Protocol on Uncommon Port 46% –– Breach URI: /#modelbreach/114031 ]
  • [Model Breach: Anomalous Connection / New User Agent to IP Without Hostname 62% –– Breach URI: /#modelbreach/114032 ]
  • [Model Breach: Device / New User Agent 32% –– Breach URI: /#modelbreach/114035 ]
  • [Model Breach: Device / Three Or More New User Agents 31% –– Breach URI: /#modelbreach/114036 ]
  • [Model Breach: Anomalous Server Activity / Anomalous External Activity from Critical Network Device 62% –– Breach URI: /#modelbreach/612173 ]
  • [Model Breach: Anomalous File / EXE from Rare External Location 61% –– Breach URI: /#modelbreach/114037 ]
  • [Model Breach: Anomalous Connection / Multiple Connections to New External TCP Port 61% –– Breach URI: /#modelbreach/114042 ]
  • [Model Breach: Security Integration / Integration Ransomware Detected 100% –– Breach URI: /#modelbreach/114049 ]
  • [Model Breach: Compromise / Beaconing Activity To External Rare 62% –– Breach URI: /#modelbreach/114059 ]
  • [Model Breach: Compromise / HTTP Beaconing to New Endpoint 30% –– Breach URI: /#modelbreach/114067 ]
  • [Model Breach: Security Integration / C2 Activity and Integration Detection 100% –– Breach URI: /#modelbreach/114069 ]
  • [Model Breach: Anomalous File / EXE from Rare External Location 55% –– Breach URI: /#modelbreach/114077 ]
  • [Model Breach: Compromise / High Volume of Connections with Beacon Score 66% –– Breach URI: /#modelbreach/114260 ]
  • [Model Breach: Security Integration / Low Severity Integration Detection 59% –– Breach URI: /#modelbreach/114293 ]
  • [Model Breach: Security Integration / Low Severity Integration Detection 33% –– Breach URI: /#modelbreach/114462 ]
  • [Model Breach: Security Integration / Integration Ransomware Detected 100% –– Breach URI: /#modelbreach/114109 ]·      [Model Breach: Device / Three Or More New User Agents 31% –– Breach URI: /#modelbreach/114118 ]·      [Model Breach: Anomalous Connection / Application Protocol on Uncommon Port 46% –– Breach URI: /#modelbreach/114113 ] ·      [Model Breach: Anomalous Connection / New User Agent to IP Without Hostname 62% –– Breach URI: /#modelbreach/114114 ]·      [Model Breach: Device / New User Agent 32% –– Breach URI: /#modelbreach/114117 ]·      [Model Breach: Anomalous File / EXE from Rare External Location 61% –– Breach URI: /#modelbreach/114122 ]·      [Model Breach: Security Integration / Low Severity Integration Detection 54% –– Breach URI: /#modelbreach/114310 ]
  • [Model Breach: Security Integration / Integration Ransomware Detected 65% –– Breach URI: /#modelbreach/114662 ]Darktrace/Respond Model Breaches
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious File Block 61% –– Breach URI: /#modelbreach/114033 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena File then New Outbound Block 100% –– Breach URI: /#modelbreach/114038 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block 100% –– Breach URI: /#modelbreach/114040 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block 87% –– Breach URI: /#modelbreach/114041 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach 87% –– Breach URI: /#modelbreach/114043 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Ransomware Block 100% –– Breach URI: /#modelbreach/114052 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Significant Security Integration and Network Activity Block 87% –– Breach URI: /#modelbreach/114070 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block 87% –– Breach URI: /#modelbreach/114071 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious Activity Block 87% –– Breach URI: /#modelbreach/114072 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious File Block 53% –– Breach URI: /#modelbreach/114079 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block 64% –– Breach URI: /#modelbreach/114539 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Ransomware Block 66% –– Breach URI: /#modelbreach/114667 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious Activity Block 79% –– Breach URI: /#modelbreach/114684 ]·      
  • [Model Breach: Antigena / Network::External Threat::Antigena Ransomware Block 100% –– Breach URI: /#modelbreach/114110 ]·      
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block 87% –– Breach URI: /#modelbreach/114111 ]·      
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach 87% –– Breach URI: /#modelbreach/114115 ]·      
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block 87% –– Breach URI: /#modelbreach/114116 ]·      
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious File Block 61% –– Breach URI: /#modelbreach/114121 ]·      
  • [Model Breach: Antigena / Network::External Threat::Antigena File then New Outbound Block 100% –– Breach URI: /#modelbreach/114123 ]·      
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block 100% –– Breach URI: /#modelbreach/114125 ]

List of IoCs

IoC - Type - Description + Confidence

5.188.87[.]58 - IP address - C2 endpoint

80.66.88[.]145 - IP address - C2 endpoint

/bfyxraav - URI - Possible C2 endpoint URI

/msibfyxraav - URI - Possible C2 endpoint URI

Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) - User agent - Probable user agent leveraged

curl - User agent - Probable user agent leveraged

curl/8.0.1 - User agent - Probable user agent leveraged

Mozilla/4.0 (compatible; Synapse) - User agent - Probable user agent leveraged

Autoit3.exe - Filename - Exe file

CvUYLoTv.au3    

eDVeqcCe.au3

FeLlcFRS.au3

FTEZlGhe.au3

HOrzcEWV.au3

rKlArXHH.au3

SjadeWUz.au3

ZgOLxJQy.au3

zSrxhagw.au3

ALOXitYE.au3

DKRcfZfV.au3

gQZVKzek.au3

JZrvmJXK.au3

kLECCtMw.au3

LEXCjXKl.au3

luqWdAzF.au3

mUBNrGpv.au3

OoCdHeJT.au3

PcEJXfIl.au3

ssElzrDV.au3

TcBwRRnp.au3

TFvAUIgu.au3

xkwtvq.au3

otxynh.au3

dcthbq.au3 - Filenames - Possible exe files delivered in response to curl/8.0.1 GET requests with Target URI '/msibfyxraav

f3a0a85fe2ea4a00b3710ef4833b07a5d766702b263fda88101e0cb804d8c699 - SHA256 file hash - Possible SHA256 hashes of 'Autoit3.exe' files

afa3feea5964846cd436b978faa7d31938e666288ffaa75d6ba75bfe6c12bf61 - SHA256 file hash - Possible SHA256 hashes of 'Autoit3.exe' files

63aeac3b007436fa8b7ea25298362330423b80a4cb9269fd2c3e6ab1b1289208 - SHA256 file hash - Possible SHA256 hashes of 'Autoit3.exe' files

ab6704e836a51555ec32d1ff009a79692fa2d11205f9b4962121bda88ba55486 - SHA256 file hash - Possible SHA256 hashes of 'Autoit3.exe' files

References

1. https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams

2. https://feedit.cz/wp-content/uploads/2023/03/YiR2022_onepager_ransomware_loaders.pdf

3. https://www.virustotal.com/gui/ip-address/5.188.87[.]58

4. https://www.forescout.com/resources/darkgate-loader-malspam-campaign/

5. https://otx.alienvault.com/indicator/ip/80.66.88[.]145

Written by
Natalia Sánchez Rocafort
Cyber Security Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Natalia Sánchez Rocafort
Cyber Security Analyst

Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace

Network
November 5, 2025
Justin Torres
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
Jun 2, 2025
3
Evaluating Email Security: How to Select the Best Solution for Your Organization
May 21, 2025
4
2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review
Aug 5, 2025
5
Introducing the AI Maturity Model for Cybersecurity
Jul 16, 2025

More in this series

No items found.
Continue reading
Identity
August 21, 2025

From VPS to Phishing: How Darktrace Uncovered SaaS Hijacks through Virtual Infrastructure Abuse

Darktrace identified coordinated SaaS account compromises across multiple customer environments. The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment. Discover how Darktrace uncovered this activity and what it means for the future of SaaS security.
Rajendra Rushanth
Cyber Analyst
Read more
Identity
July 8, 2025

Defending the Cloud: Stopping Cyber Threats in Azure and AWS with Darktrace

This blog examines three real-world cloud-based attacks in Azure and AWS environments, including credential compromise, data exfiltration, and ransomware detonation. Learn how Darktrace’s AI-driven threat detection and Autonomous Response capabilities help organizations defend against evolving threats in complex cloud environments.
Alexandra Sentenac
Cyber Analyst
Read more
Identity
July 3, 2025

Top Eight Threats to SaaS Security and How to Combat Them

SaaS security requires new methods to keep up with evolving threats and business infrastructure. In this blog, learn the top eight threats to identity security and how AI-based solutions can help.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

Network

/

November 6, 2025

Darktrace Named the Only 2025 Gartner® Peer Insights™ Customers’ Choice for Network Detection and Response

Default blog imageDefault blog image

Darktrace: The only Customers’ Choice for NDR in 2025

In a year defined by rapid change across the threat landscape, recognition from those who use and rely on security technology every day means the most.

That’s why we’re proud to share that Darktrace has been named the only Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response (NDR).

Out of 11 leading NDR vendors evaluated, Darktrace stood alone as the sole Customers’ Choice, a recognition that we feel reflects not just our innovation, but the trust and satisfaction of the customers who secure their networks with Darktrace every day.

What the Gartner® Peer Insights™ Voice of the Customer means

“Voice of the Customer” is a document that synthesizes Gartner Peer Insights reviews into insights for buyers of technology and services. This aggregated peer perspective, along with the individual detailed reviews, is complementary to Gartner expert research and can play a key role in your buying process. Peers are verified reviewers of a technology product or service, who not only rate the offering, but also provide valuable feedback to consider before making a purchase decision. Vendors placed in the upper-right “Customers’ Choice” quadrant of the “Voice of the Customer” have scores that meet or exceed the market average for both axes (User Interest and Adoption, and Overall Experience).It’s not just a rating. We feel it’s a reflection of genuine customer sentiment and success in the field.

In our view, Customers consistently highlight Darktrace’s ability to:

  • Detect and respond to unknown threats in real time
  • Deliver unmatched visibility across IT, OT, and cloud environments
  • Automate investigations and responses through AI-driven insights

We believe this recognition reinforces what our customers already know: that Darktrace helps them see, understand, and stop attacks others miss.

A rare double: recognized by customers and analysts alike

This distinction follows another major recogniton. Darktrace’s placement as a Leader in the Gartner® Magic Quadrant™ for Network Detection and Response earlier this year.

That makes Darktrace the only vendor to achieve both:

  • A Leader status in the Gartner Magic Quadrant for NDR, and
  • A Customers’ Choice in Gartner Peer Insights 2025

It’s a rare double that we feel reflects both industry leadership and customer trust, two perspectives that, together, define what great cybersecurity looks like.

A Customers’ Choice across the network and the inbox

To us, this recognition also builds on Darktrace’s momentum across multiple domains. Earlier this year, Darktrace was also named a Customers’ Choice for Email Security Platforms in the Gartner® Peer Insights™ report.

With more than 1,000 verified reviews across Network Detection and Response, Email Security Platforms, and Cyber Physical Systems (CPS), we at Darktrace are proud to be trusted across the full attack surface, from the inbox to the industrial network.

Thank you to our customers

We’re deeply grateful to every customer who shared their experience with Darktrace on Gartner Peer Insights. Your insights drive our innovation and continue to shape how we protect complex, dynamic environments across the world.

Discover why customers choose Darktrace for network and email security.

Gartner® Peer Insights™ content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Magic Quadrant and Peer Insights are registered trademarks of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Gartner, Voice of the Customer for Network Detection and Response, By Peer Community Contributor, 30 October 2025

Continue reading
About the author
Mikey Anderson
Product Marketing Manager, Network Detection & Response

Blog

/

Network

/

November 5, 2025

Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace

Tracking a Dragon: Investigating a DragonForce-affiliated ransomware attack with Darktrace Default blog imageDefault blog image

What is DragonForce?

DragonForce is a Ransomware-as-a-Service (RaaS) platform that emerged in late 2023, offering broad-scale capabilities and infrastructure to threat actors. Recently, DragonForce has been linked to attacks targeting the UK retail sector, resulting in several high-profile cases [1][2]. Moreover, the group launched an affiliate program offering a revenue share of roughly 20%, significantly lower than commissions reported across other RaaS platforms [3].

This Darktrace case study examines a DragonForce-linked RaaS infection within the manufacturing industry. The earliest signs of compromise were observed during working hours in August 2025, where an infected device started performing network scans and attempted to brute-force administrative credentials. After eight days of inactivity, threat actors returned and multiple devices began encrypting files via the SMB protocol using a DragonForce-associated file extension. Ransom notes referencing the group were also dropped, suggesting the threat actor is claiming affiliation with DragonForce, though this has not been confirmed.

Despite Darktrace’s detection of the attack in its early stages, the customer’s deployment did not have Darktrace’s Autonomous Response capability configured, allowing the threat to progress to data exfiltration and file encryption.

Darktrace's Observations

While the initial access vector was not clearly defined in this case study, it was likely achieved through common methods previously employed out by DragonForce affiliates. These include phishing emails leveraging social engineering tactics, exploitation of public-facing applications with known vulnerabilities, web shells, and/or the abuse of remote management tools.

Darktrace’s analysis identified internal devices performing internal network scanning, brute-forcing credentials, and executing unusual Windows Registry operations. Notably, Windows Registry events involving "Schedule\Taskcache\Tasks" contain subkeys for individual tasks, storing GUIDs that can be used to locate and analyze scheduled tasks. Additionally, Control\WMI\Security holds security descriptors for WMI providers and Event Tracing loggers that use non-default security settings respectively.

Furthermore, Darktrace identified data exfiltration activity over SSH, including connections to an ASN associated with a malicious hosting service geolocated in Russia.

1. Network Scan & Brute Force

Darktrace identified anomalous behavior in late August to early September 2025, originating from a source device engaging in internal network scanning followed by brute-force attempts targeting administrator credential, including “administrator”, “Admin”, “rdpadmin”, “ftpadmin”.

Upon further analysis, one of the HTTP connections seen in this activity revealed the use of the user agent string “OpenVAS-VT”, suggesting that the device was using the OpenVAS vulnerability scanner. Subsequently, additional devices began exhibiting network scanning behavior. During this phase, a file named “delete.me” was deleted by multiple devices using SMB protocol. This file is commonly associated with network scanning and penetration testing tool NetScan.

2. Windows Registry Key Update

Following the scanning phase, Darktrace observed the initial device then performing suspicious Winreg operations. This included the use of the ”BaseRegOpenKey” function across multiple registry paths.

Additional operations such as “BaseRegOpenKey” and “BaseRegQueryValue” were also seen around this time. These operations are typically used to retrieve specific registry key values and allow write operations to registry keys.

The registry keys observed included “SYSTEM\CurrentControlSet\Control\WMI\Security” and “Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks”. These keys can be leveraged by malicious actors to update WMI access controls and schedule malicious tasks, respectively, both of which are common techniques for establishing persistence within a compromised system.

3. New Administrator Credential Usage

Darktrace subsequently detected the device using a highly privileged credential, “administrator”, via a successful Kerberos login for the first time. Shortly after, the same credential was used again for a successful SMB session.

These marked the first instances of authentication using the “administrator” credential across the customer’s environment, suggesting potential malicious use of the credential following the earlier brute-force activity.

Darktrace’s detection of administrator credentials being used in Kerberos login events by an infected device.
Figure 1: Darktrace’s detection of administrator credentials being used in Kerberos login events by an infected device.
Darktrace’s detection of administrator credentials being used in SMB sessions by an infected device.
Figure 2: Darktrace’s detection of administrator credentials being used in SMB sessions by an infected device.

4. Data Exfiltration

Prior to ransomware deployment, several infected devices were observed exfiltrating data to the malicious IP 45.135.232[.]229 via SSH connections [7][8]. This was followed by the device downloading data from other internal devices and transferring an unusually large volume of data to the same external endpoint.

The IP address was first seen on the network on September 2, 2025 - the same date as the observed data exfiltration activity preceding ransomware deployment and encryption.

Further analysis revealed that the endpoint was geolocated in Russia and registered to the malicious hosting provider Proton66. Multiple external researchers have reported malicious activity involving the same Proton66 ASN (AS198953 Proton66 OOO) as far back as April 2025. These activities notably included vulnerability scanning, exploitation attempts, and phishing campaigns, which ultimately led to malware [4][5][6].

Data Exfiltration Endpoint details.

  • Endpoint: 45.135.232[.]229
  • ASN: AS198953 Proton66 OOO
  • Transport protocol: TCP
  • Application protocol: SSH
  • Destination port: 22
Darktrace’s summary of the external IP 45.135.232[.]229, first detected on September 2, 2025. The right-hand side showcases model alerts triggered related to this endpoint including multiple data exfiltration related model alerts.
Figure 3: Darktrace’s summary of the external IP 45.135.232[.]229, first detected on September 2, 2025. The right-hand side showcases model alerts triggered related to this endpoint including multiple data exfiltration related model alerts.

Further investigation into the endpoint using open-source intelligence (OSINT) revealed that it led to a Microsoft Internet Information Services (IIS) Manager console webpage. This interface is typically used to configure and manage web servers. However, threat actors have been known to exploit similar setups, using fake certificate warnings to trick users into downloading malware, or deploying malicious IIS modules to steal credentials.

Live screenshot of the destination (45.135.232[.]229), captured via OSINT sources, displaying a Microsoft IIS Manager console webpage.
Figure 4: Live screenshot of the destination (45.135.232[.]229), captured via OSINT sources, displaying a Microsoft IIS Manager console webpage.

5. Ransomware Encryption & Ransom Note

Multiple devices were later observed connecting to internal devices via SMB and performing a range of actions indicative of file encryption. This suspicious activity prompted Darktrace’s Cyber AI Analyst to launch an autonomous investigation, during which it pieced together associated activity and provided concrete timestamps of events for the customer’s visibility.

During this activity, several devices were seen writing a file named “readme.txt” to multiple locations, including network-accessible webroot paths such as inetpub\ and wwwroot\. This “readme.txt” file, later confirmed to be the ransom note, claimed the threat actors were affiliated with DragonForce.

At the same time, devices were seen performing SMB Move, Write and ReadWrite actions involving files with the “.df_win” extension across other internal devices, suggesting that file encryption was actively occurring.

Darktrace’s detection of SMB events (excluding Read events) where the device was seen moving or writing files with the “.df_win” extension.
Figure 5: Darktrace’s detection of SMB events (excluding Read events) where the device was seen moving or writing files with the “.df_win” extension.
Darktrace’s detection of a spike in SMB Write events with the filename “readme.txt” on September 9, indicating the start of file encryption.
Figure 6: Darktrace’s detection of a spike in SMB Write events with the filename “readme.txt” on September 9, indicating the start of file encryption.

Conclusion

The rise of Ransomware-as-a-Service (RaaS) and increased attacker customization is fragmenting tactics, techniques, and procedures (TTPs), making it increasingly difficult for security teams to prepare for and defend against each unique intrusion. RaaS providers like DragonForce further complicate this challenge by enabling a wide range of affiliates, each with varying levels of sophistication [9].

In this instance, Darktrace was able to identify several stages of the attack kill chain, including network scanning, the first-time use of privileged credentials, data exfiltration, and ultimately ransomware encryption. Had the customer enabled Darktrace’s Autonomous Response capability, it would have taken timely action to interrupt the attack in its early stages, preventing the eventual data exfiltration and ransomware detonation.

Credit to Justin Torres, Senior Cyber Analyst, Nathaniel Jones, VP, Security & AI Strategy, FCISO, & Emma Foulger, Global Threat Research Operations Lead.

Edited by Ryan Traill (Analyst Content Lead)

Appendices

References:

1. https://www.infosecurity-magazine.com/news/dragonforce-goup-ms-coop-harrods/

2. https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants

3. https://blog.checkpoint.com/security/dragonforce-ransomware-redefining-hybrid-extortion-in-2025/

4. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-1-mass-scanning-and-exploit-campaigns/

5. https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/

6. https://www.broadcom.com/support/security-center/protection-bulletin/proton66-infrastructure-tied-to-expanding-malware-campaigns-and-c2-operations

7. https://www.virustotal.com/gui/ip-address/45.135.232.229

8. https://spur.us/context/45.135.232.229

9. https://www.group-ib.com/blog/dragonforce-ransomware/

IoC - Type - Description + Confidence

·      45.135.232[.]229 - Endpoint Associated with Data Exfiltration

·      .readme.txt – Ransom Note File Extension

·      .df_win – File Encryption Extension Observed

MITRE ATT&CK Mapping

DragonForce TTPs vs Darktrace Models

Initial Access:

·      Anomalous Connection::Callback on Web Facing Device

Command and Control:

·      Compromise::SSL or HTTP Beacon

·      Compromise::Beacon to Young Endpoint

·      Compromise::Beaconing on Uncommon Port

·      Compromise::Suspicious SSL Activity

·      Anomalous Connection::Devices Beaconing to New Rare IP

·      Compromise::Suspicious HTTP and Anomalous Activity

·      DNS Tunnel with TXT Records

Tooling:

·      Anomalous File::EXE from Rare External Location

·      Anomalous File::Masqueraded File Transfer

·      Anomalous File::Numeric File Download

·      Anomalous File::Script from Rare External Location

·      Anomalous File::Uncommon Microsoft File then Exe

·      Anomalous File::Zip or Gzip from Rare External Location

·      Anomalous File::Uncommon Microsoft File then Exe

·      Anomalous File::Internet Facing System File Download

Reconnaissance:

·      Device::Suspicious SMB Query

·      Device::ICMP Address Scan

·      Anomalous Connection::SMB Enumeration

·      Device::Possible SMB/NTLM Reconnaissance

·      Anomalous Connection::Possible Share Enumeration Activity

·      Device::Possible Active Directory Enumeration

·      Anomalous Connection::Large Volume of LDAP Download

·      Device::Suspicious LDAP Search Operation

Lateral Movement:

·      User::Suspicious Admin SMB Session

·      Anomalous Connection::Unusual Internal Remote Desktop

·      Anomalous Connection::Unusual Long Remote Desktop Session

·      Anomalous Connection::Unusual Admin RDP Session

·      User::New Admin Credentials on Client

·      User::New Admin Credentials on Server

·      Multiple Device Correlations::Spreading New Admin Credentials

·      Anomalous Connection::Powershell to Rare External

·      Device::New PowerShell User Agent

·      Anomalous Active Directory Web Services

·      Compromise::Unusual SVCCTL Activity

Evasion:

·      Unusual Activity::Anomalous SMB Delete Volume

·      Persistence

·      Device::Anomalous ITaskScheduler Activity

·      Device::AT Service Scheduled Task

·      Actions on Objectives

·      Compromise::Ransomware::Suspicious SMB Activity (EM)

·      Anomalous Connection::Sustained MIME Type Conversion

·      Compromise::Ransomware::SMB Reads then Writes with Additional Extensions

·      Compromise::Ransomware::Possible Ransom Note Write

·      Data Sent to Rare Domain

·      Uncommon 1 GiB Outbound

·      Enhanced Unusual External Data Transfer

Darktrace Cyber AI Analyst Coverage/Investigation Events:

·      Web Application Vulnerability Scanning of Multiple Devices

·      Port Scanning

·      Large Volume of SMB Login Failures

·      Unusual RDP Connections

·      Widespread Web Application Vulnerability Scanning

·      Unusual SSH Connections

·      Unusual Repeated Connections

·      Possible Application Layer Reconnaissance Activity

·      Unusual Administrative Connections

·      Suspicious Remote WMI Activity

·      Extensive Unusual Administrative Connections

·      Suspicious Directory Replication Service Activity

·      Scanning of Multiple Devices

·      Unusual External Data Transfer

·      SMB Write of Suspicious File

·      Suspicious Remote Service Control Activity

·      Access of Probable Unencrypted Password Files

·      Internal Download and External Upload

·      Possible Encryption of Files over SMB

·      SMB Writes of Suspicious Files to Multiple Devices

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content.

Continue reading
About the author
Justin Torres
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI