Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Share
24
Oct 2018
Since July 2018, Darktrace has identified an increasing number of cyber-attacks targeting law firms. Concerningly, the attacks are emerging not from opportunistic malware, like banking trojans, but threat actors who actively conduct cyber-intrusions, seeking to exfiltrate data from these organizations.
Perfect targets
Law firms are actively pursued because their systems contain the sensitive data of many other organizations. The essence of a lawyer’s work involves managing confidential client information. Firms are privy to a huge variety of valuable data, from tax affairs, to intellectual property. Consequently, law firms’ ability to protect highly-sensitive information is critical; a successful cyber-attack might cause reputational damage resulting in the diminishing of their most valuable asset – clients’ trust.
Further challenges
As an industry, law is structured around sharing revenues among a minimal number of highly qualified professionals. As such, they can rarely employ large IT teams – and even smaller IT security departments. With the increased number of attacks seen in recent years, as well as the added risks of the cloud, and the Internet of Things, security teams lack the capacity to defend their networks against the sophisticated, machine-speed attacks which characterize today’s threat landscape.
In addition, lawyers often have to research obscure or potentially illegal activities, while communicating and receiving files from third parties. This complicates any attempt to impose and regulate highly restrictive security policies, placing a significant burden on small, overstretched security teams.
Living off the land
Interestingly, the recent surge of targeted attacks against law firms is unified by the methods used. The attacks were all performed using publicly available tools, including: Mimikatz (for credentials dumping), Powershell Empire (for Command & Control communication), Dameware (additional C2/backdoor), and PsExec variants such as the Impacket Python variant of PsExec (for lateral movement).
Perhaps surprisingly, using generic methods against such high-level targets is actually beneficial to the attacker. Adopting mainly publicly available tools, rather than individually crafted malware, makes attribution much harder.
Although some of these tools, such as Mimikatz, have to be downloaded into the environment; the stealthiest, like Dameware or PsExec, are able to use the infrastructure within their environment. Known as ‘living off the land’, these tools are almost undetectable by traditional security approaches, as their malicious activity is designed to blend in with legitimate system administration work.
Case study
In July 2018, Darktrace discovered the illegitimate use of Powershell Empire – a code capable of ‘living off the land’. When monitored by human surveillance alone, this extremely stealthy tool would normally go undetected, camouflaged by system behavior.
Unlike traditional security approaches, Darktrace does not use rules and signatures. Instead, it learns about the activity of the network, itself. This meant Darktrace was able to observe the initial download of the malware, subsequent reconnaissance and ensuing C2 traffic.
Consequently, we were able to report that an incident had occurred involving a probable Trickbot banking trojan infection and new use of a Remote Access Tool.
This was accompanied by the following visuals:
Graph showing all breaching connections from the source device over time, with breaches shown as colored dots. This begins with the download of the masqueraded executable file, and goes up to the present time. The vast majority of these model breaches are likely related to the suspected malicious activity.
Darktrace’s AI capability meant that the Enterprise Immune System detected this sophisticated and subtle threat immediately – before it had time to do any damage.
An excerpt from the Event Log at the time of the first Dameware activity from this device, shortly after this incident began.
AI securing the law sector
As seen above, cyber-attackers are constantly discovering novel ways of evading rule-based security systems. Attackers ‘living off the land’ are generally too subtly anomalous for humans to identify. Darktrace’s machine learning has the unique ability to learn the ‘pattern of life’ of any network which means it is able to distinguish this behavior, as it is still unusual compared to legitimate administrative functions.
Darktrace AI secures law firms all over the world. For small security teams, AI is a game changer. Through the use of machine learning, Darktrace does the heavy lifting of separating interesting anomalies from ordinary noise. Many firms also use Darktrace Antigena as a ‘virtual analyst’ to supplement the work of their staff.
Antigena acts at machine speed, autonomously responding to threats as they emerge in real time, even after hours and on the weekends. Antigena slows down, or even stops, traffic to the affected parts of the network before any data can be compromised. This buys security teams crucial time to fix the issue – before it’s too late.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
To observe adversary behavior in real time, Darktrace operates a global honeypot network known as “CloudyPots”, designed to capture malicious activity across a wide range of services, protocols, and cloud platforms. These honeypots provide valuable insights into the techniques, tools, and malware actively targeting internet‑facing infrastructure.
How attackers used a Jenkins honeypot to deploy the botnet
One such software honeypotted by Darktrace is Jenkins, a CI build system that allows developers to build code and run tests automatically. The instance of Jenkins in Darktrace’s honeypot is intentionally configured with a weak password, allowing attackers to obtain remote code execution on the service.
In one instance observed by Darktrace on March 18, 2026, a threat actor seemingly attempted to target Darktrace’s Jenkins honeypot to deploy a distributed denial-of-service (DDoS) botnet. Further analysis by Darktrace’s Threat Research team revealed the botnet was intended to specifically target video game servers.
How the Jenkins scriptText endpoint was used for remote code execution
The Jenkins build system features an endpoint named scriptText, which enables users to programmatically send new jobs, in the form of a Groovy script. Groovy is a programming language with similar syntax to Java and runs using the Java Virtual Machine (JVM). An attacker can abuse the scriptText endpoint to run a malicious script, achieving code execution on the victim host.
Figure 1: Request sent to the scriptText endpoint containing the malicious script.
The malicious script is sent using the form-data content type, which results in the contents of the script being URL encoded. This encoding can be decoded to recover the original script, as shown in Figure 2, where Darktrace Analysts decoded the script using CyberChef,
Figure 2: The malicious script decoded using CyberChef.
What happens after Jenkins is compromised
As Jenkins can be deployed on both Microsoft Windows and Linux systems, the script includes separate branches to target each platform.
In the case of Windows, the script performs the following actions:
Downloads a payload from 103[.]177.110.202/w.exe and saves it to C:\Windows\Temp\update.dat.
Renames the “update.dat” file to “win_sys.exe” (within the same folder)
Runs the Unblock-File command is used to remove security restrictions typically applied to files downloaded from the internet.
Adds a firewall allow rule is added for TCP port 5444, which the payload uses for command-and-control (C2) communications.
On Linux systems, the script will instead use a Bash one-liner to download the payload from 103[.]177.110.202/bot_x64.exe to /tmp/bot and execute it.
Why this botnet uses a single IP for delivery and command and control
The IP 103[.]177.110.202 belongs to Webico Company Limited, specifically its Tino brand, a Vietnamese company that offers domain registrar services and server hosting. Geolocation data indicates that the IP is located in Ho Chi Minh City. Open-source intelligence (OSINT) analysis revealed multiple malicious associations tied to the IP [1].
Darktrace’s analysis found that the IP 103[.]177.110.202 is used for multiple stages of an attack, including spreading and initial access, delivering payloads, and C2 communication. This is an unusual combination, as many malware families separate their spreading servers from their C2 infrastructure. Typically, malware distribution activity results in a high volume of abuse complaints, which may result in server takedowns or service suspension by internet providers. Separate C2 infrastructure ensures that existing infections remain controllable even if the spreading server is disrupted.
How the malware evades detection and maintains persistence
Analysis of the Linux payload (bot _x64)
The sample begins by setting the environmental variables BUILD_ID and JENKINS_NODE_COOKIE to “dontKillMe”. By default, Jenkins terminates long-running scripts after a defined timeout period; however, setting these variables to “dontKillMe” bypasses this check, allowing the script to continue running uninterrupted.
The script then performs several stealth behaviors to evade detection. First, it deletes the original executable from disk and then renames itself to resemble the legitimate kernel processes “ksoftirqd/0” or “kworker”, which are found on Linux installations by default. It then uses a double fork to daemonize itself, enabling it to run in the background, before redirecting standard input, standard output, and standard error to /dev/null, hiding any logging from the malware. Finally, the script creates a signal handler for signals such as SIGTERM, causing them to be ignored and making it harder to stop the process.
Figure 3: Stealth component of the main function
How the botnet communicates with command and control (C2)
The sample then connects to the C2 server and sends the detected architecture of the system on which the agent was installed. The malware then enters a loop to handle incoming commands.
The sample features two types of commands, utility commands used to manage the malware, and commands to trigger attacks. Three special commands are defined: “PING” (which replies with PONG as a keep-alive mechanism), “!stop” which causes the malware to exit, and “!update”, which triggers the malware to download a new version from the C2 server and restart itself.
Figure 4: Initial connection to the C2 sever.
What DDoS attack techniques this botnet uses
The attack commands consist of the following:
Many of these commands invoke the same function despite appearing to be different attack techniques. For example, specialized attacks such as Cloudflare bypass (cfbypass, uam) use the exact same function as a standard HTTP attack. This may indicate the threat actor is attempting to make the botnet look like it has more capabilities than it actually has, or it could suggest that these commands are placeholders for future attack functionality that has yet to be implemented
All the commands take three arguments: IP, port to attack, and the duration of the attack.
attack_udp and attack_udp_pps
The attack_udp and attack_udp_pps functions both use a basic loop and sendto system call to send UDP packets to the victim’s IP, either targeting a predetermined port or a random port. The attack_udp function sends packets with 1,450 bytes of data, aimed at bandwidth saturation, while the attack_udp_pps function sends smaller 64-byte packets. In both cases, the data body of the packet consists of entirely random data.
Figure 5: Code for the UDP attack method
attack_dayz
The attack_dayz function follows a similar structure to the attack_udp function; however, instead of sending random data, it will instead send a TSource Engine Query. This command is specific to Valve Source Engine servers and is designed to return a large volume of data about the targeted server. By repeatedly flooding this request, an attacker can exhaust the resources of a server using a comparatively small amount of data.
The Valve Source Engine server, also called Source Engine Dedicated server, is a server developed by video game company Valve that enables multiplayer gameplay for titles built using the Source game engine, which is also developed by Valve. The Source engine is used in games such as Counterstrike and Team Fortress 2. Curiously, the function attack_dayz, appears to be named after another popular online multiplayer game, DayZ; however, DayZ does not use the Valve Source Engine, making it unclear why this name was chosen.
Figure 6: The code for the “attack_dayz” attack function.
attack_tcp_push
The attack_tcp_push function establishes a TCP socket with the non-blocking flag set, allowing it to rapidly call functions such as connect() and send() without waiting for their completion. For the duration of the attack, it enters a while loop in which it repeatedly connects to the victim, sends 1,024 bytes of random data, and then closes the connection. This process repeats until the attack duration ends. If the mode flag is set to 1, the function also configures the socket with TCP no-delay enabled, allowing for packets to be sent immediately without buffering, resulting in a higher packet rate and a more effective attack.
Figure 7: The code for the TCP attack function.
attack_http
Similar to attach_tcp_push, attack_http configures a socket with no-delay enabled and non-blocking set. After establishing the connection, it sends 64 HTTP GET requests before closing the socket.
Figure 8: The code for the HTTP attack function.
attack_special
The attack_special function creates a UDP socket and sets the port and payload based on the value of the mode flag:
Mode 0: Port 53 (DNS), sending a 10-byte malformed data packet.
Mode 1: Port 27015 (Valve Source Engine), sending the previously observed TSource Engine Query packet.
Mode 2: Port 123 (NTP), sending the start of an NTP control request.
Figure 9: The code for the attack_special function.
What this botnet reveals about opportunistic attacks on internet-facing systems
Jenkins is one of the less frequently exploited services honeypotted by Darktrace, with only a handful campaigns observed. Nonetheless, the emergence of this new DDoS botnet demonstrates that attackers continue to opportunistically exploit any internet-facing misconfiguration at scale to grow the botnet strength.
While the hosts most commonly affected by these opportunistic attacks are usually “lower-value” systems, this distinction is largely irrelevant for botnets, where numbers alone are more important to overall effectiveness
The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers, with Cloudflare reporting it as the fourth most targeted industry [2]. This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.
Credit to Nathaniel Bill (Malware Research Engineer) Edited by Ryan Traill (Content Manager)
Indicators of Compromise (IoCs)
103[.]177.110.202 - Attacker and command-and-control IP
In part 1 of this blog series, we explored how AI is remaking the attack surface, with new tools, models, agents — and vulnerabilities — popping up just about everywhere. Now embedded in workflows across the enterprise, and often with far-reaching access to sensitive data, AI systems are quickly becoming a favorite target of cyber threat actors.
Among bad actors, though, AI is more often used as a tool than a target. Nearly 62% of organizations experienced a social engineering attack involving a deepfake, or an incident in which bad actors used AI-generated video or audio to try to trick a biometric authentication system, compared to 32% that reported an AI prompt injection attack.
In the hands of attackers, AI can do many things. It’s being used across the entire kill chain: to supercharge reconnaissance, personalize phishing, accelerate lateral movement, and automate data exfiltration. Evidence from Anthropic demonstrates that threat actors have harnessed AI to orchestrate an entire cyber espionage campaign from end to end, allegedly running it with minimal human involvement.
CISOs inhabit a world where these increasingly sophisticated attacks are ubiquitous. Naturally, combatting AI-powered threats is top of mind among security professionals, but many worry about whether their capabilities are up to the challenge.
AI-powered threats at scale: no longer hypothetical
AI-driven threats share signature characteristics. They operate at speed and scale. Automated tools can probe multiple attack paths, search for multiple vulnerabilities and send out a barrage of phishing emails, all within seconds. The ability to attack everywhere at once, at a pace that no human operator could sustain, is the hallmark of an AI-powered threat. AI-powered threats are also dynamic. They can adapt their behavior to spread across a network more efficiently or rewrite their own code to evade detection.
Security teams are seeing the signs that they’re fighting AI-powered threats at every stage of the kill chain, and the sophistication of these threats is testing their resolve and their resources.
73% say that AI-powered cyber threats are having a significant impact on their organization
92% agree that these threats are forcing them to upgrade their defenses
87% agree that AI is significantly increasing the sophistication and success rate of malware
87% say AI is significantly increasing the workload of their security operations team
Up all night: Security professionals’ worry list is long
Traditional security methods were never built to handle the complexity and subtlety of AI-driven behavior. Working in the trenches, defenders have deep firsthand experience of how difficult it can be to detect and stop AI-assisted threats.
Increasingly effective social engineering attacks are among their top concerns. 50% of security leaders mentioned hyper-personalized phishing campaigns as one of their biggest worries, while 40% voiced apprehension about deepfake voice fraud. These concerns are legitimate: AI-generated phishing emails are increasingly tailored to individual organizations, business activities, or individuals. Gone are the telltale signs – like grammar or spelling mistakes – that once distinguished malicious communications. Notably, 33% of the malicious emails Darktrace observed in 2025 contained over 1,000 characters, indicating probable LLM usage.
Security leaders also worry about how bad actors can leverage AI to make attacks even faster and more dynamic. 45% listed automated vulnerability scanning and exploit chaining among their biggest concerns, while 40% mentioned adaptive malware.
Confidence is lacking
Protecting against AI demands capabilities that many organizations have not yet built. It requires interpreting new indicators, uncovering the subtle intent within interactions, and recognizing when AI behavior – human or machine – could be suspicious. Leaders know that their current tools aren’t prepared for this. Nearly half don’t feel confident in their ability to defend against AI-powered attacks.
We’ve asked participants in our survey about their confidence for the last three years now. In 2024, 60% said their organizations were not adequately prepared to defend against AI-driven threats. Last year, that percentage shrunk to 45%, a possible indicator that security programs were making progress. Since then, however, the progress has apparently stalled. 46% of security leaders now feel inadequately prepared to protect their organizations amidst the current threat landscape.
Some of these differences are accentuated across different cultures. Respondents in Japan are far less confident (77% say they are not adequately prepared) than respondents in Brazil (where only 21% don’t feel prepared).
Where security programs are falling short
It’s no longer the case that cybersecurity is overlooked or underfunded by executive leadership. Across industries, management recognizes that AI-powered threats are a growing problem, and insufficient budget is near the bottom of most CISO’s list of reasons that they struggle to defend against AI-powered threats.
It’s the things that money can’t buy – experience, knowledge, and confidence – that are holding programs back. Near the top of the list of inhibitors that survey participants mention is “insufficient knowledge or use of AI-driven countermeasures.” As bad actors embrace AI technologies en masse, this challenge is coming into clearer focus: attack-centric security tools, which rely on static rules, signatures, and historical attack patterns, were never designed to handle the complexity and subtlety of AI-driven attacks. These challenges feel new to security teams, but they are the core problems Darktrace was built to solve.
Our Self-Learning AI develops a deep understanding of what “normal” looks like for your organization –including unique traffic patterns, end user habits, application and device profiles – so that it can detect and stop novel, dynamic threats at the first encounter. By focusing on learning the business, rather than the attack, our AI can keep pace with AI-powered threats as they evolve.
Explore the full State of AI Cybersecurity 2026 report for deeper insights into how security leaders are responding to AI-driven risks.
