Blog
/
Cloud
/
July 11, 2024

GuLoader: Evolving Tactics in Latest Campaign Targeting European Industry

Cado Security Labs identified a GuLoader campaign targeting European industrial companies via spearphishing emails with compressed batch files. This malware uses obfuscated PowerShell scripts and shellcode with anti-debugging techniques to establish persistence and inject into legitimate processes, to deliver Remote Access Trojans. GuLoader's ongoing evolution highlights the need for robust security.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Tara Gould
Malware Research Lead
Default blog image
11
Jul 2024

Introduction: GuLoader

Researchers from Cado Security Labs (now part of Darktrace) recently discovered a  campaign targeting European industrial and engineering companies. GuLoader is an evasive shellcode downloader used to deliver Remote Access Trojans (RAT) that has been used by threat actors since 2019 and continues to advance. 

Figure 1

Initial access

Cado identified a number of spearphishing emails sent to electronic manufacturing, engineering and industrial companies in European countries including Romania, Poland, Germany and Kazakhstan. The emails typically include order inquiries and contain an archive file attachment (iso, 7z, gzip, rar). The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order. 

PowerShell  

The first stage of GuLoader is a batch file that is compressed in the archive from the email attachment. As shown in Image 2, the batch file contains an obfuscated PowerShell script, which is done to evade detection.

Batch file
Figure 2: Obfuscated PowerShell

The obfuscated script contains strings that are deobfuscated through a function “Boendes” (in this sample) that contains a for loop that takes every fifth character, with the rest of the characters being junk. After deobfuscating, the functionality of the script is clearer. These values can be retrieved by debugging the script, however deobfuscating with Script 1 in the Scripts section, makes it easier to read for static analysis.

Deobfuscated Powershell
Figure 3 - Deobfuscated PowerShell

This Powershell script contains the function “Aromastofs” that is used to invoke the provided expressions. A secondary file is downloaded from careerfinder[.]ro and saved as “Knighting.Pro” in the user’s AppData/Roaming folder. The content retrieved from “Kighting.Pro” is decoded from Base64, converted to ASCII and selected from position 324537, with the length 29555. This is stored as “$Nongalactic” and contains more Powershell. 

Second Powershell script
Figure 4 - Second PowerShell script
Deobfuscated Secondary Powershell
Figure 5 - Deobfuscated Secondary PowerShell

As seen in Image 5, the secondary PowerShell is obfuscated in the same manner as before with the function “Boendes”. The script begins with checking which PowerShell is being used 32 or 64 bit. If 64 bit is in use, a 32 bit PowerShell process is spawned to execute the script, and to enable 32 bit processes later in the chain. 

The function named “Brevsprkkernes” is a secondary obfuscation function. The function takes the obfuscated hex string, converts to a byte array, applies XOR with a key of 173 and converts to ASCII. This obfuscation is used to evade detection and analysis more difficult. Again, these values can be retrieved with debugging; however for readability, using Script 2 in the Scripts section makes it easier to read. 

Obfuscated Hex Strings
Figure 6: Obfuscated Hex Strings
Deobfuscated PowersShell Strings
Figure 7 - Deobfuscated PowerShell Strings
Deobfuscated Process Injection
Figure 8: Deobfuscated Process Injection

The second PowerShell script contains functionality to allocate memory via VirtualAlloc and to execute shellcode. VirtualAlloc is a native Windows API function that allows programs to allocate, reserve, or commit memory in a specified process. Threat actors commonly use VirtualAlloc to allocate memory for malicious code execution, making it harder for security solutions to detect or prevent code injection. The variable “$Bakteriekulturs” contains the bytes that were stored in “AppData/Roaming/Knighting.Pro” and converted from Base64 in the first part of the PowerShell Script. Marshall::Copy is used to copy the first 657 bytes of that file, which is the first shellcode. Marshall.Copy is a method that enables the transfer of data between unmanaged memory and managed arrays, allowing data exchange between managed and unmanaged code. Marshal.Copy is typically abused to inject or manipulate malicious payloads in memory, bypassing traditional detection by directly accessing and modifying memory regions used by applications. Marshall::Copy is used again to copy bytes 657 to 323880 as a second shellcode. 

First Shellcode
Figure 9: First Shellcode

The first shellcode includes multiple anti-debugging techniques that make static and dynamic analysis difficult. There have been multiple evolutions of GuLoader’s evasive techniques that have been documented [1]. The main functionality of the first shellcode is to load and decrypt the second shellcode. The second shellcode adds the original PowerShell script as a Registry Key “Mannas” in HKCU/Software/Procentagiveless for persistence, with the path to PowerShell 32 bit executable stored as “Frenetic” in HKCU\Environment; however, these values change per sample. 

Registry Key created for PowerShell Script
Figure 10 - Registry Key created for PowerShell Script
PowerShell bit added to Registry
Figure 11 - PowerShell 32 bit added to Registry

The second shellcode is injected into the legitimate “msiexec.exe” process and appears to be reaching out to a domain to retrieve an additional payload, however at the time of analysis this request returns a 404. Based on previous research of GuLoader, the final payload is usually a RAT including Remcos, NetWire, and AgentTesla.[2]

msiexec abused to retrieve additional payload
Figure 12  - msiexec abused to retrieve additional payload

Key Takeaway

Guloader malware continues to adapt its techniques to evade detection to deliver RATs. Threat actors are continually targeting specific industries in certain countries. Its resilience highlights the need for proactive security measures. To counter Guloader and other threats, organizations must stay vigilant and employ a robust security plan.

Scripts

Script 1 to deobfuscate junk characters 

import re 
import argparse 
import os 
 
def deobfuscate_powershell(input_file, output_file): 
  try: 
      with open(input_file, 'r', encoding='utf-8') as f: 
          text = f.read() 
 
      function_name_match = re.search(r"function\s+(\w+)\s*\(", text) 
      if not function_name_match: 
          print("Could not find the obfuscation function name in the file.") 
          return 
      
      function_name = function_name_match.group(1) 
      print(f"Detected obfuscation function name: {function_name}") 
 
      obfuscated_pattern = rf"(?<={function_name} ')(.*?)(?=')" 
      matches = re.findall(obfuscated_pattern, text) 
 
      for match in matches: 
          deobfuscated = match[4::5] 
          full_obfuscated_call = f"{function_name} '{match}'" 
          text = text.replace(full_obfuscated_call, deobfuscated) 
 
      with open(output_file, 'w', encoding='utf-8') as f: 
          f.write(text) 
 
      print(f"Deobfuscation complete. Output saved to {output_file}") 
 
  except Exception as e: 
      print(f"An error occurred!: {e}") 
 
if __name__ == "__main__": 
  parser = argparse.ArgumentParser(description="Deobfuscate an obfuscated PowerShell file.") 
  parser.add_argument("input_file", help="Path to the obfuscated PowerShell file.") 
  parser.add_argument("output_file", nargs='?', help="Path to save the deobfuscated file. Default is 'deobfuscated_powershell.ps1' in the same directory.", default=None) 
 
  args = parser.parse_args() 
 
  if args.output_file is None: 
      output_file = os.path.splitext(args.input_file)[0] + "_deobfuscated.ps1" 
  else: 
      output_file = args.output_file 
 
  deobfuscate_powershell(args.input_file, output_file) 

Script 2 to deobfuscate hex strings obfuscation (note this will need values changed based on sample)

import re 
import argparse 
 
def brevsprkkernes(spackle): 
  if not all(c in'0123456789abcdefABCDEF'for c in spackle): 
      return f"Invalid hex: {spackle}" 
  paronomasian = 2 
  polyurethane = bytearray(len(spackle) // 2) 
 
  for forstyrrets in range(0, len(spackle), paronomasian): 
      try: 
          polyurethane[forstyrrets // 2] = int(spackle[forstyrrets:forstyrrets + 2], 16) 
          polyurethane[forstyrrets // paronomasian] ^= 173 
      except ValueError: 
          return f"Error processing hex: {spackle}" 
 
  return polyurethane.decode('ascii', errors='ignore') 
 
def process_file(input_file, output_file): 
  with open(input_file, 'r') as infile: 
      content = infile.read() 
 
  def replace_function(match): 
      hex_string = match.group(1).strip() 
      result = brevsprkkernes(hex_string) 
      return f"Brevsprkkernes '{result}'" 
 
  updated_content = re.sub(r"Brevsprkkernes\s*['\"]?([0-9A-Fa-f]+)['\"]?", replace_function, content) 
 
  with open(output_file, 'w') as outfile: 
      outfile.write(updated_content) 
 
if __name__ == "__main__": 
  parser = argparse.ArgumentParser(description="Process a PowerShell file and replace hex strings.") 
  parser.add_argument("input_file", help="Path to the input file.") 
  parser.add_argument("output_file", help="Path to save the deobufuscated file.") 
  args = parser.parse_args() 
 
  process_file(args.input_file, args.output_file) 

Indicators of compromise (IoCs)

GuLoader scripts

ZW_PCCE-010023024001.bat  36a9a24404963678edab15248ca95a4065bdc6a84e32fcb7a2387c3198641374  

ORDER_1ST.bat  26500af5772702324f07c58b04ff703958e7e0b57493276ba91c8fa87b7794ff  

IMG465244247443 GULF ORDER Opmagasinering.cmd  40b46bae5cca53c55f7b7f941b0a02aeb5ef5150d9eff7258c48f92de5435216  

EXSP 5634 HISP9005 ST MSDS DOKUME74247linierelet.bat  e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3  

LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat 4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959  

Quotation_final_buy_order_list_2024_po_nos_ART125673211020240000000000024.bat661f5870a5d8675719b95f123fa27c46bfcedd45001ce3479a9252b653940540  

MEC20241022001.bat  33ed102236533c8b01a224bd5ffb220cecc32900285d2984d4e41803f1b2b58d  

nMEC20241022001.iso  9617fa7894af55085e09a06b1b91488af37b8159b22616dfd5c74e6b9a081739  

Gescanneerde lijst met artikelen nr. 654398.bat  f5feabf1c367774dc162c3e29b88bf32e48b997a318e8dd03a081d7bfe6d3eb5  

DHL_Shipping_Invoices_Awb_BL_000000000102220242247820020031808174Global180030010222024.cmd f78319fcb16312d69c6d2e42689254dff3cb875315f7b2111f5c3d2b4947ab50  

Order Confirmation.bat  949cdd89ed5fb2da03c53b0e724a4d97c898c62995e03c48cbd8456502e39e57  

SKM_0001810-01-2024-GL-3762.bat  9493ad437ea4b55629ee0a8d18141977c2632de42349a995730112727549f40e  

21102024_0029_18102024_SKM_0001810-01-2024-GL-3762.iso  535dd8d9554487f66050e2f751c9f9681dadae795120bb33c3db9f71aafb472c  

\Device\CdRom1\MARSS-FILTRY_ZW015010024.BAT  e5ebe4d8925853fc1f233a5a6f7aa29fd8a7fa3a8ad27471c7d525a70f4461b6  

Myologist.cmd  51244e77587847280079e7db8cfdff143a16772fb465285b9098558b266c6b3f  

SKU_0001710-1-2024-SX-3762.bat  643cd5ba1ac50f5aa2a4c852b902152ffc61916dc39bd162f20283a0ecef39fe  

Stamcafeernes.cmd  54b8b9c01ce6f58eb6314c67f3acb32d7c3c96e70c10b9d35effabb7e227952e  

C:\Users\user\AppData\Local\Temp\j4phhdbc.lti\Bank details Form.bat  c1f810194395ff53044e3ef87829f6dff63a283c568be4a83088483b6c043ec8  

SKGCRO COMANDA FAB SRL M60_647746748846748347474.bat  8dd5fd174ee703a43ab5084fdaba84d074152e46b84d588bf63f9d5cd2f673d1  

DHL_Shipping_Invoices_Awb_BL_000000000101620242247820020031808174Global180030010162024.bat bde5f995304e327d522291bf9886c987223a51a299b80ab62229fcc5e9d09f62  

Ciwies.cmd  b1be65efa06eb610ae0426ba7ac7f534dcb3090cd763dc8642ca0ede7a339ce7  

Zamówienie Agotech Begyndelsesord.cmd  18c0a772f0142bc8e5fb0c8931c0ba4c9e680ff97d7ceb8c496f68dea376f9da  

SKM_0001810-01-2024-GL-3762.iso  4a4c0918bdacd60e792a814ddacc5dc7edb83644268611313cb9b453991ac628  

C:\Users\user\AppData\Local\Temp\Stemmeslugerens.bat  8bedbdaa09eefac7845278d83a08b17249913e484575be3a9c61cf6c70837fd2  

Agotech Zamówienie Fjeldkammes325545235562377.bat  ff6c4c8d899df66b551c84124e73c1f3ffa04a4d348940f983cf73b2709895d3  

Agotech Zamówienie Fjeldkammes3255452355623.bat  f3e046a7769b9c977053dd32ebc1b0e1bbfe3c61789d2b8d54e51083c3d0bed5  

SKU_0001710-1-2024-SX-3762.iso  0546b035a94953d33a5c6d04bdc9521b49b2a98a51d38481b1f35667f5449326  

SKU_0001710-1-2024-SX-3762.bat  4f1b5d4bb6d0a7227948fb7ebb7765f3eb4b26288b52356453b74ea530111520  

DOKUMENTEN_TOBIAS.bat  038113f802ef095d8036e86e5c6b2cb8bc1529e18f34828bcf5f99b4cc012d6a  

IMEG238668289485293885823085802835025Urfjeld.bat  6977043d30d8c1c5024669115590b8fd154905e01ab1f2832b2408d1dc811164  

SKM_C250i24100408500.iso  6370cbcb1ac3941321f93dd0939d5daba0658fb8c85c732a6022cc0ec8f0f082  

SKU_0001710-1-2024-SX-3762.iso  7f06382b781a8ba0d3f46614f8463f8857f0ade67e0f77606b8d918909ad37c2  

\Device\CdRom1\ORDINE ELECTRICAS BC CORP PO EDC0969388.BAT  e98fa3828fa02209415640c41194875c1496bc6f0ca15902479b012243d37c47  

Quote Request #2359 Bogota.msg  0f0dfe8c5085924e5ab722fa01ea182569872532a6162547a2e87a1d2780f902  

ORDER.1ST.bat  48dca5f3a12d3952531b05b556c30accafbf9a3c6cda3ec517e4700d5845ab61  

Fortryl105.cmd  f43b78e4dc3cba2ee9c6f0f764f97841c43419059691d670ca930ce84fb7143b  

SMX-0002607-1-2024-UP-3762.iso  a60dbbe88a1c4857f009a3c06a2641332d41dfd89726dd5f2c6e500f7b25b751

Quotation_final_buy_order_list_2024_po_nos_ART1256731610202400000000000.cmd efd80337104f2acde5c8f3820549110ad40f1aa9b494da9a356938103bda82e7

a60dbbe88a1c4857f009a3c06a2641332d41dfd89726dd5f2c6e500f7b25b751.iso 0327db7b754a16a7ae29265e7d8daed7a1caa4920d5151d779e96cd1536f2fbe  

MARSS-FILTRY_ZW015010024.iso c415127bde80302a851240a169fff0592e864d2f93e9a21c7fd775fdb4788145

SKM_C250i24100408500.bat 36c464519a4cce8d0fcdb22a8974923fd51d915075eba9e62ade54a9c396844d  

UPM-0002607-1-2024-UP-3762.iso  e9fc754844df1a7196a001ac3dfbcf28b80397a718a3ceb8d397378a6375ff62  

Comanda KOMARON TRADE SRL 435635Lukketid.bat 1bf09bcb5bfa440fc6ce5c1d3f310fb274737248bf9acdd28bea98c9163a745a  

311861751714730477170144.bat f87448d722e160584e40feaad0769e170056a21588679094f7d58879cdb23623  

Estimate_buy_product_purchase_order_import_list_10_10_2024_000000101024.cmd f20670ed0cdc2d9a2a75884548e6e6a3857bbf66cfbfb4afe04a3354da9067c9  

PAYMENT TERM.bat 4c90504c86f1e77b0a75a1c7408adf1144f2a0e3661c20f2bf28d168e3408429  

Arbitrre.cmd  8ef4cb5ad7d5053c031690b9d04d64ba5d0d90f7bf8ba5e74cb169b5388e92c5  

KZЗапрос продукта SKM_32532667622352352Arvehygiejnikernes.bat 4ddd3369a51621b0009b6d993126fcb74b52e72f8cacd71fcbc401cda03108cb  

Order_AP568.bat fda4e04894089be87f520144d8a6141074d63d33b29beb28fd042b0ecc06fbbc  

C:\Users\user\Documents\ConnectWiseControl\Temp\Blodprocenternes.cmd e5f5d9855be34b44ad4c9b1c5722d1a6dff2f4a6878a874df1209d813aea7094  

Productivenesses.cmd a7268e906b86f7c1bb926278bf88811cb12189de0db42616e5bbb3dc426a4ef5  

Doktriner.cmd 74d468acd0493a6c5d72387c8e225cc0243ae1a331cd1e2d38f75ed8812347dd  

final_buy_product_purchase_order_import_list_11_10_2024_000000111024.cmd a2127d63bc0204c17d4657e5ae6930cab6ab33ae3e65b82e285a8757f39c4da9  

ORDER_U769.bat b45d9b5dbe09b2ca45d66432925842b0f698c9d269d3c7b5148cc26bdc2a92d0  

Beschwerde-Rechtsanwalt.bat 229c4ce294708561801b16eed5a155c8cfe8c965ea99ac3cfb4717a35a1492f3  

upit nr5634 10_08_2024.cmd 5854d9536371389fb0f1152ebc1479266d36ec4e06b174619502a6db1b593d71  

C:\Users\user\AppData\Local\Temp\Doktriner.cmd 140dcb39308d044e3e90610c65a08e0abc6a3ac22f0c9797971f0c652bb29add  

Fedtsyresammenstning.cmd 0b1c44b202ede2e731b2d9ee64c2ce333764fbff17273af831576a09fc9debfa  

HENIKENPLANT PROJECT PROPOSAL BID_24-0976·pdf.cmd 31a72d94b14bf63b07d66d023ced28092b9253c92b6e68397469d092c2ffb4a6  

MAIN ORDER.bat 85d1877ceda7c04125ca6383228ee158062301ae2b4e4a4a698ef8ed94165c7c  

Narudzba ACH0036173.bat 8d7324d66484383eba389bc2a8a6d4e9c4cb68bfec45d887b7766573a306af68  

Sludger.cmd 45b7b8772d9fe59d7df359468e3510df1c914af41bd122eeb5a408d045399a14  

Glasmester.bat b0e69f895f7b0bc859df7536d78c2983d7ed0ac1d66c243f44793e57d346049d  

PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.cmd 09a3bb4be0a502684bd37135a9e2cbaa3ea0140a208af680f7019811b37d28d6  

C:\Users\user\Documents\ConnectWiseControl\Temp\Bidcock.cmd 0996e7b37e8b41ff0799996dd96b5a72e8237d746c81e02278d84aa4e7e8534e  

PO++380.101483.bat a9af33c8a9050ee6d9fe8ce79d734d7f28ebf36f31ad8ee109f9e3f992a8d110  

Network IOCs

91[.]109.20.161

137[.]184.191.215

185[.]248.196.6

hxxps://filedn[.]com/lK8iuOs2ybqy4Dz6sat9kSz/Frihandelsaftalen40.fla

hxxps://careerfinder[.]ro/vn/Traurigheder[.]sea

hxxp://inversionesevza[.]com/wp-includes/blocks_/Dekupere.pcz

hxxps://rareseeds[.]zendesk[.]com/attachments/token/G9SQnykXWFAnrmBcy8MzhciEs/?name=PO++380.101483.bat

Detection

Yara rule

rule GuLoader_Obfuscated_Powershell 
{ 
   meta: 
       description = "Detects Obfuscated GuLoader Powershell Scripts" 
       author = "[email protected]" 
       date = "2024-10-14" 
   strings: 
      $hidden_window = { 7374617274202f6d696e20706f7765727368656c6c2e657865202d77696e646f777374796c652068696464656e2022 } 
      $for_loop = /for\s*\(\s*\$[a-zA-Z0-9_]+\s*=\s*\d+;\s*\$[a-zA-Z0-9_]+\s*-lt\s*\$[a-zA-Z0-9_]+\s*;\s*\$[a-zA-Z0-9_]+\s*\+=\s*\d+\s*\)/ 
   condition: 
      $for_loop and $hidden_window 

MITRE ATT&CK

T1566.001  Phishing: Malicious Attachment  

T1055 Process Injection  

T1204.002  User Execution: Malicious File  

T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  

T1140  Deobfuscate/Decode Files or Information  

T1622  Debugger Evasion  

T1001.001  Junk Code  

T1105  Ingress Tool Transfer  

T1059.001  Command and Scripting Interpreter: Powershell  

T1497.003  Virtualization/Sandbox Evasion: Time Based Evasion  

T1071.001  Application Layer Protocol: Web Protocols

References:

[1] https://www.crowdstrike.com/en-us/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/  

[2] https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/guloader-malware/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Tara Gould
Malware Research Lead

More in this series

No items found.

Blog

/

AI

/

July 6, 2026

NIST Just Proved It: AI Security Can’t Be Solved With Rules

ai security nistDefault blog imageDefault blog image

Static AI guardrails are inherently limited

As organizations adopt generative AI, many still assume that the right set of guardrails will be enough. The problem is you can’t anticipate every way these systems might be misused, abused or attacked. What NIST has done is put a mathematical foundation under that intuition.

In recent research building on Gödel’s incompleteness theorems, which showed that any system built on a fixed set of rules will always have gaps, NIST demonstrates that there is no finite set of guardrails that can be universally robust against adversarial prompts. In plain terms, if your defense is based on a fixed set of rules, there will always be inputs that bypass them. Not because the rules are badly written, but because the problem space is bigger than static rules can ever cover.

This is not new in cybersecurity - detection rules have always had to live with this trade-off. What is different with GenAI is the scale and shape of that problem. These systems are built on human language, and human language is not bounded. It is fluid, contextual and deliberately ambiguous. The number of ways intent can be hidden is effectively limitless. You are not defending against a defined protocol or a fixed exploit chain. You are defending against the entire expressive capacity of people.

So attempting to create a complete set of rules is the wrong starting point. It assumes the problem can be deterministically described. NIST’s work shows that it cannot. Organizations still need a way to manage AI risk, but the traditional approach of defining allowed and disallowed patterns is always going to lag behind what is actually happening. The same input can be benign in one context and risky in another, and static rules struggle to capture that distinction.

The question then is what fills that gap?

AI security must shift from rules to behavior

What's required is a shift in what you are trying to understand. Rules try to describe what should and shouldn't happen. Behavior shows you what is happening. Or to put it another way, if inputs are unbounded and adversaries adapt, the only stable signal is behavior.

In a GenAI context, that means analyzing how an AI model is being used, how prompts evolve over time, how outputs are shaped, and where AI agent interactions start to drift from what is expected. It means moving from static definitions of bad to a more dynamic understanding of intent.

Instead of trying to predict every bad prompt, you focus on identifying when behavior starts to move outside expected norms. Instead of asking whether a single input matches a rule, you ask whether the overall pattern of activity makes sense for the system and how it’s being used.

Guardrails remain important but they are only one layer

This does not eliminate the need for guardrails. They still play a role. But they will never address the entire problem space and are simply one part of your defense in depth approach.

NIST’s proof is useful because it makes this explicit. It removes the assumption that with enough effort, a complete rule set is achievable. It isn’t.

Once you accept that, the shift becomes unavoidable. This is no longer a problem of writing better rules, but of understanding behavior in a space where the possible inputs are effectively unbounded.

For security leaders, that changes the nature of the problem. It is less about defining what should be allowed, and more about recognizing when something is no longer consistent with expected behavior.

That does not remove the need for guardrails, but it does change their role. They set boundaries, but they do not define understanding. The gap between the two is where risk now sits.

In the end, this is what “can’t be solved with rules” really means. Rules will always leave gaps, and those gaps are not theoretical. They show up in how systems actually behave Not what we expect them to do, or what we intended them to do, but what they are doing in practice. That is where the signal is, and increasingly, that is where the security problem sits.

References:

https://www.nist.gov/news-events/news/2026/06/nist-mathematical-proof-supports-transition-continuous-monitor-and-update

https://ieeexplore.ieee.org/document/11475847

Continue reading
About the author
Andrew Hollister
Principal Solutions Engineer, Cyber Technician

Blog

/

AI

/

July 1, 2026

5 Ways AI is changing traditional security models according to modern CISOs

Default blog imageDefault blog image

The Reality of Securing AI in Motion

Traditional security tools were built for environments defined by fixed rules and predictable workflows. But AI behavior is non-deterministic. The same prompt can produce different outcomes, and risk often emerges gradually as AI behavior adapts, and permissions drift over time. This creates a constantly shifting environment where security teams are working to define control in a system that resists stability. “In AI security, yesterday's priorities can become tomorrow's blind spots. The landscape shifts that fast,” warned the SVP and Head of Technology and Cybersecurity of a real estate investment trust. Conventional approaches, which rely on establishing and maintaining a steady baseline, struggle to keep up with that level of change.

At the same time, AI adoption is accelerating across organizations, often faster than security teams can implement the controls needed to manage it. “The car is being built while it’s already on the road,” explained the CISO of a global private fund administrator. “The threats we're securing against today won't be the threats we're facing tomorrow. What kept us up three months ago looks nothing like what we're dealing with today.”

As businesses move quickly to unlock value from AI, security teams are left closing gaps in real time, while also facing adversaries who are using AI to make their attacks more scalable, adaptive, and difficult to detect. In this recent roundtable discussion of CISOs and security leaders, five themes emerged around AI cyber risk.  

1. AI agents with human access but no human judgment

In Darktrace’s 2026 State of AI Cybersecurity report, 96% of the surveyed security professionals agree that AI significantly improves the speed and efficiency with which they work. Yet, 92% admitted that they’re concerned with the security implications of the use of AI agents across their workforce.

AI agents now operate with human-level permissions across systems, acting at machine speed, orchestrating actions across platforms, and making decisions without the judgment or caution a person would apply. Unlike human users, they cannot be expected to pause and question whether a given action is appropriate.

Their identities are also difficult to inventory, govern, and audit. As agents become easier to deploy than legacy IT systems ever were, organizations are quickly losing track of what is running, what it has access to, and what it is doing. This creates a growing class of highly privileged, autonomous actors operating without the visibility or oversight that traditional identity and access controls were designed to provide.“While AI adoption is critical to running a modern business, AI alone can’t solve all our cybersecurity challenges,” said a global financial sector CISO. “We still need think critically and use human judgement. Those are two things AI can’t do.”

This lack of human judgment becomes especially risky as new architectures, such as Model Context Protocol (MCP), can expand how agents connect to data, tools, and external systems. By design, MCP enables agents to dynamically discover and interact with new resources, increasing flexibility but also introducing new pathways for unintended access, data exposure, or abuse if not properly governed.

The CISO of a fund administrator highlighted one emerging vector as an example: rogue MCP servers. “Our developers want to move quickly and bring value to the business, but technologies like these can unintentionally expose sensitive data in ways that would never have happened before.”

2. Increased digital complexity and expanded attack surface

AI activity rarely stays contained. A single prompt can trigger a chain of actions across networks, email, cloud infrastructure, SaaS platforms, endpoints, identity systems, and development environments, spanning systems that were never designed to be secured as a single, connected flow. This expands both the scale and complexity of what security teams need to monitor and defend.

Yet no single control has visibility across that entire chain. “You can’t defend effectively what you can’t see,” cautioned the private fund administrator CISO. As AI-driven activity moves fluidly across environments, gaps in coverage become inevitable, creating blind spots that attackers can exploit.

Threat actors are already capitalizing on this lack of visibility. “Threat actors have advanced their use of generative AI to launch more convincing phishing campaigns, automate social engineering, and scale attacks with greater precision down to the individual level,” said the SVP of Technology and Cybersecurity for the real estate investment trust. What was once manual and targeted can now be automated and personalized at scale, making attacks harder to detect and easier to execute.

At the same time, the pace of exploitation is accelerating. As a global CISO operating across 40+ countries described it: “Zero-day vulnerabilities are no longer zero day; it’s minus one day. By the time you get to it and address it, it’s already a problem.” By the time risk is identified, it has often already been realized.

The result is a rapidly expanding and increasingly interconnected attack surface that challenges security teams to maintain visibility, context, and control across AI-driven activity.

3. Shadow AI is already everywhere

76% of organizations now cite shadow AI as a problem, one that is spreading through organizations in ways that are hard to track and even harder to control.

Employees are experimenting with publicly available Gen AI tools. Teams are spinning up low-code automations on their own. SaaS providers are quietly embedding AI into existing products. Developers are plugging AI services directly into workflows, often without pausing to consider what that exposure means.

The result is a lack of visibility into:

  • What AI tools are being used
  • What data those tools can access
  • Where prompts and outputs are going
  • Which AI agents are interacting with enterprise systems

The SVP of Cybersecurity at a real estate investment trust described the shift: “Before, I was worried about someone sending data erroneously to their personal email. Now we have all these agents online that people are utilizing, and we’re looking at those vectors as well.” For security teams, this means operating without a complete view of how AI is being used, what it can access, and where risk may already be emerging.

4. Built-in guardrails are not enough

Organizations often assume that native AI guardrails or provider-level controls are sufficient to manage AI risk. But securing AI requires ongoing visibility, oversight, and governance, not just controls configured at deployment. "It’s a misconception that adopting AI is going to solve all your problems,” warns a global financial services CISO.

Security leaders are increasingly recognizing the limitations of these controls as:

  • Fragmented and difficult to enforce consistently across multiple AI systems, workflows, and environments
  • Ambiguous in terms of accountability due to shared responsibility for AI governance between IT, security, developers, business teams, and third-party providers
  • Limited in end-to-end oversight, leaving gaps that stretch from the initial prompt all the way through to the downstream impact of an agent's actions

Securing AI demands more than simple prompt filtering or static policy enforcement. It requires understanding intent, behavior, and context across both human and AI activity.

The next phase of cybersecurity: securing AI

To safely and responsibly adopt AI at scale, organizations need a new operational model for cybersecurity that’s capable of:

• Understanding AI behavior

• Identifying risk in real time

• Maintaining governance without slowing innovation

The CSO of a $10 billion municipal utility organization described the challenge with precision: “We have to move at the speed of innovation and risk, because both are accelerating faster than ever.”

Embrace AI with confidence with Darktrace / SECURE AI

Darktrace has introduced Darktrace / SECURE AI™, a new product within the Darktrace ActiveAI Security Platform™  ,designed to provide enterprise-wide security for AI by applying industry leading behavioral analysis to how prompts, agents, and AI systems are used.

Darktrace / SECURE AITM delivers real-time visibility and control across Enterprise and SaaS GenAI prompts, AI agent identities, development and production environments, and Shadow AI - detecting even subtle misuse, misconfiguration, and drift that traditional, rule-based controls simply do not understand. By interpreting context and intent across humans and machines, Darktrace enables organizations to adopt AI at scale without introducing unmanaged risk

What makes this possible is Darktrace’s decade-long maturity and expertise in behavioral understanding and AI-native cybersecurity. Achieved with Self-Learning AI that has been proven across more than 10,000 organizations, Darktrace understands what “normal” looks like for a business, across its users, systems, and now AI, so that meaningful deviations can be detected and acted on before they become incidents.

With one CISO describing Darktrace’s Self-Learning AI as “a leap forward compared to other tools” and another as a “force multiplier,” the technology can interpret ambiguous interactions, understand how access accumulates over time, and recognize when behavior, human or machine, begins to drift.

“Strategically, we’re looking to gain more visibility into how AI is operating across the environment and achieve greater control over what AI should be allowed to access and do,” shared the CISO at a private fund administrator.  

“What I’ve seen from Darktrace / SECURE AI is extremely promising. I have tremendous confidence in Darktrace’s vision for where this is headed and its ability to execute on this new solution.”

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI