Blog
/
Network
/
February 29, 2024

Protecting Against AlphV BlackCat Ransomware

Learn how Darktrace AI is combating AlphV BlackCat ransomware, including the details of this ransomware and how to protect yourself from it.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
29
Feb 2024

As-a-Service malware trending

Throughout the course of 2023, “as-a-Service” strains of malware remained the most consistently observed threat type to affect Darktrace customers, mirroring their overall prominence across the cyber threat landscape. With this trend expected to continue throughout 2024, organizations and their security teams should be prepared to defend their network against increasingly versatile and tailorable malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) strains [1].

What is ALPHV ransomware?

The ALPHV ransomware, also known as ‘BlackCat’ or ‘Noberus’, is one example of a RaaS strain that has been prominent across the threat landscape over the last few years.

ALPHV is a ransomware strain coded in the Rust programming language. The ransomware is sold as part of the RaaS economy [2], with samples of the ransomware being provided and sold by a criminal group (the RaaS ‘operator’) to other cybercriminals (the RaaS ‘affiliates’) who then gain entry to organizations' networks with the intention of detonating the ransomware and demanding ransom payments.

ALPHV was likely first used in the wild back in November 2021 [3]. Since then, it has become one of the most prolific ransomware strains, with the Federal Bureau of Investigation (FBI) reporting nearly USD 300 million in ALPHV ransom payments as of September 2023 [4].

In December 2023, the FBI and the US Department of Justice announced a successful disruption campaign against the ALPHV group, which included a takedown of the their data leak site, and the release of a decryption tool for the ransomware strain [5], and in February 2024, the US Department of State announced  a reward of up to USD 10 million for information leading to the identification or location of anyone occupying a key leadership position in the group operating the ALPHV ransomware strain [6].

The disruption campaign against the ransomware group appeared to have been successful, as evidenced by the recent, significant decline in ALPHV attacks, however, it would not be surprising for the group to simply return with new branding, in a similar vein to its apparent predecessors, DarkSide and BlackMatter [7].

How does ALPHV ransomware work?

ALPHV affiliates have been known to employ a variety of methods to progress towards their objective of detonating ALPHV ransomware [4]. In the latter half of 2023, ALPHV affiliates were observed using malicious advertising (i.e, malvertising) to deliver a Python-based backdoor-dropper known as 'Nitrogen' to users' devices [8][12]. These malvertising operations consisted in affiliates setting up malicious search engine adverts for tools such as WinSCP and AnyDesk.

Users' interactions with these adverts led them to sites resembling legitimate software distribution sites. Users' attempts to download software from these spoofed sites resulted in the delivery of a backdoor-dropping malware sample dubbed 'Nitrogen' to their devices. Nitrogen has been observed dropping a variety of command-and-control (C2) implants onto users' devices, including Cobalt Strike Beacon and Sliver C2. ALPHV affiliates often used the backdoor access afforded to them by these C2 implants to conduct reconnaissance and move laterally, in preparation for detonating ALPHV ransomware payloads.

Darktrace Detection of ALPHV Ransomware

During October 2023, Darktrace observed several cases of ALPHV affiliates attempting to infiltrate organizations' networks via the use of malvertising to socially engineer users into downloading and installing Nitrogen from impersonation websites such as 'wireshhark[.]com' and wìnscp[.]net (i.e, xn--wnscp-tsa[.]net).

While the attackers managed to bypass traditional security measures and evade detection by using a device from the customer’s IT team to perform its malicious activity, Darktrace DETECT™ swiftly identified the subtle indicators of compromise (IoCs) in the first instance. This swift detection of ALPHV, along with Cyber AI Analyst™ autonomously investigating the wide array of post-compromise activity, provided the customer with full visibility over the attack enabling them to promptly initiate their remediation and recovery efforts.

Unfortunately, in this incident, Darktrace RESPOND™ was not fully deployed within their environment, hindering its ability to autonomously counter emerging threats. Had RESPOND been fully operational here, it would have effectively contained the attack in its early stages, avoiding the eventual detonation of the ALPHV ransomware.

Figure 1: Timeline of the ALPHV ransomware attack.

In mid-October, a member of the IT team at a US-based Darktrace customer attempted to install the network traffic analysis software, Wireshark, onto their desktop. Due to the customer’s configuration, Darktrace's visibility over this device was limited to its internal traffic, despite this it was still able to identify and alert for a string of suspicious activity conducted by the device.

Initially, Darktrace observed the device making type A DNS requests for 'wiki.wireshark[.]org' immediately before making type A DNS requests for the domain names 'www.googleadservices[.]com', 'allpcsoftware[.]com', and 'wireshhark[.]com' (note the two 'h's). This pattern of activity indicates that the device’s user was redirected to the website, wireshhark[.]com, as a result of the user's interaction with a sponsored Google Search result pointing to allpcsoftware[.]com.

At the time of analysis, navigating to wireshhark[.]com directly from the browser search bar led to a YouTube video of Rick Astley's song "Never Gonna Give You Up". This suggests that the website, wireshhark[.]com, had been configured to redirect users to this video unless they had arrived at the website via the relevant sponsored Google Search result [8].

Although it was not possible to confirm this with certainty, it is highly likely that users who visited the website via the appropriate sponsored Google Search result were led to a fake website (wireshhark[.]com) posing as the legitimate website, wireshark[.]com. It seems that the actors who set up this fake version of wireshark[.]com were inspired by the well-known bait-and-switch technique known as 'rickrolling', where users are presented with a desirable lure (typically a hyperlink of some kind) which unexpectedly leads them to a music video of Rick Astley's "Never Gonna Give You Up".

After being redirected to wireshhark[.]com, the user unintentionally installed a malware sample which dropped what appears to be Cobalt Strike onto their device. The presence of Cobalt Strike on the user's desktop was evidenced by the subsequent type A DNS requests which the device made for the domain name 'pse[.]ac'. These DNS requests were responded to with the likely Cobalt Strike C2 server address, 194.169.175[.]132. Given that Darktrace only had visibility over the device’s internal traffic, it did not observe any C2 connections to this Cobalt Strike endpoint. However, the desktop's subsequent behavior suggests that a malicious actor had gained 'hands-on-keyboard' control of the device via an established C2 channel.

Figure 2: Advanced Search data showing an customer device being tricked into visiting the fake website, wireshhark[.]com.

Since the malicious actor had gained control of an IT member's device, they were able to abuse the privileged account credentials to spread Python payloads across the network via SMB and the Windows Management Instrumentation (WMI) service. The actor was also seen distributing the Windows Sys-Internals tool, PsExec, likely in an attempt to facilitate their lateral movement efforts. It was normal for this IT member's desktop to distribute files across the network via SMB, which meant that this malicious SMB activity was not, at first glance, out of place.

Figure 3: Advanced Search data showing that it was normal for the IT member's device to distribute files over SMB.

However, Darktrace DETECT recognized that the significant spike in file writes being performed here was suspicious, even though, on the surface, it seemed ‘normal’ for the device. Furthermore, Darktrace identified that the executable files being distributed were attempting to masquerade as a different file type, potentially in an attempt to evade the detection of traditional security tools.

Figure 4: Event Log data showing several Model Breaches being created in response to the IT member's DEVICE's SMB writes of Python-based executables.

An addition to DETECT’s identification of this unusual activity, Darktrace’s Cyber AI Analyst launched an autonomous investigation into the ongoing compromise and was able to link the SMB writes and the sharing of the executable Python payloads, viewing the connections as one lateral movement incident rather than a string of isolated events. After completing its investigation, Cyber AI Analyst was able to provide a detailed summary of events on one pane of glass, ensuring the customer could identify the affected device and begin their remediation.

Figure 5: Cyber AI Analyst investigation summary highlighting the IT member's desktop’s lateral movement activities.

C2 Activity

The Python payloads distributed by the IT member’s device were likely related to the Nitrogen malware, as evidenced by the payloads’ names and by the network behaviours which they engendered.  

Figure 6: Advanced Search data showing the affected device reaching out to the C2 endpoint, pse[.]ac, and then distributing Python-based executable files to an internal domain controller.

The internal devices to which these Nitrogen payloads were distributed immediately went on to contact C2 infrastructure associated with Cobalt Strike. These C2 connections were made over SSL on ports 443 and 8443.  Darktrace identified the attacker moving laterally to an internal SQL server and an internal domain controller.

Figure 7: Advanced Search data showing an internal SQL server contacting the Cobalt Strike C2 endpoint, 194.180.48[.]169, after receiving Python payloads from the IT member’s device.
Figure 8: Event Log data showing several DETECT model breaches triggering in response to an internal SQL server’s C2 connections to 194.180.48[.]169.

Once more, Cyber AI Analyst launched its own investigation into this activity and was able to successfully identify a series of separate SSL connections, linking them together into one wider C2 incident.

Figure 9: Cyber AI Analyst investigation summary highlighting C2 connections from the SQL server.

Darktrace observed the attacker using their 'hands-on-keyboard' access to these systems to elevate their privileges, conduct network reconnaissance (primarily port scanning), spread Python payloads further across the network, exfiltrate data from the domain controller and transfer a payload from GitHub to the domain controller.

Figure 10: Cyber AI Analyst investigation summary an IP address scan carried out by an internal domain controller.
Figure 12: Event Log data showing an internal domain controller contacting GitHub around the time that it was in communication with the C2 endpoint, 194.180.48[.]169.
Figure 13: Event Log data showing a DETECT model breach being created in response to an internal domain controller's large data upload to the C2 endpoint, 194.180.48[.]169.

After conducting extensive reconnaissance and lateral movement activities, the attacker was observed detonating ransomware with the organization's VMware environment, resulting in the successful encryption of the customer’s VMware vCenter server and VMware virtual machines. In this case, the attacker took around 24 hours to progress from initial access to ransomware detonation.  

If the targeted organization had been signed up for Darktrace's Proactive Threat Notification (PTN) service, they would have been promptly notified of these suspicious activities by the Darktrace Security Operations Center (SOC) in the first instance, allowing them to quickly identify affected devices and quarantine them before the compromise could escalate.

Additionally, given the quantity of high-severe alerts that triggered in response to this attack, Darktrace RESPOND would, under normal circumstances, have inhibited the attacker's activities as soon as they were identified by DETECT. However, due to RESPOND not being configured to act on server devices within the customer’s network, the attacker was able to seamlessly move laterally through the organization's server environment and eventually detonate the ALPHV ransomware.

Nevertheless, Darktrace was able to successfully weave together multiple Cyber AI Analyst incidents which it generated into a thread representing the chain of behavior that made up this attack. The thread of Incident Events created by Cyber AI Analyst provided a substantial account of the attack and the steps involved in it, which significantly facilitated the customer’s post-incident investigation efforts.  

Figure 14: Darktrace's AI Analyst weaved together 33 of the Incident Events it created together into a thread representing the attacker’s chain of behavior.

Conclusion

It is expected for malicious cyber actors to revise and upgrade their methods to evade organizations’ improving security measures. The continued improvement of email security tools, for example, has likely created a need for attackers to develop new means of Initial Access, such as the use of Microsoft Teams-based malware delivery.

This fast-paced ALPHV ransomware attack serves as a further illustration of this trend, with the actor behind the attack using malvertising to convince an unsuspecting user to download the Python-based malware, Nitrogen, from a fake Wireshark site. Unbeknownst to the user, this stealthy malware dropped a C2 implant onto the user’s device, giving the malicious actor the ‘hands-on-keyboard’ access they needed to move laterally, conduct network reconnaissance, and ultimately detonate ALPHV ransomware.

Despite the non-traditional initial access methods used by this ransomware actor, Darktrace DETECT was still able to identify the unusual patterns of network traffic caused by the attacker’s post-compromise activities. The large volume of alerts created by Darktrace DETECT were autonomously investigated by Darktrace’s Cyber AI Analyst, which was able to weave together related activities of different devices into a comprehensive timeline of the attacker’s operation. Given the volume of DETECT alerts created in response to this ALPHV attack, it is expected that Darktrace RESPOND would have autonomously inhibited the attacker’s operation had the capability been appropriately configured.

As the first post-compromise activities Darktrace observed in this ALPHV attack were seemingly performed by a member of the customer’s IT team, it may have looked normal to a human or traditional signature and rules-based security tools. To Darktrace’s Self-Learning AI, however, the observed activities represented subtle deviations from the device’s normal pattern of life. This attack, and Darktrace’s detection of it, is therefore a prime illustration of the value that Self-Learning AI can bring to the task of detecting anomalies within organizations’ digital estates.

Credit to Sam Lister, Senior Cyber Analyst, Emma Foulger, Principal Cyber Analyst

Get the latest insights on emerging cyber threats

Attackers are adapting, are you ready? This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025.

  • Identity-based attacks: How attackers are bypassing traditional defenses
  • Zero-day exploitation: The rise of previously unknown vulnerabilities
  • AI-driven threats: How adversaries are leveraging AI to outmaneuver security controls

Stay ahead of evolving threats with expert analysis from Darktrace. Download the report here.

Appendices

Darktrace DETECT Model Breaches

- Compliance / SMB Drive Write

- Compliance / High Priority Compliance Model Breach

- Anomalous File / Internal / Masqueraded Executable SMB Write

- Device / New or Uncommon WMI Activity

- Anomalous Connection / New or Uncommon Service Control

- Anomalous Connection / High Volume of New or Uncommon Service Control

- Device / New or Uncommon SMB Named Pipe

- Device / Multiple Lateral Movement Model Breaches

- Device / Large Number of Model Breaches  

- SMB Writes of Suspicious Files (Cyber AI Analyst)

- Suspicious Remote WMI Activity (Cyber AI Analyst)

- Suspicious DCE-RPC Activity (Cyber AI Analyst)

- Compromise / Connection to Suspicious SSL Server

- Compromise / High Volume of Connections with Beacon Score

- Anomalous Connection / Suspicious Self-Signed SSL

- Anomalous Connection / Anomalous SSL without SNI to New External

- Compromise / Suspicious TLS Beaconing To Rare External

- Compromise / Beacon to Young Endpoint

- Compromise / SSL or HTTP Beacon

- Compromise / Agent Beacon to New Endpoint

- Device / Long Agent Connection to New Endpoint

- Compromise / SSL Beaconing to Rare Destination

- Compromise / Large Number of Suspicious Successful Connections

- Compromise / Slow Beaconing Activity To External Rare

- Anomalous Server Activity / Outgoing from Server

- Device / Multiple C2 Model Breaches

- Possible SSL Command and Control (Cyber AI Analyst)

- Unusual Repeated Connections (Cyber AI Analyst)

- Device / ICMP Address Scan

- Device / RDP Scan

- Device / Network Scan

- Device / Suspicious Network Scan Activity

- Scanning of Multiple Devices (Cyber AI Analyst)

- ICMP Address Scan (Cyber AI Analyst)

- Device / Anomalous Github Download

- Unusual Activity / Unusual External Data Transfer

- Device / Initial Breach Chain Compromise

MITRE ATT&CK Mapping

Resource Development techniques:

- Acquire Infrastructure: Malvertising (T1583.008)

Initial Access techniques:

- Drive-by Compromise (T1189)

Execution techniques:

- User Execution: Malicious File (T1204.002)

- System Services: Service Execution (T1569.002)

- Windows Management Instrumentation (T1047)

Defence Evasion techniques:

- Masquerading: Match Legitimate Name or Location (T1036.005)

Discovery techniques:

- Remote System Discovery (T1018)

- Network Service Discovery (T1046)

Lateral Movement techniques:

- Remote Services: SMB/Windows Admin Shares

- Lateral Tool Transfer (T1570)

Command and Control techniques:

- Application Layer Protocol: Web Protocols (T1071.001)

- Encrypted Channel: Asymmetric Cryptography (T1573.002)

- Non-Standard Port (T1571)

- Ingress Tool Channel (T1105)

Exfiltration techniques:

- Exfiltration Over C2 Channel (T1041)

Impact techniques:

- Data Encrypted for Impact (T1486)

List of Indicators of Compromise

- allpcsoftware[.]com

- wireshhark[.]com

- pse[.]ac • 194.169.175[.]132

- 194.180.48[.]169

- 193.42.33[.]14

- 141.98.6[.]195

References  

[1] https://darktrace.com/threat-report-2023

[2] https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/

[3] https://www.bleepingcomputer.com/news/security/alphv-blackcat-this-years-most-sophisticated-ransomware/

[4] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

[5] https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant

[6] https://www.state.gov/u-s-department-of-state-announces-reward-offers-for-criminal-associates-of-the-alphv-blackcat-ransomware-variant/

[7] https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-linked-to-blackmatter-darkside-gangs/

[8] https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html

[9] https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/

[10] https://www.esentire.com/blog/persistent-connection-established-nitrogen-campaign-leverages-dll-side-loading-technique-for-c2-communication

[11] https://www.esentire.com/blog/nitrogen-campaign-2-0-reloads-with-enhanced-capabilities-leading-to-alphv-blackcat-ransomware

[12] https://www.esentire.com/blog/the-notorious-alphv-blackcat-ransomware-gang-is-attacking-corporations-and-public-entities-using-google-ads-laced-with-malware-warns-esentire

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst

More in this series

No items found.

Blog

/

Identity

/

August 29, 2025

From VPS to Phishing: How Darktrace Uncovered SaaS Hijacks through Virtual Infrastructure Abuse

VPS phishingDefault blog imageDefault blog image

What is a VPS and how are they abused?

A Virtual Private Server (VPS) is a virtualized server that provides dedicated resources and control to users on a shared physical device.  VPS providers, long used by developers and businesses, are increasingly misused by threat actors to launch stealthy, scalable attacks. While not a novel tactic, VPS abuse is has seen an increase in Software-as-a-Service (SaaS)-targeted campaigns as it enables attackers to bypass geolocation-based defenses by mimicking local traffic, evade IP reputation checks with clean, newly provisioned infrastructure, and blend into legitimate behavior [3].

VPS providers like Hyonix and Host Universal offer rapid setup and minimal open-source intelligence (OSINT) footprint, making detection difficult [1][2]. These services are not only fast to deploy but also affordable, making them attractive to attackers seeking anonymous, low-cost infrastructure for scalable campaigns. Such attacks tend to be targeted and persistent, often timed to coincide with legitimate user activity, a tactic that renders traditional security tools largely ineffective.

Darktrace’s investigation into Hyonix VPS abuse

In May 2025, Darktrace’s Threat Research team investigated a series of incidents across its customer base involving VPS-associated infrastructure. The investigation began with a fleet-wide review of alerts linked to Hyonix (ASN AS931), revealing a noticeable spike in anomalous behavior from this ASN in March 2025. The alerts included brute-force attempts, anomalous logins, and phishing campaign-related inbox rule creation.

Darktrace identified suspicious activity across multiple customer environments around this time, but two networks stood out. In one instance, two internal devices exhibited mirrored patterns of compromise, including logins from rare endpoints, manipulation of inbox rules, and the deletion of emails likely used in phishing attacks. Darktrace traced the activity back to IP addresses associated with Hyonix, suggesting a deliberate use of VPS infrastructure to facilitate the attack.

On the second customer network, the attack was marked by coordinated logins from rare IPs linked to multiple VPS providers, including Hyonix. This was followed by the creation of inbox rules with obfuscated names and attempts to modify account recovery settings, indicating a broader campaign that leveraged shared infrastructure and techniques.

Darktrace’s Autonomous Response capability was not enabled in either customer environment during these attacks. As a result, no automated containment actions were triggered, allowing the attack to escalate without interruption. Had Autonomous Response been active, Darktrace would have automatically blocked connections from the unusual VPS endpoints upon detection, effectively halting the compromise in its early stages.

Case 1

Timeline of activity for Case 1 - Unusual VPS logins and deletion of phishing emails.
Figure 1: Timeline of activity for Case 1 - Unusual VPS logins and deletion of phishing emails.

Initial Intrusion

On May 19, 2025, Darktrace observed two internal devices on one customer environment initiating logins from rare external IPs associated with VPS providers, namely Hyonix and Host Universal (via Proton VPN). Darktrace recognized that these logins had occurred within minutes of legitimate user activity from distant geolocations, indicating improbable travel and reinforcing the likelihood of session hijacking. This triggered Darktrace / IDENTITY model “Login From Rare Endpoint While User Is Active”, which highlights potential credential misuse when simultaneous logins occur from both familiar and rare sources.  

Shortly after these logins, Darktrace observed the threat actor deleting emails referring to invoice documents from the user’s “Sent Items” folder, suggesting an attempt to hide phishing emails that had been sent from the now-compromised account. Though not directly observed, initial access in this case was likely achieved through a similar phishing or account hijacking method.

 Darktrace / IDENTITY model "Login From Rare Endpoint While User Is Active", which detects simultaneous logins from both a common and a rare source to highlight potential credential misuse.
Figure 2: Darktrace / IDENTITY model "Login From Rare Endpoint While User Is Active", which detects simultaneous logins from both a common and a rare source to highlight potential credential misuse.

Case 2

Timeline of activity for Case 2 – Coordinated inbox rule creation and outbound phishing campaign.
Figure 3: Timeline of activity for Case 2 – Coordinated inbox rule creation and outbound phishing campaign.

In the second customer environment, Darktrace observed similar login activity originating from Hyonix, as well as other VPS providers like Mevspace and Hivelocity. Multiple users logged in from rare endpoints, with Multi-Factor Authentication (MFA) satisfied via token claims, further indicating session hijacking.

Establishing control and maintaining persistence

Following the initial access, Darktrace observed a series of suspicious SaaS activities, including the creation of new email rules. These rules were given minimal or obfuscated names, a tactic often used by attackers to avoid drawing attention during casual mailbox reviews by the SaaS account owner or automated audits. By keeping rule names vague or generic, attackers reduce the likelihood of detection while quietly redirecting or deleting incoming emails to maintain access and conceal their activity.

One of the newly created inbox rules targeted emails with subject lines referencing a document shared by a VIP at the customer’s organization. These emails would be automatically deleted, suggesting an attempt to conceal malicious mailbox activity from legitimate users.

Mirrored activity across environments

While no direct lateral movement was observed, mirrored activity across multiple user devices suggested a coordinated campaign. Notably, three users had near identical similar inbox rules created, while another user had a different rule related to fake invoices, reinforcing the likelihood of a shared infrastructure and technique set.

Privilege escalation and broader impact

On one account, Darktrace observed “User registered security info” activity was shortly after anomalous logins, indicating attempts to modify account recovery settings. On another, the user reset passwords or updated security information from rare external IPs. In both cases, the attacker’s actions—including creating inbox rules, deleting emails, and maintaining login persistence—suggested an intent to remain undetected while potentially setting the stage for data exfiltration or spam distribution.

On a separate account, outbound spam was observed, featuring generic finance-related subject lines such as 'INV#. EMITTANCE-1'. At the network level, Darktrace / NETWORK detected DNS requests from a device to a suspicious domain, which began prior the observed email compromise. The domain showed signs of domain fluxing, a tactic involving frequent changes in IP resolution, commonly used by threat actors to maintain resilient infrastructure and evade static blocklists. Around the same time, Darktrace detected another device writing a file named 'SplashtopStreamer.exe', associated with the remote access tool Splashtop, to a domain controller. While typically used in IT support scenarios, its presence here may suggest that the attacker leveraged it to establish persistent remote access or facilitate lateral movement within the customer’s network.

Conclusion

This investigation highlights the growing abuse of VPS infrastructure in SaaS compromise campaigns. Threat actors are increasingly leveraging these affordable and anonymous hosting services to hijack accounts, launch phishing attacks, and manipulate mailbox configurations, often bypassing traditional security controls.

Despite the stealthy nature of this campaign, Darktrace detected the malicious activity early in the kill chain through its Self-Learning AI. By continuously learning what is normal for each user and device, Darktrace surfaced subtle anomalies, such as rare login sources, inbox rule manipulation, and concurrent session activity, that likely evade traditional static, rule-based systems.

As attackers continue to exploit trusted infrastructure and mimic legitimate user behavior, organizations should adopt behavioral-based detection and response strategies. Proactively monitoring for indicators such as improbable travel, unusual login sources, and mailbox rule changes, and responding swiftly with autonomous actions, is critical to staying ahead of evolving threats.

Credit to Rajendra Rushanth (Cyber Analyst), Jen Beckett (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

References

·      1: https://cybersecuritynews.com/threat-actors-leveraging-vps-hosting-providers/

·      2: https://threatfox.abuse.ch/asn/931/

·      3: https://www.cyfirma.com/research/vps-exploitation-by-threat-actors/

Appendices

Darktrace Model Detections

•   SaaS / Compromise / Unusual Login, Sent Mail, Deleted Sent

•   SaaS / Compromise / Suspicious Login and Mass Email Deletes

•   SaaS / Resource / Mass Email Deletes from Rare Location

•   SaaS / Compromise / Unusual Login and New Email Rule

•   SaaS / Compliance / Anomalous New Email Rule

•   SaaS / Resource / Possible Email Spam Activity

•   SaaS / Unusual Activity / Multiple Unusual SaaS Activities

•   SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

•   SaaS / Access / Unusual External Source for SaaS Credential Use

•   SaaS / Compromise / High Priority Login From Rare Endpoint

•   SaaS / Compromise / Login From Rare Endpoint While User Is Active

List of Indicators of Compromise (IoCs)

Format: IoC – Type – Description

•   38.240.42[.]160 – IP – Associated with Hyonix ASN (AS931)

•   103.75.11[.]134 – IP – Associated with Host Universal / Proton VPN

•   162.241.121[.]156 – IP – Rare IP associated with phishing

•   194.49.68[.]244 – IP – Associated with Hyonix ASN

•   193.32.248[.]242 – IP – Used in suspicious login activity / Mullvad VPN

•   50.229.155[.]2 – IP – Rare login IP / AS 7922 ( COMCAST-7922 )

•   104.168.194[.]248 – IP – Rare login IP / AS 54290 ( HOSTWINDS )

•   38.255.57[.]212 – IP – Hyonix IP used during MFA activity

•   103.131.131[.]44 – IP – Hyonix IP used in login and MFA activity

•   178.173.244[.]27 – IP – Hyonix IP

•   91.223.3[.]147 – IP – Mevspace Poland, used in multiple logins

•   2a02:748:4000:18:0:1:170b[:]2524 – IPv6 – Hivelocity VPS, used in multiple logins and MFA activity

•   51.36.233[.]224 – IP – Saudi ASN, used in suspicious login

•   103.211.53[.]84 – IP – Excitel Broadband India, used in security info update

MITRE ATT&CK Mapping

Tactic – Technique – Sub-Technique

•   Initial Access – T1566 – Phishing

                       T1566.001 – Spearphishing Attachment

•   Execution – T1078 – Valid Accounts

•   Persistence – T1098 – Account Manipulation

                       T1098.002 – Exchange Email Rules

•   Command and Control – T1071 – Application Layer Protocol

                       T1071.001 – Web Protocols

•   Defense Evasion – T1036 – Masquerading

•   Defense Evasion – T1562 – Impair Defenses

                       T1562.001 – Disable or Modify Tools

•   Credential Access – T1556 – Modify Authentication Process

                       T1556.004 – MFA Bypass

•   Discovery – T1087 – Account Discovery

•      Impact – T1531 – Account Access Removal

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

Continue reading
About the author
Rajendra Rushanth
Cyber Analyst

Blog

/

Network

/

August 15, 2025

From Exploit to Escalation: Tracking and Containing a Real-World Fortinet SSL-VPN Attack

Fortinet SSL-VPN AttackDefault blog imageDefault blog image

Threat actors exploiting Fortinet CVEs

Over the years, Fortinet has issued multiple alerts about a wave of sophisticated attacks targeting vulnerabilities in its SSL-VPN infrastructure. Despite the release of patches to address these vulnerabilities, threat actors have continued to exploit a trio of Common Vulnerabilities and Exposures (CVEs) disclosed between 2022 and 2024 to gain unauthorized access to FortiGate devices.

Which vulnerabilities are exploited?

The vulnerabilities—CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762—affect Fortinet’s SSL-VPN services and have been actively exploited by threat actors to establish initial access into target networks.

The vulnerabilities affect core components of FortiOS, allowing attackers to execute remote code on affected systems.

CVE-2022-42475

Type: Heap-Based Buffer Overflow in FortiOS SSL-VPN

Impact: Remote Code Execution (Actively Exploited)

This earlier vulnerability also targets the SSL-VPN interface and has been actively exploited in the wild. It allows attackers to execute arbitrary code remotely by overflowing a buffer in memory, often used to deploy malware or establish persistent backdoors [6].

CVE-2023-27997

Type: Heap-Based Buffer Overflow in FortiOS and FortiProxy

Impact: Remote Code Execution

This flaw exists in the SSL-VPN component of both FortiOS and FortiProxy. By exploiting a buffer overflow in the heap memory, attackers can execute malicious code remotely. This vulnerability is particularly dangerous because it can be triggered without authentication, making it ideal for an initial compromise [5].

CVE-2024-21762

Type: Out-of-Bounds Write in sslvpnd

Impact: Remote Code Execution

This vulnerability affects the SSL-VPN daemon (sslvpnd) in FortiOS. It allows unauthenticated remote attackers to send specially crafted HTTP requests that write data outside of allocated memory bounds. This can lead to arbitrary code execution, giving attackers full control over a device [4].

In short, these flaws enable remote attackers to execute arbitrary code without authentication by exploiting memory corruption issues such as buffer overflows and out-of-bounds writes. Once inside, threat actors use symbolic link (symlink) in order to maintain persistence on target devices across patches and firmware updates. This persistence then enables them to bypass security controls and manipulate firewall configurations, effectively turning patched systems into long-term footholds for deeper network compromise [1][2][3].

Darktrace’s Coverage

Darktrace detected a series of suspicious activities originating from a compromised Fortinet VPN device, including anomalous HTTP traffic, internal network scanning, and SMB reconnaissance, all indicative of post-exploitation behavior. Following initial detection by Darktrace’s real-time models, its Autonomous Response capability swiftly acted on the malicious activity, blocking suspicious connections and containing the threat before further compromise could occur.

Further investigation by Darktrace’s Threat Research team uncovered a stealthy and persistent attack that leveraged known Fortinet SSL-VPN vulnerabilities to facilitate lateral movement and privilege escalation within the network.

Phase 1: Initial Compromise – Fortinet VPN Exploitation

The attack on a Darktrace customer likely began on April 11 with the exploitation of a Fortinet VPN device running an outdated version of FortiOS. Darktrace observed a high volume of HTTP traffic originating from this device, specifically targeting internal systems. Notably, many of these requests were directed at the /cgi-bin/ directory,  a common target for attackers attempting to exploit web interfaces to run unauthorized scripts or commands. This pattern strongly indicated remote code execution attempts via the SSL-VPN interface [7].

Once access was gained, the threat actor likely modified existing firewall rules, a tactic often used to disable security controls or create hidden backdoors for future access. While Darktrace does not have direct visibility into firewall configuration changes, the surrounding activity and post-exploitation behavior indicated that such modifications were made to support long-term persistence within the network.

HTTP activity from the compromised Fortinet device, including repeated requests to /cgi-bin/ over port 8080.
Figure 1: HTTP activity from the compromised Fortinet device, including repeated requests to /cgi-bin/ over port 8080

Phase 2: Establishing Persistence & Lateral Movement

Shortly after the initial compromise of the Fortinet VPN device, the threat actor began to expand their foothold within the internal network. Darktrace detected initial signs of network scanning from this device, including the use of Nmap to probe the internal environment, likely in an attempt to identify accessible services and vulnerable systems.

Darktrace’s detection of unusual network scanning activities on the affected device.
Figure 2: Darktrace’s detection of unusual network scanning activities on the affected device.

Around the same time, Darktrace began detecting anomalous activity on a second device, specifically an internal firewall interface device. This suggested that the attacker had established a secondary foothold and was leveraging it to conduct deeper reconnaissance and move laterally through the network.

In an effort to maintain persistence within the network, the attackers likely deployed symbolic links in the SSL-VPN language file directory on the Fortinet device. While Darktrace did not directly observe symbolic link abuse, Fortinet has identified this as a known persistence technique in similar attacks [2][3]. Based on the observed post-exploitation behavior and likely firewall modifications, it is plausible that such methods were used here.

Phase 3: Internal Reconnaissance & Credential Abuse

With lateral movement initiated from the internal firewall interface device, the threat actor proceeded to escalate their efforts to map the internal network and identify opportunities for privilege escalation.

Darktrace observed a successful NTLM authentication from the internal firewall interface to the domain controller over the outdated protocol SMBv1, using the account ‘anonymous’. This was immediately followed by a failed NTLM session connection using the hostname ‘nmap’, further indicating the use of Nmap for enumeration and brute-force attempts. Additional credential probes were also identified around the same time, including attempts using the credential ‘guest’.

Darktrace detection of a series of login attempts using various credentials, with a mix of successful and unsuccessful attempts.
Figure 3: Darktrace detection of a series of login attempts using various credentials, with a mix of successful and unsuccessful attempts.

The attacker then initiated DCE_RPC service enumeration, with over 300 requests to the Endpoint Mapper endpoint on the domain controller. This technique is commonly used to discover available services and their bindings, often as a precursor to privilege escalation or remote service manipulation.

Over the next few minutes, Darktrace detected more than 1,700 outbound connections from the internal firewall interface device to one of the customer’s subnets. These targeted common services such as FTP (port 21), SSH (22), Telnet (23), HTTP (80), and HTTPS (443). The threat actor also probed administrative and directory services, including ports 135, 137, 389, and 445, as well as remote access via RDP on port 3389.

Further signs of privilege escalation attempts were observed with the detection of over 300 Netlogon requests to the domain controller. Just over half of these connections were successful, indicating possible brute-force authentication attempts, credential testing, or the use of default or harvested credentials.

Netlogon and DCE-RPC activity from the affected device, showing repeated service bindings to epmapper and Netlogon, followed by successful and failed NetrServerAuthenticate3 attempts.
Figure 4: Netlogon and DCE-RPC activity from the affected device, showing repeated service bindings to epmapper and Netlogon, followed by successful and failed NetrServerAuthenticate3 attempts.

Phase 4: Privilege Escalation & Remote Access

A few minutes later, the attacker initiated an RDP session from the internal firewall interface device to an internal server. The session lasted over three hours, during which more than 1.5MB of data was uploaded and over 5MB was downloaded.

Notably, no RDP cookie was observed during this session, suggesting manual access, tool-less exploitation, or a deliberate attempt to evade detection. While RDP cookie entries were present on other occasions, none were linked to this specific session—reinforcing the likelihood of stealthy remote access.

Additionally, multiple entries during and after this session show SSL certificate validation failures on port 3389, indicating that the RDP connection may have been established using self-signed or invalid certificates, a common tactic in unauthorized or suspicious remote access scenarios.

Darktrace’s detection of an RDP session from the firewall interface device to the server, lasting over 3 hours.
Figure 5: Darktrace’s detection of an RDP session from the firewall interface device to the server, lasting over 3 hours.

Darktrace Autonomous Response

Throughout the course of this attack, Darktrace’s Autonomous Response capability was active on the customer’s network. This enabled Darktrace to autonomously intervene by blocking specific connections and ports associated with the suspicious activity, while also enforcing a pre-established “pattern of life” on affected devices to ensure they were able to continue their expected business activities while preventing any deviations from it. These actions were crucial in containing the threat and prevent further lateral movement from the compromised device.

Darktrace’s Autonomous Response targeted specific connections and restricted affected devices to their expected patterns of life.
Figure 6: Darktrace’s Autonomous Response targeted specific connections and restricted affected devices to their expected patterns of life.

Conclusion

This incident highlights the importance of important staying on top of patching and closely monitoring VPN infrastructure, especially for internet-facing systems like Fortinet devices. Despite available patches, attackers were still able to exploit known vulnerabilities to gain access, move laterally and maintain persistence within the customer’s network.

Attackers here demonstrated a high level of stealth and persistence. Not only did they gain access to the network and carry out network scans and lateral movement, but they also used techniques such as symbolic link abuse, credential probing, and RDP sessions without cookies to avoid detection.  Darktrace’s detection of the post-exploitation activity, combined with the swift action of its Autonomous Response technology, successfully blocked malicious connections and contained the attack before it could escalate

Credit to Priya Thapa (Cyber Analyst), Vivek Rajan (Cyber Analyst), and Ryan Traill (Analyst Content Lead)

Appendices

Real-time Detection Model Alerts

·      Device / Suspicious SMB Scanning Activity

·      Device / Anomalous Nmap Activity

·      Device / Network Scan

·      Device / RDP Scan

·      Device / ICMP Address Scan

Autonomous Response Model Alerts:  

·      Antigena / Network / Insider Threat / Antigena Network Scan Block

·       Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

MITRE ATT&CK Mapping

Initial Access – External Remote Services – T1133

Initial Access – Valid Accounts – T1078

Execution – Exploitation for Client Execution – T1203

Persistence – Account Manipulation – T1098

Persistence – Application Layer Protocol – T1071.001

Privilege Escalation – Exploitation for Privilege Escalation – T1068

Privilege Escalation – Valid Accounts – T1078

Defense Evasion – Masquerading – T1036

Credential Access – Brute Force – T1110

Discovery – Network Service Scanning – T1046

Discovery – Remote System Discovery – T1018

Lateral Movement – Remote Services – T1021

Lateral Movement – Software Deployment Tools – T1072

Collection – Data from Local System – T1005

Collection – Data Staging – T1074

Exfiltration – Exfiltration Over Alternative Protocol – T1048

References

[1]  https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability

[2] https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html

[3] https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities

[4] https://www.fortiguard.com/psirt/FG-IR-24-015

[5] https://www.tenable.com/blog/cve-2023-27997-heap-based-buffer-overflow-in-fortinet-fortios-and-fortiproxy-ssl-vpn-xortigate

[6]  https://www.tenable.com/blog/cve-2022-42475-fortinet-patches-zero-day-in-fortios-ssl-vpns

[7] https://www.fortiguard.com/encyclopedia/ips/12475

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

Continue reading
About the author
Priya Thapa
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI