Blog
/
Network
/
March 13, 2024

Simulated vs. Real Malware: What You Need To Know

Learn how Darktrace distinguishes between simulated and real malware. Discover the advanced detection techniques used to protect your network.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Priya Thapa
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
Mar 2024

Distinguishing attack simulations from the real thing

In an era marked by the omnipresence of digital technologies and the relentless advancement of cyber threats, organizations face an ongoing battle to safeguard their digital environment. Although red and blue team exercises have long served as cornerstones in evaluating organizational defenses, their reliance on manual processes poses significant constraints [1]. Led by seasoned security professionals, these tests offer invaluable insights into security readiness but can be marred by their resource-intensive and infrequent testing cycles. The gaps between assessments leave organizations open to undetected vulnerabilities, compromising the true state of their security environment. In response to the ever-changing threat landscape, organizations are adopting a proactive stance towards cyber security to fortify their defenses.

At the forefront, these efforts tend to revolve around simulated attacks, a process designed to test an organization's security posture against both known and emerging threats in a safe and controlled environment [2]. These meticulously orchestrated simulations imitate the tactics, techniques, and procedures (TTPs) employed by actual adversaries and provide organizations with invaluable insights into their security resilience and vulnerabilities. By immersing themselves in simulated attack scenarios, security teams can proactively probe for vulnerabilities, adopt a more aggressive defense posture, and stay ahead of evolving cyber threats.

Distinguishing between simulated malware observations and authentic malware activities stands as a critical imperative for organizations bolstering their cyber defenses. While simulated platforms offer controlled scenarios for testing known attack patterns, Darktrace’s Self-Learning AI can detect known and unknown threats, identify zero-day threats, and previously unseen malware variants, including attack simulations. Whereas simulated platforms focus on specific known attack vectors, Darktrace DETECT™ and Darktrace RESPOND™ can identify and contain both known and unknown threats across the entire attack surface, providing unparalleled protection of the cyber estate.

Darktrace’s Coverage of Simulated Attacks

In January 2024, the Darktrace Security Operations Center (SOC) received a high volume of alerts relating to an unspecified malware strain that was affecting multiple customers across the fleet, raising concerns, and prompting the Darktrace Analyst team to swiftly investigate the multitude of incident. Initially, these activities were identified as malicious, exhibiting striking resemblance to the characteristics of Remcos, a sophisticated remote access trojan (RAT) that can be used to fully control and monitor any Windows computer from XP and onwards [3]. However, further investigation revealed that these activities were intricately linked to a simulated malware provider.

This discovery underscores a pivotal insight into Darktrace’s capabilities. To this point, leveraging advanced AI, Darktrace operates with a sophisticated framework that extends beyond conventional threat detection. By analyzing network behavior and anomalies, Darktrace not only discerns between simulated threats, such as those orchestrated by breach and attack simulation platforms and genuine malicious activities but can also autonomously respond to these threats with RESPOND. This showcases Darktrace’s advanced capabilities in effectively mitigating cyber threats.

Attack Simulation Process: Initial Access and Intrusion

Darktrace initially observed devices breaching several DETECT models relating to the hostname “new-tech-savvy[.]com”, an endpoint that was flagged as malicious by multiple open-source intelligence (OSINT) vendors [4].

In addition, multiple HTML Application (HTA) file downloads were observed from the malicious endpoint, “new-tech-savvy[.]com/5[.]hta”. HTA files are often seen as part of the UAC-0050 campaign, known for its cyber-attacks against Ukrainian targets, which tends to leverage the Remcos RAT with advanced evasion techniques [5] [6]. Such files are often critical components of a malware operation, serving as conduits for the deployment of malicious payloads onto a compromised system. Often, within the HTA file resides a VBScript which, upon execution, triggers a PowerShell script. This PowerShell script is designed to facilitate the download of a malicious payload, namely “word_update.exe”, from a remote server. Upon successful execution, “word_update.exe” is launched, invoking cmd.exe and initiating the sharing of malicious data. This process results in the execution of explorer.exe, with the malicious RemcosRAT concealed within the memory of explorer.exe. [7].

As the customers were subscribed to Darktrace’s Proactive Threat Notification (PTN) service, an Enhanced Monitoring model was breached upon detection of the malicious HTA file. Enhanced Monitoring models are high-fidelity DETECT models designed to identify activity likely to be indicative of compromise. These PTN alerts were swiftly investigated by Darktrace’s round the clock SOC team.

Following this successful detection, Darktrace RESPOND took immediate action by autonomously blocking connections to the malicious endpoint, effectively preventing additional download attempts. Similar activity may be seen in the case of a legitimate malware attack; however, in this instance, the hostname associated with the download confirmed the detected malicious activity was the result of an attack simulation.

Figure 1: The Breach Log displays the model breach, “Anomalous File/Incoming HTA File”, where a device was detected downloading the HTA file, “5.hta” from the endpoint, “new-tech-savvy[.]com”.
'
Figure 2: The Model Breach Event Log shows a device making connections to the endpoint, “new-tech-savvy[.]com”. As a result, theRESPOND model, “Antigena/Network/External Threat/Antigena File then New Outbound Block", breached and connections to this malicious endpoint were blocked.
Figure 3: The Breach Log further showcases another RESPOND model, “Antigena/Network/External Threat/Antigena Suspicious File Block", which was triggered when the device downloaded a  HTA file from the malicious endpoint, “new-tech-savvy[.]com".

In other cases, Darktrace observed SSL and HTTP connections also attributed to the same simulated malware provider, highlighting Darktrace’s capability to distinguish between legitimate and simulated malware attack activity.

Figure 4: The Model Breach “Anomalous Connection/Low and Slow Exfiltration" displays the hostname of a simulated malware provider, confirming the detected malicious activity as the result of an attack simulation.
Figure 5: The Model Breach Event Log shows the SSL connections made to an endpoint associated with the simulated malware provider.
Figure 6: Darktrace’s Advanced Search displays SSL connection logs to the endpoint of the simulated malware provider around the time the simulation activity was observed.

Upon detection of the malicious activity occurring within affected customer networks, Darktrace’s Cyber AI Analyst™ investigated and correlated the events at machine speed. Figure 8 illustrates the synopsis and additional technical information that AI Analyst generated on one customer’s environment, detailing that over 220 HTTP queries to 18 different endpoints for a single device were seen. The investigation process can also be seen in the screenshot, showcasing Darktrace’s ability to provide ‘explainable AI’ detail. AI Analyst was able to autonomously search for all HTTP connections made by the breach device and identified a single suspicious software agent making one HTTP request to the endpoint, 45.95.147[.]236.

Furthermore, the malicious endpoints, 45.95.147[.]236, previously observed in SSH attacks using brute-force or stolen credentials, and “tangible-drink.surge[.]sh”, associated with the Androxgh0st malware [8] [9] [10], were detected to have been requested by another device.

This highlights Darktrace’s ability to link and correlate seemingly separate events occurring on different devices, which could indicate a malicious attack spreading across the network.  AI Analyst was also able to identify a username associated with the simulated malware prior to the activity through Kerberos Authentication Service (AS) requests. The device in question was also tagged as a ‘Security Device’ – such tags provide human analysts with valuable context about expected device activity, and in this case, the tag corroborates with the testing activity seen. This exemplifies how Darktrace’s Cyber AI Analyst takes on the labor-intensive task of analyzing thousands of connections to hundreds of endpoints at a rapid pace, then compiling results into a single pane that provides customer security teams with the information needed to evaluate activities observed on a device.

All in all, this demonstrates how Darktrace’s Self-Learning AI is capable of offering an unparalleled level of awareness and visibility over any anomalous and potentially malicious behavior on the network, saving security teams and administrators a great deal of time.

Figure 7: Cyber AI Analyst Incident Log containing a summary of the attack simulation activity,, including relevant technical details, and the AI investigation process.

Conclusion

Simulated cyber-attacks represent the ever-present challenge of testing and validating security defenses, while the threat of legitimate compromise exemplifies the constant risk of cyber threats in today’s digital landscape. Darktrace emerges as the solution to this conflict, offering real-time detection and response capabilities that identify and mitigate simulated and authentic threats alike.

While simulations are crafted to mimic legitimate threats within predefined parameters and controlled environments, the capabilities of Darktrace DETECT transcend these limitations. Even in scenarios where intent is not malicious, Darktrace’s ability to identify anomalies and raise alerts remains unparalleled. Moreover, Darktrace’s AI Analyst and autonomous response technology, RESPOND, underscore Darktrace’s indispensable role in safeguarding organizations against emerging threats.

Credit to Priya Thapa, Cyber Analyst, Tiana Kelly, Cyber Analyst & Analyst Team Lead

Appendices

Model Breaches

Darktrace DETECT Model Breach Coverage

Anomalous File / Incoming HTA File

Anomalous Connection / Low and Slow Exfiltration

Darktrace RESPOND Model Breach Coverage

§  Antigena / Network/ External Threat/ Antigena File then New Outbound Block

Cyber AI Analyst Incidents

• Possible HTTP Command and Control

• Suspicious File Download

List of IoCs

IP Address

38.52.220[.]2 - Malicious Endpoint

46.249.58[.]40 - Malicious Endpoint

45.95.147[.]236 - Malicious Endpoint

Hostname

tangible-drink.surge[.]sh - Malicious Endpoint

new-tech-savvy[.]com - Malicious Endpoint

References

1.     https://xmcyber.com/glossary/what-are-breach-and-attack-simulations/

2.     https://www.picussecurity.com/resource/glossary/what-is-an-attack-simulation

3.     https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US&sfdcIFrameOrigin=null

4.     https://www.virustotal.com/gui/url/c145cf7010545791602e9585f447347c75e5f19a0850a24e12a89325ded88735

5.     https://www.virustotal.com/gui/url/7afd19e5696570851e6413d08b6f0c8bd42f4b5a19d1e1094e0d1eb4d2e62ce5

6.     https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html

7.     https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method

8.     https://www.virustotal.com/gui/ip-address/45.95.147.236/community

9.     https://www.virustotal.com/gui/domain/tangible-drink.surge.sh/community

10.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Priya Thapa
Cyber Analyst

More in this series

No items found.

Blog

/

Cloud

/

August 7, 2025

How CDR & Automated Forensics Transform Cloud Incident Response

cloud security investigation guy on computer doing workDefault blog imageDefault blog image

Introduction: Cloud investigations

In cloud security, speed, automation and clarity are everything. However, for many SOC teams, responding to incidents in the cloud is often very difficult especially when attackers move fast, infrastructure is ephemeral, and forensic skills are scarce.

In this blog we will walk through an example that shows exactly how Darktrace Cloud Detection and Response (CDR) and automated cloud forensics together, solve these challenges, automating cloud detection, and deep forensic investigation in a way that’s fast, scalable, and deeply insightful.

The Problem: Cloud incidents are hard to investigate

Security teams often face three major hurdles when investigating cloud detections:

Lack of forensic expertise: Most SOCs and security teams aren’t natively staffed with forensics specialists.

Ephemeral infrastructure: Cloud assets spin up and down quickly, leaving little time to capture evidence.

Lack of existing automation: Gathering forensic-level data often requires manual effort and leaves teams scrambling around during incidents — accessing logs, snapshots, and system states before they disappear. This process is slow and often blocked by permissions, tooling gaps, or lack of visibility.

How Darktrace augments cloud investigations

1. Darktrace’s CDR finds anomalous activity in the cloud

An alert is generated for a large outbound data transfer from an externally facing EC2 instance to a rare external endpoint. It’s anomalous, unexpected, and potentially serious.

2. AI-led investigation stitches together the incident for a SOC analyst to look into

When a security incident unfolds, Darktrace’s Cyber AI Analyst TM is the first to surface it, automatically correlating behaviors, surfacing anomalies, and presenting a cohesive incident summary. It’s fast, detailed, and invaluable.

Once the incident is created, more questions are raised.

  • How were the impacted resources compromised?
  • How did the attack unfold over time – what tools and malware were used?
  • What data was accessed and exfiltrated?

What you’ll see as a SOC analyst: The incident begins in Darktrace’s Threat Visualizer, where a Cyber AI Analyst incident has been generated automatically highlighting large anomalous data transfer to a suspicious external IP. This isn’t just another alert, it’s a high-fidelity signal backed by Darktrace’s Self-Learning AI.

Cyber AI Analyst incident created for anomalous outbound data transfer
Figure 1: Cyber AI Analyst incident created for anomalous outbound data transfer

The analyst can then immediately pivot to Darktrace / CLOUD’s architecture view (see below), gaining context on the asset’s environment, ingress/egress points, connected systems, potential attack paths and whether there are any current misconfigurations detected on the asset.

Darktrace / CLOUD architecture view providing critical cloud context
Figure 2: Darktrace / CLOUD architecture view providing critical cloud context

3. Automated forensic capture — No expertise required

Then comes the game-changer, Darktrace’s recent acquisition of Cado enhances its cloud forensics capabilities. From the first alert triggered, Darktrace has already kicked in and automatically processed and analyzed a full volume capture of the EC2. Everything, past and present, is preserved. No need for manual snapshots, CLI commands, or specialist intervention.

Darktrace then provides a clear timeline highlighting the evidence and preserving it. In our example we identify:

  • A brute-force attempt on a file management app, followed by a successful login
  • A reverse shell used to gain unauthorized remote access to the EC2
  • A reverse TCP connection to the same suspicious IP flagged by Darktrace
  • Attacker commands showing how the data was split and prepared for exfiltration
  • A file (a.tar) created from two sensitive archives: product_plans.zip and research_data.zip

All of this is surfaced through the timeline view, ranked by significance using machine learning. The analyst can pivot through time, correlate events, and build a complete picture of the attack — without needing cloud forensics expertise.

Darktrace even gives the ability to:

  • Download and inspect gathered files in full detail, enabling teams to verify exactly what data was accessed or exfiltrated.
  • Interact with the file system as if it were live, allowing investigators to explore directories, uncover hidden artifacts, and understand attacker movement with precision.
Figure 3 Cado critical forensic investigation automated insights
Figure 3: Cado critical forensic investigation automated insights
Figure 4: Cado forensic file analysis of reverse shell and download option
Figure 5: a.tar created from two sensitive archives: product_plans.zip and research_data.zip
Figure 6: Traverse the full file system of the asset

Why this matters?

This workflow solves the hardest parts of cloud investigation:

  1. Capturing evidence before it disappears
  2. Understanding attacker behavior in detail - automatically
  3. Linking detections to impact with full incident visibility

This kind of insight is invaluable for organizations especially regulated industries, where knowing exactly what data was affected is critical for compliance and reporting. It’s also a powerful tool for detecting insider threats, not just external attackers.

Darktrace / CLOUD and Cado together acts as a force multiplier helping with:

  • Reducing investigation time from hours to minutes
  • Preserving ephemeral evidence automatically
  • Empowering analysts with forensic-level visibility

Cloud threats aren’t slowing down. Your response shouldn’t either. Darktrace / CLOUD + Cado gives your SOC the tools to detect, contain, and investigate cloud incidents — automatically, accurately, and at scale.

[related-resource]

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security

Blog

/

Network

/

August 6, 2025

2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review

cyberseucity 2025 half year threat report Default blog imageDefault blog image

2025: Threat landscape in review

The following is a retrospective of the first six months of 2025, highlighting key findings across the threat landscape impacting Darktrace customers.

Darktrace observed a wide range of tactics during this period, used by various types of threat actors including advanced persistent threats (APTs), Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) groups.

Methodology

Darktrace’s Analyst team conduct investigations and research into threats facing organizations and security teams across our customer base.  This includes direct investigations with our 24/7 Security Operations Centre (SOC), via services such as Managed Detection and Response (MDR) and Managed Threat Detection, as well as broader cross-fleet research through our Threat Research function.

At the core of our research is Darktrace’s anomaly-based detection, which the Analyst team contextualizes and analyzes to provide additional support to customers and deepen our understanding of the threats they face.

Threat actors are incorporating AI into offensive operations

Threat actors are continuously evolving their tactics, techniques, and procedures (TTPs), posing an ongoing challenge to effective defense hardening. Increasingly, many threat actors are adopting AI, particularly large language models (LLMs), into their operations to enhance the scale, sophistication, and efficacy of their attacks.

The evolving functionality of malware, such as the recently reported LameHug malware by CERT-UA, which uses an open-source LLM, exemplifies this observation [1].

Threat landscape trends in 2025

Threat actors applying AI to Email attacks

LLMs present a clear opportunity for attackers to take advantage of AI and create effective phishing emails at speed. While Darktrace cannot definitively confirm the use of AI to create the phishing emails observed across the customer base, the high volume of phishing emails and notable shifts in tactic could potentially be explained by threat actors adopting new tooling such as LLMs.

  • The total number of malicious emails detected by Darktrace from January to May 2025 was over 12.6 million
  • VIP users continue to face significant threat, with over 25% of all phishing emails targeting these users in the first five months of 2025
  • QR code-based phishing emails have remained a consistent tactic, with a similar proportion observed in January-May 2024 and 2025. The highest numbers were observed in February 2025, with over 1 million detected in that month alone.
  • Shifts towards increased sophistication within phishing emails are emerging, with a year-on-year increase in the proportion of phishing emails containing either a high text volume or multistage payloads. In the first five months of 2025, 32% of phishing emails contained a high volume of text.

The increase in proportion of phishing emails with a high volume of text in particular could point towards threat actors leveraging LLMs to create phishing emails with large, but believable, text in an easy and efficient way.

The above email statistics are derived from analysis of monitored Darktrace / EMAIL model data for all customer deployments hosted in the cloud between January 1 and May 31, 2025.

Campaign Spotlight: Simple, Quick - ClickFix

An interesting technique Darktrace observed multiple times throughout March and April was ClickFix social engineering, which exploits the intersection between humans and technology to trick users into executing malicious code on behalf of the attacker.

  • While this technique has been around since 2024, Darktrace observed campaign activity in the first half of 2025 suggesting a resurgence.  
  • A range of threat actors – from APTs to MaaS and RaaS have adopted this technique to deliver secondary payloads, like information stealing malware.
  • Attackers use fraudulent or compromised legitimate websites to inject malicious plugins that masquerade as fake CAPTCHAs.
  • Targeted users believe they are completing human verification or resolving a website issue, unaware that they are being guided through a series of simple steps to execute PowerShell code on their system.
  • Darktrace observed campaign activity during the first half of 2025 across a range of sectors, including Government, Healthcare, Insurance, Retail and, Non-profit.

Not just AI: Automation is enabling Ransomware and SaaS exploitation

The rise of phishing kits like FlowerStorm and Mamba2FA, which enable phishing and abuse users’ trust by mimicking legitimate services to bypass multi-factor authentication (MFA), highlight how the barriers to entry for sophisticated attacks continue to fall, enabling new threat actors. Combined with Software-as-a-Service (SaaS) account compromise, these techniques make up a substantial portion of cybercriminal activity observed by Darktrace so far this year.

Credentials remain the weak link

A key theme across multiple cases of ransomware was threat actors abusing compromised credentials to gain initial entry into networks via:

  • Unauthorized access to internet-facing technology such as RDP servers and virtual private networks (VPNs).
  • Unauthorized access to SaaS accounts.

SaaS targeted ransomware is on the rise

The encryption of files within SaaS environments observed by Darktrace demonstrates a continued trend of ransomware actors targeting these platforms over traditional networks, potentially driven by a higher return on investment.

SaaS accounts are often less protected than traditional systems because of Single Sign-On (SSO).  Additionally, platforms like Salesforce often host sensitive data, including emails, financial records, customer information, and network configuration details. This stresses the need for robust identity management practices and continuous monitoring.

RaaS is adding complexity and speed to cyber attacks

RaaS has dominated the attack landscape, with groups like Qilin, RansomHub, and Lynx all appearing multiple times in cases across Darktrace’s customer base over the past six months. Detecting ransomware attacks before the encryption stage remains a significant challenge, particularly in RaaS operations where different affiliates often use varying techniques for initial entry and earlier stages of the attack. Darktrace’s recent analysis of Scattered Spider underscores the challenge of hardening defenses against such varying techniques.

CVE exploitation continues despite available patches

Darktrace has also observed ransomware gangs exploiting known Common Vulnerabilities and Exposures (CVEs), including the Medusa ransomware group’s use of the SimpleHelp vulnerabilities: CVE-2024-57727 and CVE-2024-57728 in March, despite patches being made available in January [2].

Misused tools + delayed patches = growing cyber risk

The exploitation of common remote management tools like SimpleHelp highlights the serious challenges defenders face when patch management cycles are suboptimal. As threat actors continue to abuse legitimate services for malicious purposes, the challenges facing defenders will only grow more complex.

Edge exploitation

It comes as no surprise that exploitation of internet-facing devices continued to feature prominently in Darktrace’s Threat Research investigations during the first half of 2025.

Observed CVE exploitation included:

Many of Darktrace’s observations of CVE exploitation so far in 2025 align with wider industry reporting, which suggests that Chinese-nexus threat actors were deemed to likely have exploited these technologies prior to public disclosure. In the case of CVE-2025-0994 - a vulnerability affecting Trimble Cityworks, an asset management system designed for use by local governments, utilities, airports, and public work agencies [3].

Darktrace observed signs of exploitation as early as January 19, well before vulnerability’s public disclosure on February 6 [4]. Darktrace’s early identification of the exploitation stemmed from the detection of a suspicious file download from 192.210.239[.]172:3219/z44.exe - later linked to Chinese-speaking threat actors in a campaign targeting the US government [5].

This case demonstrates the risks posed by the exploitation of internet-facing devices, not only those hosting more common technologies, but also software associated specifically tied to Critical National Infrastructure (CNI); a lucrative target for threat actors. This also highlights Darktrace’s ability to detect exploitation of internet-facing systems, even without a publicly disclosed CVE. Further examples of how Darktrace’s anomaly detection can uncover malicious activity ahead of public vulnerability disclosures can be found here.

New threats and returning adversaries

In the first half of 2025, Darktrace observed a wide range of threats, from sophisticated techniques employed by APT groups to large-scale campaigns involving phishing and information stealers.

BlindEagle (APT-C-36)

Among the observed APT activity, BlindEagle (APT-C-36) was seen targeting customers in Latin America (LATM), first identified in February, with additional cases seen as recently as June.

Darktrace also observed a customer targeted in a China-linked campaign involving the LapDogs ORB network, with activity spanning from December 2024 and June 2025. These likely nation-state attacks illustrate the continued adoption of cyber and AI capabilities into the national security goals of certain countries.

Sophisticated malware functionality

Further sophistication has been observed within specific malware functionality - such as the malicious backdoor Auto-Color, which has now been found to employ suppression tactics to cover its tracks if it is unable to complete its kill chain - highlighting the potential for advanced techniques across every layer of an attack.

Familiar foes

Alongside new and emerging threats, previously observed and less sophisticated tools, such as worms, Remote Access Trojans (RATs), and information stealers, continue to impact Darktrace customers.

The Raspberry Robin worm... First seen in 2021, has been repeatedly identified within Darktrace’s customer base since 2022. Most recently, Darktrace’s Threat Research team identified cases in April and May this year. Recent open-source intelligence (OSINT) reporting suggests that Raspberry Robin continues to evolve its role as an Initial Access Broker (IAB), paving the way for various attacks and remaining a concern [6].

RATs also remain a threat, with examples like AsyncRAT and Gh0st RAT impacting Darktrace customers.

In April multiple cases of MaaS were observed in Darktrace’s customer base, with information stealers Amadey and Stealc, as well as GhostSocks being distributed as a follow up payload after an initial Amadey infection.

Conclusion

As cyber threats evolve, attackers are increasingly harnessing AI to craft highly convincing email attacks, automating phishing campaigns at unprecedented scale and speed. This, coupled with rapid exploitation of vulnerabilities and the growing sophistication of ransomware gangs operating as organized crime syndicates, makes today’s threat landscape more dynamic and dangerous than ever. Cyber defenders collaborate to combat these threats – the coordinated takedown of Lumma Stealer in May was a notable win for both industry and law-enforcement [7], however OSINT suggests that this threat persists [8], and new threats will continue to arise.

Traditional security tools that rely on static rules or signature-based detection often struggle to keep pace with these fast-moving, adaptive threats. In this environment, anomaly-based detection tools are no longer optional—they are essential. By identifying deviations in normal user and system behavior, tools like Darktrace provide a proactive layer of defense capable of detecting novel and emerging threats, even those that bypass conventional security measures. Investing in anomaly-based detection is critical to staying ahead of attackers who now operate with automation, intelligence, and global coordination.

Credit to Emma Foulger (Global Threat Research Operations Lead), Nathaniel Jones (VP, Security & AI Strategy, Field CISO),  Eugene Chua (Principal Cyber Analyst & Analyst Team Lead), Nahisha Nobregas (Senior Cyber Analyst), Nicole Wong (Principal Cyber Analyst), Justin Torres (Senior Cyber Analyst), Matthew John (Director of Operations, SOC), Sam Lister (Specialist Security Researcher), Ryan Traill (Analyst Content Lead) and the Darktrace Incident Management team.

The information contained in this blog post is provided for general informational purposes only and represents the views and analysis of Darktrace as of the date of publication. While efforts have been made to ensure the accuracy and timeliness of the information, the cybersecurity landscape is dynamic, and new threats or vulnerabilities may have emerged since this report was compiled.

This content is provided “as is” and without warranties of any kind, either express or implied. Darktrace makes no representations or warranties regarding the completeness, accuracy, reliability, or suitability of the information, and expressly disclaims all warranties.

Nothing in this blog post should be interpreted as legal, technical, or professional advice. Users of this information assume full responsibility for any actions taken based on its content, and Darktrace shall not be liable for any loss or damage resulting from reliance on this material. Reference to any specific products, companies, or services does not constitute or imply endorsement, recommendation, or affiliation.

Appendices

Indicators of Compromise (IoCs)

IoC - Type - Description + Probability

LapDogs ORB network, December 2024-June 2025

www.northumbra[.]com – Hostname – Command and Control (C2) server

103.131.189[.]2 – IP Address - C2 server, observed December 2024 & June 2025

103.106.230[.]31 – IP Address - C2 server, observed December 2024

154.223.20[.]56 – IP Address – Possible C2 server, observed December 2024

38.60.214[.]23 – IP Address – Possible C2 server, observed January & February 2025

154.223.20[.]58:1346/systemd-log – URL – Possible ShortLeash payload, observed December 2024

CN=ROOT,OU=Police department,O=LAPD,L=LA,ST=California,C=US - TLS certificate details for C2 server

CVE-2025-0994, Trimble Cityworks exploitation, January 2025

192.210.239[.]172:3219/z44.exe – URL - Likely malicious file download

AsyncRAT, February-March 2025

windows-cam.casacam[.]net – Hostname – Likely C2 server

88.209.248[.]141 – IP Address – Likely C2 server

207.231.105[.]51 – IP Address – Likely C2 server

163.172.125[.]253 – IP Address – Likely C2 server

microsoft-download.ddnsfree[.]com – Hostname – Likely C2 server

95.217.34[.]113 – IP Address – Likely C2 server

vpnl[.]net – Hostname – Likely C2 server

157.20.182[.]16 – IP Address - Likely C2 server

185.81.157[.]19 – IP Address – Likely C2 server

dynamic.serveftp[.]net – IP Address – Likely C2 server

158.220.96.15 – IP Address – Likely C2 server

CVE-2024-57727 & CVE-2024-57728, SimpleHelp RMM exploitation, March 2025

213.183.63[.]41 – IP Address - C2 server

213.183.63[.]41/access/JWrapper-Windows64JRE-version.txt?time=3512082867 – URL - C2 server

213.183.63[.]41/access/JWrapper-Windows64JRE-00000000002-archive.p2.l2 – URL - C2 server

pruebas.pintacuario[.]mx – Hostname – Possible C2 server

144.217.181[.]205 – IP Address – Likely C2 server

erp.ranasons[.]com – Hostname – Possible destination for exfiltration

143.110.243[.]154 – IP Address – Likely destination for exfiltration

Blind Eagle, April-June 2025

sostenermio2024.duckdns[.]org/31agosto.vbs – URL – Possible malicious file download

Stealc, April 2025

88.214.48[.]93/ea2cb15d61cc476f[.]php – URL – C2 server

Amadey & GhostSocks, April 2025

195.82.147[.]98 – IP Address - Amadey C2 server

195.82.147[.]98/0Bdh3sQpbD/index.php – IP Address – Likely Amadey C2 activity

194.28.226.181 – IP Address – Likely GhostSocks C2 server

RaspberryRobin, May 2025

4j[.]pm – Hostname – C2 server

4xq[.]nl – Hostname – C2 server

8t[.]wf – Hostname – C2 server

Gh0stRAT, May 2025

lu.dssiss[.]icu  - Hostname – Likely C2 server

192.238.133[.]162:7744/1-111.exe – URL – Possible addition payload

8e9dec3b028f2406a8c546a9e9ea3d50609c36bb - SHA1 - Possible additional payload

f891c920f81bab4efbaaa1f7a850d484 - MD5 – Possible additional payload

192.238.133[.]162:7744/c3p.exe – URL - Possible additional payload

03287a15bfd67ff8c3340c0bae425ecaa37a929f - SHA1 - Possible additional payload

02aa02aee2a6bd93a4a8f4941a0e6310 - MD5 - Possible additional payload

192.238.133[.]162:7744/1-1111.exe – URL - Possible additional payload

1473292e1405882b394de5a5857f0b6fa3858fd1 - SHA1 - Possible additional payload

69549862b2d357e1de5bab899ec0c817 - MD5 - Possible additional payload

192.238.133[.]162:7744/1-25.exe – URL -  Possible additional payload

20189164c4cd5cac7eb76ba31d0bd8936761d7a7  - SHA1 - Possible additional payload

f42aa5e68b28a3f335f5ea8b6c60cb57 – MD5 - Possible additional payload

192.238.133[.]162:7744/Project1_se.exe – URL - Possible additional payload

fea1e30dfafbe9fa9abbbdefbcbe245b6b0628ad - SHA1 - Possible additional payload

5ea622c630ef2fd677868cbe8523a3d5 - MD5 - Possible additional payload

192.238.133[.]162:7744/Project1_se.exe - URL - Possible additional payload

aa5a5d2bd610ccf23e58bcb17d6856d7566d71b9  - SHA1 - Possible additional payload

9d33029eaeac1c2d05cf47eebb93a1d0 - MD5 - Possible additional payload

References and further reading

1.        https://cip.gov.ua/en/news/art28-atakuye-sektor-bezpeki-ta-oboroni-za-dopomogoyu-programnogo-zasobu-sho-vikoristovuye-shtuchnii-intelekt?utm_medium=email&_hsmi=113619842&utm_content=113619842&utm_source=hs_email

2.        https://www.s-rminform.com/latest-thinking/cyber-threat-advisory-medusa-and-the-simplehelp-vulnerability

3.        https://assetlifecycle.trimble.com/en/products/software/cityworks

4.     https://nvd.nist.gov/vuln/detail/CVE-2025-0994

5.     https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/

6.        https://www.silentpush.com/blog/raspberry-robin/

7.        https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/

8.     https://www.trendmicro.com/en_sg/research/25/g/lumma-stealer-returns.html

Related Darktrace investigations

-              ClickFix

-              FlowerStorm

-              Mamba 2FA

-              Qilin Ransomware

-              RansomHub Ransomware

-              RansomHub Revisited

-              Lynx Ransomware

-              Scattered Spider

-              Medusa Ransomware

-              Legitimate Services Malicious Intentions

-              CVE-2025-0282 and CVE-2025-0283 – Ivanti CS, PS and ZTA

-              CVE-2025-31324 – SAP Netweaver

-              Pre-CVE Threat Detection

-              BlindEagle (APT-C-36)

-              Raspberry Robin Worm

-              AsyncRAT

-              Amadey

-              Lumma Stealer

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead
Your data. Our AI.
Elevate your network security with Darktrace AI