Blog
/
Network
/
September 4, 2022

Steps of a BumbleBee Intrusion to a Cobalt Strike

Discover the steps of a Bumblebee intrusion, from initial detection to Cobalt Strike deployment. Learn how Darktrace defends against evolving threats with AI.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Sep 2022

Introduction

Throughout April 2022, Darktrace observed several cases in which threat actors used the loader known as ‘BumbleBee’ to install Cobalt Strike Beacon onto victim systems. The threat actors then leveraged Cobalt Strike Beacon to conduct network reconnaissance, obtain account password data, and write malicious payloads across the network. In this article, we will provide details of the actions threat actors took during their intrusions, as well as details of the network-based behaviours which served as evidence of the actors’ activities.  

BumbleBee 

In March 2022, Google’s Threat Analysis Group (TAG) provided details of the activities of an Initial Access Broker (IAB) group dubbed ‘Exotic Lily’ [1]. Before March 2022, Google’s TAG observed Exotic Lily leveraging sophisticated impersonation techniques to trick employees of targeted organisations into downloading ISO disc image files from legitimate file storage services such as WeTransfer. These ISO files contained a Windows shortcut LNK file and a BazarLoader Dynamic Link Library (i.e, DLL). BazarLoader is a member of the Bazar family — a family of malware (including both BazarLoader and BazarBackdoor) with strong ties to the Trickbot malware, the Anchor malware family, and Conti ransomware. BazarLoader, which is typically distributed via email campaigns or via fraudulent call campaigns, has been known to drop Cobalt Strike as a precursor to Conti ransomware deployment [2]. 

In March 2022, Google’s TAG observed Exotic Lily leveraging file storage services to distribute an ISO file containing a DLL which, when executed, caused the victim machine to make HTTP requests with the user-agent string ‘bumblebee’. Google’s TAG consequently called this DLL payload ‘BumbleBee’. Since Google’s discovery of BumbleBee back in March, several threat research teams have reported BumbleBee samples dropping Cobalt Strike [1]/[3]/[4]/[5]. It has also been reported by Proofpoint [3] that other threat actors such as TA578 and TA579 transitioned to BumbleBee in March 2022.  

Interestingly, BazarLoader’s replacement with BumbleBee seems to coincide with the leaking of the Conti ransomware gang’s Jabber chat logs at the end of February 2022. On February 25th, 2022, the Conti gang published a blog post announcing their full support for the Russian state’s invasion of Ukraine [6]. 

Figure 1: The Conti gang's public declaration of their support for Russia's invasion of Ukraine

Within days of sharing their support for Russia, logs from a server hosting the group’s Jabber communications began to be leaked on Twitter by @ContiLeaks [7]. The leaked logs included records of conversations among nearly 500 threat actors between Jan 2020 and March 2022 [8]. The Jabber logs were supposedly stolen and leaked by a Ukrainian security researcher [3]/[6].

Affiliates of the Conti ransomware group were known to use BazarLoader to deliver Conti ransomware [9]. BumbleBee has now also been linked to the Conti ransomware group by several threat research teams [1]/[10]/[11]. The fact that threat actors’ transition from BazarLoader to BumbleBee coincides with the leak of Conti’s Jabber chat logs may indicate that the transition occurred as a result of the leaks [3]. Since the transition, BumbleBee has become a significant tool in the cyber-crime ecosystem, with links to several ransomware operations such as Conti, Quantum, and Mountlocker [11]. The rising use of BumbleBee by threat actors, and particularly ransomware actors, makes the early detection of BumbleBee key to identifying the preparatory stages of ransomware attacks.  

Intrusion Kill Chain 

In April 2022, Darktrace observed the following pattern of threat actor activity within the networks of several Darktrace clients: 

1.     Threat actor socially engineers user via email into running a BumbleBee payload on their device

2.     BumbleBee establishes HTTPS communication with a BumbleBee C2 server

3.     Threat actor instructs BumbleBee to download and execute Cobalt Strike Beacon

4.     Cobalt Strike Beacon establishes HTTPS communication with a Cobalt Strike C2 server

5.     Threat actor instructs Cobalt Strike Beacon to scan for open ports and to enumerate network shares

6.     Threat actor instructs Cobalt Strike Beacon to use the DCSync technique to obtain password account data from an internal domain controller

7.     Threat actor instructs Cobalt Strike Beacon to distribute malicious payloads to other internal systems 

With limited visibility over affected clients’ email environments, Darktrace was unable to determine how the threat actors interacted with users to initiate the BumbleBee infection. However, based on open-source reporting on BumbleBee [3]/[4]/[10]/[11]/[12]/[13]/[14]/[15]/[16]/[17], it is likely that the actors tricked target users into running BumbleBee by sending them emails containing either a malicious zipped ISO file or a link to a file storage service hosting the malicious zipped ISO file. These ISO files typically contain a LNK file and a BumbleBee DLL payload. The properties of these LNK files are set in such a way that opening them causes the corresponding DLL payload to run. 

In several cases observed by Darktrace, devices contacted a file storage service such as Microsoft OneDrive or Google Cloud Storage immediately before they displayed signs of BumbleBee infection. In these cases, it is likely that BumbleBee was executed on the users’ devices as a result of the users interacting with an ISO file which they were tricked into downloading from a file storage service. 

Figure 2: The above figure, taken from the event log for an infected device, shows that the device contacted a OneDrive endpoint immediately before making HTTPS connections to the BumbleBee C2 server, 45.140.146[.]244
Figure 3: The above figure, taken from the event log for an infected device, shows that the device contacted a Google Cloud Storage endpoint and then the malicious endpoint ‘marebust[.]com’ before making HTTPS connections to the  BumbleBee C2 servers, 108.62.118[.]61 and 23.227.198[.]217

After users ran a BumbleBee payload, their devices immediately initiated communications with BumbleBee C2 servers. The BumbleBee samples used HTTPS for their C2 communication, and all presented a common JA3 client fingerprint, ‘0c9457ab6f0d6a14fc8a3d1d149547fb’. All analysed samples excluded domain names in their ‘client hello’ messages to the C2 servers, which is unusual for legitimate HTTPS communication. External SSL connections which do not specify a destination domain name and whose JA3 client fingerprint is ‘0c9457ab6f0d6a14fc8a3d1d149547fb’ are potential indicators of BumbleBee infection. 

Figure 4:The above figure, taken from Darktrace's Advanced Search interface, depicts an infected device's spike in HTTPS connections with the JA3 client fingerprint ‘0c9457ab6f0d6a14fc8a3d1d149547fb’

Once the threat actors had established HTTPS communication with the BumbleBee-infected systems, they instructed BumbleBee to download and execute Cobalt Strike Beacon. This behaviour resulted in the infected systems making HTTPS connections to Cobalt Strike C2 servers. The Cobalt Strike Beacon samples all had the same JA3 client fingerprint ‘a0e9f5d64349fb13191bc781f81f42e1’ — a fingerprint associated with previously seen Cobalt Strike samples [18]. The domain names ‘fuvataren[.]com’ and ‘cuhirito[.]com’ were observed in the samples’ HTTPS communications. 

Figure 5:The above figure, taken from Darktrace's Advanced Search interface, depicts the Cobalt Strike C2 communications which immediately followed a device's BumbleBee C2 activity

Cobalt Strike Beacon payloads call home to C2 servers for instructions. In the cases observed, threat actors first instructed the Beacon payloads to perform reconnaissance tasks, such as SMB port scanning and SMB enumeration. It is likely that the threat actors performed these steps to inform the next stages of their operations.  The SMB enumeration activity was evidenced by the infected devices making NetrShareEnum and NetrShareGetInfo requests to the srvsvc RPC interface on internal systems.

Figure 6: The above figure, taken from Darktrace’s Advanced Search interface, depicts a spike in srvsvc requests coinciding with the infected device's Cobalt Strike C2 activity

After providing Cobalt Strike Beacon with reconnaissance tasks, the threat actors set out to obtain account password data in preparation for the lateral movement phase of their operation. To obtain account password data, the actors instructed Cobalt Strike Beacon to use the DCSync technique to replicate account password data from an internal domain controller. This activity was evidenced by the infected devices making DRSGetNCChanges requests to the drsuapi RPC interface on internal domain controllers. 

Figure 7: The above figure, taken from Darktrace’s Advanced Search interface, depicts a spike in DRSGetNCChanges requests coinciding with the infected device’s Cobalt Strike C2 activity

After leveraging the DCSync technique, the threat actors sought to broaden their presence within the targeted networks.  To achieve this, they instructed Cobalt Strike Beacon to get several specially selected internal systems to run a suspiciously named DLL (‘f.dll’). Cobalt Strike first established SMB sessions with target systems using compromised account credentials. During these sessions, Cobalt Strike uploaded the malicious DLL to a hidden network share. To execute the DLL, Cobalt Strike abused the Windows Service Control Manager (SCM) to remotely control and manipulate running services on the targeted internal hosts. Cobalt Strike first opened a binding handle to the svcctl interface on the targeted destination systems. It then went on to make an OpenSCManagerW request, a CreateServiceA request, and a StartServiceA request to the svcctl interface on the targeted hosts: 

·      Bind request – opens a binding handle to the relevant RPC interface (in this case, the svcctl interface) on the destination device

·      OpenSCManagerW request – establishes a connection to the Service Control Manager (SCM) on the destination device and opens a specified SCM database

·      CreateServiceA request – creates a service object and adds it to the specified SCM database 

·      StartServiceA request – starts a specified service

Figure 8: The above figure, taken from Darktrace’s Advanced Search interface, outlines an infected system’s lateral movement activities. After writing a file named ‘f.dll’ to the C$ share on an internal server, the infected device made several RPC requests to the svcctl interface on the targeted server

It is likely that the DLL file which the threat actors distributed was a Cobalt Strike payload. In one case, however, the threat actor was also seen distributing and executing a payload named ‘procdump64.exe’. This may suggest that the threat actor was seeking to use ProcDump to obtain authentication material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Given that ProcDump is a legitimate Windows Sysinternals tool primarily used for diagnostics and troubleshooting, it is likely that threat actors leveraged it in order to evade detection. 

In all the cases which Darktrace observed, threat actors’ attempts to conduct follow-up activities after moving laterally were thwarted with the help of Darktrace’s SOC team. It is likely that the threat actors responsible for the reported activities were seeking to deploy ransomware within the targeted networks. The steps which the threat actors took to make progress towards achieving this objective resulted in highly unusual patterns of network traffic. Darktrace’s detection of these unusual network activities allowed security teams to prevent these threat actors from achieving their disruptive objectives. 

Darktrace Coverage

Once threat actors succeeded in tricking users into running BumbleBee on their devices, Darktrace’s Self-Learning AI immediately detected the command-and-control (C2) activity generated by the loader. BumbleBee’s C2 activity caused the following Darktrace models to breach:

·      Anomalous Connection / Anomalous SSL without SNI to New External

·      Anomalous Connection / Suspicious Self-Signed SSL

·      Anomalous Connection / Rare External SSL Self-Signed

·      Compromise / Suspicious TLS Beaconing To Rare External

·      Compromise / Beacon to Young Endpoint

·      Compromise / Beaconing Activity To External Rare

·      Compromise / Sustained SSL or HTTP Increase

·      Compromise / Suspicious TLS Beaconing To Rare External

·      Compromise / SSL Beaconing to Rare Destination

·      Compromise / Large Number of Suspicious Successful Connections

·      Device / Multiple C2 Model Breaches 

BumbleBee’s delivery of Cobalt Strike Beacon onto target systems resulted in those systems communicating with Cobalt Strike C2 servers. Cobalt Strike Beacon’s C2 communications resulted in breaches of the following models: 

·      Compromise / Beaconing Activity To External Rare

·      Compromise / High Volume of Connections with Beacon Score

·      Compromise / Large Number of Suspicious Successful Connections

·      Compromise / Sustained SSL or HTTP Increase

·      Compromise / SSL or HTTP Beacon

·      Compromise / Slow Beaconing Activity To External Rare

·      Compromise / SSL Beaconing to Rare Destination 

The threat actors’ subsequent port scanning and SMB enumeration activities caused the following models to breach:

·      Device / Network Scan

·      Anomalous Connection / SMB Enumeration

·      Device / Possible SMB/NTLM Reconnaissance

·      Device / Suspicious Network Scan Activity  

The threat actors’ attempts to obtain account password data from domain controllers using the DCSync technique resulted in breaches of the following models: 

·      Compromise / Unusual SMB Session and DRS

·      Anomalous Connection / Anomalous DRSGetNCChanges Operation

Finally, the threat actors’ attempts to internally distribute and execute payloads resulted in breaches of the following models:

·      Compliance / SMB Drive Write

·      Device / Lateral Movement and C2 Activity

·      Device / SMB Lateral Movement

·      Device / Multiple Lateral Movement Model Breaches

·      Anomalous File / Internal / Unusual SMB Script Write

·      Anomalous File / Internal / Unusual Internal EXE File Transfer

·      Anomalous Connection / High Volume of New or Uncommon Service Control

If Darktrace/Network had been configured in the targeted environments, then it would have blocked BumbleBee’s C2 communications, which would have likely prevented the threat actors from delivering Cobalt Strike Beacon into the target networks. 

Figure 9: Attack timeline

Conclusion

Threat actors use loaders to smuggle more harmful payloads into target networks. Prior to March 2022, it was common to see threat actors using the BazarLoader loader to transfer their payloads into target environments. However, since the public disclosure of the Conti gang’s Jabber chat logs at the end of February, the cybersecurity world has witnessed a shift in tradecraft. Threat actors have seemingly transitioned from using BazarLoader to using a novel loader known as ‘BumbleBee’. Since BumbleBee first made an appearance in March 2022, a growing number of threat actors, in particular ransomware actors, have been observed using it.

It is likely that this trend will continue, which makes the detection of BumbleBee activity vital for the prevention of ransomware deployment within organisations’ networks. During April, Darktrace’s SOC team observed a particular pattern of threat actor activity involving the BumbleBee loader. After tricking users into running BumbleBee on their devices, threat actors were seen instructing BumbleBee to drop Cobalt Strike Beacon. Threat actors then leveraged Cobalt Strike Beacon to conduct network reconnaissance, obtain account password data from internal domain controllers, and distribute malicious payloads internally.  Darktrace’s detection of these activities prevented the threat actors from achieving their likely harmful objectives.  

Thanks to Ross Ellis for his contributions to this blog.

Appendices 

References 

[1] https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ 

[2] https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/ 

[3] https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming

[4] https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/ 

[5] https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/ 

[6] https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/ 

[7] https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/ 

[8] https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships 

[9] https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf 

[10] https://www.kroll.com/en/insights/publications/cyber/bumblebee-loader-linked-conti-used-in-quantum-locker-attacks 

[11] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime 

[12] https://isc.sans.edu/diary/TA578+using+thread-hijacked+emails+to+push+ISO+files+for+Bumblebee+malware/28636 

[13] https://isc.sans.edu/diary/rss/28664 

[14] https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf 

[15] https://ghoulsec.medium.com/mal-series-23-malware-loader-bumblebee-6ab3cf69d601 

[16]  https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/  

[17]  https://asec.ahnlab.com/en/35460/ 

[18] https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst

More in this series

No items found.

Blog

/

Network

/

June 27, 2025

Patch and Persist: Darktrace’s Detection of Blind Eagle (APT-C-36)

login on laptop dual factor authenticationDefault blog imageDefault blog image

What is Blind Eagle?

Since 2018, APT-C-36, also known as Blind Eagle, has been observed performing cyber-attacks targeting various sectors across multiple countries in Latin America, with a particular focus on Colombian organizations.

Blind Eagle characteristically targets government institutions, financial organizations, and critical infrastructure [1][2].

Attacks carried out by Blind Eagle actors typically start with a phishing email and the group have been observed utilizing various Remote Access Trojans (RAT) variants, which often have in-built methods for hiding command-and-control (C2) traffic from detection [3].

What we know about Blind Eagle from a recent campaign

Since November 2024, Blind Eagle actors have been conducting an ongoing campaign targeting Colombian organizations [1].

In this campaign, threat actors have been observed using phishing emails to deliver malicious URL links to targeted recipients, similar to the way threat actors have previously been observed exploiting CVE-2024-43451, a vulnerability in Microsoft Windows that allows the disclosure of a user’s NTLMv2 password hash upon minimal interaction with a malicious file [4].

Despite Microsoft patching this vulnerability in November 2024 [1][4], Blind Eagle actors have continued to exploit the minimal interaction mechanism, though no longer with the intent of harvesting NTLMv2 password hashes. Instead, phishing emails are sent to targets containing a malicious URL which, when clicked, initiates the download of a malicious file. This file is then triggered by minimal user interaction.

Clicking on the file triggers a WebDAV request, with a connection being made over HTTP port 80 using the user agent ‘Microsoft-WebDAV-MiniRedir/10.0.19044’. WebDAV is a transmission protocol which allows files or complete directories to be made available through the internet, and to be transmitted to devices [5]. The next stage payload is then downloaded via another WebDAV request and malware is executed on the target device.

Attackers are notified when a recipient downloads the malicious files they send, providing an insight into potential targets [1].

Darktrace’s coverage of Blind Eagle

In late February 2025, Darktrace observed activity assessed with medium confidence to be  associated with Blind Eagle on the network of a customer in Colombia.

Within a period of just five hours, Darktrace / NETWORK detected a device being redirected through a rare external location, downloading multiple executable files, and ultimately exfiltrating data from the customer’s environment.

Since the customer did not have Darktrace’s Autonomous Response capability enabled on their network, no actions were taken to contain the compromise, allowing it to escalate until the customer’s security team responded to the alerts provided by Darktrace.

Darktrace observed a device on the customer’s network being directed over HTTP to a rare external IP, namely 62[.]60[.]226[.]112, which had never previously been seen in this customer’s environment and was geolocated in Germany. Multiple open-source intelligence (OSINT) providers have since linked this endpoint with phishing and malware campaigns [9].

The device then proceeded to download the executable file hxxp://62[.]60[.]226[.]112/file/3601_2042.exe.

Darktrace’s detection of the affected device connecting to an unusual location based in Germany.
Figure 1: Darktrace’s detection of the affected device connecting to an unusual location based in Germany.
Darktrace’s detection of the affected device downloading an executable file from the suspicious endpoint.
Figure 2: Darktrace’s detection of the affected device downloading an executable file from the suspicious endpoint.

The device was then observed making unusual connections to the rare endpoint 21ene.ip-ddns[.]com and performing unusual external data activity.

This dynamic DNS endpoint allows a device to access an endpoint using a domain name in place of a changing IP address. Dynamic DNS services ensure the DNS record of a domain name is automatically updated when the IP address changes. As such, malicious actors can use these services and endpoints to dynamically establish connections to C2 infrastructure [6].

Further investigation into this dynamic endpoint using OSINT revealed multiple associations with previous likely Blind Eagle compromises, as well as Remcos malware, a RAT commonly deployed via phishing campaigns [7][8][10].

Darktrace’s detection of the affected device connecting to the suspicious dynamic DNS endpoint, 21ene.ip-ddns[.]com.
Figure 3: Darktrace’s detection of the affected device connecting to the suspicious dynamic DNS endpoint, 21ene.ip-ddns[.]com.

Shortly after this, Darktrace observed the user agent ‘Microsoft-WebDAV-MiniRedir/10.0.19045’, indicating usage of the aforementioned transmission protocol WebDAV. The device was subsequently observed connected to an endpoint associated with Github and downloading data, suggesting that the device was retrieving a malicious tool or payload. The device then began to communicate to the malicious endpoint diciembrenotasenclub[.]longmusic[.]com over the new TCP port 1512 [11].

Around this time, the device was also observed uploading data to the endpoints 21ene.ip-ddns[.]com and diciembrenotasenclub[.]longmusic[.]com, with transfers of 60 MiB and 5.6 MiB observed respectively.

Figure 4: UI graph showing external data transfer activity.

This chain of activity triggered an Enhanced Monitoring model alert in Darktrace / NETWORK. These high-priority model alerts are designed to trigger in response to higher fidelity indicators of compromise (IoCs), suggesting that a device is performing activity consistent with a compromise.

 Darktrace’s detection of initial attack chain activity.
Figure 5: Darktrace’s detection of initial attack chain activity.

A second Enhanced Monitoring model was also triggered by this device following the download of the aforementioned executable file (hxxp://62[.]60[.]226[.]112/file/3601_2042.exe) and the observed increase in C2 activity.

Following this activity, Darktrace continued to observe the device beaconing to the 21ene.ip-ddns[.]com endpoint.

Darktrace’s Cyber AI Analyst was able to correlate each of the individual detections involved in this compromise, identifying them as part of a broader incident that encompassed C2 connectivity, suspicious downloads, and external data transfers.

Cyber AI Analyst’s investigation into the activity observed on the affected device.
Figure 6: Cyber AI Analyst’s investigation into the activity observed on the affected device.
Figure 7: Cyber AI Analyst’s detection of the affected device’s broader connectivity throughout the course of the attack.

As the affected customer did not have Darktrace’s Autonomous Response configured at the time, the attack was able to progress unabated. Had Darktrace been properly enabled, it would have been able to take a number of actions to halt the escalation of the attack.

For example, the unusual beaconing connections and the download of an unexpected file from an uncommon location would have been shut down by blocking the device from making external connections to the relevant destinations.

Conclusion

The persistence of Blind Eagle and ability to adapt its tactics, even after patches were released, and the speed at which the group were able to continue using pre-established TTPs highlights that timely vulnerability management and patch application, while essential, is not a standalone defense.

Organizations must adopt security solutions that use anomaly-based detection to identify emerging and adapting threats by recognizing deviations in user or device behavior that may indicate malicious activity. Complementing this with an autonomous decision maker that can identify, connect, and contain compromise-like activity is crucial for safeguarding organizational networks against constantly evolving and sophisticated threat actors.

Credit to Charlotte Thompson (Senior Cyber Analyst), Eugene Chua (Principal Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

IoCs

IoC – Type - Confidence
Microsoft-WebDAV-MiniRedir/10.0.19045 – User Agent

62[.]60[.]226[.]112 – IP – Medium Confidence

hxxp://62[.]60[.]226[.]112/file/3601_2042.exe – Payload Download – Medium Confidence

21ene.ip-ddns[.]com – Dynamic DNS Endpoint – Medium Confidence

diciembrenotasenclub[.]longmusic[.]com  - Hostname – Medium Confidence

Darktrace’s model alert coverage

Anomalous File / Suspicious HTTP Redirect
Anomalous File / EXE from Rare External Location
Anomalous File / Multiple EXE from Rare External Location
Anomalous Server Activity / Outgoing from Server
Unusual Activity / Unusual External Data to New Endpoint
Device / Anomalous Github Download
Anomalous Connection / Multiple Connections to New External TCP Port
Device / Initial Attack Chain Activity
Anomalous Server Activity / Rare External from Server
Compromise / Suspicious File and C2
Compromise / Fast Beaconing to DGA
Compromise / Large Number of Suspicious Failed Connections
Device / Large Number of Model Alert

Mitre Attack Mapping:

Tactic – Technique – Technique Name

Initial Access - T1189 – Drive-by Compromise
Initial Access - T1190 – Exploit Public-Facing Application
Initial Access ICS - T0862 – Supply Chain Compromise
Initial Access ICS - T0865 – Spearphishing Attachment
Initial Access ICS - T0817 - Drive-by Compromise
Resource Development - T1588.001 – Malware
Lateral Movement ICS - T0843 – Program Download
Command and Control - T1105 - Ingress Tool Transfer
Command and Control - T1095 – Non-Application Layer Protocol
Command and Control - T1571 – Non-Standard Port
Command and Control - T1568.002 – Domain Generation Algorithms
Command and Control ICS - T0869 – Standard Application Layer Protocol
Evasion ICS - T0849 – Masquerading
Exfiltration - T1041 – Exfiltration Over C2 Channel
Exfiltration - T1567.002 – Exfiltration to Cloud Storage

References

1)    https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/

2)    https://assets.kpmg.com/content/dam/kpmgsites/in/pdf/2025/04/kpmg-ctip-blind-eagle-01-apr-2025.pdf.coredownload.inline.pdf

3)    https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-remote-access-trojan/#:~:text=They%20might%20be%20attached%20to,remote%20access%20or%20system%20administration

4)    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451

5)    https://www.ionos.co.uk/digitalguide/server/know-how/webdav/

6)    https://vercara.digicert.com/resources/dynamic-dns-resolution-as-an-obfuscation-technique

7)    https://threatfox.abuse.ch/ioc/1437795

8)    https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/remcos-malware/

9)    https://www.virustotal.com/gui/url/b3189db6ddc578005cb6986f86e9680e7f71fe69f87f9498fa77ed7b1285e268

10) https://www.virustotal.com/gui/domain/21ene.ip-ddns.com

11) https://www.virustotal.com/gui/domain/diciembrenotasenclub.longmusic.com/community

Continue reading
About the author
Charlotte Thompson
Cyber Analyst

Blog

/

Email

/

June 18, 2025

Darktrace Collaborates with Microsoft: Unifying Email Security with a Shared Vision

Default blog imageDefault blog image

In today’s threat landscape, email remains the most targeted vector for cyberattacks. Organizations require not only multi-layered defenses but also advanced, integrated systems that work collaboratively to proactively mitigate threats before they cause damage

That’s why we’re proud to announce a new integration between Darktrace / EMAIL and Microsoft Defender for Office 365, delivering a Unified Quarantine experience that empowers security teams with seamless visibility, control, and response across both platforms.

This announcement builds on a strong and growing collaboration. In 2024, Darktrace was honored as Microsoft UK Partner of the Year and recognized as a Security Trailblazer at the annual Microsoft Security 20/20 Awards, a testament to our shared commitment to innovation and customer-centric security.

A Shared Mission: Stopping Threats at Machine Speed

This integration is more than a technical milestone,as it’s a reflection of a shared mission: to protect organizations from both known and unknown threats, with efficiency, accuracy, and transparency.

  • Microsoft Defender for Office 365 delivers a comprehensive security framework that safeguards Microsoft 365 email and collaboration workloads leveraging advanced AI, global threat intelligence and information on known attack infrastructure.
  • Darktrace / EMAIL complements this with Self-Learning AI that understands the unique communication patterns within each organization, detecting subtle anomalies that evade traditional detection methods.

Together, we’re delivering multi-layered, adaptive protection that’s greater than the sum of its parts.

“Our integration with Microsoft gives security teams the tools they need to act faster and more precisely to detect and respond to threats,” said Jill Popelka, CEO of Darktrace. “Together, we’re strengthening defenses where it matters most to our customers: at the inbox.”

Unified Quarantine: One View, Total Clarity

The new Unified Quarantine experience gives customers a single pane of glass to view and manage email threatsregardless of which product took action. This means:

  • Faster investigations with consolidated visibility
  • Clear attribution of actions and outcomes across both platforms
  • Streamlined workflows for security teams managing complex environments

“This integration is a testament to the power of combining Microsoft’s global threat intelligence with Darktrace’s unique ability to understand the ‘self’ of an organization,” said Jack Stockdale, CTO of Darktrace. “Together, we’re delivering a new standard in proactive, adaptive email security.”

A New Era of Collaborative Cyber Defense

This collaboration represents a broader shift in cybersecurity: from siloed tools to integrated ecosystems. As attackers become more sophisticated, defenders must move faster, smarter, and in unison.

Through this integration, Darktrace and Microsoft establish a new standard for collaboration between native and third-party security solutions, enhancing not only threat detection but also comprehensive understanding and proactive measures against threats.

We’re excited to bring this innovation to our customers and continue building a future where AI and human expertise collaborate to secure the enterprise.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email
Your data. Our AI.
Elevate your network security with Darktrace AI