Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Leddy
Director of Analyst Operations
Share
20
Oct 2021
In the era of international-scale cyber-warfare, focus has started to move away from small-time cyber thieves toward well-known, well-funded and sometimes government-backed cyber-crime organizations. Cyber-attacks sometimes work on discordant scales, however, and it doesn’t always take big budgets or key players for considerable damage to be dealt.
Numerous stories detail how the criminal and the curious alike have single-handedly breached some of the most secure systems in the world. At the more amusing end, there’s the story of Kristoffer von Hassel who discovered a novel exploit in Microsoft’s Xbox Live system at just five years old. And then of course there are those who hack their way right into promising security careers by breaching systems at major organizations. However, genuine damage has been done by individual threat actors as well.
These might be criminals using second-hand offensive tools, buying botnet armies for as little as $10 on the Dark Web, or using ransomware files downloaded for free. But ultimately, even a single cyber-criminal can inflict crippling damage upon large organizations if they are given the opportunity.
This is especially the case when the tools in their possession have been developed by some of the most notorious names in cyber-crime.
Copycat criminals
In early 2021, Darktrace detected a new instance of the once notorious Ryuk ransomware being launched against a business in the APAC region. The detection was intriguing.
The developers of Ryuk, a prolific cyber-criminal organization given the name ‘Wizard Spider’, had long since abandoned it in favor of a successor called ‘Conti’. Wizard Spider have launched some of the largest cyber-attacks in recent history, allegedly with the support of the Russian government, and are under investigation by Interpol and the FBI. They are not known for using outdated tools.
It soon became clear that this attack was not being launched by Wizard Spider at all, but by small-scale threat actors picking up the tools Wizard Spider left behind. And as the new attackers proved, these tools are still far from defunct.
Ryuk ransomware: A city-stopper for sale
Ryuk ransomware is commonly used to target large enterprise environments, even taking down entire city councils in some instances. Lake City, Florida and the City of Onkaparinga in South Australia are two of its known victims, along with numerous schools and hospitals across the US.
Once active in a system, Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files, disabling Windows’ system restore feature as it does so, and generally demands payment via Bitcoin in return for a private decryption key.
Though Ryuk was not initially sold in the same manner as its predecessor, Hermes, on the Dark Web site ‘exploit[.]in’, it is now believed by some publications that the toolkit must be available somewhere for various threat actors to buy and tailor to their requirements. This explains its recurrence beyond Wizard Spider activities.
New dog, old tricks
Darktrace spotted the new instance of Ryuk during a trial with a real estate business in the APAC region. The first warning sign came when some basic .dat files were downloaded onto one of the business’ devices from an unknown Russian IP address. Darktrace immediately detected that this download was a likely breach and, had Antigena been set up in active mode, would have initiated a targeted response at this early stage.
The .dat files on the infected device allowed the attackers to use RDP (Remote Desktop Protocol) to spread further into the business’ network. Two days after the initial compromise, the threat actor had gained administrative credentials through a bruteforce attack and could begin scanning the network further.
Figure 1: Timeline of the attack
The witching hour
Just an hour after the attacker gained administrative credentials, at approximately 3:30am local time, ransomware files appeared in the business’ network. This timing was not accidental. The attackers knew that the security teams at the target business were home and asleep when the ransomware landed in the small hours of the morning, giving them plenty of time to conduct their attack.
This is precisely the kind of simple tactic which can multiply the scale of an attack without using large budgets or complex toolsets. The Ryuk ransomware rapidly began encrypting corporate files during the night, and by the time the security team returned in the morning, all they could do was shut down the entire network and hope to limit the spread of Ryuk, if only to save a few final devices.
The total attack time, from initial compromise to widespread data encryption, was just two and a half days. Whether due to understaffing or preoccupation, the security team did not find the time in that small window to respond to alerts, and, with Darktrace Antigena in passive mode, the attack was able to go ahead. This business’ need for Autonomous Response, which can protect against old and new attacks around the clock without the need for manual intervention, was painfully apparent.
Autonomous Response: Stop Ryuk before Ryuk stops you
Understanding Ryuk’s history and functionality does little good for organizations when it is still capable of eluding their defenses and catching security teams unawares. Darktrace’s Self-Learning AI is uniquely positioned to address these sophisticated threats, even as they evolve in the hands of different attackers and become unrecognizable to traditional rule-based security approaches.
Utilizing 24/7 Autonomous Response to stop both new and old threats at machine speed gives security teams the best chance of leveling the playing field against attackers. With Darktrace Antigena, the size or status of the attacking organization and their toolset is irrelevant – any anomalous and threatening behavior will be neutralized quickly and accurately, before damage can be done.
Thanks to Darktrace analyst Thomas Nommensen for his insights on the above threat find.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Xillen Stealer Updates to Version 5 to Evade AI Detection
Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.
Darktrace Named the Only 2025 Gartner® Peer Insights™ Customers’ Choice for Network Detection and Response
Darktrace has been named the only Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response, earning a 4.8/5 rating from 242 reviews and being named both Gartner Customers’ Choice and a Magic Quadrant Leader recognition.
Managing OT Remote Access with Zero Trust Control & AI Driven Detection
The shift toward IT-OT convergence
Recently, industrial environments have become more connected and dependent on external collaboration. As a result, truly air-gapped OT systems have become less of a reality, especially when working with OEM-managed assets, legacy equipment requiring remote diagnostics, or third-party integrators who routinely connect in.
This convergence, whether it’s driven by digital transformation mandates or operational efficiency goals, are making OT environments more connected, more automated, and more intertwined with IT systems. While this convergence opens new possibilities, it also exposes the environment to risks that traditional OT architectures were never designed to withstand.
The modernization gap and why visibility alone isn’t enough
The push toward modernization has introduced new technology into industrial environments, creating convergence between IT and OT environments, and resulting in a lack of visibility. However, regaining that visibility is just a starting point. Visibility only tells you what is connected, not how access should be governed. And this is where the divide between IT and OT becomes unavoidable.
Security strategies that work well in IT often fall short in OT, where even small missteps can lead to environmental risk, safety incidents, or costly disruptions. Add in mounting regulatory pressure to enforce secure access, enforce segmentation, and demonstrate accountability, and it becomes clear: visibility alone is no longer sufficient. What industrial environments need now is precision. They need control. And they need to implement both without interrupting operations. All this requires identity-based access controls, real-time session oversight, and continuous behavioral detection.
The risk of unmonitored remote access
This risk becomes most evident during critical moments, such as when an OEM needs urgent access to troubleshoot a malfunctioning asset.
Under that time pressure, access is often provisioned quickly with minimal verification, bypassing established processes. Once inside, there’s little to no real-time oversight of user actions whether they’re executing commands, changing configurations, or moving laterally across the network. These actions typically go unlogged or unnoticed until something breaks. At that point, teams are stuck piecing together fragmented logs or post-incident forensics, with no clear line of accountability.
In environments where uptime is critical and safety is non-negotiable, this level of uncertainty simply isn’t sustainable.
The visibility gap: Who’s doing what, and when?
The fundamental issue we encounter is the disconnect between who has access and what they are doing with it.
Traditional access management tools may validate credentials and restrict entry points, but they rarely provide real-time visibility into in-session activity. Even fewer can distinguish between expected vendor behavior and subtle signs of compromise, misuse or misconfiguration.
As a result, OT and security teams are often left blind to the most critical part of the puzzle, intent and behavior.
Closing the gaps with zero trust controls and AI‑driven detection
Managing remote access in OT is no longer just about granting a connection, it’s about enforcing strict access parameters while continuously monitoring for abnormal behavior. This requires a two-pronged approach: precision access control, and intelligent, real-time detection.
Zero Trust access controls provide the foundation.By enforcing identity-based, just-in-time permissions, OT environments can ensure that vendors and remote users only access the systems they’re explicitly authorized to interact with, and only for the time they need. These controls should be granular enough to limit access down to specific devices, commands, or functions. By applying these principles consistently across the Purdue Model, organizations can eliminate reliance on catch-all VPN tunnels, jump servers, and brittle firewall exceptions that expose the environment to excess risk.
Access control is only one part of the equation
Darktrace / OT complements zero trust controls with continuous, AI-driven behavioral detection. Rather than relying on static rules or pre-defined signatures, Darktrace uses Self-Learning AI to build a live, evolving understanding of what’s “normal” in the environment, across every device, protocol, and user. This enables real-time detection of subtle misconfigurations, credential misuse, or lateral movement as they happen, not after the fact.
By correlating user identity and session activity with behavioral analytics, Darktrace gives organizations the full picture: who accessed which system, what actions they performed, how those actions compared to historical norms, and whether any deviations occurred. It eliminates guesswork around remote access sessions and replaces it with clear, contextual insight.
Importantly, Darktrace distinguishes between operational noise and true cyber-relevant anomalies. Unlike other tools that lump everything, from CVE alerts to routine activity, into a single stream, Darktrace separates legitimate remote access behavior from potential misuse or abuse. This means organizations can both audit access from a compliance standpoint and be confident that if a session is ever exploited, the misuse will be surfaced as a high-fidelity, cyber-relevant alert. This approach serves as a compensating control, ensuring that even if access is overextended or misused, the behavior is still visible and actionable.
If a session deviates from learned baselines, such as an unusual command sequence, new lateral movement path, or activity outside of scheduled hours, Darktrace can flag it immediately. These insights can be used to trigger manual investigation or automated enforcement actions, such as access revocation or session isolation, depending on policy.
This layered approach enables real-time decision-making, supports uninterrupted operations, and delivers complete accountability for all remote activity, without slowing down critical work or disrupting industrial workflows.
Where Zero Trust Access Meets AI‑Driven Oversight:
Granular Access Enforcement: Role-based, just-in-time access that aligns with Zero Trust principles and meets compliance expectations.
Context-Enriched Threat Detection: Self-Learning AI detects anomalous OT behavior in real time and ties threats to access events and user activity.
Automated Session Oversight: Behavioral anomalies can trigger alerting or automated controls, reducing time-to-contain while preserving uptime.
Full Visibility Across Purdue Layers: Correlated data connects remote access events with device-level behavior, spanning IT and OT layers.
Scalable, Passive Monitoring: Passive behavioral learning enables coverage across legacy systems and air-gapped environments, no signatures, agents, or intrusive scans required.
Complete security without compromise
We no longer have to choose between operational agility and security control, or between visibility and simplicity. A Zero Trust approach, reinforced by real-time AI detection, enables secure remote access that is both permission-aware and behavior-aware, tailored to the realities of industrial operations and scalable across diverse environments.
Because when it comes to protecting critical infrastructure, access without detection is a risk and detection without access control is incomplete.
Product Marketing Manager, OT Security & Compliance
Blog
/
Network
/
November 20, 2025
Xillen Stealer Updates to Version 5 to Evade AI Detection
Introduction
Python-based information stealer “Xillen Stealer” has recently released versions 4 and 5, expanding its targeting and functionality. The cross-platform infostealer, originally reported by Cyfirma in September 2025, targets sensitive data including credentials, cryptocurrency wallets, system information, browser data and employs anti-analysis techniques.
The update to v4/v5 includes significantly more functionality, including:
Persistence
Ability to steal credentials from password managers, social media accounts, browser data (history, cookies and passwords) from over 100 browsers, cryptocurrency from over 70 wallets
Kubernetes configs and secrets
Docker scanning
Encryption
Polymorphism
System hooks
Peer-to-Peer (P2P) Command-and-Control (C2)
Single Sign-On (SSO) collector
Time-Based One-Time Passwords (TOTP) and biometric collection
EDR bypass
AI evasion
Interceptor for Two-Factor Authentication (2FA)
IoT scanning
Data exfiltration via Cloud APIs
Xillen Stealer is marketed on Telegram, with different licenses available for purchase. Users who deploy the malware have access to a professional-looking GUI that enables them to view exfiltrated data, logs, infections, configurations and subscription information.
Figure 1: Screenshot of the Xillen Stealer portal.
Technical analysis
The following technical analysis examines some of the interesting functions of Xillen Stealer v4 and v5. The main functionality of Xillen Stealer is to steal cryptocurrency, credentials, system information, and account information from a range of stores.
Xillen Stealer specifically targets the following wallets and browsers:
AITargetDectection
Figure 2: Screenshot of Xillen Stealer’s AI Target detection function.
The ‘AITargetDetection’ class is intended to use AI to detect high-value targets based on weighted indicators and relevant keywords defined in a dictionary. These indicators include “high value targets”, like cryptocurrency wallets, banking data, premium accounts, developer accounts, and business emails. Location indicators include high-value countries such as the United States, United Kingdom, Germany and Japan, along with cryptocurrency-friendly countries and financial hubs. Wealth indicators such as keywords like CEO, trader, investor and VIP have also been defined in a dictionary but are not in use at this time, pointing towards the group’s intent to develop further in the future.
While the class is named ‘AITargetDetection’ and includes placeholder functions for initializing and training a machine learning model, there is no actual implementation of machine learning. Instead, the system relies entirely on rule-based pattern matching for detection and scoring. Even though AI is not actually implemented in this code, it shows how malware developers could use AI in future malicious campaigns.
Figure 3: Screenshot of dead code function.
AI Evasion
Figure 4: Screenshot of AI evasion function to create entropy variance.
‘AIEvasionEngine’ is a module designed to help malware evade AI-based or behavior-based detection systems, such as EDRs and sandboxes. It mimics legitimate user and system behavior, injects statistical noise, randomizes execution patterns, and camouflages resource usage. Its goal is to make the malware appear benign to machine learning detectors. The techniques used to achieve this are:
Noise Injection: Performs random memory, CPU, file, and network operations to confuse behavioral classifiers
Timing Randomization: Introduces irregular delays and sleep patterns to avoid timing-based anomaly detection
Resource Camouflage: Adjusts CPU and memory usage to imitate normal apps (such as browsers, text editors)
API Call Obfuscation: Random system API calls and pattern changes to hide malicious intent
Memory Access Obfuscation: Alters access patterns and entropy to bypass ML models monitoring memory behavior
PolymorphicEngine
As part of the “Rust Engine” available in Xillen Stealer is the Polymorphic Engine. The ‘PolymorphicEngine’ struct implements a basic polymorphic transformation system designed for obfuscation and detection evasion. It uses predefined instruction substitutions, control-flow pattern replacements, and dead code injection to produce varied output. The mutate_code() method scans input bytes and replaces recognized instruction patterns with randomized alternatives, then applies control flow obfuscation and inserts non-functional code to increase variability. Additional features include string encryption via XOR and a stub-based packer.
Collectors
DevToolsCollector
Figure 5: Screenshot of Kubernetes data function.
The ‘DevToolsCollector’ is designed to collect sensitive data related to a wide range of developer tools and environments. This includes:
IDE configurations
VS Code, VS Code Insiders, Visual Studio
JetBrains: Intellij, PyCharm, WebStorm
Sublime
Atom
Notepad++
Eclipse
Cloud credentials and configurations
AWS
GCP
Azure
Digital Ocean
Heroku
SSH keys
Docker & Kubernetes configurations
Git credentials
Database connection information
HeidiSQL
Navicat
DBeaver
MySQL Workbench
pgAdmin
API keys from .env files
FTP configs
FileZilla
WinSCP
Core FTP
VPN configurations
OpenVPN
WireGuard
NordVPN
ExpressVPN
CyberGhost
Container persistence
Figure 6: Screenshot of Kubernetes inject function.
Biometric Collector
Figure 7: Screenshot of the ‘BiometricCollector’ function.
The ‘BiometricCollector’ attempts to collect biometric information from Windows systems by scanning the C:\Windows\System32\WinBioDatabase directory, which stores Windows Hello and other biometric configuration data. If accessible, it reads the contents of each file, encodes them in Base64, preparing them for later exfiltration. While the data here is typically encrypted by Windows, its collection indicates an attempt to extract sensitive biometric data.
Password Managers
The ‘PasswordManagerCollector’ function attempts to steal credentials stored in password managers including, OnePass, LastPass, BitWarden, Dashlane, NordPass and KeePass. However, this function is limited to Windows systems only.
SSOCollector
The ‘SSOCollector’ class is designed to collect authentication tokens related to SSO systems. It targets three main sources: Azure Active Directory tokens stored under TokenBroker\Cache, Kerberos tickets obtained through the klist command, and Google Cloud authentication data in user configuration folders. For each source, it checks known directories or commands, reads partial file contents, and stores the results as in a dictionary. Once again, this function is limited to Windows systems.
TOTP Collector
The ‘TOTP Collector’ class attempts to collect TOTPs from:
Authy Desktop by locating and reading from Authy.db SQLite databases
Microsoft Authenticator by scanning known application data paths for stored binary files
TOTP-related Chrome extensions by searching LevelDB files for identifiable keywords like “gauth” or “authenticator”.
Each method attempts to locate relevant files, parse or partially read their contents, and store them in a dictionary under labels like authy, microsoft_auth, or chrome_extension. However, as before, this is limited to Windows, and there is no handling for encrypted tokens.
Enterprise Collector
The ‘EnterpriseCollector’ class is used to extract credentials related to an enterprise Windows system. It targets configuration and credential data from:
The files and directories are located based on standard environment variables with their contents read in binary mode and then encoded in Base64.
Super Extended Application Collector
The ‘SuperExtendedApplication’ Collector class is designed to scan an environment for 160 different applications on a Windows system. It iterates through the paths of a wide range of software categories including messaging apps, cryptocurrency wallets, password managers, development tools, enterprise tools, gaming clients, and security products. The list includes but is not limited to Teams, Slack, Mattermost, Zoom, Google Meet, MS Office, Defender, Norton, McAfee, Steam, Twitch, VMWare, to name a few.
Bypass
AppBoundBypass
This code outlines a framework for bypassing App Bound protections, Google Chrome' s cookie encryption. The ‘AppBoundBypass’ class attempts several evasion techniques, including memory injection, dynamic-link library (DLL) hijacking, process hollowing, atom bombing, and process doppelgänging to impersonate or hijack browser processes. As of the time of writing, the code contains multiple placeholders, indicating that the code is still in development.
Steganography
The ‘SteganographyModule’ uses steganography (hiding data within an image) to hide the stolen data, staging it for exfiltration. Multiple methods are implemented, including:
Image steganography: LSB-based hiding
NTFS Alternate Data Streams
Windows Registry Keys
Slack space: Writing into unallocated disk cluster space
Polyglot files: Appending archive data to images
Image metadata: Embedding data in EXIF tags
Whitespace encoding: Hiding binary in trailing spaces of text files
Exfiltration
CloudProxy
Figure 8: Screenshot of the ‘CloudProxy’ class.
The CloudProxy class is designed for exfiltrating data by routing it through cloud service domains. It encodes the input data using Base64, attaches a timestamp and SHA-256 signature, and attempts to send this payload as a JSON object via HTTP POST requests to cloud URLs including AWS, GCP, and Azure, allowing the traffic to blend in. As of the time of writing, these public facing URLs do not accept POST requests, indicating that they are placeholders meant to be replaced with attacker-controlled cloud endpoints in a finalized build.
P2PEngine
Figure 9: Screenshot of the P2PEngine.
The ‘P2PEngine’ provides multiple methods of C2, including embedding instructions within blockchain transactions (such as Bitcoin OP_RETURN, Ethereum smart contracts), exfiltrating data via anonymizing networks like Tor and I2P, and storing payloads on IPFS (a distributed file system). It also supports domain generation algorithms (DGA) to create dynamic .onion addresses for evading detection.
After a compromise, the stealer creates both HTML and TXT reports containing the stolen data. It then sends these reports to the attacker’s designated Telegram account.
Xillen Killers
FIgure 10: Xillen Killers.
Xillen Stealer appears to be developed by a self-described 15-year-old “pentest specialist” “Beng/jaminButton” who creates TikTok videos showing basic exploits and open-source intelligence (OSINT) techniques. The group distributing the information stealer, known as “Xillen Killers”, claims to have 3,000 members. Additionally, the group claims to have been involved in:
Analysis of Project DDoSia, a tool reportedly used by the NoName057(16) group, revealing that rather functioning as a distributed denial-of-service (DDos) tool, it is actually a remote access trojan (RAT) and stealer, along with the identification of involved individuals.
Compromise of doxbin.net in October 2025.
Discovery of vulnerabilities on a Russian mods site and a Ukrainian news site
The group, which claims to be part of the Russian IT scene, use Telegram for logging, marketing, and support.
Conclusion
While some components of XillenStealer remain underdeveloped, the range of intended feature set, which includes credential harvesting, cryptocurrency theft, container targeting, and anti-analysis techniques, suggests that once fully developed it could become a sophisticated stealer. The intention to use AI to help improve targeting in malware campaigns, even though not yet implemented, indicates how threat actors are likely to incorporate AI into future campaigns. Credit to Tara Gould (Threat Research Lead)
