Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Share
03
Aug 2020
Cyber-criminals are increasingly impersonating trusted SaaS platforms and suppliers with their attacks. Recently, Darktrace has detected threats leveraging QuickBooks, WeTransfer and Microsoft Teams brand names. Many of these emails attempt to coax a recipient into clicking a malicious link that leads to a page containing credential-harvesting malware. This blog post demonstrates a possible next phase in an attack – what happens after an employee enters their details on this malicious webpage and has their account compromised.
Even just one compromised internal account can greatly increase the success rate of a phishing campaign. Attackers can use a compromised Microsoft 365 account to gain access to multiple other accounts within hours.
Darktrace’s AI was monitoring over 9,000 devices at a leading technology firm in the APAC region when one employee became victim to a Microsoft 365 account takeover over the weekend. This account was then used to send hundreds of phishing emails to both internal and external contacts. Darktrace detected the early signs of account compromise and raised a high-confidence alert to the security team well before these emails were sent. If the security team had acted quickly in response to the alert, the delivery of the phishing emails – and a second account compromise – could have been avoided.
Timeline of the attack
Figure 1: A timeline of the attack
We can see in the timeline that the attacker only spent three hours performing research before acting. This raises questions on the nature of this threat. Was the attack automated? Had the attacker done preliminary research? Did they know what they were after?
A bespoke and targeted attack
Darktrace first alerted to the security incident when the AI detected that someone was logging in from an unusual geographical location, promptly setting up new inbox rules, and viewing several shared files. The attacker then proceeded to send out over 200 phishing emails to internal and external recipients.
The emails contained a link to a Microsoft OneDrive landing page titled “Contract & Proposal – Customer,” indicating the page was specifically built for this attack. The page contained a phishing link hidden under the display text “Click to Review Fax Document.” Less than one hour after the phishing emails were sent, Darktrace’s AI detected an an unusual login from the same IP to a second account in the organization, indicating this account had likely also been compromised.
How did the attack bypass the rest of the security stack?
The attacker leveraged compromised M365 credentials, with the initial entry likely via compromised credentials from a previous phishing campaign before Darktrace’s AI was deployed;
Traditional email security software trusts internal emails;
Phishing emails contained a OneDrive link, a trusted SaaS platform, so other email security products would not have identified these links as suspicious.
AI Analyst investigates
The technology firm had deployed Darktrace’s Enterprise Immune System across their network and SaaS applications, and consequently had real-time visibility across every event in this attack as it unfolded. Additionally, when the unusual login location was detected, Darktrace’s Cyber AI Analyst immediately launched an automated investigation into the malicious activity, generating a natural language summary of the events and other crucial information to help with incident review.
Figure 2: An excerpt of Cyber AI Analyst’s report of the account hijack
Darktrace’s SaaS Console also reported on the event in the context of activity on that device over the previous week.
Figure 3: Darktrace’s SaaS dashboard displaying an overview of the incident
This attack is another example of the changing nature of cyber-threats in the context of digital transformation. It is not devices, but identities that are increasingly being targeted and attacked.
Darktrace’s real-time alerting on the evolving situation could have enabled the security team to isolate the initial compromised account and change the credentials before the attack escalated further. The initial rare login destination caused Darktrace’s Cyber AI Analyst to launch an ongoing investigation into the compromised account, such that an alert was raised just three minutes after new processing rules were set up by the attacker. With eyes on the technology, a more serious breach could have been avoided, and the breach remeditated in minutes.
Thanks to Darktrace analyst Stefan Rowe for his insights on the above threat find.
For eight more case studies of cyber-threats detected within SaaS environments, read the White Paper.
IoCs:
IoCCommentcovingtonok[.]buzzUsed to host fake login page
Darktrace model detections:
SaaS / Unusual External Source for SaaS Credential Use
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Mythos vs Ethos: Defending in an Era of AI‑Accelerated Vulnerability Discovery
Anthropic’s Mythos and what it means for security teams
Recent attention on systems such as Anthropic Mythos highlights a notable problem for defenders. Namely that disclosure’s role in coordinating defensive action is eroding.
As AI systems gain stronger reasoning and coding capability, their usefulness in analyzing complex software environments and identifying weaknesses naturally increases. What has changed is not attacker motivation, but the conditions under which defenders learn about and organize around risk. Vulnerability discovery and exploitation increasingly unfold in ways that turn disclosure into a retrospective signal rather than a reliable starting point for defense.
Faster discovery was inevitable and is already visible
The acceleration of vulnerability discovery was already observable across the ecosystem. Publicly disclosed vulnerabilities (CVEs) have grown at double-digit rates for the past two years, including a 32% increase in 2024 according to NIST, driven in part by AI even prior to Anthropic’s Mythos model. Most notably XBOW topped the HackerOne US bug bounty leaderboard, marking the first time an autonomous penetration tester had done so.
The technical frontier for AI capabilities has been described elsewhere as jagged, and the implication is that Mythos is exceptional but not unique in this capability. While Mythos appears to make significant progress in complex vulnerability analysis, many other models are already able to find and exploit weaknesses to varying degrees.
What matters here is not which model performs best, but the fact that vulnerability discovery is no longer a scarce or tightly bounded capability.
The consequence of this shift is not simply earlier discovery. It is a change in the defender-attacker race condition. Disclosure once acted as a rough synchronization point. While attackers sometimes had earlier knowledge, disclosure generally marked the moment when risk became visible and defensive action could be broadly coordinated. Increasingly, that coordination will no longer exist. Exploitation may be underway well before a CVE is published, if it is published at all.
Why patch velocity alone is not the answer
The instinctive response to this shift is to focus on patching faster, but treating patch velocity as the primary solution misunderstands the problem. Most organizations are already constrained in how quickly they can remediate vulnerabilities. Asset sprawl, operational risk, testing requirements, uptime commitments, and unclear ownership all limit response speed, even when vulnerabilities are well understood.
If discovery and exploitation now routinely precede disclosure, then patching cannot be the first line of defense. It becomes one necessary control applied within a timeline that has already shifted. This does not imply that organizations should patch less. It means that patching cannot serve as the organizing principle for defense.
Defense needs a more stable anchor
If disclosure no longer defines when defense begins, then defense needs a reference point that does not depend on knowing the vulnerability in advance.
Every digital environment has a behavioral character. Systems authenticate, communicate, execute processes, and access resources in relatively consistent ways over time. These patterns are not static rules or signatures. They are learned behaviors that reflect how an organization operates.
When exploitation occurs, even via previously unknown vulnerabilities, those behavioral patterns change.
Attackers may use novel techniques, but they still need to gain access, create processes, move laterally, and will ultimately interact with systems in ways that diverge from what is expected. That deviation is observable regardless of whether the underlying weakness has been formally named.
In an environment where disclosure can no longer be relied on for timing or coordination, behavioral understanding is no longer an optional enhancement; it becomes the only consistently available defensive signal.
Detecting risk before disclosure
Darktrace’s threat research has consistently shown that malicious activity often becomes visible before public disclosure.
This reflects a defensive approach grounded in ‘Ethos’, in contrast to the unbounded exploration represented by ‘Mythos’. Here, Mythos describes continuous vulnerability discovery at speed and scale. Ethos reflects an understanding of what is normal and expected within a specific environment, grounded in observed behavior.
Revisiting assume breach
These conditions reinforce a principle long embedded in Zero Trust thinking: assume breach.
If exploitation can occur before disclosure, patching vulnerabilities can no longer act as the organizing principle for defense. Instead, effective defense must focus on monitoring for misuse and constraining attacker activity once access is achieved. Behavioral monitoring allows organizations to identify early‑stage compromise and respond while uncertainty remains, rather than waiting for formal verification.
AI plays a critical role here, not by predicting every exploit, but by continuously learning what normal looks like within a specific environment and identifying meaningful deviation at machine speed. Identifying that deviation enables defenders to respond by constraining activity back towards normal patterns of behavior.
Not an arms race, but an asymmetry
AI is often framed as fueling an arms race between attackers and defenders. In practice, the more important dynamic is asymmetry.
Attackers operate broadly, scanning many environments for opportunities. Defenders operate deeply within their own systems, and it’s this business context which is so significant. Behavioral understanding gives defenders a durable advantage. Attackers may automate discovery, but they cannot easily reproduce what belonging looks like inside a particular organization.
A changed defensive model
AI‑accelerated vulnerability discovery does not mean defenders have lost. It does mean that disclosure‑driven, patch‑centric models no longer provide a sufficient foundation for resilience.
As vulnerability volumes grow and exploitation timelines compress, effective defense increasingly depends on continuous behavioral understanding, detection that does not rely on prior disclosure, and rapid containment to limit impact. In this model, CVEs confirm risk rather than define when defense begins.
The industry has already seen this approach work in practice. As AI continues to reshape both offense and defense, behavioral detection will move from being complementary to being essential.
To observe adversary behavior in real time, Darktrace operates a global honeypot network known as “CloudyPots”, designed to capture malicious activity across a wide range of services, protocols, and cloud platforms. These honeypots provide valuable insights into the techniques, tools, and malware actively targeting internet‑facing infrastructure.
How attackers used a Jenkins honeypot to deploy the botnet
One such software honeypotted by Darktrace is Jenkins, a CI build system that allows developers to build code and run tests automatically. The instance of Jenkins in Darktrace’s honeypot is intentionally configured with a weak password, allowing attackers to obtain remote code execution on the service.
In one instance observed by Darktrace on March 18, 2026, a threat actor seemingly attempted to target Darktrace’s Jenkins honeypot to deploy a distributed denial-of-service (DDoS) botnet. Further analysis by Darktrace’s Threat Research team revealed the botnet was intended to specifically target video game servers.
How the Jenkins scriptText endpoint was used for remote code execution
The Jenkins build system features an endpoint named scriptText, which enables users to programmatically send new jobs, in the form of a Groovy script. Groovy is a programming language with similar syntax to Java and runs using the Java Virtual Machine (JVM). An attacker can abuse the scriptText endpoint to run a malicious script, achieving code execution on the victim host.
Figure 1: Request sent to the scriptText endpoint containing the malicious script.
The malicious script is sent using the form-data content type, which results in the contents of the script being URL encoded. This encoding can be decoded to recover the original script, as shown in Figure 2, where Darktrace Analysts decoded the script using CyberChef,
Figure 2: The malicious script decoded using CyberChef.
What happens after Jenkins is compromised
As Jenkins can be deployed on both Microsoft Windows and Linux systems, the script includes separate branches to target each platform.
In the case of Windows, the script performs the following actions:
Downloads a payload from 103[.]177.110.202/w.exe and saves it to C:\Windows\Temp\update.dat.
Renames the “update.dat” file to “win_sys.exe” (within the same folder)
Runs the Unblock-File command is used to remove security restrictions typically applied to files downloaded from the internet.
Adds a firewall allow rule is added for TCP port 5444, which the payload uses for command-and-control (C2) communications.
On Linux systems, the script will instead use a Bash one-liner to download the payload from 103[.]177.110.202/bot_x64.exe to /tmp/bot and execute it.
Why this botnet uses a single IP for delivery and command and control
The IP 103[.]177.110.202 belongs to Webico Company Limited, specifically its Tino brand, a Vietnamese company that offers domain registrar services and server hosting. Geolocation data indicates that the IP is located in Ho Chi Minh City. Open-source intelligence (OSINT) analysis revealed multiple malicious associations tied to the IP [1].
Darktrace’s analysis found that the IP 103[.]177.110.202 is used for multiple stages of an attack, including spreading and initial access, delivering payloads, and C2 communication. This is an unusual combination, as many malware families separate their spreading servers from their C2 infrastructure. Typically, malware distribution activity results in a high volume of abuse complaints, which may result in server takedowns or service suspension by internet providers. Separate C2 infrastructure ensures that existing infections remain controllable even if the spreading server is disrupted.
How the malware evades detection and maintains persistence
Analysis of the Linux payload (bot _x64)
The sample begins by setting the environmental variables BUILD_ID and JENKINS_NODE_COOKIE to “dontKillMe”. By default, Jenkins terminates long-running scripts after a defined timeout period; however, setting these variables to “dontKillMe” bypasses this check, allowing the script to continue running uninterrupted.
The script then performs several stealth behaviors to evade detection. First, it deletes the original executable from disk and then renames itself to resemble the legitimate kernel processes “ksoftirqd/0” or “kworker”, which are found on Linux installations by default. It then uses a double fork to daemonize itself, enabling it to run in the background, before redirecting standard input, standard output, and standard error to /dev/null, hiding any logging from the malware. Finally, the script creates a signal handler for signals such as SIGTERM, causing them to be ignored and making it harder to stop the process.
Figure 3: Stealth component of the main function
How the botnet communicates with command and control (C2)
The sample then connects to the C2 server and sends the detected architecture of the system on which the agent was installed. The malware then enters a loop to handle incoming commands.
The sample features two types of commands, utility commands used to manage the malware, and commands to trigger attacks. Three special commands are defined: “PING” (which replies with PONG as a keep-alive mechanism), “!stop” which causes the malware to exit, and “!update”, which triggers the malware to download a new version from the C2 server and restart itself.
Figure 4: Initial connection to the C2 sever.
What DDoS attack techniques this botnet uses
The attack commands consist of the following:
Many of these commands invoke the same function despite appearing to be different attack techniques. For example, specialized attacks such as Cloudflare bypass (cfbypass, uam) use the exact same function as a standard HTTP attack. This may indicate the threat actor is attempting to make the botnet look like it has more capabilities than it actually has, or it could suggest that these commands are placeholders for future attack functionality that has yet to be implemented
All the commands take three arguments: IP, port to attack, and the duration of the attack.
attack_udp and attack_udp_pps
The attack_udp and attack_udp_pps functions both use a basic loop and sendto system call to send UDP packets to the victim’s IP, either targeting a predetermined port or a random port. The attack_udp function sends packets with 1,450 bytes of data, aimed at bandwidth saturation, while the attack_udp_pps function sends smaller 64-byte packets. In both cases, the data body of the packet consists of entirely random data.
Figure 5: Code for the UDP attack method
attack_dayz
The attack_dayz function follows a similar structure to the attack_udp function; however, instead of sending random data, it will instead send a TSource Engine Query. This command is specific to Valve Source Engine servers and is designed to return a large volume of data about the targeted server. By repeatedly flooding this request, an attacker can exhaust the resources of a server using a comparatively small amount of data.
The Valve Source Engine server, also called Source Engine Dedicated server, is a server developed by video game company Valve that enables multiplayer gameplay for titles built using the Source game engine, which is also developed by Valve. The Source engine is used in games such as Counterstrike and Team Fortress 2. Curiously, the function attack_dayz, appears to be named after another popular online multiplayer game, DayZ; however, DayZ does not use the Valve Source Engine, making it unclear why this name was chosen.
Figure 6: The code for the “attack_dayz” attack function.
attack_tcp_push
The attack_tcp_push function establishes a TCP socket with the non-blocking flag set, allowing it to rapidly call functions such as connect() and send() without waiting for their completion. For the duration of the attack, it enters a while loop in which it repeatedly connects to the victim, sends 1,024 bytes of random data, and then closes the connection. This process repeats until the attack duration ends. If the mode flag is set to 1, the function also configures the socket with TCP no-delay enabled, allowing for packets to be sent immediately without buffering, resulting in a higher packet rate and a more effective attack.
Figure 7: The code for the TCP attack function.
attack_http
Similar to attach_tcp_push, attack_http configures a socket with no-delay enabled and non-blocking set. After establishing the connection, it sends 64 HTTP GET requests before closing the socket.
Figure 8: The code for the HTTP attack function.
attack_special
The attack_special function creates a UDP socket and sets the port and payload based on the value of the mode flag:
Mode 0: Port 53 (DNS), sending a 10-byte malformed data packet.
Mode 1: Port 27015 (Valve Source Engine), sending the previously observed TSource Engine Query packet.
Mode 2: Port 123 (NTP), sending the start of an NTP control request.
Figure 9: The code for the attack_special function.
What this botnet reveals about opportunistic attacks on internet-facing systems
Jenkins is one of the less frequently exploited services honeypotted by Darktrace, with only a handful campaigns observed. Nonetheless, the emergence of this new DDoS botnet demonstrates that attackers continue to opportunistically exploit any internet-facing misconfiguration at scale to grow the botnet strength.
While the hosts most commonly affected by these opportunistic attacks are usually “lower-value” systems, this distinction is largely irrelevant for botnets, where numbers alone are more important to overall effectiveness
The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers, with Cloudflare reporting it as the fourth most targeted industry [2]. This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.
Credit to Nathaniel Bill (Malware Research Engineer) Edited by Ryan Traill (Content Manager)
Indicators of Compromise (IoCs)
103[.]177.110.202 - Attacker and command-and-control IP
