Why shadow AI is emerging  

Imagine you’re an employee under pressure, deadlines stacking up, repetitive tasks piling higher by the day. You find a free AI tool online that promises to automate the work in seconds; no approvals are needed. It feels like a simple win, paste in some data, write a quick prompt, and move faster.

But in that moment, something changed.  

Sensitive customer information is entered into a tool your organization doesn’t monitor, doesn’t govern, and can’t see and suddenly, that data is no longer where it should be, and no one knows where it’s gone.

This is the reality of Shadow AI: employees using unsanctioned AI tools to move faster, while unintentionally creating risk that exists entirely outside visibility and control.  

Research indicates that nearly half of employees report using unsanctioned AI tools, often prioritizing speed and productivity over security. Additionally, 51% of employees report connecting AI tools to work systems or apps without IT approval, creating significant operational risk where the average cost of security incidents in organizations with a high level of shadow AI usage can reach $670k.

While shadow AI is often top of mind for security professionals, it is just one component of how AI use can increase risk. Understanding and managing shadow AI use should be considered as part of a broader, comprehensive risk management strategy that aims to secure AI systems, including human and agent identities, interactions, human-AI partnerships, and behaviors operating across the digital enterprise from visibility and governance through detection, response, and recovery.  

Effective risk management calls for a layered and interdisciplinary strategy. It requires addressing issues across governance and visibility; identity, access and agent control, data security and privacy, secure MLOps / LLMOps, runtime security, behavior-based detection, autonomous response and recovery.  

This blog explores a specific governance and visibility use case linked to shadow AI and reveals the challenges it presents as well as the defensive strategies that security teams can adopt.

Why shadow AI is hard to detect  

When it comes to AI, what organizations can easily see does not always reflect the full scope of AI activity occurring within the tools, applications, and workflows used across an enterprise. As a result, organizations using traditional rule-based methods to flag unusual activity may struggle to distinguish unsanctioned AI usage from legitimate operational behavior, particularly as SaaS applications, APIs, and orchestration layers increasingly have AI embedded into normal business workflows. Identifying threats using previously observed intelligence or depending on hard to maintain allow and block lists does not provide a dynamic enough strategy to manage risk. Also, many organizations are focusing on identifying Shadow AI in their governed infrastructure, like gateways, endpoints, or SASE, which is foundational. But, organizations require visibility and Shadow AI detection across all networked infrastructure from on-prem, hybrid, data centers, and cloud infrastructure that may not have endpoint agent visibility. This uncovers the utilization of MCP, data flows, and autonomous agents across these domains.

For example, employees interact with AI assistants across approved SaaS platforms every day. However, browser extensions and other types of plug-ins can route prompts that include enterprise data to embedded AI services in ways that are not visible to the security team. AI enabled workflows may invoke multiple APIs, orchestration layers, and cloud services behind the scenes, making it difficult for traditional security tooling to determine where data is processed, stored, or retransmitted. Because much of this activity occurs within trusted browser sessions and encrypted SaaS traffic, conventional network monitoring, DLP, and application allowlisting controls often lack the context needed to accurately identify or govern these interactions

Identifying AI tools in the environment is one part of the equation. Understanding the behavior surrounding their use is where the real challenge lies. An AI application is not inherently risky, but the way users or other assets interact with it may be. Sensitive data exposure, abnormal access patterns, and misuse of AI-assisted workflows often appear legitimate in isolation and only become visible through behavioral analysis across the broader environment.  

What Shadow AI visibility does and doesn’t show

Comprehensive Shadow AI visibility allows organizations to answer several important questions:

• What types of AI are we using? What AI platforms, agents, MCP clients/servers, and services are active across the enterprise?  

• Who is using AI services? Which users, business units, or systems are interacting with those AI services?  

• Is our data safe? Is sensitive or regulated data being exposed through prompts, workflows, or integrations?  

• Are AI systems behaving as expected? Are AI systems behaving anomalously or operating outside approved governance processes?  

• Are our AI systems under attack? Is an attacker attempting to manipulate prompts, influence agent behavior, or abuse AI-enabled workflows?

Answering these questions is foundational to broader AI governance efforts. However, it is limited to helping teams understand initial interactions and fails to offer insight into dependencies and outcomes that are critical to securing AI across an enterprise.  

Deeper visibility that includes the ability to understand dependencies and outcomes are not always available in AI security point products. Answering the questions below requires understanding runtime behavior and operational outcomes:  

• What actions did the AI interaction trigger?  

• What systems, applications, or data did it access? Did the AI operate beyond its intended permissions or scope?  

• Could a low-risk interaction lead to high-risk outcomes?  

• What is the risk and context understanding of an anomalous activity to assist in prioritization of analysis and autonomous response action?

The distinction between these two sets of questions offers two different layers of AI security. The first set of questions focuses on discovery and interaction visibility. The second set focuses on providing visibility that includes the context and outcomes that are critical for managing follow-on risks associated with obfuscated downstream activities.  

Together, these layers help organizations move beyond simply identifying AI usage toward understanding how AI behaves operationally across the enterprise.

How organizations are addressing shadow AI

Most organizations still approach shadow AI as an application control problem, relying on policies, browser restrictions, and allow/block lists. However, AI adoption is evolving faster than most governance processes can realistically keep pace with. New assistants, plugins, and embedded AI features appear continuously, creating pressure to enable business productivity while simultaneously containing risk.  

Existing governance processes were designed for a more traditional SaaS adoption cycle, where new applications could be reviewed, approved, and monitored over longer time horizons. AI adoption operates differently. New capabilities can appear overnight inside existing platforms employees already use, making it difficult for security and governance teams to maintain an accurate understanding of enterprise AI exposure. This means that many organizations are experiencing significant operational overhead, particularly in large environments where AI usage is decentralized across teams, departments, and third-party services.  

Where should organizations start when securing their AI systems?

Shadow AI identification is an on-going critical component for AI Risk/Governance Boards as well as security organizations. As organizations seek AI certifications like ISO 42001 AI Management Systems, visibility into all AI adoption from enterprise use to custom innovation and development is crucial. Shadow AI identification provides organizations with the visibility needed to decide whether an AI tool should be brought into governed environments to reduce data loss (DLP) risks or whether policies should be established and enforced to restrict their use.

As organizations rapidly innovate and adopt AI, they are taking on more and more risk. Organizations need to have a strategy in place to mitigate the assumed risk, especially with third-party adoption. Visibility, monitoring, governance enforcement, behavioral-based detection of non-deterministic systems, and autonomous investigation and containment becomes critical to mitigating the risk of AI systems.  

How Darktrace secures AI and shadow AI

Attackers are using AI to move faster, scale tactics, and make threats more adaptive and convincing. Internally, organizations are grappling with new forms of risk created by generative AI, autonomous agents, shadow AI, and increasingly complex digital environments.

Darktrace helps organizations protect both people and AI in a world where AI is now central to how business gets done. Darktrace / SECURE AI helps organizations discover and control shadow AI by surfacing unsanctioned or unexpected AI activity where it appears – including MCP detections, distinguishing misuse of legitimate tools and unapproved services, and applying policy to contain data exposure while guiding users toward sanctioned options.

Stay up to date on AI security

Sign up for the Secure AI Readiness Program here: This gives you exclusive access to the latest news on the latest AI threats, updates on emerging approaches shaping AI security, and insights into the latest innovations, including Darktrace’s ongoing work in this area.

Ready to talk with a Darktrace expert on securing AI? Register here to receive practical guidance on the AI risks that matter most to your business, paired with clarity on where to focus first across governance, visibility, risk reduction, and long-term readiness.  

Introduction

Darktrace’s Threat Research team is publishing this analysis to help defenders understand an active pattern of macOS tradecraft observed in multiple customer environments. This post summarizes the behaviors observed, how they were assessed, and what defenders can do now.

Across multiple environments, Darktrace observed a consistent MacOS intrusion pattern beginning with ClickFix-style user-assisted “update” execution and transitioning into AppleScript-driven post-compromise activity and sustained outbound signaling.

While individual indicators were low-confidence, the repeated convergence of weak behavioral signals — including HTTP POST beaconing, rare or IP-only destinations, SSL anomalies, and abnormal client characteristics — provided a defensible indication of command-and-control establishment Darktrace detection and response in these cases was driven by behavior over artifacts. In the highest-confidence instances, automated containment disrupted outbound signaling before sustained tasking could occur.

Background

ClickFix-style activity typically relies on user-assisted execution and plausible “update” pretexting, followed by post-execution use of native tools to keep the footprint light. In MacOS environments, AppleScript and other built-in scripting mechanisms enable flexible post-compromise workflows while minimizing stable file-based indicators.

Following execution, affected devices exhibited a consistent behavioral pattern. AppleScript or equivalent native scripting activity was observed initiating follow-on workflows, after which outbound communications began to establish a structured rhythm.

These communications were characterized by repeated HTTP POST requests to low-prevalence or IP-only endpoints, often combined with unusual SSL properties and client identifiers that diverged from baseline device behavior. Individually, these signals were weak. When correlated across time and devices, they formed a pattern consistent with control establishment rather than benign software activity.

In higher-confidence cases, Autonomous Response actions were able to reduce or halt outbound signaling, interrupting the attacker’s ability to maintain control.

Detection Timeline

In representative cases, the sequence unfolded as follows:

Stage 1 – Initial Execution

Initial activity began with suspicious or masqueraded execution on a MacOS endpoint, consistent with ClickFix-style user deception.

Stage 2 – Post-Execution Scripting

This was followed closely by native scripting activity, most commonly AppleScript, indicating the transition into post-execution workflow.

Stage 3 – Outbound Communications

Outbound communications then emerged, initially sporadic but quickly forming a consistent cadence of HTTP POST requests to rare external endpoints.

Stage 4 – Anomaly Convergence

As activity persisted, additional anomalies became visible — unusual SSL characteristics, abnormal user agents, and connections to infrastructure with no prior network prevalence.

Stage 5 – Autonomous Response

In the most mature stages of the activity, automated containment actions disrupted outbound communications on affected devices, limiting the attacker’s ability to continue tasking while investigations progressed.

Darktrace coverage and detections

The following use-case highlights systems likely affected by malicious macOS intrusion activity linked by Microsoft to the Democratic People’s Republic of Korea (DPRK) [1], with indications of suspicious behavior observed between March 1 and May 3, 2026. The activity overlaps with patterns described in recent reporting on DPRK-nexus MacOS intrusions [1], though attribution confidence in this case remains moderate and based on behavioral alignment rather than solely infrastructure linkage.

Analyst confidence emerged through the correlation of multiple weak signals across time and devices. This included model coverage for rare external communications, sustained beaconing patterns, repeated HTTP POSTs, and anomalous client characteristics. Where enabled, Autonomous Response actions disrupted the most active outbound paths to reduce the attacker’s ability to maintain control while Darktrace’s investigation continued.

Notably, this highly anomalous behavior included:

• Outbound connections to the rare external endpoint, zoom[.]uswebob[.]us associated with IP address, 148.72.73[.]98 [2][3] over port 443
• Outbound connections to the rare external endpoint, check02id[.]com associated with IP address, 83.136.210[.]180 [4] over port 7365
• Outbound connections to the rare external endpoints, 104.145.210[.]107 [5] over port 8443 and 83.136.208[.]48 [6] over port 443
• Outbound connections to the rare external endpoint, 83.136.208[.]246 [7] over port 6783 with observed URI `/api/daemon` and a PowerShell user agent

Darktrace’s detection initially highlighted a desktop device (running MacOS) engaging in anomalous behavior as early as March 12, 2026. Starting on March 12, the source device triggered a ‘Possible Doppelganger Attack’ alert including connectivity to the hostname "zoom[.]uswebob[.]us · 148.72.73[.]98" over port 443 (TCP, HTTPS, H2). This model highlights a device connecting to a location that is rare but masquerades as legitimate software, such as Zoom in this case, a commonly used technique to blend into expected traffic [2] [3].

This was followed roughly seven later by a connection to 104.145.210[.]107 over port 8443, during which approximately 250 KiB of data of inbound data and 30 MiB of outbound data was observed, triggering the ‘Unusual Activity / Unusual External Data to New Endpoint’ in Darktrace.

Quickly after this connection, Darktrace’s Autonomous Response intervened, blocking the device’s access to the unusual external location and halting the data exfiltration attempt.

The device continued to consistently trigger model alerts relating to unusual external connectivity, including 'Posting HTTP to IP Without Hostname', 'Anomalous Connection / Rare External SSL Self-Signed' alerts, until well after 3 PM that day.

From March 13 to March 28, the device continued exhibit unusual connectivity to various endpoints (e.g., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180), with the 'Multiple HTTP POSTs to Rare Hostname' model consistently triggering.

Windows OS Case

Pivoting over to an additional device, this time running Windows OS, anomalous behavior was also observed between March 30 and April 20. Notably, on March 30, the device was observed making a large number of suspicious external connection attempts to 83.136.208[.]246 over port 6783, all of which failed.

A further indicator was observed on April 1 with PowerShell connectivity to the same rare endpoint (83.136.208[.]246, port 6783), using the URI '/api/daemon' and the user agent 'Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920'.  Additional alerts included 'New User Agent to IP Without Hostname' and 'Anomalous Github Download', alongside activity involving the same endpoint.

The device continued triggering 'Posting HTTP to IP Without Hostname' & 'PowerShell to External Rare' alerts between April 4 and April 20 across multiple related endpoints (i.e., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180).

Darktrace’s Autonomous Response capability was able to block suspicious PowerShell attempts to unusual external locations, as shown below in an example from April 20.

Cyber AI Analyst investigations

In higher-confidence instances, Darktrace’s Cyber AI Analyst investigations helped connect otherwise separate model alerts into a single incident narrative, highlighting the attacker’s progression from post-execution scripting into sustained outbound signaling. This contextual stitching is particularly valuable in macOS scenarios where static artefacts are limited, and behavioral sequencing defines the intrusion.

Cyber AI Analyst investigations highlighted alerts on March 12, including unusual repeated connections and possible SSL command-and-control (C2) to multiple endpoints:

Autonomous Response

In addition to the containment actions detailed earlier, Autonomous Response implemented multiple additional measures to contain suspicious activity throughout the course of this attack. Whenever unusual external connectivity was detected, Darktrace blocked it, closing down potential C2 channels. Likewise, when data exfiltration attempts were identified, these connections were stopped to prevent the potential loss of sensitive data.

Furthermore, in cases where a device was deemed to have carried out a significant number of anomalous activities, Darktrace enforced a “pattern of life” on the device, preventing it from deviating from its expected behavior while allowing legitimate business operations to continue uninterrupted.

Conclusion

macOS intrusion tradecraft continues to shift toward native tooling and lightweight control channels designed to evade signature-led controls.

The repeated convergence of rare destinations, POST-based signaling, and anomalous client behavior — observed across time and across devices — provided sufficient evidence to act early and with confidence.

As macOS tradecraft continues to evolve, the defender advantage increasingly lies not in signatures, but in the ability to reason from behavior.

‍

Credit to Justin Torres (Senior Cyber Analyst), Nathaniel Jones (VP, Security & AI Strategy, FCISO)

Edited by Ryan Traill (Content Manager)

Appendices

Darktrace Model Alert Coverage:

/ NETWORK-based model alerts:

·       Anomalous Connection::Multiple HTTP POSTs to Rare Hostname

·       Anomalous Connection::Rare External SSL Self-Signed

·       Anomalous Connection::Powershell to Rare External

·       Anomalous Connection::New User Agent to IP Without Hostname

·       Anomalous Connection::Posting HTTP to IP Without Hostname

·       Compromise::Fast Beaconing to DGA

·       Compromise::Large Number of Suspicious Failed Connections

·       Device::Anomalous Github Download

·       Device::New PowerShell User Agent

·       Unusual Activity::Unusual External Data to New Endpoint

/ NETWORK-based Autonomous Response model alerts:

·       Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block

·       Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach

·       Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block

Indicators of Compromise (IoCs)

IP/Hostname:

·       zoom[.]uswebob[.]us · 148.72.73[.]98

·       83.136.208[.]246

·       check02id[.]com · 83.136.210[.]180

·       83.136.208[.]48

·       104.145.210[.]107

URIs:

·       /api/daemon

Destination Port Usage:

·       6783

·       5202

·       443

·       7365

·       8443

ASN:

·       AS400897 PETROSKY

·       AS398256 AS-ULTAHOST

User agents:

·       Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920

·       Go-http-client/1.1

·       curl/8.7.1

MITRE ATT&CK Mapping

(Technique Name - Tactic - ID - Sub-Technique of)

·       Browser Session Hijacking - COLLECTION - T1185

·       Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

·       Install Digital Certificate - RESOURCE DEVELOPMENT - T1608.003 - T1608

·       PowerShell - EXECUTION - T1059.001 - T1059

·       Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568

·       Non-Standard Port - COMMAND AND CONTROL - T1571

·       Malware - RESOURCE DEVELOPMENT - T1588.001 - T1588

·       Web Service - COMMAND AND CONTROL - T1102

·       Code Repositories - COLLECTION - T1213.003 - T1213

·       Exploitation of Remote Services - LATERAL MOVEMENT - T1210

·       Exfiltration Over C2 Channel - EXFILTRATION - T1041

·       Exfiltration to Cloud Storage - EXFILTRATION - T1567.002 - T1567

References:

[1] https://www.microsoft.com/en-us/security/blog/2026/04/16/dissecting-sapphire-sleets-macos-intrusion-from-lure-to-compromise/

[2] https://radar.securityalliance.org/advisory-on-dprk-unc1069-fake-microsoft-teams-and-zoom-calls/

[3] https://www.virustotal.com/gui/domain/uswebob.us

[4] https://www.virustotal.com/gui/ip-address/83.136.210.180/community

[5] https://www.virustotal.com/gui/ip-address/104.145.210.107/community

[6] https://www.virustotal.com/gui/ip-address/83.136.208.48/community

[7] https://www.virustotal.com/gui/ip-address/83.136.208.246/community

[8] https://www.darktrace.com/blog/applescript-abuse-unpacking-a-macos-phishing-campaign