Blog
/
Network
/
July 27, 2023

Revealing Outlaw's Returning Features & New Tactics

Darktrace's investigation of the latest Outlaw crypto-mining operation, covering the resurgence of old tactics along with the emergence of new ones.
Written by
Adam Potter
Senior Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Potter
Senior Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
27
Jul 2023

What is Outlaw Cryptocurrency Mining Operation?

The cybersecurity community has been aware of the threat of Outlaw cryptocurrency mining operation, and its affiliated activities since as early as 2018. Despite its prominence, Outlaw remains largely elusive to researchers and analysts due to its ability to adapt its tactics, procedures, and payloads.

Outlaw gained notoriety in 2018 as security researchers began observing the creation of affiliated botnets.[1][2]  Researchers gave Outlaw  its name based on the English translation of the “Haiduc” tool observed during their initial activity on compromised devices.[3],[4] By 2019, much of the initial Outlaw activity  focused on the targeting of Internet of Things (IoT) devices and other internet facing servers, reportedly focusing operations in China and on Chinese devices.[5],[6]  From the outset, mining operations featured as a core element of botnets created by the group.[7] This initial focus may have been a sign of caution by threat actors or a preliminary means of testing procedures and operation efficacy. Regardless, Outlaw actors inevitably expanded scope, targeting larger organizations and a wider range of internet facing devices across geographic scope.

Following a short period of inactivity, security researchers began to observe new Outlaw activity, showcasing additional capabilities such as the ability to kill existing crypto-mining processes on devices, thereby reclaiming devices already compromised by crypto-jacking. [8],[9]

Latest News on Outlaw

Although the more recently observed incidents of Outlaw did demonstrate some new tactics, many of its procedures remained the same, including its unique bundling of payloads that combine crypto-mining and botnet capabilities. [10] In conjunction, the continued use of mining-specific payloads and growth of affiliated botnets has bolstered the belief that Outlaw actors historically prioritizes financial gain, in lieu of overt political objectives.

Given the tendency for malicious actors to share tools and capabilities, true attribution of threat or threat group is extremely difficult in the wild. As such, a genuine survey of activity from the group across a customer base has not always been possible. Therefore, we will present an updated look into more recent activity associated with Outlaw detected across the Darktrace customer base.  

Darktrace vs Outlaw

Since late 2022, Darktrace has observed a rise in probable cyber incidents involving indicators of compromise (IoCs) associated with Outlaw. Given its continued prevalence and relative dearth of information, it is essential to take a renewed look at the latest campaign activity associated with threats like Outlaw to avoid making erroneous assumptions and to ensure the threat posed is correctly characterized.

While being aware of previous IoCs and tactics known to be employed in previous campaigns will go some way to protecting against future Outlaw attacks, it is paramount for organizations to arm themselves with an autonomous intelligent decision maker that can identify malicious activity, based on recognizing deviations from expected patterns of behavior, and take preventative action to effectively defend against such a versatile threat.

Darktrace’s anomaly-based approach to threat detection means it is uniquely positioned to detect novel campaign activity by recognizing subtle deviations in affected devices’ behavior that would have gone unnoticed by traditional security tools relying on rules, signatures and known IoCs.

Outlaw Attack Overview & Darktrace Coverage

From late 2022 through early 2023, Darktrace identified multiple cyber events involving IP addresses, domains, and payloads associated with Outlaw on customer networks. In this recent re-emergence of campaign activity, Darktrace identified numerous attack vectors and IoCs that had previously been associated with Outlaw, however it also observed significant deviations from previous campaigns.

Returning Features

As outlined in a previous blog, past iterations of Outlaw compromises include four identified, distinct phases:

1. Targeting of internet facing devices via SSH brute-forcing

2. Initiation of crypto-mining operations

3. Download of shell script and/or botnet malware payloads

4. Outgoing external SSH scanning to propagate the botnet

Nearly all affected devices analyzed by Darktrace were tagged as internet facing, as identified in previous campaigns, supporting the notion that Outlaw continues to focus on easily exposed devices. In addition to this, Darktrace observed three other core returning features from previous Outlaw campaigns in affected devices between late 2022 and early 2023:

1. Gzip and/or Script Download

2. Beaconing Activity (Command and Control)

3. Crypto-mining

Gzip and/or Script Download

Darktrace observed numerous devices downloading the Dota malware, a strain that is previously known to have been associated with the Outlaw botnet, as either a gzip file or a shell script from rare external hosts.

In some examples, IP addresses that provided the payload were flagged by open-source intelligence (OSINT) sources as having engaged in widespread SSH brute-forcing activities. While the timing of the payload transfer to the device was not consistent, download of gzip files featured prominently during directly observed or potentially affiliated activity. Moreover, Darktrace detected multiple devices performing HTTP requests for shell scripts (.sh) according to detected connection URIs. Darktrace DETECT was able to identify these anomalous connections due to the rarity of the endpoint, payloads, and connectivity for the devices.

Figure 1: Darktrace Cyber AI Analyst technical details summary from an incident during the analysis timeframe that highlights a breach device retrieving the anomalous shell scripts using wget.

Beaconing Activity – Command and Control (C2) Endpoint

Across all Outlaw activity identified by Darktrace, devices engaged in some form of beaconing behavior, rather than one-off connections to IPs associated with Outlaw. While the use of application protocol was not uniform, repeated connectivity to rare external IP addresses related to Outlaw occurred across many analyzed incidents. Darktrace’s Self-Learning AI understood that this beaconing activity represented devices deviating from their expected patterns of life and was able to bring it to the immediate attention of customer security teams.

Figure 2: Model breach log details showing sustained, repeated connectivity to Outlaw affiliated endpoint over port 443, indicating potential C2 activity.

Crypto-mining

In almost every incident of Outlaw identified across the fleet, Darktrace detected some form of cryptocurrency mining activity. Devices affected by Outlaw were consistently observed making anomalous connections to external endpoints associated with crypto-mining operations. Furthermore, the Minergate protocol appeared consistently across hosts; even when devices did not make direct crypto-mining commands, such hosts attempted connections to external entities that were known to support crypto-mining operations.

Figure 3: Advanced Search results showing a sudden spike in mining activity from a device observed connecting to Outlaw-affiliated IP addresses. Such crypto-mining activity was observed consistently across analyzed incidents.

Is Outlaw Using New Tactics?

While in the past, Outlaw activity was identified through a systematic kill chain, recent investigations conducted by Darktrace show significant deviations from this.

For instance, affected devices do not necessarily follow the previously outlined kill chain directly as they did previously. Instead, Darktrace observed affected devices exhibiting these phases in differing orders, repeating steps, or missing out attack phases entirely.

It is essential to study such variation in the kill chain to learn more about the threat of Outlaw and how threat actors are continuing to use it is varying ways. These discrepancies in kill chain elements are likely impacted by visibility into the networks and devices of Darktrace customers, with some relevant activity falling outside of Darktrace’s purview. This is particularly true for internet-exposed devices and hosts that repeatedly performed the same anomalous activity (such as making Minergate requests). Moreover, some devices involved in Outlaw activity may have already been compromised prior to Darktrace’s visibility into the network. As such, these conclusions must be evaluated with a degree of uncertainty.

SSH Activity

Although external SSH connectivity was apparent in some of the incidents detected by Darktrace, it was not directly related to brute-forcing activity. Affected devices did receive anomalous incoming SSH connections, however, wide ranging SSH failed connectivity following the initiation of mining operations by compromised devices was not readily apparent across analyzed compromises. Connections over port 22 were more frequently associated with beaconing and/or C2 activity to endpoints associated with Outlaw, than with potential brute-forcing. As such, Darktrace could not, with high confidence correlate such SSH activity to brute-forcing. This could suggest that threat actors are now portioning or rotation of botnet devices for different operations, for example dividing between botnet expansion and mining operations.

Command line tools

In cases of Outlaw investigated by Darktrace, there was also a degree of variability involving the tools used to retrieve payloads. On the networks of customers affected by Outlaw, Darktrace DETECT identified the use of user agents and command line tools that it considered to be out of character for the network and its devices.

When retrieving the Dota malware payload or shell script data, compromised devices frequently relied on numerous versions of wget and curl user agents. Although the use of such tools as a tactic cannot be definitively linked to the crypto-mining campaign, the employment of varying and/or outdated native command line tools attests to the procedural flexibility of Outlaw campaigns, and its potential for continued evolution.

Figure 4: Breach log data showing use of curl and wget tools to connect to IP addresses associated with Outlaw.

Outlaw in 2023

Given Outlaw’s widespread notoriety and its continued activities, it is likely to remain a prominent threat to organizations and security teams across the threat landscape in 2023 and beyond.

As Darktrace has observed within its customer base from late 2022 through early 2023, activity linked with the Outlaw cryptocurrency mining campaign continues to transpire, offering security teams and research a renewed look at how it has evolved and adapted over the years. While many of its features and tactics appear to have remained consistent, Darktrace has identified numerous signs of Outlaw deviating from its previously known activities.

While relying on previously established IoCs and known tactics from previous campaigns will go some way to protecting an organization’s network from Outlaw compromises, there is a greater need than ever to go further than this. Rather than depending on a list of known-bads or traditional signatures and rules, Darktrace’s anomaly-based approach to threat detection and unparallel autonomous response capabilities mean it is uniquely positioned to DETECT and RESPOND to Outlaw activity, regardless of how it evolves in the future.

Credit to: Adam Potter, Cyber Analyst, Nahisha Nobregas, SOC Analyst, and Ryan Traill, Threat Content Lead

Relevant DETECT Model Breaches:

Compliance / Incoming SSH  

Device / New User Agent and New IP

Device / New User Agent  

Anomalous Connection / New User Agent to IP Without Hostname  

Compromise / Crypto Currency Mining Activity  

Anomalous File / Internet Facing System File Download  

Anomalous Server Activity / New User Agent from Internet Facing System  

Anomalous File / Zip or Gzip from Rare External Location  

Anomalous File / Script from Rare External Location  

Anomalous Connection / Multiple Failed Connections to Rare Endpoint  

Compromise / Large Number of Suspicious Failed Connections  

Anomalous Server Activity / Outgoing from Server  

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Indicators of Compromise

Indicator - Type - Description

/dota3.tar.gz​

File  URI​

Outlaw  payload​

/tddwrt7s.sh​

File  URI​

Outlaw  payload​

73e5dbafa25946ed636e68d1733281e63332441d​

SHA1  Hash​

Outlaw  payload​

debian-package[.]center​

Hostname​

Outlaw  C2 endpoint​

161.35.236[.]24​

IP  address​

Outlaw  C2 endpoint​

138.68.115[.]96​

IP  address​

Outlaw C2  endpoint​

67.205.134[.]224​

IP  address​

Outlaw C2  endpoint​

138.197.212[.]204​

IP  address​

Outlaw C2  endpoint​

45.9.148[.]59 ​

IP  address​

Possible  Outlaw C2 endpoint​

45.9.148[.]117​

IP  address​

Outlaw C2  endpoint​

45.9.148[.]125​

IP  address​

Outlaw C2  endpoint​

45.9.148[.]129​

IP  address​

Outlaw C2  endpoint​

45.9.148[.]99 ​

IP  address​

Outlaw C2  endpoint​

45.9.148[.]234​

IP  address​

Possible  Outlaw C2 endpoint​

45.9.148[.]236​

IP  address​

Possible  Outlaw C2 endpoint​

159.203.102[.]122​

IP  address​

Outlaw C2  endpoint​

159.203.85[.]196​

IP  address​

Outlaw C2  endpoint​

159.223.235[.]198​

IP  address​

Outlaw C2  endpoint​

MITRE ATT&CK Mapping

Tactic -Technique

Initial Access -T1190  Exploit - Public Facing Application

Command and Control - T1071 - Application - Layer Protocol

T1071.001 - Application Layer Protocol: Web Protocols

Impact - T1496 Resource Hijacking

Written by
Adam Potter
Senior Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Potter
Senior Cyber Analyst

Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response

Network
October 9, 2025
Emily Megan Lim
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
Jun 2, 2025
3
Evaluating Email Security: How to Select the Best Solution for Your Organization
May 21, 2025
4
2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review
Aug 5, 2025
5
Introducing the AI Maturity Model for Cybersecurity
Jul 16, 2025

More in this series

No items found.
Continue reading
Network
October 9, 2025

Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response

Starting in July 2025, Akira ransomware attacks surged globally, targeting SonicWall SSL VPN devices. In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration. A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities.
Emily Megan Lim
Cyber Analyst
Read more
Network
September 23, 2025

ShadowV2: An emerging DDoS for hire botnet

Darktrace exposed a cybercrime-as-a-service campaign using Python and Go-based malware, Docker containerization, and a full operator UI. With DDoS-as-a-service features, modular APIs, and advanced evasion, this platform highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.
Nate Bill
Threat Researcher
Read more
Network
September 11, 2025

SEO Poisoning and Fake PuTTY sites: Darktrace’s Investigation into the Oyster backdoor

SEO poisoning is a malicious tactic where threat actors manipulate search engine rankings to promote deceptive websites. These sites often mimic legitimate software downloads, delivering malware like the Oyster backdoor. Learn about Darktrace’s investigation into the tactics used to deliver Oyster via fake PuTTY sites and manipulate search visibility.
Christina Kreza
Cyber Analyst
Read more

Blog

/

AI

/

October 15, 2025

How a Major Civil Engineering Company Reduced MTTR across Network, Email and the Cloud with Darktrace

Default blog imageDefault blog image

Asking more of the information security team

“What more can we be doing to secure the company?” is a great question for any cyber professional to hear from their Board of Directors. After successfully defeating a series of attacks and seeing the potential for AI tools to supercharge incoming threats, a UK-based civil engineering company’s security team had the answer: Darktrace.

“When things are coming at you at machine speed, you need machine speed to fight it off – it’s as simple as that,” said their Information Security Manager. “There were incidents where it took us a few hours to get to the bottom of what was going on. Darktrace changed that.”

Prevention was also the best cure. A peer organization in the same sector was still in business continuity measures 18 months after an attack, and the security team did not want to risk that level of business disruption.

Legacy tools were not meeting the team’s desired speed or accuracy

The company’s native SaaS email platform took between two and 14 days to alert on suspicious emails, with another email security tool flagging malicious emails after up to 24 days. After receiving an alert, responses often took a couple of days to coordinate. The team was losing precious time.

Beyond long detection and response times, the old email security platform was no longer performing: 19% of incoming spam was missed. Of even more concern: 6% of phishing emails reached users’ inboxes, and malware and ransomware email was also still getting through, with 0.3% of such email-borne payloads reaching user inboxes.

Choosing Darktrace

“When evaluating tools in 2023, only Darktrace had what I was looking for: an existing, mature, AI-based cybersecurity solution. ChatGPT had just come out and a lot of companies were saying ‘AI this’ and ‘AI that’. Then you’d take a look, and it was all rules- and cases-based, not AI at all,” their Information Security Manager.

The team knew that, with AI-enabled attacks on the horizon, a cybersecurity company that had already built, fielded, and matured an AI-powered cyber defense would give the security team the ability to fend off machine-speed attacks at the same pace as the attackers.

Darktrace accomplishes this with multi-layered AI that learns each organization’s normal business operations. With this detailed level of understanding, Darktrace’s Self-Learning AI can recognize unusual activity that may indicate a cyber-attack, and works to neutralize the threat with precise response actions. And it does this all at machine speed and with minimal disruption.

On the morning the team was due to present its findings, the session was cancelled – for a good reason. The Board didn’t feel further discussion was necessary because the case for Darktrace was so conclusive. The CEO described the Darktrace option as ‘an insurance policy we can’t do without’.

Saving time with Darktrace / EMAIL

Darktrace / EMAIL reduced the discovery, alert, and response process from days or weeks to seconds .

Darktrace / EMAIL automates what was originally a time-consuming and repetitive process. The team has recovered between eight and 10 working hours a week by automating much of this process using / EMAIL.

Today, Darktrace / EMAIL prevents phishing emails from reaching employees’ inboxes. The volume of hostile and unsolicited email fell to a third of its original level after Darktrace / EMAIL was set up.

Further savings with Darktrace / NETWORK and Darktrace / IDENTITY

Since its success with Darktrace / EMAIL, the company adopted two more products from the Darktrace ActiveAI Security Platform – Darktrace / NETWORK and Darktrace / IDENTITY.

These have further contributed to cost savings. An initial plan to build a 24/7 SOC would have required hiring and retaining six additional analysts, rather than the two that currently use Darktrace, costing an additional £220,000 per year in salary. With Darktrace, the existing analysts have the tools needed to become more effective and impactful.

An additional benefit: Darktrace adoption has lowered the company’s cyber insurance premiums. The security team can reallocate this budget to proactive projects.

Detection of novel threats provides reassurance

Darktrace’s unique approach to cybersecurity added a key benefit. The team’s previous tool took a rules-based approach – which was only good if the next attack featured the same characteristics as the ones on which the tool was trained.

“Darktrace looks for anomalous behavior, and we needed something that detected and responded based on use cases, not rules that might be out of date or too prescriptive,” their Information Security Manager. “Our existing provider could take a couple of days to update rules and signatures, and in this game, speed is of the essence. Darktrace just does everything we need - without delay.”

Where rules-based tools must wait for a threat to emerge before beginning to detect and respond to it, Darktrace identifies and protects against unknown and novel threats, speeding identification, response, and recovery, minimizing business disruption as a result.

Looking to the future

With Darktrace in place, the UK-based civil engineering company team has reallocated time and resources usually spent on detection and alerting to now tackle more sophisticated, strategic challenges. Darktrace has also equipped the team with far better and more regularly updated visibility into potential vulnerabilities.

“One thing that frustrates me a little is penetration testing; our ISO accreditation mandates a penetration test at least once a year, but the results could be out of date the next day,” their Information Security Manager. “Darktrace / Proactive Exposure Management will give me that view in real time – we can run it daily if needed - and that’s going to be a really effective workbench for my team.”

As the company looks to further develop its security posture, Darktrace remains poised to evolve alongside its partner.

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

October 14, 2025

Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response

akira sonicwallDefault blog imageDefault blog image

Introduction: Background on Akira SonicWall campaign

Between July and August 2025, security teams worldwide observed a surge in Akira ransomware incidents involving SonicWall SSL VPN devices [1]. Initially believed to be the result of an unknown zero-day vulnerability, SonicWall later released an advisory announcing that the activity was strongly linked to a previously disclosed vulnerability, CVE-2024-40766, first identified over a year earlier [2].

On August 20, 2025, Darktrace observed unusual activity on the network of a customer in the US. Darktrace detected a range of suspicious activity, including network scanning and reconnaissance, lateral movement, privilege escalation, and data exfiltration. One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology.

As the customer was subscribed to the Managed Detection and Response (MDR) service, Darktrace’s Security Operations Centre (SOC) team was able to rapidly triage critical alerts, restrict the activity of affected devices, and notify the customer of the threat. As a result, the impact of the attack was limited - approximately 2 GiB of data had been observed leaving the network, but any further escalation of malicious activity was stopped.

Threat Overview

CVE-2024-40766 and other misconfigurations

CVE-2024-40766 is an improper access control vulnerability in SonicWall’s SonicOS, affecting Gen 5, Gen 6, and Gen 7 devices running SonicOS version 7.0.1 5035 and earlier [3]. The vulnerability was disclosed on August 23, 2024, with a patch released the same day. Shortly after, it was reported to be exploited in the wild by Akira ransomware affiliates and others [4].

Almost a year later, the same vulnerability is being actively targeted again by the Akira ransomware group. In addition to exploiting unpatched devices affected by CVE-2024-40766, security researchers have identified three other risks potentially being leveraged by the group [5]:

*The Virtual Office Portal can be used to initially set up MFA/TOTP configurations for SSLVPN users.

Thus, even if SonicWall devices were patched, threat actors could still target them for initial access by reusing previously stolen credentials and exploiting other misconfigurations.

Akira Ransomware

Akira ransomware was first observed in the wild in March 2023 and has since become one of the most prolific ransomware strains across the threat landscape [6]. The group operates under a Ransomware-as-a-Service (RaaS) model and frequently uses double extortion tactics, pressuring victims to pay not only to decrypt files but also to prevent the public release of sensitive exfiltrated data.

The ransomware initially targeted Windows systems, but a Linux variant was later observed targeting VMware ESXi virtual machines [7]. In 2024, it was assessed that Akira would continue to target ESXi hypervisors, making attacks highly disruptive due to the central role of virtualisation in large-scale cloud deployments. Encrypting the ESXi file system enables rapid and widespread encryption with minimal lateral movement or credential theft. The lack of comprehensive security protections on many ESXi hypervisors also makes them an attractive target for ransomware operators [8].

Victimology

Akira is known to target organizations across multiple sectors, most notably those in manufacturing, education, and healthcare. These targets span multiple geographic regions, including North America, Latin America, Europe and Asia-Pacific [9].

Geographical distribution of organization’s affected by Akira ransomware in 2025 [9].
Figure 1: Geographical distribution of organization’s affected by Akira ransomware in 2025 [9].

Common Tactics, Techniques and Procedures (TTPs) [7][10]

Initial Access
Targets remote access services such as RDP and VPN through vulnerability exploitation or stolen credentials.

Reconnaissance
Uses network scanning tools like SoftPerfect and Advanced IP Scanner to map the environment and identify targets.

Lateral Movement
Moves laterally using legitimate administrative tools, typically via RDP.

Persistence
Employs techniques such as Kerberoasting and pass-the-hash, and tools like Mimikatz to extract credentials. Known to create new domain accounts to maintain access.

Command and Control
Utilizes remote access tools including AnyDesk, RustDesk, Ngrok, and Cloudflare Tunnel.

Exfiltration
Uses tools such as FileZilla, WinRAR, WinSCP, and Rclone. Data is exfiltrated via protocols like FTP and SFTP, or through cloud storage services such as Mega.

Darktrace’s Coverage of Akira ransomware

Reconnaissance

Darktrace first detected of unusual network activity around 05:10 UTC, when a desktop device was observed performing a network scan and making an unusual number of DCE-RPC requests to the endpoint mapper (epmapper) service. Network scans are typically used to identify open ports, while querying the epmapper service can reveal exposed RPC services on the network.

Multiple other devices were also later seen with similar reconnaissance activity, and use of the Advanced IP Scanner tool, indicated by connections to the domain advanced-ip-scanner[.]com.

Lateral movement

Shortly after the initial reconnaissance, the same desktop device exhibited unusual use of administrative tools. Darktrace observed the user agent “Ruby WinRM Client” and the URI “/wsman” as the device initiated a rare outbound Windows Remote Management (WinRM) connection to two domain controllers (REDACTED-dc1 and REDACTED-dc2). WinRM is a Microsoft service that uses the WS-Management (WSMan) protocol to enable remote management and control of network devices.

Darktrace also observed the desktop device connecting to an ESXi device (REDACTED-esxi1) via RDP using an LDAP service credential, likely with administrative privileges.

Credential access

At around 06:26 UTC, the desktop device was seen fetching an Active Directory certificate from the domain controller (REDACTED-dc1) by making a DCE-RPC request to the ICertPassage service. Shortly after, the device made a Kerberos login using the administrative credential.

Figure 3: Darktrace’s detection of the of anomalous certificate download and subsequent Kerberos login.

Further investigation into the device’s event logs revealed a chain of connections that Darktrace’s researchers believe demonstrates a credential access technique known as “UnPAC the hash.”

This method begins with pre-authentication using Kerberos’ Public Key Cryptography for Initial Authentication (PKINIT), allowing the client to use an X.509 certificate to obtain a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC) instead of a password.

The next stage involves User-to-User (U2U) authentication when requesting a Service Ticket (ST) from the KDC. Within Darktrace's visibility of this traffic, U2U was indicated by the client and service principal names within the ST request being identical. Because PKINIT was used earlier, the returned ST contains the NTLM hash of the credential, which can then be extracted and abused for lateral movement or privilege escalation [11].

Flowchart of Kerberos PKINIT pre-authentication and U2U authentication [12].
Figure 4: Flowchart of Kerberos PKINIT pre-authentication and U2U authentication [12]
Figure 5: Device event log showing the Kerberos Login and Kerberos Ticket events

Analysis of the desktop device’s event logs revealed a repeated sequence of suspicious activity across multiple credentials. Each sequence included a DCE-RPC ICertPassage request to download a certificate, followed by a Kerberos login event indicating PKINIT pre-authentication, and then a Kerberos ticket event consistent with User-to-User (U2U) authentication.

Darktrace identified this pattern as highly unusual. Cyber AI Analyst determined that the device used at least 15 different credentials for Kerberos logins over the course of the attack.

By compromising multiple credentials, the threat actor likely aimed to escalate privileges and facilitate further malicious activity, including lateral movement. One of the credentials obtained via the “UnPAC the hash” technique was later observed being used in an RDP session to the domain controller (REDACTED-dc2).

C2 / Additional tooling

At 06:44 UTC, the domain controller (REDACTED-dc2) was observed initiating a connection to temp[.]sh, a temporary cloud hosting service. Open-source intelligence (OSINT) reporting indicates that this service is commonly used by threat actors to host and distribute malicious payloads, including ransomware [13].

Shortly afterward, the ESXi device was observed downloading an executable named “vmwaretools” from the rare external endpoint 137.184.243[.]69, using the user agent “Wget.” The repeated outbound connections to this IP suggest potential command-and-control (C2) activity.

Cyber AI Analyst investigation into the suspicious file download and suspected C2 activity between the ESXI device and the external endpoint 137.184.243[.]69.
Figure 6: Cyber AI Analyst investigation into the suspicious file download and suspected C2 activity between the ESXI device and the external endpoint 137.184.243[.]69.
Packet capture (PCAP) of connections between the ESXi device and 137.184.243[.]69.
Figure 7: Packet capture (PCAP) of connections between the ESXi device and 137.184.243[.]69.

Data exfiltration

The first signs of data exfiltration were observed at around 7:00 UTC. Both the domain controller (REDACTED-dc2) and a likely SonicWall VPN device were seen uploading approximately 2 GB of data via SSH to the rare external endpoint 66.165.243[.]39 (AS29802 HVC-AS). OSINT sources have since identified this IP as an indicator of compromise (IoC) associated with the Akira ransomware group, known to use it for data exfiltration [14].

Cyber AI Analyst incident view highlighting multiple unusual events across several devices on August 20. Notably, it includes the “Unusual External Data Transfer” event, which corresponds to the anomalous 2 GB data upload to the known Akira-associated endpoint 66.165.243[.]39.
Figure 8: Cyber AI Analyst incident view highlighting multiple unusual events across several devices on August 20. Notably, it includes the “Unusual External Data Transfer” event, which corresponds to the anomalous 2 GB data upload to the known Akira-associated endpoint 66.165.243[.]39.

Cyber AI Analyst

Throughout the course of the attack, Darktrace’s Cyber AI Analyst autonomously investigated the anomalous activity as it unfolded and correlated related events into a single, cohesive incident. Rather than treating each alert as isolated, Cyber AI Analyst linked them together to reveal the broader narrative of compromise. This holistic view enabled the customer to understand the full scope of the attack, including all associated activities and affected assets that might otherwise have been dismissed as unrelated.

Overview of Cyber AI Analyst’s investigation, correlating all related internal and external security events across affected devices into a single pane of glass.
Figure 9: Overview of Cyber AI Analyst’s investigation, correlating all related internal and external security events across affected devices into a single pane of glass.

Containing the attack

In response to the multiple anomalous activities observed across the network, Darktrace's Autonomous Response initiated targeted mitigation actions to contain the attack. These included:

  • Blocking connections to known malicious or rare external endpoints, such as 137.184.243[.]69, 66.165.243[.]39, and advanced-ip-scanner[.]com.
  • Blocking internal traffic to sensitive ports, including 88 (Kerberos), 3389 (RDP), and 49339 (DCE-RPC), to disrupt lateral movement and credential abuse.
  • Enforcing a block on all outgoing connections from affected devices to contain potential data exfiltration and C2 activity.
Autonomous Response actions taken by Darktrace on an affected device, including the blocking of malicious external endpoints and internal service ports.
Figure 10: Autonomous Response actions taken by Darktrace on an affected device, including the blocking of malicious external endpoints and internal service ports.

Managed Detection and Response

As this customer was an MDR subscriber, multiple Enhanced Monitoring alerts—high-fidelity models designed to detect activity indicative of compromise—were triggered across the network. These alerts prompted immediate investigation by Darktrace’s SOC team.

Upon determining that the activity was likely linked to an Akira ransomware attack, Darktrace analysts swiftly acted to contain the threat. At around 08:05 UTC, devices suspected of being compromised were quarantined, and the customer was promptly notified, enabling them to begin their own remediation procedures without delay.

A wider campaign?

Darktrace’s SOC and Threat Research teams identified at least three additional incidents likely linked to the same campaign. All targeted organizations were based in the US, spanning various industries, and each have indications of using SonicWall VPN, indicating it had likely been targeted for initial access.

Across these incidents, similar patterns emerged. In each case, a suspicious executable named “vmwaretools” was downloaded from the endpoint 85.239.52[.]96 using the user agent “Wget”, bearing some resemblance to the file downloads seen in the incident described here. Data exfiltration was also observed via SSH to the endpoints 107.155.69[.]42 and 107.155.93[.]154, both of which belong to the same ASN also seen in the incident described in this blog: S29802 HVC-AS. Notably, 107.155.93[.]154 has been reported in OSINT as an indicator associated with Akira ransomware activity [15]. Further recent Akira ransomware cases have been observed involving SonicWall VPN, where no similar executable file downloads were observed, but SSH exfiltration to the same ASN was. These overlapping and non-overlapping TTPs may reflect the blurring lines between different affiliates operating under the same RaaS.

Lessons from the campaign

This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released. It also demonstrates how misconfigurations and overlooked weaknesses can be leveraged for initial access or privilege escalation, even in otherwise well-maintained environments.

Darktrace’s observations further reveal that ransomware actors are increasingly relying on legitimate administrative tools, such as WinRM, to blend in with normal network activity and evade detection. In addition to previously documented Kerberos-based credential access techniques like Kerberoasting and pass-the-hash, this campaign featured the use of UnPAC the hash to extract NTLM hashes via PKINIT and U2U authentication for lateral movement or privilege escalation.

Credit to Emily Megan Lim (Senior Cyber Analyst), Vivek Rajan (Senior Cyber Analyst), Ryan Traill (Analyst Content Lead), and Sam Lister (Specialist Security Researcher)

Appendices

Darktrace Model Detections

Anomalous Connection / Active Remote Desktop Tunnel

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / New User Agent to IP Without Hostname

Anomalous Connection / Possible Data Staging and External Upload

Anomalous Connection / Rare WinRM Incoming

Anomalous Connection / Rare WinRM Outgoing

Anomalous Connection / Uncommon 1 GiB Outbound

Anomalous Connection / Unusual Admin RDP Session

Anomalous Connection / Unusual Incoming Long Remote Desktop Session

Anomalous Connection / Unusual Incoming Long SSH Session

Anomalous Connection / Unusual Long SSH Session

Anomalous File / EXE from Rare External Location

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Server Activity / Outgoing from Server

Anomalous Server Activity / Rare External from Server

Compliance / Default Credential Usage

Compliance / High Priority Compliance Model Alert

Compliance / Outgoing NTLM Request from DC

Compliance / SSH to Rare External Destination

Compromise / Large Number of Suspicious Successful Connections

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Device / Anomalous Certificate Download Activity

Device / Anomalous SSH Followed By Multiple Model Alerts

Device / Anonymous NTLM Logins

Device / Attack and Recon Tools

Device / ICMP Address Scan

Device / Large Number of Model Alerts

Device / Network Range Scan

Device / Network Scan

Device / New User Agent To Internal Server

Device / Possible SMB/NTLM Brute Force

Device / Possible SMB/NTLM Reconnaissance

Device / RDP Scan

Device / Reverse DNS Sweep

Device / Suspicious SMB Scanning Activity

Device / UDP Enumeration

Unusual Activity / Unusual External Data to New Endpoint

Unusual Activity / Unusual External Data Transfer

User / Multiple Uncommon New Credentials on Device

User / New Admin Credentials on Client

User / New Admin Credentials on Server

Enhanced Monitoring Models

Compromise / Anomalous Certificate Download and Kerberos Login

Device / Initial Attack Chain Activity

Device / Large Number of Model Alerts from Critical Network Device

Device / Multiple Lateral Movement Model Alerts

Device / Suspicious Network Scan Activity

Unusual Activity / Enhanced Unusual External Data Transfer

Antigena/Autonomous Response Models

Antigena / Network / External Threat / Antigena File then New Outbound Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Insider Threat / Antigena Network Scan Block

Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Block

Antigena / Network / Manual / Quarantine Device

Antigena / Network / Significant Anomaly / Antigena Alerts Over Time Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Repeated Antigena Alerts

List of Indicators of Compromise (IoCs)

·      66.165.243[.]39 – IP Address – Data exfiltration endpoint

·      107.155.69[.]42 – IP Address – Probable data exfiltration endpoint

·      107.155.93[.]154 – IP Address – Likely Data exfiltration endpoint

·      137.184.126[.]86 – IP Address – Possible C2 endpoint

·      85.239.52[.]96 – IP Address – Likely C2 endpoint

·      hxxp://85.239.52[.]96:8000/vmwarecli  – URL – File download

·      hxxp://137.184.126[.]86:8080/vmwaretools – URL – File download

MITRE ATT&CK Mapping

Initial Access – T1190 – Exploit Public-Facing Application

Reconnaissance – T1590.002 – Gather Victim Network Information: DNS

Reconnaissance – T1590.005 – Gather Victim Network Information: IP Addresses

Reconnaissance – T1592.004 – Gather Victim Host Information: Client Configurations

Reconnaissance – T1595 – Active Scanning

Discovery – T1018 – Remote System Discovery

Discovery – T1046 – Network Service Discovery

Discovery – T1083 – File and Directory Discovery

Discovery – T1135 – Network Share Discovery

Lateral Movement – T1021.001 – Remote Services: Remote Desktop Protocol

Lateral Movement – T1021.004 – Remote Services: SSH

Lateral Movement – T1021.006 – Remote Services: Windows Remote Management

Lateral Movement – T1550.002 – Use Alternate Authentication Material: Pass the Hash

Lateral Movement – T1550.003 – Use Alternate Authentication Material: Pass the Ticket

Credential Access – T1110.001 – Brute Force: Password Guessing

Credential Access – T1649 – Steal or Forge Authentication Certificates

Persistence, Privilege Escalation – T1078 – Valid Accounts

Resource Development – T1588.001 – Obtain Capabilities: Malware

Command and Control – T1071.001 – Application Layer Protocol: Web Protocols

Command and Control – T1105 – Ingress Tool Transfer

Command and Control – T1573 – Encrypted Channel

Collection – T1074 – Data Staged

Exfiltration – T1041 – Exfiltration Over C2 Channel

Exfiltration – T1048 – Exfiltration Over Alternative Protocol

References

[1] https://thehackernews.com/2025/08/sonicwall-investigating-potential-ssl.html

[2] https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

[3] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

[4] https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/

[5] https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/

[6] https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

[7] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

[8] https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/

[9] https://www.ransomware.live/map?year=2025&q=akira

[10] https://attack.mitre.org/groups/G1024/
[11] https://labs.lares.com/fear-kerberos-pt2/#UNPAC

[12] https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash

[13] https://www.s-rminform.com/latest-thinking/derailing-akira-cyber-threat-intelligence)

[14] https://fieldeffect.com/blog/update-akira-ransomware-group-targets-sonicwall-vpn-appliances

[15] https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/

Continue reading
About the author
Emily Megan Lim
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI