Blog
/
OT
/
May 13, 2025

Revolutionizing OT Risk Prioritization with Darktrace 6.3

Darktrace / OT introduces IEC-62443 compliance reporting, expanded protocol visibility, and dynamic risk modeling, redefining how OT teams prioritize risks with contextual insights now additionally powered by firewall rule analysis and KEV scoring, all purpose-built to protect industrial operations and safety.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
man in hard hat on tabletDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
May 2025

Powering smarter protection for industrial systems

In industrial environments, security challenges are deeply operational. Whether you’re running a manufacturing line, a power grid, or a semiconductor fabrication facility (fab), you need to know: What risks can truly disrupt my operations, and what should I focus on first?

Teams need the right tools to shift from reactive defense, constantly putting out fires, to proactively thinking about their security posture. However, most OT teams are stuck using IT-centric tools that don’t speak the language of industrial systems, are consistently overwhelmed with static CVE lists, and offer no understanding of OT-specific protocols. The result? Compliance gaps, siloed insights, and risk models that don’t reflect real-world exposure, making risk prioritization seem like a luxury.

Darktrace / OT 6.3 was built in direct response to these challenges. Developed in close collaboration with OT operators and engineers, this release introduces powerful upgrades that deliver the context, visibility, and automation security teams need, without adding complexity. It’s everything OT defenders need to protect critical operations in one platform that understands the language of industrial systems.

additions to darktrace / ot 6/3

Contextual risk modeling with smarter Risk Scoring

Darktrace / OT 6.3 introduces major upgrades to OT Risk Management, helping teams move beyond generic CVE lists with AI-driven risk scoring and attack path modeling.

By factoring in real-world exploitability, asset criticality, and operational context, this release delivers a more accurate view of what truly puts critical systems at risk.

The platform now integrates:

  • CISA’s Known Exploited Vulnerabilities (KEV) database
  • End-of-life status for legacy OT devices
  • Firewall misconfiguration analysis
  • Incident response plan alignment

Most OT environments are flooded with vulnerability data that lacks context. CVE scores often misrepresent risk by ignoring how threats move through the environment or whether assets are even reachable. Firewalls are frequently misconfigured or undocumented, and EOL (End of Life) devices, some of the most vulnerable, often go untracked.

Legacy tools treat these inputs in isolation. Darktrace unifies them, showing teams exactly which attack paths adversaries could exploit, mapped to the MITRE ATT&CK framework, with visibility into where legacy tech increases exposure.

The result: teams can finally focus on the risks that matter most to uptime, safety, and resilience without wasting resources on noise.

Automating compliance with dynamic IEC-62443 reporting

Darktrace / OT now includes a purpose-built IEC-62443-3-3 compliance module, giving industrial teams real-time visibility into their alignment with regulatory standards. No spreadsheets required!

Industrial environments are among the most heavily regulated. However, for many OT teams, staying compliant is still a manual, time-consuming process.

Darktrace / OT introduces a dedicated IEC-62443-3-3 module designed specifically for industrial environments. Security and operations teams can now map their security posture to IEC standards in real time, directly within the platform. The module automatically gathers evidence across all four security levels, flags non-compliance, and generates structured reports to support audit preparation, all in just a few clicks.Most organizations rely on spreadsheets or static tools to track compliance, without clear visibility into which controls meet standards like IEC-62443. The result is hidden gaps, resource-heavy audits, and slow remediation cycles.

Even dedicated compliance tools are often built for IT, require complex setup, and overlook the unique devices found in OT environments. This leaves teams stuck with fragmented reporting and limited assurance that their controls are actually aligned with regulatory expectations.

By automating compliance tracking, surfacing what matters most, and being purpose built for industrial environments, Darktrace / OT empowers organizations to reduce audit fatigue, eliminate blind spots, and focus resources where they’re needed most.

Expanding protocol visibility with deep insights for specialized OT operations

Darktrace has expanded its Deep Packet Inspection (DPI) capabilities to support five industry-specific protocols, across healthcare, semiconductor manufacturing, and ABB control systems.

The new protocols build on existing capabilities across all OT industry verticals and protocol types to ensure the Darktrace Self-Learning AI TM can learn intelligently about even more assets in complex industrial environments. By enabling native, AI-driven inspection of these protocols, Darktrace can identify both security threats and operational issues without relying on additional appliances or complex integrations.

Most security platforms lack native support for industry-specific protocols, creating critical visibility gaps in customer environments like healthcare, semiconductor manufacturing, and ABB-heavy industrial automation. Without deep protocol awareness, organizations struggle to accurately identify specialized OT and IoT assets, detect malicious activity concealed within proprietary protocol traffic, and generate reliable device risk profiles due to insufficient telemetry.

These blind spots result in incomplete asset inventories, and ultimately, flawed risk posture assessments which over-index for CVE patching and legacy equipment.

By combining protocol-aware detection with full-stack visibility across IT, OT, and IoT, Darktrace’s AI can correlate anomalies across domains. For example, connecting an anomaly from a Medical IoT (MIoT) device with suspicious behavior in IT systems, providing actionable, contextual insights other solutions often miss.

Conclusion

Together, these capabilities take OT security beyond alert noise and basic CVE matching, delivering continuous compliance, protocol-aware visibility, and actionable, prioritized risk insights, all inside a single, unified platform built for the realities of industrial environments.

[related-resource]

Map Darktrace to the IEC framework

Download the guide to learn what the standard means for your OT environment and how Darktrace / OT maps to key security requirements

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Pallavi Singh
Product Marketing Manager, OT Security & Compliance

More in this series

No items found.

Blog

/

Network

/

August 5, 2025

2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review

cyberseucity 2025 half year threat report Default blog imageDefault blog image

2025: Threat landscape in review

The following is a retrospective of the first six months of 2025, highlighting key findings across the threat landscape impacting Darktrace customers.

Darktrace observed a wide range of tactics during this period, used by various types of threat actors including advanced persistent threats (APTs), Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) groups.

Methodology

Darktrace’s Analyst team conduct investigations and research into threats facing organizations and security teams across our customer base.  This includes direct investigations with our 24/7 Security Operations Centre (SOC), via services such as Managed Detection and Response (MDR) and Managed Threat Detection, as well as broader cross-fleet research through our Threat Research function.

At the core of our research is Darktrace’s anomaly-based detection, which the Analyst team contextualizes and analyzes to provide additional support to customers and deepen our understanding of the threats they face.

Threat actors are incorporating AI into offensive operations

Threat actors are continuously evolving their tactics, techniques, and procedures (TTPs), posing an ongoing challenge to effective defense hardening. Increasingly, many threat actors are adopting AI, particularly large language models (LLMs), into their operations to enhance the scale, sophistication, and efficacy of their attacks.

The evolving functionality of malware, such as the recently reported LameHug malware by CERT-UA, which uses an open-source LLM, exemplifies this observation [1].

Threat landscape trends in 2025

Threat actors applying AI to Email attacks

LLMs present a clear opportunity for attackers to take advantage of AI and create effective phishing emails at speed. While Darktrace cannot definitively confirm the use of AI to create the phishing emails observed across the customer base, the high volume of phishing emails and notable shifts in tactic could potentially be explained by threat actors adopting new tooling such as LLMs.

  • The total number of malicious emails detected by Darktrace from January to May 2025 was over 12.6 million
  • VIP users continue to face significant threat, with over 25% of all phishing emails targeting these users in the first five months of 2025
  • QR code-based phishing emails have remained a consistent tactic, with a similar proportion observed in January-May 2024 and 2025. The highest numbers were observed in February 2025, with over 1 million detected in that month alone.
  • Shifts towards increased sophistication within phishing emails are emerging, with a year-on-year increase in the proportion of phishing emails containing either a high text volume or multistage payloads. In the first five months of 2025, 32% of phishing emails contained a high volume of text.

The increase in proportion of phishing emails with a high volume of text in particular could point towards threat actors leveraging LLMs to create phishing emails with large, but believable, text in an easy and efficient way.

The above email statistics are derived from analysis of monitored Darktrace / EMAIL model data for all customer deployments hosted in the cloud between January 1 and May 31, 2025.

Campaign Spotlight: Simple, Quick - ClickFix

An interesting technique Darktrace observed multiple times throughout March and April was ClickFix social engineering, which exploits the intersection between humans and technology to trick users into executing malicious code on behalf of the attacker.

  • While this technique has been around since 2024, Darktrace observed campaign activity in the first half of 2025 suggesting a resurgence.  
  • A range of threat actors – from APTs to MaaS and RaaS have adopted this technique to deliver secondary payloads, like information stealing malware.
  • Attackers use fraudulent or compromised legitimate websites to inject malicious plugins that masquerade as fake CAPTCHAs.
  • Targeted users believe they are completing human verification or resolving a website issue, unaware that they are being guided through a series of simple steps to execute PowerShell code on their system.
  • Darktrace observed campaign activity during the first half of 2025 across a range of sectors, including Government, Healthcare, Insurance, Retail and, Non-profit.

Not just AI: Automation is enabling Ransomware and SaaS exploitation

The rise of phishing kits like FlowerStorm and Mamba2FA, which enable phishing and abuse users’ trust by mimicking legitimate services to bypass multi-factor authentication (MFA), highlight how the barriers to entry for sophisticated attacks continue to fall, enabling new threat actors. Combined with Software-as-a-Service (SaaS) account compromise, these techniques make up a substantial portion of cybercriminal activity observed by Darktrace so far this year.

Credentials remain the weak link

A key theme across multiple cases of ransomware was threat actors abusing compromised credentials to gain initial entry into networks via:

  • Unauthorized access to internet-facing technology such as RDP servers and virtual private networks (VPNs).
  • Unauthorized access to SaaS accounts.

SaaS targeted ransomware is on the rise

The encryption of files within SaaS environments observed by Darktrace demonstrates a continued trend of ransomware actors targeting these platforms over traditional networks, potentially driven by a higher return on investment.

SaaS accounts are often less protected than traditional systems because of Single Sign-On (SSO).  Additionally, platforms like Salesforce often host sensitive data, including emails, financial records, customer information, and network configuration details. This stresses the need for robust identity management practices and continuous monitoring.

RaaS is adding complexity and speed to cyber attacks

RaaS has dominated the attack landscape, with groups like Qilin, RansomHub, and Lynx all appearing multiple times in cases across Darktrace’s customer base over the past six months. Detecting ransomware attacks before the encryption stage remains a significant challenge, particularly in RaaS operations where different affiliates often use varying techniques for initial entry and earlier stages of the attack. Darktrace’s recent analysis of Scattered Spider underscores the challenge of hardening defenses against such varying techniques.

CVE exploitation continues despite available patches

Darktrace has also observed ransomware gangs exploiting known Common Vulnerabilities and Exposures (CVEs), including the Medusa ransomware group’s use of the SimpleHelp vulnerabilities: CVE-2024-57727 and CVE-2024-57728 in March, despite patches being made available in January [2].

Misused tools + delayed patches = growing cyber risk

The exploitation of common remote management tools like SimpleHelp highlights the serious challenges defenders face when patch management cycles are suboptimal. As threat actors continue to abuse legitimate services for malicious purposes, the challenges facing defenders will only grow more complex.

Edge exploitation

It comes as no surprise that exploitation of internet-facing devices continued to feature prominently in Darktrace’s Threat Research investigations during the first half of 2025.

Observed CVE exploitation included:

Many of Darktrace’s observations of CVE exploitation so far in 2025 align with wider industry reporting, which suggests that Chinese-nexus threat actors were deemed to likely have exploited these technologies prior to public disclosure. In the case of CVE-2025-0994 - a vulnerability affecting Trimble Cityworks, an asset management system designed for use by local governments, utilities, airports, and public work agencies [3].

Darktrace observed signs of exploitation as early as January 19, well before vulnerability’s public disclosure on February 6 [4]. Darktrace’s early identification of the exploitation stemmed from the detection of a suspicious file download from 192.210.239[.]172:3219/z44.exe - later linked to Chinese-speaking threat actors in a campaign targeting the US government [5].

This case demonstrates the risks posed by the exploitation of internet-facing devices, not only those hosting more common technologies, but also software associated specifically tied to Critical National Infrastructure (CNI); a lucrative target for threat actors. This also highlights Darktrace’s ability to detect exploitation of internet-facing systems, even without a publicly disclosed CVE. Further examples of how Darktrace’s anomaly detection can uncover malicious activity ahead of public vulnerability disclosures can be found here.

New threats and returning adversaries

In the first half of 2025, Darktrace observed a wide range of threats, from sophisticated techniques employed by APT groups to large-scale campaigns involving phishing and information stealers.

BlindEagle (APT-C-36)

Among the observed APT activity, BlindEagle (APT-C-36) was seen targeting customers in Latin America (LATM), first identified in February, with additional cases seen as recently as June.

Darktrace also observed a customer targeted in a China-linked campaign involving the LapDogs ORB network, with activity spanning from December 2024 and June 2025. These likely nation-state attacks illustrate the continued adoption of cyber and AI capabilities into the national security goals of certain countries.

Sophisticated malware functionality

Further sophistication has been observed within specific malware functionality - such as the malicious backdoor Auto-Color, which has now been found to employ suppression tactics to cover its tracks if it is unable to complete its kill chain - highlighting the potential for advanced techniques across every layer of an attack.

Familiar foes

Alongside new and emerging threats, previously observed and less sophisticated tools, such as worms, Remote Access Trojans (RATs), and information stealers, continue to impact Darktrace customers.

The Raspberry Robin worm... First seen in 2021, has been repeatedly identified within Darktrace’s customer base since 2022. Most recently, Darktrace’s Threat Research team identified cases in April and May this year. Recent open-source intelligence (OSINT) reporting suggests that Raspberry Robin continues to evolve its role as an Initial Access Broker (IAB), paving the way for various attacks and remaining a concern [6].

RATs also remain a threat, with examples like AsyncRAT and Gh0st RAT impacting Darktrace customers.

In April multiple cases of MaaS were observed in Darktrace’s customer base, with information stealers Amadey and Stealc, as well as GhostSocks being distributed as a follow up payload after an initial Amadey infection.

Conclusion

As cyber threats evolve, attackers are increasingly harnessing AI to craft highly convincing email attacks, automating phishing campaigns at unprecedented scale and speed. This, coupled with rapid exploitation of vulnerabilities and the growing sophistication of ransomware gangs operating as organized crime syndicates, makes today’s threat landscape more dynamic and dangerous than ever. Cyber defenders collaborate to combat these threats – the coordinated takedown of Lumma Stealer in May was a notable win for both industry and law-enforcement [7], however OSINT suggests that this threat persists [8], and new threats will continue to arise.

Traditional security tools that rely on static rules or signature-based detection often struggle to keep pace with these fast-moving, adaptive threats. In this environment, anomaly-based detection tools are no longer optional—they are essential. By identifying deviations in normal user and system behavior, tools like Darktrace provide a proactive layer of defense capable of detecting novel and emerging threats, even those that bypass conventional security measures. Investing in anomaly-based detection is critical to staying ahead of attackers who now operate with automation, intelligence, and global coordination.

Credit to Emma Foulger (Global Threat Research Operations Lead), Nathaniel Jones (VP, Security & AI Strategy, Field CISO),  Eugene Chua (Principal Cyber Analyst & Analyst Team Lead), Nahisha Nobregas (Senior Cyber Analyst), Nicole Wong (Principal Cyber Analyst), Justin Torres (Senior Cyber Analyst), Matthew John (Director of Operations, SOC), Sam Lister (Specialist Security Researcher), Ryan Traill (Analyst Content Lead) and the Darktrace Incident Management team.

The information contained in this blog post is provided for general informational purposes only and represents the views and analysis of Darktrace as of the date of publication. While efforts have been made to ensure the accuracy and timeliness of the information, the cybersecurity landscape is dynamic, and new threats or vulnerabilities may have emerged since this report was compiled.

This content is provided “as is” and without warranties of any kind, either express or implied. Darktrace makes no representations or warranties regarding the completeness, accuracy, reliability, or suitability of the information, and expressly disclaims all warranties.

Nothing in this blog post should be interpreted as legal, technical, or professional advice. Users of this information assume full responsibility for any actions taken based on its content, and Darktrace shall not be liable for any loss or damage resulting from reliance on this material. Reference to any specific products, companies, or services does not constitute or imply endorsement, recommendation, or affiliation.

Appendices

Indicators of Compromise (IoCs)

IoC - Type - Description + Probability

LapDogs ORB network, December 2024-June 2025

www.northumbra[.]com – Hostname – Command and Control (C2) server

103.131.189[.]2 – IP Address - C2 server, observed December 2024 & June 2025

103.106.230[.]31 – IP Address - C2 server, observed December 2024

154.223.20[.]56 – IP Address – Possible C2 server, observed December 2024

38.60.214[.]23 – IP Address – Possible C2 server, observed January & February 2025

154.223.20[.]58:1346/systemd-log – URL – Possible ShortLeash payload, observed December 2024

CN=ROOT,OU=Police department,O=LAPD,L=LA,ST=California,C=US - TLS certificate details for C2 server

CVE-2025-0994, Trimble Cityworks exploitation, January 2025

192.210.239[.]172:3219/z44.exe – URL - Likely malicious file download

AsyncRAT, February-March 2025

windows-cam.casacam[.]net – Hostname – Likely C2 server

88.209.248[.]141 – IP Address – Likely C2 server

207.231.105[.]51 – IP Address – Likely C2 server

163.172.125[.]253 – IP Address – Likely C2 server

microsoft-download.ddnsfree[.]com – Hostname – Likely C2 server

95.217.34[.]113 – IP Address – Likely C2 server

vpnl[.]net – Hostname – Likely C2 server

157.20.182[.]16 – IP Address - Likely C2 server

185.81.157[.]19 – IP Address – Likely C2 server

dynamic.serveftp[.]net – IP Address – Likely C2 server

158.220.96.15 – IP Address – Likely C2 server

CVE-2024-57727 & CVE-2024-57728, SimpleHelp RMM exploitation, March 2025

213.183.63[.]41 – IP Address - C2 server

213.183.63[.]41/access/JWrapper-Windows64JRE-version.txt?time=3512082867 – URL - C2 server

213.183.63[.]41/access/JWrapper-Windows64JRE-00000000002-archive.p2.l2 – URL - C2 server

pruebas.pintacuario[.]mx – Hostname – Possible C2 server

144.217.181[.]205 – IP Address – Likely C2 server

erp.ranasons[.]com – Hostname – Possible destination for exfiltration

143.110.243[.]154 – IP Address – Likely destination for exfiltration

Blind Eagle, April-June 2025

sostenermio2024.duckdns[.]org/31agosto.vbs – URL – Possible malicious file download

Stealc, April 2025

88.214.48[.]93/ea2cb15d61cc476f[.]php – URL – C2 server

Amadey & GhostSocks, April 2025

195.82.147[.]98 – IP Address - Amadey C2 server

195.82.147[.]98/0Bdh3sQpbD/index.php – IP Address – Likely Amadey C2 activity

194.28.226.181 – IP Address – Likely GhostSocks C2 server

RaspberryRobin, May 2025

4j[.]pm – Hostname – C2 server

4xq[.]nl – Hostname – C2 server

8t[.]wf – Hostname – C2 server

Gh0stRAT, May 2025

lu.dssiss[.]icu  - Hostname – Likely C2 server

192.238.133[.]162:7744/1-111.exe – URL – Possible addition payload

8e9dec3b028f2406a8c546a9e9ea3d50609c36bb - SHA1 - Possible additional payload

f891c920f81bab4efbaaa1f7a850d484 - MD5 – Possible additional payload

192.238.133[.]162:7744/c3p.exe – URL - Possible additional payload

03287a15bfd67ff8c3340c0bae425ecaa37a929f - SHA1 - Possible additional payload

02aa02aee2a6bd93a4a8f4941a0e6310 - MD5 - Possible additional payload

192.238.133[.]162:7744/1-1111.exe – URL - Possible additional payload

1473292e1405882b394de5a5857f0b6fa3858fd1 - SHA1 - Possible additional payload

69549862b2d357e1de5bab899ec0c817 - MD5 - Possible additional payload

192.238.133[.]162:7744/1-25.exe – URL -  Possible additional payload

20189164c4cd5cac7eb76ba31d0bd8936761d7a7  - SHA1 - Possible additional payload

f42aa5e68b28a3f335f5ea8b6c60cb57 – MD5 - Possible additional payload

192.238.133[.]162:7744/Project1_se.exe – URL - Possible additional payload

fea1e30dfafbe9fa9abbbdefbcbe245b6b0628ad - SHA1 - Possible additional payload

5ea622c630ef2fd677868cbe8523a3d5 - MD5 - Possible additional payload

192.238.133[.]162:7744/Project1_se.exe - URL - Possible additional payload

aa5a5d2bd610ccf23e58bcb17d6856d7566d71b9  - SHA1 - Possible additional payload

9d33029eaeac1c2d05cf47eebb93a1d0 - MD5 - Possible additional payload

References and further reading

1.        https://cip.gov.ua/en/news/art28-atakuye-sektor-bezpeki-ta-oboroni-za-dopomogoyu-programnogo-zasobu-sho-vikoristovuye-shtuchnii-intelekt?utm_medium=email&_hsmi=113619842&utm_content=113619842&utm_source=hs_email

2.        https://www.s-rminform.com/latest-thinking/cyber-threat-advisory-medusa-and-the-simplehelp-vulnerability

3.        https://assetlifecycle.trimble.com/en/products/software/cityworks

4.     https://nvd.nist.gov/vuln/detail/CVE-2025-0994

5.     https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/

6.        https://www.silentpush.com/blog/raspberry-robin/

7.        https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/

8.     https://www.trendmicro.com/en_sg/research/25/g/lumma-stealer-returns.html

Related Darktrace investigations

-              ClickFix

-              FlowerStorm

-              Mamba 2FA

-              Qilin Ransomware

-              RansomHub Ransomware

-              RansomHub Revisited

-              Lynx Ransomware

-              Scattered Spider

-              Medusa Ransomware

-              Legitimate Services Malicious Intentions

-              CVE-2025-0282 and CVE-2025-0283 – Ivanti CS, PS and ZTA

-              CVE-2025-31324 – SAP Netweaver

-              Pre-CVE Threat Detection

-              BlindEagle (APT-C-36)

-              Raspberry Robin Worm

-              AsyncRAT

-              Amadey

-              Lumma Stealer

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead

Blog

/

AI

/

August 5, 2025

Darktrace's Cyber AI Analyst in Action: 4 Real-World Investigations into Advanced Threat Actors

Man looking at computer doing work, cybersecurity, AI, AI analystDefault blog imageDefault blog image

From automation to intelligence

There’s a lot of attention around AI in cybersecurity right now, similar to how important automation felt about 15 years ago. But this time, the scale and speed of change feel different.

In the context of cybersecurity investigations, the application of AI can significantly enhance an organization's ability to detect, respond to, and recover from incidents. It enables a more proactive approach to cybersecurity, ensuring a swift and effective response to potential threats.

At Darktrace, we’ve learned that no single AI technique can solve cybersecurity on its own. We employ a multi-layered AI approach, strategically integrating a diverse set of techniques both sequentially and hierarchically. This layered architecture allows us to deliver proactive, adaptive defense tailored to each organization’s unique environment.

Darktrace uses a range of AI techniques to perform in-depth analysis and investigation of anomalies identified by lower-level alerts, in particular automating Levels 1 and 2 of the Security Operations Centre (SOC) team’s workflow. This saves teams time and resources by automating repetitive and time-consuming tasks carried out during investigation workflows. We call this core capability Cyber AI Analyst.

How Darktrace’s Cyber AITM Analyst works

Cyber AI Analyst mimics the way a human carries out a threat investigation: evaluating multiple hypotheses, analyzing logs for involved assets, and correlating findings across multiple domains. It will then generate an alert with full technical details, pulling relevant findings into a single pane of glass to track the entire attack chain.

Learn more about how Cyber AI Analyst accomplishes this here:

This blog will highlight four examples where Darktrace’s agentic AI, Cyber AI Analyst, successfully identified the activity of sophisticated threat actors, including nation state adversaries. The final example will include step-by-step details of the investigations conducted by Cyber AI Analyst.

[related-resource]

Case 1: Cyber AI Analyst vs. ShadowPad Malware: East Asian Advanced Persistent Threat (APT)

In March 2025, Darktrace detailed a lengthy investigation into two separate threads of likely state-linked intrusion activity in a customer network, showcasing Cyber AI Analyst’s ability to identify different activity threads and piece them together.

The first of these threads...

occurred in July 2024 and involved a malicious actor establishing a foothold in the customer’s virtual private network (VPN) environment, likely via the exploitation of an information disclosure vulnerability (CVE-2024-24919) affecting Check Point Security Gateway devices.

Using compromised service account credentials, the actor then moved laterally across the network via RDP and SMB, with files related to the modular backdoor ShadowPad being delivered to targeted internal systems. Targeted systems went on to communicate with a C2 server via both HTTPS connections and DNS tunnelling.

The second thread of activity...

Which occurred several months earlier in October 2024, involved a malicious actor infiltrating the customer's desktop environment via SMB and WMI.

The actor used these compromised desktops to discriminately collect sensitive data from a network share before exfiltrating such data to a web of likely compromised websites.

For each of these threads of activity, Cyber AI Analyst was able to identify and piece together the relevant intrusion steps by hypothesizing, analyzing, and then generating a singular view of the full attack chain.

Cyber AI Analyst identifying and piecing together the various steps of the ShadowPad intrusion activity.
Figure 1: Cyber AI Analyst identifying and piecing together the various steps of the ShadowPad intrusion activity.
Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.
Figure 2: Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.

These Cyber AI Analyst investigations enabled a quicker understanding of the threat actor’s sequence of events and, in some cases, led to faster containment.

Read the full detailed blog on Darktrace’s ShadowPad investigation here!

Case 2: Cyber AI Analyst vs. Blind Eagle: South American APT

Since 2018, APT-C-36, also known as Blind Eagle, has been observed performing cyber-attacks targeting various sectors across multiple countries in Latin America, with a particular focus on Colombia.

In February 2025, Cyber AI Analyst provided strong coverage of a Blind Eagle intrusion targeting a South America-based public transport provider, identifying and correlating various stages of the attack, including tooling.

Cyber AI Analyst investigation linking likely Remcos C2 traffic, a suspicious file download, and eventual data exfiltration.Type image caption here (optional)
Figure 3: Cyber AI Analyst investigation linking likely Remcos C2 traffic, a suspicious file download, and eventual data exfiltration.Type image caption here (optional)
Cyber AI Analyst identifying unusual data uploads to another likely Remcos C2 endpoint and correlated each of the individual detections involved in this compromise, identifying them as part of a broader incident that encompassed C2 connectivity, suspicious downloads, and external data transfers.
Figure 4: Cyber AI Analyst identifying unusual data uploads to another likely Remcos C2 endpoint and correlated each of the individual detections involved in this compromise, identifying them as part of a broader incident that encompassed C2 connectivity, suspicious downloads, and external data transfers.

In this campaign, threat actors have been observed using phishing emails to deliver malicious URL links to targeted recipients, similar to the way threat actors have previously been observed exploiting CVE-2024-43451, a vulnerability in Microsoft Windows that allows the disclosure of a user’s NTLMv2 password hash upon minimal interaction with a malicious file [4].

In late February 2025, Darktrace observed activity assessed with medium confidence to be associated with Blind Eagle on the network of a customer in Colombia. Darktrace observed a device on the customer’s network being directed over HTTP to a rare external IP, namely 62[.]60[.]226[.]112, which had never previously been seen in this customer’s environment and was geolocated in Germany.

Read the full Blind Eagle threat story here!

Case 3: Cyber AI Analyst vs. Ransomware Gang

In mid-March 2025, a malicious actor gained access to a customer’s network through their VPN. Using the credential 'tfsservice', the actor conducted network reconnaissance, before leveraging the Zerologon vulnerability and the Directory Replication Service to obtain credentials for the high-privilege accounts, ‘_svc_generic’ and ‘administrator’.

The actor then abused these account credentials to pivot over RDP to internal servers, such as DCs. Targeted systems showed signs of using various tools, including the remote monitoring and management (RMM) tool AnyDesk, the proxy tool SystemBC, the data compression tool WinRAR, and the data transfer tool WinSCP.

The actor finally collected and exfiltrated several gigabytes of data to the cloud storage services, MEGA, Backblaze, and LimeWire, before returning to attempt ransomware detonation.

Figure 5: Cyber AI Analyst detailing its full investigation, linking 34 related Incident Events in a single pane of glass.

Cyber AI Analyst identified, analyzed, and reported on all corners of this attack, resulting in a threat tray made up of 34 Incident Events into a singular view of the attack chain.

Cyber AI Analyst identified activity associated with the following tactics across the MITRE attack chain:

  • Initial Access
  • Persistence
  • Privilege Escalation
  • Credential Access
  • Discovery
  • Lateral Movement
  • Execution
  • Command and Control
  • Exfiltration

Case 4: Cyber AI Analyst vs Ransomhub

Cyber AI Analyst presenting its full investigation into RansomHub, correlating 38 Incident Events.
Figure 6: Cyber AI Analyst presenting its full investigation into RansomHub, correlating 38 Incident Events.

A malicious actor appeared to have entered the customer’s network their VPN, using a likely attacker-controlled device named 'DESKTOP-QIDRDSI'. The actor then pivoted to other systems via RDP and distributed payloads over SMB.

Some systems targeted by the attacker went on to exfiltrate data to the likely ReliableSite Bare Metal server, 104.194.10[.]170, via HTTP POSTs over port 5000. Others executed RansomHub ransomware, as evidenced by their SMB-based distribution of ransom notes named 'README_b2a830.txt' and their addition of the extension '.b2a830' to the names of files in network shares.

Through its live investigation of this attack, Cyber AI Analyst created and reported on 38 Incident Events that formed part of a single, wider incident, providing a full picture of the threat actor’s behavior and tactics, techniques, and procedures (TTPs). It identified activity associated with the following tactics across the MITRE attack chain:

  • Execution
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact (i.e., encryption)
Step-by-step details of one of the network scanning investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 7: Step-by-step details of one of the network scanning investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Step-by-step details of one of the administrative connectivity investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 8: Step-by-step details of one of the administrative connectivity investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
 Step-by-step details of one of the external data transfer investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace. Step-by-step details of one of the external data transfer investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 9: Step-by-step details of one of the external data transfer investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Step-by-step details of one of the data collection and exfiltration investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 10: Step-by-step details of one of the data collection and exfiltration investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Step-by-step details of one of the ransomware encryption investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 11: Step-by-step details of one of the ransomware encryption investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.

Conclusion

Security teams are challenged to keep up with a rapidly evolving cyber-threat landscape, now powered by AI in the hands of attackers, alongside the growing scope and complexity of digital infrastructure across the enterprise.

Traditional security methods, even those that use some simple machine learning, are no longer sufficient, as these tools cannot keep pace with all possible attack vectors or respond quickly enough machine-speed attacks, given their complexity compared to known and expected patterns. Security teams require a step up in their detection capabilities, leveraging machine learning to understand the environment, filter out the noise, and take action where threats are identified. This is where Cyber AI Analyst steps in to help.

Credit to Nathaniel Jones (VP, Security & AI Strategy, FCISO), Sam Lister (Security Researcher), Emma Foulger (Global Threat Research Operations Lead), and Ryan Traill (Analyst Content Lead)

[related-resource]

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI