Learn how Darktrace leveraged generative AI tools to detect and combat phishing email campaigns. Discover how AI is reshaping cybersecurity strategies.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Germaine Tan
VP, Security & AI Strategy, Field CISO
Share
26
Sep 2023
Stopping the bad while allowing the good
Since its inception, email has been regarded as one of the most important tools for businesses, revolutionizing communication and allowing global teams to become even more connected. But besides organizations heavily relying on email for their daily operations, threat actors have also recognized that the inbox is one of the easiest ways to establish an initial foothold on the network.
Today, not only are phishing campaigns and social engineering attacks becoming more prevalent, but the level of sophistication of these attacks are also increasing with the help of generative AI tools that allow for the creation of hyper-realistic emails with minimal errors, effectively lowering the barrier to entry for threat actors. These diverse and stealthy types of attacks evade traditional email security tools based on rules and signatures, because they are less likely to contain the low-sophistication markers of a typical phishing attack.
In a situation where the sky is the limit for attackers and security teams are lean, how can teams equip themselves to tackle these threats? How can they accurately detect increasingly realistic malicious emails and neutralize these threats before it is too late? And importantly, how can email security block these threats while allowing legitimate emails to flow freely?
Instead of relying on past attack data, Darktrace’s Self-Learning AI detects the slightest deviation from a user’s pattern of life and responds autonomously to contain potential threats, stopping novel attacks in their tracks before damage is caused. It doesn’t define ‘good’ and ‘bad’ like traditional email tools, rather it understands each user and what is normal for them – and what’s not.
This blog outlines how Darktrace / EMAIL™ used its understanding of ‘normal’ to accurately detect and respond to a sustained phishing campaign targeting a real-life company.
Responding to a sustained phishing attack
Over the course of 24 hours, Darktrace detected multiple emails containing different subjects, all from different senders to different recipients in one organization. These emails were sent from different IP addresses, but all came from the same autonomous system number (ASN).
Figure 1: The sender freemail addresses and subject lines all followed a certain format. The subject lines followed the format of “<First name> <Last name>”, possibly to induce curiosity. The senders were all freemail accounts and contained first names, last names and some numbers, showing the attempts to make these email addresses appear legitimate.
The emails themselves had many suspicious indicators. All senders had no prior association with the recipient, and the emails generated a high general inducement score. This score is generated by structural and non-specific content analysis of the email – a high score indicates that the email is trying to induce the recipient into taking a particular action, which may lead to account compromise.
Additionally, each email contained a visually prominent link to a file storage service, hidden behind a shortened bit.ly link. The similarities across all these emails pointed to a sustained campaign targeting the organization by a single threat actor.
Figure 2: One of the emails is shown above. Like all the other emails, it contained a highly suspicious and shortened link.
Figure 3: In another one of the emails, the link observed had similar characteristics. But this email stands out from the rest. The sender's name seems to be randomly set – the 3 alphabets are close to each other on the keyboard.
With all these suspicious indicators, many models were breached. This drove up the anomaly score, causing Darktrace/Email to hold all suspicious emails from the recipients’ inboxes, safeguarding the recipients from potential account compromise and disallowing the threats from taking hold in the network.
Imagining a phishing attack without Darktrace/Email
So what could have happened if Darktrace had not withheld these emails, and the recipients had clicked on the links? File storage sites have a wide variety of uses that allow attackers to be creative in their attack strategy. If the user had clicked on the shortened link, the possible consequences are numerous. The link could have led to a login page for unsuspecting victims to input their credentials, or it could have hosted malware that would automatically download if the link was clicked. With the compromised credentials, threat actors could even bypass MFA, change email rules, or gain privileged access to a network. The downloaded malware might also be a keylogger, leading to cryptojacking, or could open a back door for threat actors to return to at a later time.
Figure 4: Darktrace / EMAIL highlights suspicious link characteristics and provides an option to preview the pages.
Figure 5: At the point of writing, both links could not be reached. This could be because they were one-time unique links created specifically for the user, and can no longer be accessed once the campaign has ceased.
The limits of traditional email security tools
Secure email gateways (SEGs) and static AI security tools may have found it challenging to detect this phishing campaign as malicious. While Darktrace was able to correlate these emails to determine that a sustained phishing campaign was taking place, the pattern among these emails is far too generic for specific rules as set in traditional security tools. If we take the characteristic of the freemail account sender as an example, setting a rule to block all emails from freemail accounts may lead to more legitimate emails being withheld, since these addresses have a variety of uses.
With these factors in mind, these emails could have easily slipped through traditional security filters and led to a devastating impact on the organization.
Conclusion
As threat actors step up their attacks in sophistication, prioritizing email security is more crucial than ever to preserving a safe digital environment. In response to these challenges, Darktrace / EMAIL offers a set-and-forget solution that continuously learns and adapts to changes in the organization.
Through an evolving understanding of every environment in which it is deployed, its threat response becomes increasingly precise in neutralizing only the bad, while allowing the good – delivering email security that doesn’t come at the expense of business growth.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
How email-delivered prompt injection attacks can target enterprise AI – and why it matters
Prompt injection is a newly emerging threat, with only a handful of confirmed victims so far – targeting how AI systems use data rather than exploiting traditional software vulnerabilities. As agentic AI becomes embedded across enterprise environments, attackers may attempt to manipulate these systems through hidden instructions in everyday email content.
Email-Borne Cyber Risk: A Core Challenge for the CISO in the Age of Volume and Sophistication
A former CISO shares his perspective on the challenge of securing the human layer, how existing security awareness training falls short, and how it can be improved to better prepare for high-volume, high-impact, human-centric threats.
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Introducing the adaptive era of email security: a unified platform that connects personalized coaching, collaboration tools, and user behavior into a self-improving defense system.
AI Insider Threats: How Generative AI is Changing Insider Risk
How generative AI changes insider behavior
AI systems, especially generative platforms such as chatbots, are designed for engagement with humans. They are equipped with extraordinary human-like responses that can both confirm, and inflate, human ideas and ideology; offering an appealing cognitive partnership between machine and human. When considering this against the threat posed by insiders, the type of diverse engagement offered by AI can greatly increase the speed of an insider event, and can facilitate new attack platforms to carry out insider acts.
This article offers analysis on how to consider this new paradigm of insider risk, and outlines key governance principles for CISOs, CSOs and SOC managers to manage the threats inherent with AI-powered insider risk.
What is an insider threat?
There are many industry or government definitions of what constitutes insider threat. At its heart, it relates to the harm created when trusted access to sensitive information, assets or personnel is abused bywith malicious intent, or through negligent activities.
Traditional methodologies to manage insider threat have relied on two main concepts: assurance of individuals with access to sensitive assets, and a layered defense system to monitor for any breach of vulnerability. This is often done both before, and after access has been granted. In the pre-access state, assurance is gained through security or recruitment checks. Once access is granted, controls such as privileged access, and zero-trust architecture offer defensive layers.
How does AI change the insider threat paradigm?
While these two concepts remain central to the management of insider threats, the introduction of AI offers three key new aspects that will re-shape the paradigm:.
AI can act as a cognitive amplifier, influencing and affecting the motivations that can lead to insider-related activity. This is especially relevant for the deliberate insider - someone who is considering an act of insider harm. These individuals can now turn to AI systems to validate their thinking, provide unique insights, and, crucially, offer encouragement to act. With generative systems hard-wired to engage and agree with users, this can turn a helpful AI system into a dangerous AI hype machine for those with harmful insider intent.
AI can act as an operational enabler. AI can now develop and increase the range of tools needed to carry out insider acts. New social engineering platforms such as vishing and deepfakes give adversaries a new edge to create insider harm. AI can generate solutions and operational platforms at increasing speeds; often without the need for human subject matter expertise to execute the activities. As one bar for advanced AI capabilities continues to be raised, the bar needed to make use of those platforms has become significantly lower.
AI can act as a semi-autonomous insider, particularly when agentic AI systems or non-human identities are provided broad levels of autonomy; creating a vector of insider acts with little-to-no human oversight or control. As AI agents assume many of the orchestration layers once reserved for humans, they do so without some of the restricted permissions that generally bind service accounts. With broad levels of accessibility and authority, these non-human identities (NHIs) can themselves become targets of insider intent. Commonly, this refers to the increasing risks of prompt injection, poisoning, or other types of embedded bias. In many ways, this mirrors the risks of social engineering traditionally faced by humans. Even without deliberate or malicious efforts to corrupt them, AI systems and AI agents can carry out unintended actions; creating vulnerabilities and opportunities for insider harm.
How to defend against AI-powered insider threats
The increasing attack surfaces created or facilitated by AI is a growing concern. In Darktrace’s own AI cybersecurity research, the risks introduced, and acknowledged, through the proliferation of AI tools and systems continues to outstrip traditional policies and governance guardrails. 22% of respondents in the survey cited ‘insider misuse aided by generative AI’ as a major threat concern. And yet, in the same survey, only 37% of all respondents have formal policies in place to manage the safe and responsible use of AI. This draws a significant and worrying delta between the known risks and threat concerns, and the ability (and resources) to mitigate them.
What can CISOs and SOC leaders do to protect their organization from AI insider threats?
Given the rapid adaptation, adoption, and scale of AI systems, implementing the right levels of AI governance is non-negotiable. Getting the correct balance between AI-driven productivity gains and careful compliance will lead to long-term benefits. Adapting traditional insider threat structures to account for newer risks posed through the use of AI will be crucial. And understanding the value of AI systems that add to your cybersecurity resilience rather than imperil it will be essential.
For those responsible for the security and protection of their business assets and data holdings, the way AI has changed the paradigm of insider threats can seem daunting. Adopting strong, and suitable AI governance can become difficult to introduce due to the volume and complexity of systems needed to be monitored. As well as traditional insider threat mitigations such as user monitoring, access controls and active management, the speed and autonomy of some AI systems need different, as well as additional layers of control.
How Darktrace helps protect against AI-powered insider threats
Darktrace has demonstrated that, through platforms such as our proprietary Cyber AI Analyst, and our latest product Darktrace / SECURE AI, there are ways AI systems can be self-learning, self-critical and resilient to unpredictable AI behavior whilst still offering impressive returns; complementing traditional SOC and CISO strategies to combat insider threat.
With / SECURE AI, some of the ephemeral risks drawn through AI use can be more easily governed. Specifically, the ability to monitor conversational prompts (which can both affect AI outputs as well as highlight potential attempts at manipulation of AI; raising early flags of insider intent); the real-time observation of AI usage and development (highlighting potential blind-spots between AI development and deployment); shadow AI detection (surfacing unapproved tools and agents across your IT stack) and; the ability to know which identities (human or non-human) have permission access. All these features build on the existing foundations of strong insider threat management structures.
How to take a defense-in-depth approach to AI-powered insider threats
Even without these tools, there are four key areas where robust, more effective controls can mitigate AI-powered insider threat. Each of the below offers a defencce-in-depth approach: layering acknowledgement and understanding of an insider vector with controls that can bolster your defenses.
Identity and access controls
Having a clear understanding of the entities that can access your sensitive information, assets and personnel is the first step in understanding the landscape in which insider harm can occur. AI has shown that it is not just flesh and bone operators who can administer insider threats; Non-Human Identities (such as agentic AI systems) can operate with autonomy and freedom if they have the right credentials. By treating NHIs in the same way as human operators (rather than helpful machine-based tools), and adding similar mitigation and management controls, you can protect both your business, and your business-based identities from insider-related attention.
Visibility and shadow AI detection
Configuring AI systems carefully, as well as maintaining internal monitoring, can help identify ‘shadow AI’ usage; defined as the use of unsanctioned AI tools within the workplace1 (this topic was researched in Darktrace’s own paper on "How to secure AI in the enterprise". The adoption of shadow AI could be the result of deliberate preference, or ‘shortcutting’; where individuals use systems and models they are familiar with, even if unsanctioned. As well as some performance risks inherent with the use of shadow AI (such as data leakage and unwanted actions), it could also be a dangerous precursor for insider-related harm (either through deliberate attempts to subvert regular monitoring, or by opening vulnerabilities through unpatched or unaccredited tooling).
Prompt and Output Guardrails
The ability to introduce guardrails for AI systems offers something of a traditional “perimeter protection” layer in AI defense architecture; checking prompts and outputs against known threat vectors, or insider threat methodologies. Alone, such traditional guardrails offer limited assurance. But, if tied with behavior-centric threat detection, and an enforcement system that deters both malicious and accidental insider activities, this would offer considerable defense- in- depth containment.
Forensic logging and incident readiness response
The need for detection, data capture, forensics, and investigation are inherent elements of any good insider threat strategy. To fully understand the extent or scope of any suspected insider activity (such as understanding if it was deliberate, targeted, or likely to occur again), this rich vein of analysis could prove invaluable. As the nature of business increasingly turns ephemeral; with assets secured in remote containers, information parsed through temporary or cloud-based architecture, and access nodes distributed beyond the immediate visibility of internal security teams, the development of AI governance through containment, detection, and enforcement will grow ever more important.
Enabling these controls can offer visibility and supervision over some of the often-expressed risks about AI management. With the right kind of data analytics, and with appropriate human oversight for high-risk actions, it can illuminate the core concerns expressed through a new paradigm of AI-powered insider threats by:
Ensuring deliberately mis-configured AI systems are exposed through regular monitoring.
Highlighting changes in systems-based activity that might indicate harmful insider actions; whether malicious or accidental.
Promoting a secure-by-design process that discourages and deters insider-related ambitions.
Ensuring the control plane for identity-based access spans humans, NHIs and AI models, and:
Offering positive containment strategies that will help curate the extent of AI control, and minimize unwanted activities.
Why insider threat remains a human challenge
At its root, and however it has been configured, AI is still an algorithmic tool; something designed to automate, process and manage computational functions at machine speed, and boost productivity. Even with the best cybersecurity defenses in place, the success of an insider threat management program will still depend on the ability of human operators to identify, triage, and manage the insider threat attack surface.
AI governance policies, human-in-the-loop break points, and automated monitoring functions will not guard against acts of insider harm unless there is intention to manage this proactively, and through a strong culture of how to guard against abuses of trust and responsibility.
Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Darktrace have identified activity consistent with Chinese-nexus operations, a Twill Typhoon-linked campaign targeting customer environments, primarily within the Asia-Pacific & Japan (APJ) region
Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.
The activity aligns with patterns described in Darktrace’s previous Chinese-nexus operations report, Crimson Echo. In this case, observed modular intrusion chains built on legitimate software, and staged payload delivery. Threat actors retrieve legitimate binaries alongside configuration files and malicious DLLs to enable sideloading of a .NET-based RAT.
Observed Campaign
Across cases, the same ordered sequence appears: retrieval of a legitimate executable, (2) retrieval of a matching .config file, (3) retrieval of the malicious
DLL, (4) repeated DLL downloads over time, and (5) command-and-control (C2) communication. The .config file retrieves a malicious binary, while the legitimate binary provides a legitimate process to run it in.
Darktrace assesses with moderate confidence that this activity aligns with publicly reported Twill Typhoon tradecraft. The observed use of FDMTP, DLL sideloading, and overlapping infrastructure is consistent with previously observed operations, though not unique to a single actor. While initial access was not directly observed, previous Twill Typhoon campaigns have typically involved spear-phishing.
What Darktrace Observed
Since late September 2025, Darktrace has observed multiple customer environments making HTTP GET requests to infrastructure presenting as “CDN” endpoints for well-known platforms (including Yahoo and Apple lookalikes). Across cases, the affected hosts retrieved legitimate executables, then matching .config files (same base filename), then DLLs intended for sideloading. The sequencing of a legitimate binary + configuration + DLL has been previously observed in campaigns linked to China-nexus threat actors.
In several cases, affected hosts also issued outbound requests to a /GetCluster endpoint, including the protocol=Dotnet-Tcpdmtp parameter. This activity was repeatedly followed by retrieval of DLL content that was subsequently used for search-order hijacking within legitimate processes.
In the September–October 2025 cases, Darktrace alerting commonly surfaced early-stage registration and C2 setup behaviors, followed by retrieval of a DLL (e.g., Client.dll) from the same external host, sometimes repeatedly over multiple days, consistent with establishing and maintaining the execution chain.
In April 2026, a finance-sector endpoint initiated a series of GET requests to yahoo-cdn[.]it[.]com, first fetching legitimate binaries (including vshost.exe and dfsvc.exe), then repeatedly retrieving associated configuration and DLL components (including dfsvc.exe.config and dnscfg.dll) over an 11-day window. The use of both Visual Studio hosting and OneClick (dfsvc.exe) paths are used to ensure the malware can run in the targeted environment.
Technical Analysis
Initial staging and execution
While the initial access method is unknown, Darktrace security researchers identified multiple archives containing the malware.
A representative example includes a ZIP archive (“test.zip”) containing:
A legitimate executable: biz_render.exe (Sogou Pinyin IME)
A malicious DLL: browser_host.dll
Contained within the zip archive named “test.zip” is the legitimate binary “biz_render.exe”, a popular Chinese Input Method Editor (IME) Sogou Pinyin.
Alongside the legitimate binary is a malicious DLL named “browser_host.dll”. As the legitimate binary loads a legitimate DLL named “browser_host.dll” via LoadLibraryExW, the malicious DLL has been named the same to sideload the malicious DLL into biz_render.exe. By supplying a malicious DLL with an identical name, the actor hijacks execution flow, enabling the payload to execute within a trusted process.
The legitimate binary invokes the function GetBrowserManagerInstance from the sideloaded “browser_host.dll”, which then performs XOR-based decryption of embedded strings (key 0x90) to resolve and dynamically load mscoree.dll.
The DLL uses the Windows Common Language Runtime (CLR) to execute managed .NET code inside the process rather than relying solely on native binaries. During execution, the loader loads a payload directly into memory as .NET assemblies, enabling an in-memory execution.
C2 Registration
A GET request is made to:
GET /GetCluster?protocol=DotNet-TcpDmtp&tag={0}&uid={1}
with the custom header:
Verify_Token: Dmtp
This returns Base64-encoded and gzip-compressed IP addresses used for subsequent communication.
Figure 2: Decoded IPs.
Staged payload retrieval
Subsequent activity includes retrieval of multiple components from yahoo-cdn.it[.]com. The following GET requests are made:
Dfsvc.exe is the legitimate Windows ClickOnce Engine, part of the .NET framework used for updating ClickOnce Applications. Accompanying dfsvc.exe is a legitimate dfsvc.exe.config file that is used to store configuration data for the application. However, in this instance the malware has replaced the legitimate dfsvc.exe.config with the one retrieved from the server in: C:\Windows\Microsoft.NET\Framework64\v4.0.30319.
Additionally, vhost.exe the legitimate Visual Studio hosting process is retrieved from the server, along with “Microsoft.VisualStudio.HostingProcess.Utilities.Sync.dll” and “config.etl”. The DLL is used to decrypt the AES encrypted payload in config.etl and load it. The encrypted payload is dnscfg.dll, which can be loaded into vshost instead of dfsvc, and may be used if the environment does not support .NET.
Figure 3: ClickOnce configuration.
The malicious configuration disables logging, forces the application to load dnscfg.dll from the remote server, and uses a custom AppDomainManager to ensure the DLL is executed during initialization of dfsvc.exe. To ensure persistence, a scheduled task is added for %APPDATA%\Local\Microsoft\WindowsApps\dfsvc.exe.
Core payload
The DLL dnscfg.dll is a .NET binary named Client.TcpDmtp.dll. The payload is a heavily obfuscated backdoor that generates its logic at runtime and communicates with the command and control (C2) over custom TCP, DMTP (Duplex Message Transport Protocol) and appears to be an updated version of FDMTP to version 3.2.5.1
Once connected, the malware enters a persistent loop (LoopMessage), enabling it to receive commands from the remote server.
Figure 5: DMTP Connect function.
Rather than referencing values directly, they are retrieved through containers that are resolved at runtime. String values are stored in an encrypted byte array (_0) and decrypted by a custom XOR-based string decryption routine (dcsoft). The lower 16 bits of the provided key are XORed with 0xA61D (42525) to derive the initial XOR key, while subsequent bits define the string length and offset into the encrypted byte array. Each character is reconstructed from two encrypted bytes and XORed with the incrementing key value, producing the plaintext string used by the payload.
Figure 6: Decrypted strings.
Embedded in the resources section are multiple compressed binaries, the majority of which are library files. The only exceptions are client.core.dll and client.dmtpframe.dll.
Figure 7: Resources.
Modular framework and plugins
The payload embeds multiple compressed libraries, notably:
client.core.dll
client.dmtpframe.dll
Client.core.dll is a core library used for system profiling, C2 communication and plugin execution. The implant has the functionality to retrieve information including antivirus products, domain name, HWID, CLR version, administrator status, hardware details, network details, operating system, and user.
Figure 8: Client.Core.Info functions.
Additionally, the component is responsible for loading plugins, with support for both binary and JSON-based plugin execution. This allows plugins to receive commands and parameters in different formats depending on the task being performed.
The framework handles details such as plugin hashes, method names, task identifiers, caller tracking, and argument processing, allowing plugins to be executed consistently within the environment. In addition to execution management, the library also provides plugins with access to common runtime functionality such as logging, communication, and process handling.
Figure 9: Client.core functions.
client.dmtpframe.dll handles:
DMTP communication
Heartbeats and reconnection
Plugin persistence via registry:
HKCU\Software\Microsoft\IME\{id}
Client.dmtpframe.dll is built on the TouchSocket DMTP networking library and continues to manage the remote plugins. The DLL implements remote communication features including heartbeat maintenance, reconnection handling, RPC-style messaging, SSL support, and token-based verification. The DLL also has the ability to add plugins to the registry under HKCU/Software/Microsoft/IME/{id} for persistence.
Plugins observed
While the full set of plugins remains unknown, researchers were able to identify four plugins, including:
Persist.WpTask.dll - used to create, remove and trigger scheduled Windows tasks remotely.
Persist.registry.dll - used to manage registry persistence with the ability to create, and delete registry values, along with hidden persistence keys.
Persist.extra.dll - used to load and persist the main framework.
Assist.dll - used to remotely retrieve files or commands, as well as manipulate system processes.
Figure 10: Plugins stored in IME registry.
Figure 11: Obfuscated script in plugin resources.
Persist.extra.dll is a module that is used to load a script “setup.log” to load and persist the main framework. Stored within the resources section of the binary is an obfuscated script that creates a .NET COM object that is added to the registry key HKCU\Software\Classes\TypeLib\ {9E175B61-F52A-11D8-B9A5-505054503030} \1.0\1\Win64 for persistence. After deobfuscating this script, another DLL is revealed named “WindowsBase.dll”.
Figure 12: Registry entry for script.
The binary checks in with icloud-cdn[.]net every five minutes, retrieves a version string, downloads an encrypted payload named checksum.bin, saves it locally as C:\ProgramData\USOShared\Logs\checksum.etl, decrypts it with AES using the hardcoded key POt_L[Bsh0=+@0a., and loads the decrypted assembly directly from memory via Assembly.Load(byte[]). The version.txt file acts as an update marker so it only re-downloads when the remote version changes, while the mutex prevents duplicate instances.
Figure 13: USOShared/Logs.
Checksum.etl is decrypted with AES and loaded into memory, loading another .NET DLL named “Client.dll”. This binary is the same as “dnscfg.dll” mentioned at the start and allows the threat actors to update the main framework based on the version.
Conclusion
Across cases, Darktrace consistently observed the following sequence:
Retrieval of legitimate executables
Retrieval of DLLs for sideloading
C2 registration via /GetCluster
This approach is consistent with broader China-nexus tradecraft. As outlined in Darktrace’s Crimson Echo report, the stable feature of this activity is behavioral. Infrastructure rotates and payloads can change, but the execution model persists. For defenders, the implication is straightforward: detection anchored to individual indicators will degrade quickly. Detection anchored to a behavioral sequence offer a far more durable approach.
Credit to Tara Gould (Malware Research Lead), Adam Potter (Senior Cyber Analyst), Emma Foulger (Global Threat Research Operations Lead), Nathaniel Jones (VP, Security & AI Strategy)
Edited by Ryan Traill (Content Manager)
Appendices
A detailed list of detection models and triggered indicators is provided alongside IoCs.
_11zon.avif)
