Blog
/
/
October 3, 2023

Revealing ViperSoftX Intrusion: Detecting Malware

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Oct 2023
Read how Darktrace effectively detects and responds to ViperSoftX malware across their customer base, even with its advanced evasion tactics. Learn more.

Fighting Info-Stealing Malware

The escalating threat posed by information-stealing malware designed to harvest and steal the sensitive data of individuals and organizations alike has become a paramount concern for security teams across the threat landscape. In direct response to security teams improving their threat detection and prevention capabilities, threat actors are forced to continually adapt and advance their techniques, striving for greater sophistication to ensure they can achieve the malicious goals.

What is ViperSoftX?

ViperSoftX is an information stealer and Remote Access Trojan (RAT) malware known to steal privileged information such as cryptocurrency wallet addresses and password information stored in browsers and password managers. It is commonly distributed via the download of cracked software from multiple sources such as suspicious domains, torrent downloads, and key generators (keygens) from third-party sites.

ViperSoftX was first observed in the wild in 2020 [1] but more recently, new strains were identified in 2022 and 2023 utilizing more sophisticated detection evasion techniques, making it more difficult for security teams to identify and analyze. This includes using more advanced encryption methods alongside monthly changes to command-and-control servers (C2) [2], using dynamic-link library (DLL) sideloading for execution techiques, and subsequently loading a malicious browser extension upon infection which works as an independent info-stealer named VenomSoftX [3].

Between February and June 2023, Darktrace detected activity related to the VipersoftX and VenomSoftX information stealers on the networks of more than 100 customers across its fleet. Darktrace DETECT™ was able to successfully identify the anomalous network activity surrounding these emerging information stealer infections and bring them to the attention of the customers, while Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and shut down malicious downloads and data exfiltration attempts.

ViperSoftX Attack & Darktrace Coverage

In cases of ViperSoftX information stealer activity observed by Darktrace, the initial infection was caused through the download of malicious files from multimedia sites, endpoints of cracked software like Adobe Illustrator, and torrent sites. Endpoint users typically unknowingly download the malware from these endpoints with a sideloaded DLL, posing as legitimate software executables.

Darktrace detected multiple downloads from such multimedia sites and endpoints related to cracked software and BitTorrent, which were likely representative of the initial source of ViperSoftX infection. Darktrace DETECT models such as ‘Anomalous File / Anomalous Octet Stream (No User Agent)’ breached in response to this activity and were brought to the immediate attention of customer security teams. In instances where Darktrace RESPOND was configured in autonomous response mode, Darktrace was able to enforce a pattern of life on offending devices, preventing them from downloading malicious files.  This ensures that devices are limited to conducting only their pre-established expected activit, minimizing disruption to the business whilst targetedly mitigating suspicious file downloads.

The downloads are then extracted, decrypted and begin to run on the device. The now compromised device will then proceed to make external connections to C2 servers to retrieve secondary PowerShell executable. Darktrace identified that infected devices using PowerShell user agents whilst making HTTP GET requests to domain generation algorithm (DGA) ViperSoftX domains represented new, and therefore unusual, activity in a large number of cases.

For example, Darktrace detected one customer device making an HTTP GET request to the endpoint ‘chatgigi2[.]com’, using the PowerShell user agent ‘Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364’. This new activity triggered a number of DETECT models, including ‘Anomalous Connection / PowerShell to Rare External’ and ‘Device / New PowerShell User Agent’. Repeated connections to these endpoints also triggered C2 beaconing models including:  

  • Compromise / Agent Beacon (Short Period)
  • Compromise / Agent Beacon (Medium Period)
  • Compromise / Agent Beacon (Long Period)
  • Compromise / Quick and Regular Windows HTTP Beaconing
  • Compromise / SSL or HTTP Beacon

Although a large number of different DGA domains were detected, commonalities in URI formats were seen across affected customers which matched formats previously identified as ViperSoftX C2 communication by open-source intelligence (OSINT), and in other Darktrace investigations.  

URI paths for example, were always of the format /api/, /api/v1/, /v2/, or /v3/, appearing to detail version number, as can be seen in Figure 1.

Figure 1: A Packet Capture (PCAP) taken from Darktrace showing a connection made to a ViperSoftX C2 endpoint containing versioning information, consistent with ViperSoftX pattern of communication.  

Before the secondary PowerShell executables are loaded, ViperSoftX takes a digital fingerprint of the infected machine to gather its configuration details, and exfiltrates them to the C2 server. These include the computer name, username, Operating System (OS), and ensures there are no anti-virus or montoring tools on the device. If no security tool are detected, ViperSoftX then downloads, decrypts and executes the PowerShell file.

Following the GET requests Darktrace observed numerous devices performing HTTP POST requests and beaconing connections to ViperSoftX endpoints with varying globally unique identifiers (GUIDs) within the URIs. These connections represented the exfiltration of device configuration details, such as “anti-virus detected”, “app used”, and “device name”. As seen on another customer’s deployment, this caused the model ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ to breach, which was also detected by Cyber AI Analyst as seen in Figure 2.

Figure 2: Cyber AI Analyst’s detection of HTTP POSTs being made to apibiling[.]com, a ViperSoftX C2 endpoint.

The malicious PowerShell download then crawls the infected device’s systems and directories looking for any cryptocurrency wallet information and password managers, and exfiltrates harvest data to the C2 infrastructure. The C2 server then provides further browser extensions to Chromium browsers to be downloaded and act as a separate stand-alone information stealer, also known as VenomSoftX.

Similar to the initial download of ViperSoftX, these malicious extensions are disguised as legitimate browser extensions to evade the detection of security teams. VenomSoft X, in turn, searches through and attempts to gather sensitive data from password managers and crypto wallets stored in user browsers. Using this information, VenomSoftX is able to redirect crypocurrency transactions by intercepting and manipulating API requests between the sender and the intended recipient, directing the cryptocurrency to the attacker instead [3].

Following investigation into VipersoftX activity across the customer base, Darktrace notified all affected customers and opened Ask the Expert (ATE) tickets through which customer’s could directly contact the analyst team for support and guidance in the face on the information stealer infection.

How did the attack bypass the rest of the security stack?

As previously mentioned, both the initial download of ViperSoftX and the subsequent download of the VenomX browser extension are disguised as legitimate software or browser downloads. This is a common technique employed by threat actors to infect target devices with malicious software, while going unnoticed by security teams traditional security measures. Furthermore, by masquerading as a legitimate piece of software endpoint users are more likely to trust and therefore download the malware, increasing the likelihood of threat actor’s successfully carrying out their objectives. Additionally, post-infection analysis of shellcode, the executable code used as the payload, is made significantly more difficult by VenomSoftX’s use of bytemapping. Bytemapping prevents the encryption of shellcodes without its corresponding byte map, meaning that the payloads cannot easily be decrypted and analysed by security researchers. [3]

ViperSoftX also takes numerous attempts to prevent their C2 infrastructure from being identified by blocking access to it on browsers, and using multiple DGA domains, thus renderring defunct traditional security measures that rely on threat intelligence and static lists of indicators of compromise (IoCs).

Fortunately for Darktrace customers, Darktrace’s anomaly-based approach to threat detection means that it was able to detect and alert customers to this suspicious activity that may have gone unnoticed by other security tools.

Insights/Conclusion

Faced with the challenge of increasingly competent and capable security teams, malicious actors are having to adopt more sophisticated techniques to successfully compromise target systems and achieve their nefarious goals.

ViperSoftX information stealer makes use of numerous tactics, techniques and procedures (TTPs) designed to fly under the radar and carry out their objectives without being detected. ViperSoftX does not rely on just one information stealing malware, but two with the subsequent injection of the VenomSoftX browser extension, adding an additional layer of sophistication to the informational stealing operation and increasing the potential yield of sensitive data. Furthermore, the use of evasion techniques like disguising malicious file downloads as legitimate software and frequently changing DGA domains means that ViperSoftX is well equipped to infiltrate target systems and exfiltrate confidential information without being detected.

However, the anomaly-based detection capabilities of Darktrace DETECT allows it to identify subtle changes in a device’s behavior, that could be indicative of an emerging compromise, and bring it to the customer’s security team. Darktrace RESPOND is then autonomously able to take action against suspicious activity and shut it down without latency, minimizing disruption to the business and preventing potentially significant financial losses.

Credit to: Zoe Tilsiter, Senior Cyber Analyst, Nathan Lorenzo, Cyber Analyst.

Appendices

References

[1] https://www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat

[2] https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html

[3] https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/

Darktrace DETECT Model Detections

·       Anomalous File / Anomalous Octet Stream (No User Agent)

·       Anomalous Connection / PowerShell to Rare External

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

·       Anomalous Connection / Lots of New Connections

·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint

·       Anomalous Server Activity / Outgoing from Server

·       Compromise / Large DNS Volume for Suspicious Domain

·       Compromise / Quick and Regular Windows HTTP Beaconing

·       Compromise / Beacon for 4 Days

·       Compromise / Suspicious Beaconing Behaviour

·       Compromise / Large Number of Suspicious Failed Connections

·       Compromise / Large Number of Suspicious Successful Connections

·       Compromise / POST and Beacon to Rare External

·       Compromise / DGA Beacon

·       Compromise / Agent Beacon (Long Period)

·       Compromise / Agent Beacon (Medium Period)

·       Compromise / Agent Beacon (Short Period)

·       Compromise / Fast Beaconing to DGA

·       Compromise / SSL or HTTP Beacon

·       Compromise / Slow Beaconing Activity To External Rare

·       Compromise / Beaconing Activity To External Rare

·       Compromise / Excessive Posts to Root

·       Compromise / Connections with Suspicious DNS

·       Compromise / HTTP Beaconing to Rare Destination

·       Compromise / High Volume of Connections with Beacon Score

·       Compromise / Sustained SSL or HTTP Increase

·       Device / New PowerShell User Agent

·       Device / New User Agent and New IP

Darktrace RESPOND Model Detections

·       Antigena / Network / External Threat / Antigena Suspicious File Block

·       Antigena / Network / External Threat / Antigena File then New Outbound Block

·       Antigena / Network / External Threat / Antigena Watched Domain Block

·       Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

·       Antigena / Network / External Threat / Antigena Suspicious Activity Block

·       Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

·       Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

·       Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

·       Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

List of IoCs

Indicator - Type - Description

ahoravideo-blog[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-chat[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

apibilng[.]com - Hostname - ViperSoftX C2 endpoint

arrowlchat[.]com - Hostname - ViperSoftX C2 endpoint

bideo-blog[.]com - Hostname - ViperSoftX C2 endpoint

bideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint

bideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-chat[.]com - Hostname - ViperSoftX C2 endpoint

bideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-endpoint[.]com - Hostname - ViperSoftX C2 endpoint

bideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

chatgigi2[.]com - Hostname - ViperSoftX C2 endpoint

counter[.]wmail-service[.]com - Hostname - ViperSoftX C2 endpoint

fairu-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

fairu-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

fairu-endpoint[.]com - Hostname - ViperSoftX C2 endpoint

fairu-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

fairu-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-blog[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-cdn[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

static-cdn-349[.]net - Hostname - ViperSoftX C2 endpoint

wmail-blog[.]com - Hostname - ViperSoftX C2 endpoint

wmail-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

wmail-chat[.]com - Hostname - ViperSoftX C2 endpoint

wmail-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

wmail-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364 - User Agent -PowerShell User Agent

MITRE ATT&CK Mapping

Tactic - Technique - Notes

Command and Control - T1568.002 Dynamic Resolution: Domain Generation Algorithms

Command and Control - T1321 Data Encoding

Credential Access - T1555.005 Credentials from Password Stores: Password Managers

Defense Evasion - T1027 Obfuscated Files or Information

Execution - T1059.001 Command and Scripting Interpreter: PowerShell

Execution - T1204 User Execution T1204.002 Malicious File

Persistence - T1176 Browser Extensions - VenomSoftX specific

Persistence, Privilege Escalation, Defense Evasion - T1574.002 Hijack Execution Flow: DLL Side-Loading

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Zoe Tilsiter
Cyber Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

Network

/

March 21, 2025

Cyberhaven Supply Chain Attack: Exploiting Browser Extensions

Default blog imageDefault blog image

The evolution of supply chain attacks

Supply chain attacks are becoming increasingly sophisticated. As network defenses improve, threat actors continuously adapt and refine their tactics, techniques, and procedures (TTPs) to achieve their goals. In recent years, this has led to a rise in the exploitation of trusted services and software, including legitimate browser extensions. Exploitation of these extensions can provide adversaries with a stealthy means to infiltrate target networks and access high-value accounts undetected.

A notable example of this trend was the compromise of the Cyberhaven Chrome extension at the end of 2024. This incident appeared to be part of a broader campaign targeting multiple Chrome browser extensions, highlighting the evolving nature of supply chain attacks [1].

What is Cyberhaven?

Cyberhaven, a US-based data security organization, experienced a security breach on December 24, 2024, when a phishing attack reportedly compromised one of their employee's credentials [2]. This allowed attackers to publish a malicious version of the Cyberhaven Chrome extension, which exfiltrated cookies and authenticated sessions from targeted websites. The malicious extension was active from December 25 to December 26 – a time when most businesses and employees were out of office and enjoying the festive period, a fact not lost on threat actors. The attackers, likely a well-organized and financially motivated group, compromised more than 30 additional Chrome extensions, affecting more than 2.6 million users [3]. They used sophisticated phishing techniques to authorize malicious OAuth applications, bypassing traditional security measures and exploiting vulnerabilities in OAuth authorizations. The primary motive appeared to be financial gain, targeting high-value platforms like social media advertising and AI services [4].

In late December 2024, multiple Darktrace customers were compromised via the Cyberhaven Chrome extension; this blog will primarily focus on Darktrace / NETWORK detections from one affected customer.

Darktrace’s coverage of Cyberhaven compromises

On December 26, 2024, Darktrace identified a series of suspicious activities across multiple customer environments, uncovering a structured attack sequence that progressed from initial intrusion to privilege escalation and data exfiltration. The attack was distributed through a malicious update to the Cyberhaven Chrome extension [2]. The malicious update established a foothold in customer environments almost immediately, leading to further anomalies.

As with other Chrome browser extensions, Cyberhaven Chrome extensions were updated automatically with no user interaction required. However, in this instance, the automatic update included a malicious version which was deployed to customer environments. This almost immediately introduced unauthorized activity, allowing attackers to establish a foothold in customer networks. The update allowed attackers to execute their objectives in the background, undetected by traditional security tools that rely on known indicators of compromise (IoCS) rather than identifying anomalies.

While multiple customer devices were seen connecting to cyberhaven[.]io, a legitimate Cyberhaven domain, Darktrace detected persistent beaconing behavior to cyberhavenext[.]pro, which appeared to be attempting to masquerade as another legitimate Cyberhaven domain. Darktrace recognized this activity as unusual, triggering several model alerts in Darktrace / NETWORK to highlight the persistent outbound connections to the suspicious domain.

Further analysis of external connectivity patterns indicated  an increase in anomalous HTTP requests alongside this beaconing activity. Multiple open-source intelligence (OSINT) sources also suggest that the cyberhavenext[.]pro endpoint is associated with malicious activities [5].

Darktrace / NETWORK’s detection of beaconing activity to cyberhavenext[.]pro
Figure 1: Darktrace / NETWORK’s detection of beaconing activity to cyberhavenext[.]pro

Analysis using Darktrace’s Advanced Search revealed that some of these connections were directed to the suspicious external IP address 149.28.124[.]84. Further investigation confirmed that the IP correlated with two SSL hostnames, including the malicious cyberhavenext[.]pro, further reinforcing its connection to the attack infrastructure.

Darktrace Advanced Search analysis showing the IP address 149.28.124[.]84 correlating to two SSL hostnames, one of which is cyberhavenext[.]pro.
Figure 2: Darktrace Advanced Search analysis showing the IP address 149.28.124[.]84 correlating to two SSL hostnames, one of which is cyberhavenext[.]pro.

Between December 23 and December 27, Darktrace observed sustained beaconing-like activity from affected devices on the customer’s network.

Darktrace’s detection of beaconing activities from a customer device to the endpoint 149.28.124[.]84 between December 23 and December 27.
Figure 3: Darktrace’s detection of beaconing activities from a customer device to the endpoint 149.28.124[.]84 between December 23 and December 27.

Darktrace observed 27 unique devices connecting to the malicious command-and-control (C2) infrastructure as far back as December 3. While most connections were brief, they represented an entry point for malicious activity. Over a two-day period, two devices transmitted 5.57 GiB of incoming data and 859.37 MiB of outgoing data, generating over 3 million log events across SSL, HTTP, and connection data.

Subsequent analysis identified a significant increase in unauthorized data transfers to the aforementioned 149.28.124[.]84 IP on another customer network, highlighting the potential broader impact of this compromise. The volume and frequency of these transfers suggested that attackers were leveraging automated data collection techniques, further underscoring the sophistication of the attack.

Darktrace’s detection of the likely exfiltration of 859.37 MiB to the endpoint 149.28.124[.]84.
Figure 4: Darktrace’s detection of the likely exfiltration of 859.37 MiB to the endpoint 149.28.124[.]84.

External research suggested that once active, the Cyberhaven extension would begin silently collecting session cookies and authentication tokens, specifically targeting high-value accounts such as Facebook Ads accounts [4]. Darktrace’s analysis of another affected customer noted many HTTP POST connections directed to a specific URI ("ai-cyberhaven"), while GET requests contained varying URIs prefixed with "/php/urlblock?args=AAAh....--redirect." This activity indicated an exfiltration mechanism, consistent with techniques observed in other compromised Chrome extensions. By compromising session cookies, attackers could potentially gain administrative access to connected accounts, further escalating their privileges [4].

Conclusion

This incident highlights the importance of monitoring not just endpoint security, but also cloud and browser-based security solutions, as attackers increasingly target these trusted and oft overlooked vectors.

Ultimately, by focusing on anomaly detection and behavioral analysis rather than static signatures and lists of ‘known bads’, Darktrace was able to successfully detect devices affected by the Cyberhaven Chrome browser extension compromise, by identifying activity that would likely have been considered legitimate and benign by traditional security solutions.

This compromise also serves as a reminder that supply chain attacks are not limited to traditional software vendors. Browser extensions, cloud-based applications, and SaaS services are equally vulnerable, as evidenced by Darktrace's detection of Balada Injector malware exploiting WordPress vulnerabilities to gain unauthorized network access [6]. Therefore, increased targeting of browser-based security tools, and a greater exploitation of OAuth and session hijacking techniques are to be expected. Attackers will undoubtedly refine their methods to infiltrate legitimate vendors and distribute malicious updates through trusted channels. By staying informed, vigilant, and proactive, organizations can mitigate exposure to evolving supply chain threats and safeguard their critical assets from emerging browser-based attack techniques.

Credit to Rajendra Rushanth (Cyber Analyst) Justin Torres (Senior Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

·       Compromise / Beaconing Activity To External Rare (AP: C2 Comms)

·       Compromise / Beacon for 4 Days (AP: C2 Comms)

·       Compromise / HTTP Beaconing to Rare Destination (AP: C2 Comms)

·       Device / Suspicious Domain (AP: C2 Comms, AP: Tooling)

·       Compromise / Sustained TCP Beaconing Activity To Rare Endpoint (AP: C2 Comms)

·       Anomalous Server Activity / Rare External from Server (AP: C2 Comms)

·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint (AP: C2 Comms)

·       Anomalous Server Activity / Anomalous External Activity from Critical Network Device (AP: C2 Comms)

·       Compromise / Slow Beaconing Activity To External Rare (AP: C2 Comms)

·       Compromise / Repeating Connections Over 4 Days (AP: C2 Comms)

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname (AP: C2 Comms)

·       Anomalous Server Activity / Outgoing from Server (AP: C2 Comms)

·       Compromise / High Volume of Connections with Beacon Score (AP: C2 Comms)

·       Compromise / Large Number of Suspicious Failed Connections (AP: C2 Comms)

·       Email Nexus / Connection to Hijacked Correspondent Link

·       Compromise / Suspicious TLS Beaconing To Rare External (AP: C2 Comms)

·       Compromise / Quick and Regular Windows HTTP Beaconing (AP: C2 Comms)

List of IoCs

IoC - Type - Description + Confidence

cyberhavenext[.]pro - Hostname - Used for C2 communications and data exfiltration (cookies and session tokens)

149.28.124[.]84 - IP - Associated with malicious infrastructure

45.76.225[.]148 - IP - Associated with malicious infrastructure

136.244.115[.]219 - IP - Associated with malicious infrastructure

MITRE ATT&CK Mapping

Tactic – Technique – Sub-Technique

INITIAL ACCESS - T1176 - Browser Extensions

EXECUTION - T1204.002 - Malicious Browser Extensions

PERSISTENCE - T1176 - Browser Extensions

COMMAND AND CONTROL - T1071.001 - Web Protocols

COMMAND AND CONTROL - T1001 - Data Obfuscation

CREDENTIAL ACCESS - T1539 - Steal Web Session Cookie

DISCOVERY - T1518.001 - Security Software Discovery

LATERAL MOVEMENT - T1557.003 - Man-in-the-Browser

EXFILTRATION - T1041 - Exfiltration Over C2 Channel

EXFILTRATION - T1567.002 - Exfiltration to Cloud Storage

IMPACT - T1583.006 - Session Hijacking

References

[1] https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html

[2] https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it

[3] https://www.infosecurity-magazine.com/news/chrome-browser-extensions-hijacked/

[4] https://www.theverge.com/2024/12/28/24330758/chrome-extension-cyberhaven-hijack-phishing-cyberattack-facebook-ads-authentication-theft

[5] https://www.virustotal.com/gui/domain/cyberhavenext.pro

[6] https://darktrace.com/blog/balada-injector-darktraces-investigation-into-the-malware-exploiting-wordpress-vulnerabilities

Continue reading
About the author
Rajendra Rushanth
Cyber Analyst

Blog

/

Email

/

March 19, 2025

Global Technology Provider Transforms Email Threat Detection with Darktrace

Default blog imageDefault blog image

At a glance

  • Within just one month of using Darktrace / EMAIL, the volume of suspicious emails requiring analyst attention dropped by 75%, saving analysts 45 hours per month on analysis and investigation.
  • By offloading most manual, repetitive tasks to Darktrace / EMAIL, the company’s skilled security analysts can focus on developing new capabilities and tackling more complex, rewarding projects.
  • Darktrace recently detected and blocked a highly sophisticated and personalized phishing email that spoofed a Microsoft SharePoint and Teams website and used advanced engineering to impersonate the school of an employee’s family member.
  • The transition from the incumbent solution to Darktrace / EMAIL was seamless and undetectable to the company’s vast of customers and partners, reinforcing the security organization’s role as a business enabler—protecting the company and reducing risk without adding friction.

Securing a complex, distributed business without disruption

The company remains at the forefront of technological innovation and transformation; however, its success and ambitions come with the challenges of managing a distributed global business—balancing digital advancements, existing technology investments, and evolving compliance requirements.

Optimizing a complex tech stack for scalable growth

The organization operates a diverse technology stack spanning Windows, Mac, Linux, and multiple cloud environments, creating a complex and challenging IT landscape. The company’s Chief Information Security Officer (CISO) emphasizes the need for efficiency and agility. “Our goal is to scale and deliver new capabilities without increasing headcount, ensuring that costs remain proportionate to growth.”

Balancing security, governance, and business agility

Committed to responsible practices, this industry leader prioritizes secure and trustworthy technology for its customers who rely on its solutions. “Balancing business agility with governance is a constant challenge," said the CISO. "There’s always a natural push and pull, which I believe is healthy—but achieving the right balance is delicate.”

Protecting critical workflows without impacting productivity

For the organization, email is much more than just a communication tool. “Email plays a critical role in our engineering workflows and is fundamental to how we build our products.” Because of this, the company is extremely cautious about implementing any solution that could introduce friction or disrupt productivity. “There is zero tolerance for disruption, which is why we take a deliberate and methodical approach when evaluating, selecting, and deploying our tools and solutions,” he said.  

More than a vendor: A security partner invested in success

To ensure an optimal security infrastructure, the enterprise security team regularly evaluates market technologies to their existing solutions. With the rapidly evolving threat landscape, the CISO said they “wanted to validate whether we still had best-in-class protection and the right controls in place to secure our organization. It was about assessing whether we could do better in our ongoing effort to fine-tuning our approach to achieve the best possible outcome.”

The team evaluated 15 different email security vendors based on the following criteria:

  1. Efficacy to detect threats
  2. Ability to integrate with existing tooling
  3. Ease of use
  4. A vendor’s approach to partnership  

They initially narrowed the list to five vendors, conducting demo sessions for deeper evaluations before selecting three finalists for a proof of value (POV). We analyzed actual malicious emails with each vendor to assess the accuracy of their detections, allowing for an objective comparison,” said the CISO. Through this rigorous process, the Darktrace / EMAIL security solution emerged as the best fit for their business. “Darktrace’s product performed well and showed a genuine commitment to partnering with us in the long-term to ensure our success.”

The team objectively understood where there were gaps across the different vendors, where they were strong, and where they could use improvement. “Based on the analysis, we knew that Darktrace / EMAIL could deliver as the data supported it, in our specific use cases.  

Partnership, integrity and respect

Throughout the evaluation process, the importance of partnership and mutual respect remained an essential factor to the CISO. “I wanted a company we could develop a long-term strategic partnership with, one that could extend far deeper than just email.” A key factor in choosing Darktrace was the commitment and engagement of its team at every level of the organization. “Darktrace showed integrity, patience and a genuine investment in building a strong relationship with my team.  That's why we're here today.”

“Together, we've delivered some fantastic outcomes”

For the organization, Darktrace / EMAIL has played a crucial role in reducing risk, empowering analysts, and enabling a lean, effective security strategy. “Together, we've delivered some fantastic outcomes,” said the CISO.  

Reducing risk. Empowering analysts

“Within that first month, we saw a 75% drop in suspicious emails that that required manual review, which reduced the time my team spent analyzing and investigating by 45 hours per month,” said the CISO. The security team values Darktrace / EMAIL not only for its ease of use but also for the time it frees up for more meaningful work. “Giving my team the opportunity to tackle complex challenges they enjoy and find more stimulating is important to me.” As they continue to fine-tune and optimize balance levels within Darktrace / EMAIL, he expects even greater efficiency gains in the coming months.

Maximizing protection while staying lean

It’s important for the security group to be proportionate with their spending, said the CISO. “It's all about what is enough security to enable the business. And that means, as our organization grows, it's important that we are as lean and as efficient as possible to deliver the best outcomes for the business.”  Embracing an AI-powered automated approach is an essential component to achieving that goal. By offloading most manual, repetitive tasks to Darktrace / EMAIL, the company’s skilled security analysts can focus on more strategic and proactive initiatives that enable the business.  

Protecting employees from advanced social engineering threats

Recently, Darktrace detected a malicious email targeting an employee, disguised as a spoofed Microsoft SharePoint and Teams website. What made this attack particularly sophisticated was its personalization — it impersonated the school where the employee’s family member attended. Unlike mass malicious emails sent to thousands of people, this was a highly targeted attack, leveraging advanced social engineering tactics to exploit connections within the education system and between family members.  

Protecting without disrupting

A seamless migration is often overlooked but is critical to success for any organization, said the CISO. With a wide ecosystem of partners, email is a highly visible, business-critical function for the organization — "any friction or downtime would have an immediate impact and could throttle the entire business,” he said. However, the transition from their previous solution to Darktrace / EMAIL was exceptionally smooth. “No one realized we changed providers because there was no disruption — no incidents at all. I cannot emphasize just how important that is when I'm trying to position our security organization as an enabling function for the business that protects and reduces risk without adding friction.”

A security partnership for the future

“To survive as a business over the next few years, adopting AI is no longer optional—it’s essential,” said the CISO. However, with the cybersecurity market becoming increasingly saturated, selecting the right solutions and vendors can be overwhelming. He stresses the importance of choosing strategic partners who not only deliver the outcomes you need, but also deeply understand your organization’s unique environment. “You’re only as strong as your partners. Technology innovation and the cybersecurity market are always changing.  At some point every solution will face a challenge—it’s inevitable. The differentiator will be how people respond when that happens.”  

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI