Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Director of ITIS
Finance (Guest Contributor)
Share
02
Feb 2023
As the Director of ITIS for a credit union in the American Pacific Northwest, I know that if malware breaches our internal systems, it will debilitate us and affect the financial wellbeing of our 10,000 members.
My security team must protect our cyber infrastructure, including our online banking, internal network, and employee email systems. As part of that effort, we are tasked heavily by the Credit Union National Association (CUNA) and the federal government to follow specific, regularly changing standards for our IT security.
To meet those compliance standards, we deployed Darktrace. Once its AI learned our digital landscape, we could customize the settings to react in specific ways that adhere to compliance frameworks, and we can easily adapt to all changes that we’ve seen.
Darktrace learns the usual behavior of every device and user within our digital landscape. It then uses this understanding to identify threats within seconds and make autonomous, precise decisions that neutralize attacks without disrupting our operations.
Since we have five locations with hundreds of computers, servers, and switches, I don’t have the capacity to watch every system. However, using network mapping and traffic moderating capabilities, Darktrace gathers all the information I could need. It then generates clear, detailed reports through Explainable AI.
With its autonomous capabilities, Darktrace helps us stay compliant and stop attacks faster and more reliably than humans, saving my team both time and money.
Stopping Email Threats with Nuanced Interventions
In my experience, most breaches happen through email. I can control most web traffic with firewall rules and third-party tools. I can’t control, however, if a user clicks on something in a malicious email.
Darktrace/Email uses AI to identify and stop malicious email activity before it ever reaches a user’s inbox. It can take more detailed actions beyond merely allowing or blocking emails. Instead, it will neutralize the threatening components of emails. I especially love its ability to flatten any attachment into a PDF.
Since deploying Darktrace, I haven’t had a security breach that I couldn’t explain or fix. Darktrace has even blocked malicious emails that made it through my outside spam folder and internal exchange filter.
The metrics it provides internally are amazing, too. I can tell who’s moving files, where they’re moving files, what files they’re moving, if they are plain text passwords or shares or other sensitive information. At a glance, Darktrace does everything that would take me hours to trace down.
With this comprehensive visibility, we’ve started using Darktrace/Email in some unique ways. For example, we pull Darktrace’s metric breakdown of email traffic and feed it into a datamining program to see the efficacy of our marketing email campaigns.
Beyond the metrics, Darktrace’s ability to autonomously respond to threats gives me peace of mind. I have a machine that watches our email and network around the clock. Beyond stopping breaches from originating in our email systems and shutting down malicious activity in our network, Darktrace brings our email and network data together to make its AI even smarter. I know that when we fall victim to a cyber-attack, Darktrace will handle it.
Preempting Attacks by Understanding Our External Footprint
External footprint monitoring is an integral part of internal security because detecting and stopping an attack once it is launched is one thing, but being able to preempt an attack is even better. That’s why I deployed Darktrace PREVENT/Attack Surface Management™ (ASM) as soon as I could. It enables me to take a proactive approach and minimize risk before an attack ever occurs.
PREVENT/ASM generates objective reports based entirely on my unique footprint. It took only 10 days from its implementation until it identified all the assets that were out there, including some we weren’t aware of.
Now, two months later, it continues to monitor our ever-changing attack surface, informing us of vulnerabilities such as shadow IT, misconfigurations, and brand abuse. When it identifies threats, it generates digestible reports that I pass along to our third-party contractor to handle.
However, PREVENT’s power is amplified when paired with Darktrace DETECT™ and Darktrace RESPOND™. These three tools work together in the Cyber AI Loop™ to harden our entire security stack.
Since PREVENT can see potential avenues of attack in advance, the Loop can leverage this data to increase sensitivity in DETECT and RESPOND around these critical access points and inform my security team where to prioritize our resources to have the highest impact.
It’s hard to choose which capability of Darktrace has helped my team the most, because with the feedback loop, I now think of it holistically. Darktrace simply provides the value that I’m paying for, and I’m glad that I have it. As far as security software goes, it’s probably the slickest piece of software I’ve seen in my life, and I’ve been doing this for 30 years.
My advice to other financial institutions is that if you don’t have an AI security system, you need it. Threat actors have started using AI in their attacks, so we need to use AI to protect against them. Otherwise, it’s like fighting a jet plane with a rock and a stick. With this proactive approach, especially with PREVENT, Darktrace is working all the time to protect our digital estate, harden our security posture, and meet our compliance standards.
Darktrace’s free Proof of Value gives you the opportunity to speak directly with a Darktrace customer in a 1-1 reference call. Start a trial today.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Why attack-centric approaches to email security can’t cope with modern threats
Despite evolving email threats, many organizations still rely on SEGs or outdated, attack-focused methods. These approaches can’t counter advanced, AI-driven attacks. The solution? Business-centric email security that understands users and inbox behavior, not just threats.
Evaluating Email Security: How to Select the Best Solution for Your Organization
In today’s saturated market for email security, it can be difficult to cut through the noise of AI hype and vendor claims. CISOs should be using a structured evaluation framework to support informed, objective comparisons of different vendors – to allow them to make the best decision for their organization.
Why Data Classification Isn’t Enough to Prevent Data Loss
In a world of growing data volume and diversity, protecting and keeping track of your organization’s sensitive information is increasingly complex – particularly when 63% of breaches stem from malicious insiders or human error. This blog explores how security teams can achieve visibility beyond the limits of data classification, without adding to the burden of data management.
Modernising UK Cyber Regulation: Implications of the Cyber Security and Resilience Bill
The need for security and continued cyber resilience
The UK government has made national security a key priority, and the new Cyber Security and Resilience Bill (CSRB) is a direct reflection of that focus. In introducing the Bill, Secretary of State for Science, Innovation and Technology, Peter Kyle, recognised that the UK is “desperately exposed” to cyber threats—from criminal groups to hostile nation-states that are increasingly targeting the UK's digital systems and critical infrastructure[1].
Context and timeline for the new legislation
First announced during the King’s Speech of July 2024, and elaborated in a Department for Science, Innovation and Technology (DSIT) policy statement published in April 2025, the CSRB is expected to be introduced in Parliament during the 2025-26 legislative session.
For now, organisations in the UK remain subject to the 2018 Network and Information Systems (NIS) Regulations – an EU-derived law which was drafted before today’s increasing digitisation of critical services, rise in cloud adoption and emergence of AI-powered threats.
Why modernisation is critical
Without modernisation, the Government believes UK’s infrastructure and economy risks falling behind international peers. The EU, which revised its cybersecurity regulation under the NIS2 Directive, already imposes stricter requirements on a broader set of sectors.
The urgency of the Bill is also underscored by recent high-impact incidents, including the Synnovis attack which targeted the National Health Service (NHS) suppliers and disrupted thousands of patient appointments and procedures[2]. The Government has argued that such events highlight a systemic failure to keep pace with a rapidly evolving threat landscape[3].
What the Bill aims to achieve
This Bill represents a decisive shift. According to the Government, it will modernise and future‑proof the UK’s cyber laws, extending oversight to areas where risk has grown but regulation has not kept pace[4]. While the legislation builds on previous consultations and draws lessons from international frameworks like the EU’s NIS2 directive, it also aims to tailor solutions to the UK’s unique threat environment.
Importantly, the Government is framing cybersecurity not as a barrier to growth, but as a foundation for it. The policy statement emphasises that strong digital resilience will create the stability businesses need to thrive, innovate, and invest[5]. Therefore, the goals of the Bill will not only be to enhance security but also act as an enabler to innovation and economic growth.
Recognition that AI changes cyber threats
The CSRB policy statement recognises that AI is fundamentally reshaping the threat landscape, with adversaries now leveraging AI and commercial cyber tools to exploit vulnerabilities in critical infrastructure and supply chains. Indeed, the NCSC has recently assessed that AI will almost certainly lead to “an increase in the frequency and intensity of cyber threats”[6]. Accordingly, the policy statement insists that the UK’s regulatory framework “must keep pace and provide flexibility to respond to future threats as and when they emerge”[7].
To address the threat, the Bill signals new obligations for MSPs and data centres, timely incident reporting and dynamic guidance that can be refreshed without fresh primary legislation, making it essential for firms to follow best practices.
What might change in day-to-day practice?
New organisations in scope of regulation
Under the existing Network and Information Systems (NIS) Regulations[8], the UK already supervises operators in five critical sectors—energy, transport, drinking water, health (Operators of Essential Services, OES) and digital infrastructure (Relevant Digital Service Providers, RDSPs).
The Cyber Security and Resilience Bill retains this foundation and adds Managed Service Providers (MSPs) and data centres to the scope of regulation to “better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains”[9]. It also grants the Secretary of State for Science, Innovation and Technology the power to add new sectors or sub‑sectors via secondary legislation, following consultation with Parliament and industry.
Managed service providers (MSPs)
MSPs occupy a central position within the UK’s enterprise information‑technology infrastructure. Because they remotely run or monitor clients’ systems, networks and data, they hold privileged, often continuous access to multiple environments. This foothold makes them an attractive target for malicious actors.
The Bill aims to bring MSPs in scope of regulation by making them subject to the same duties as those placed on firms that provide digital services under the 2018 NIS Regulations. By doing so, the Bill seeks to raise baseline security across thousands of customer environments and to provide regulators with better visibility of supply‑chain risk.
The proposed definition for MSPs is a service which:
Is provided to another organisation
Relies on the use of network and information systems to deliver the service
Relates to ongoing management support, active administration and/or monitoring of AI systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security.
Involves a network connection and/or access to the customer’s network and information systems.
Data centres
Building on the September 2024 designation of data centres as critical national infrastructure, the CSRB will fold data infrastructure into the NIS-style regime by naming it an “relevant sector" and data centres as “essential service”[10].
About 182 colocation facilities run by 64 operators will therefore come under statutory duties to notify the regulator, maintain proportionate CAF-aligned controls and report significant incidents, regardless of who owns them or what workloads they host.
New requirements for regulated organisations
Incident reporting processes
There could be stricter timelines or broader definitions of what counts as a reportable incident. This might nudge organisations to formalise detection, triage, and escalation procedures.
The Government is proposing to introduce a new two-stage incident reporting process. This would include an initial notification which would be submitted within 24 hours of becoming aware of a significant incident, followed by a full incident report which should be submitted within 72 hours of the same.
Supply chain assurance requirements
Supply chains for the UK's most critical services are becoming increasingly complex and present new and serious vulnerabilities for cyber-attacks. The recent Synnovis ransomware attacks on the NHS[11] exemplify the danger posed by attacks against the supply chains of important services and organisations. This is concerning when reflecting on the latest Cyber Security Breaches survey conducted by DSIT, which highlights that fewer than 25% of large businesses review their supply chain risks[12].
Despite these risks, the UK’s legacy cybersecurity regulatory regime does not explicitly cover supply chain risk management. The UK instead relies on supporting and non-statutory guidance to close this gap, such as the NCSC’s Cyber Assessment Framework (CAF)[13].
The CSRB policy statement acts on this regulatory shortcoming and recognises that “a single supplier’s disruption can have far-reaching impacts on the delivery of essential or digital services”[14].
To address this, the Bill would make in-scope organisations (OES and RDPS) directly accountable for the cybersecurity of their supply chains. Secondary legislation would spell out these duties in detail, ensuring that OES and RDSPs systematically assess and mitigate third-party cyber risks.
Updated and strengthened security requirements
By placing the CAF into a firmer footing and backing it with a statutory Code of Practice, the Government is setting clearer expectations about government expectations on technical standards and methods organisations will need to follow to prove their resilience.
How Darktrace can help support affected organizations
Demonstrate resilience
Darktrace’s Self-Learning AITM continuously monitors your digital estate across cloud, network, OT, email, and endpoint to detect, investigate, and autonomously respond to emerging threats in real time. This persistent visibility and defense posture helps organizations demonstrate cyber resilience to regulators with confidence.
Streamline incident reporting and compliance
Darktrace surfaces clear alerts and automated investigation reports, complete with timeline views and root cause analysis. These insights reduce the time and complexity of regulatory incident reporting and support internal compliance workflows with auditable, AI-generated evidence.
Improve supply chain visibility
With full visibility across connected systems and third-party activity, Darktrace detects early indicators of lateral movement, account compromise, and unusual behavior stemming from vendor or partner access, reducing the risk of supply chain-originated cyber-attacks.
Ensure MSPs can meet new standards
For managed service providers, Darktrace offers native multi-tenant support and autonomous threat response that can be embedded directly into customer environments. This ensures consistent, scalable security standards across clients—helping MSPs address increasing regulatory obligations.
Unpacking ClickFix: Darktrace’s detection of a prolific social engineering tactic
What is ClickFix and how does it work?
Amid heightened security awareness, threat actors continue to seek stealthy methods to infiltrate target networks, often finding the human end user to be the most vulnerable and easily exploited entry point.
ClickFix baiting is an exploitation of the end user, making use of social engineering techniques masquerading as error messages or routine verification processes, that can result in malicious code execution.
Since March 2024, the simplicity of this technique has drawn attention from a range of threat actors, from individual cybercriminals to Advanced Persistent Threat (APT) groups such as APT28 and MuddyWater, linked to Russia and Iran respectively, introducing security threats on a broader scale [1]. ClickFix campaigns have been observed affecting organizations in across multiple industries, including healthcare, hospitality, automotive and government [2][3].
Actors carrying out these targeted attacks typically utilize similar techniques, tools and procedures (TTPs) to gain initial access. These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads [2][3]. Often, a hidden link within an email or malvertisements on compromised legitimate websites redirect the end user to a malicious URL [4]. These take the form of ‘Fix It’ or fake CAPTCHA prompts [4].
From there, users are misled into believing they are completing a human verification step, registering a device, or fixing a non-existent issue such as a webpage display error. As a result, they are guided through a three-step process that ultimately enables the execution of malicious PowerShell commands:
Open a Windows Run dialog box [press Windows Key + R]
Automatically or manually copy and paste a malicious PowerShell command into the terminal [press CTRL+V]
And run the prompt [press ‘Enter’] [2]
Once the malicious PowerShell command is executed, threat actors then establish command and control (C2) communication within the targeted environment before moving laterally through the network with the intent of obtaining and stealing sensitive data [4]. Malicious payloads associated with various malware families, such as XWorm, Lumma, and AsyncRAT, are often deployed [2][3].
Based on investigations conducted by Darktrace’s Threat Research team in early 2025, this blog highlights Darktrace’s capability to detect ClickFix baiting activity following initial access.
Darktrace’s coverage of a ClickFix attack chain
Darktrace identified multiple ClickFix attacks across customer environments in both Europe, the Middle East, and Africa (EMEA) and the United States. The following incident details a specific attack on a customer network that occurred on April 9, 2025.
Although the initial access phase of this specific attack occurred outside Darktrace’s visibility, other affected networks showed compromise beginning with phishing emails or fake CAPTCHA prompts that led users to execute malicious PowerShell commands.
Darktrace’s visibility into the compromise began when the threat actor initiated external communication with their C2 infrastructure, with Darktrace / NETWORK detecting the use of a new PowerShell user agent, indicating an attempt at remote code execution.
Figure 1: Darktrace / NETWORK's detection of a device making an HTTP connection with new PowerShell user agent, indicating PowerShell abuse for C2 communications.
Download of Malicious Files for Lateral Movement
A few minutes later, the compromised device was observed downloading a numerically named file. Numeric files like this are often intentionally nondescript and associated with malware. In this case, the file name adhered to a specific pattern, matching the regular expression: /174(\d){7}/. Further investigation into the file revealed that it contained additional malicious code designed to further exploit remote services and gather device information.
Figure 2: Darktrace / NETWORK's detection of a numeric file, one minute after the new PowerShell User Agent alert.
The file contained a script that sent system information to a specified IP address using an HTTP POST request, which also processed the response. This process was verified through packet capture (PCAP) analysis conducted by the Darktrace Threat Research team.
By analyzing the body content of the HTTP GET request, it was observed that the command converts the current time to Unix epoch time format (i.e., 9 April 2025 13:26:40 GMT), resulting in an additional numeric file observed in the URI: /1744205200.
Figure 3: PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.
Across Darktrace’s investigations into other customers' affected by ClickFix campaigns, both internal information discovery events and further execution of malicious code were observed.
Data Exfiltration
By following the HTTP stream in the same PCAP, the Darktrace Threat Research Team assessed the activity as indicative of data exfiltration involving system and device information to the same command-and-control (C2) endpoint, , 193.36.38[.]237. This endpoint was flagged as malicious by multiple open-source intelligence (OSINT) vendors [5].
Figure 4: PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.
Further analysis of Darktrace’s Advanced Search logs showed that the attacker’s malicious code scanned for internal system information, which was then sent to a C2 server via an HTTP POST request, indicating data exfiltration
Figure 5: Advanced Search further highlights Darktrace's observation of the HTTP POST request, with the second numeric file representing data exfiltration.
Actions on objectives
Around ten minutes after the initial C2 communications, the compromised device was observed connecting to an additional rare endpoint, 188.34.195[.]44. Further analysis of this endpoint confirmed its association with ClickFix campaigns, with several OSINT vendors linking it to previously reported attacks [6].
In the final HTTP POST request made by the device, Darktrace detected a file at the URI /init1234 in the connection logs to the malicious endpoint 188.34.195[.]44, likely depicting the successful completion of the attack’s objective, automated data egress to a ClickFix C2 server.
Darktrace / NETWORK grouped together the observed indicators of compromise (IoCs) on the compromised device and triggered an Enhanced Monitoring model alert, a high-priority detection model designed to identify activity indicative of the early stages of an attack. These models are monitored and triaged 24/7 by Darktrace’s Security Operations Center (SOC) as part of the Managed Threat Detection service, ensuring customers are promptly notified of malicious activity as soon as it emerges.
Figure 6: Darktrace correlated the separate malicious connections that pertained to a single campaign.
Darktrace Autonomous Response
In the incident outlined above, Darktrace was not configured in Autonomous Response mode. As a result, while actions to block specific connections were suggested, they had to be manually implemented by the customer’s security team. Due to the speed of the attack, this need for manual intervention allowed the threat to escalate without interruption.
However, in a different example, Autonomous Response was fully enabled, allowing Darktrace to immediately block connections to the malicious endpoint (138.199.156[.]22) just one second after the initial connection in which a numerically named file was downloaded [7].
Figure 7: Darktrace Autonomous Response blocked connections to a suspicious endpoint following the observation of the numeric file download.
This customer was also subscribed to our Managed Detection and Response service, Darktrace’s SOC extended a ‘Quarantine Device’ action that had already been autonomously applied in order to buy their security team additional time for remediation.
Figure 8: Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.
Conclusion
ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses. By tricking end point users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data.
Darktrace’s anomaly-based approach to threat detection identifies early indicators of targeted attacks without relying on prior knowledge or IoCs. By continuously learning each device’s unique pattern of life, Darktrace detects subtle deviations that may signal a compromise. In this case, Darktrace's Autonomous Response, when operating in a fully autonomous mode, was able to swiftly contain the threat before it could progress further along the attack lifecycle.
Credit to Keanna Grelicha (Cyber Analyst) and Jennifer Beckett (Cyber Analyst)
Appendices
NETWORK Models
Device / New PowerShell User Agent
Anomalous Connection / New User Agent to IP Without Hostname
Anomalous Connection / Posting HTTP to IP Without Hostname
Anomalous Connection / Powershell to Rare External
Device / Suspicious Domain
Device / New User Agent and New IP
Anomalous File / New User Agent Followed By Numeric File Download (Enhanced Monitoring Model)
.jpg)
.jpg)
![PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/684068fac1b4368f672c17cc_Screenshot%202025-06-04%20at%208.40.32%E2%80%AFAM.png)
![PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6840694509d92b6220ccf5f1_Screenshot%202025-06-04%20at%208.41.48%E2%80%AFAM.png)
![Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/68406a1f723c9d6fda9c5268_Screenshot%202025-06-04%20at%208.45.23%E2%80%AFAM.png)