Blog
/
/
August 5, 2020

Guarding Against Threats Beyond IT

We explore insights from a vast customer database, exposing the widespread adoption of ICS protocols within IT settings.
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
05
Aug 2020

Key takeaways

  • Multiple well-known ICS attacks have been successful by gaining an initial foothold into the IT network, such as EKANS, Black Energy, and Havex
  • Stage One of the ICS Cyber Kill Chain is network reconnaissance, and so IT/OT network segregation is critical
  • Darktrace finds that many organizations’ networks have at least some level of IT/OT convergence
  • Visibility across ICS infrastructure, actions, and commands provides a better picture into potentially malicious internal activity

IT & OT Convergence Threats

Shipping, manufacturing, and other forms of heavy industry are seeing an ever-increasing convergence of IT and OT systems with the growth in Industrial Internet of Things (IIoT). At the same time, it remains critical to segment IT from OT networks, as the lack of segmentation could provide a malicious actor – either a hacker or rogue insider – easy access to pivot into the OT network.

High-profile attack campaigns such as Havex or Black Energy show traditional network security monitoring tools can be insufficient in preventing these intrusions. After the initial compromise, these ICS attacks progressed from IT to OT systems, showing that the convergence of IT and OT in cyber-physical ecosystems calls for technology that can understand how these two systems interact.

More recently, analysis of the EKANS ransomware revealed that attackers are attempting to use malware to actively disrupt OT as well as IT networks. The attack contained ICS processes on its ‘kill list,’ which allowed it to halt global manufacturing for large organizations like Honda.

More often than not, a lack of visibility is a major challenge in protecting critical ICS assets. Security specialists benefit when they have visibility over unusual or unexpected connections, or more crucially, when ICS commands are being sent by malicious actors attempting to perform industrial sabotage.

Investigation details

Darktrace analysts investigated the use of industrial protocols in the enterprise environments of various customers. The industries ranged from banking to government, retail to food manufacturing and beyond, and included companies with Industrial Control Systems that leverage Darktrace to defend their corporate networks.

In some cases, the security teams may not have been aware of IT/OT convergence within their enterprise environments. In other cases, the IT team may be aware of the ICS segments, but do not see them as a security priority because it does not fall directly within their remit.

The results revealed that hundreds of companies are using OT protocols in their enterprise environments, which suggests that IT/OT systems are not properly segmented. Specifically, Darktrace detected over 6,500 suspected instances of ICS protocol use across 1,000 environments. Note that this data was collected anonymously, only keeping track of the industry for analysis purposes.

Figure 1: A chart showing the percentage of ICS protocol use in enterprise environments

The ICS protocol which was detected the most was BacNet, seen in approximately 75% of instances. BacNet is used in Building Management Systems, so it is not surprising that it is widely used across multiple industries and within corporate networks. It is likely the security teams are aware that their BMS is part of the enterprise network, but may not appreciate how its use of the BacNet OT protocol increases the attack surface for the business and can be a blind spot for security teams.

Core ICS protocols

Darktrace also detected ‘core’ ICS protocols, Modbus and CIP (Common Industrial Protocol). These are normally associated with traditional ICS industries such as manufacturing, oil and gas, robotics, and utilities, and provides further evidence of IT/OT convergence.

This increased IT/OT convergence creates new blind spots on the network and sets up new pathways to disruption. This offers opportunities for attackers, and the public are now increasingly aware of attacks that have pivoted from IT into OT.

Improper segmentation between IT and OT systems can lead to highly unusual connections to ICS protocols. This can be seen in our recent analysis of industrial sabotage, with the timeline of the attack’s main events presented below.

Figure 2: A timeline showing the events of an incident of industrial sabotage

This is just one example of an attack that began in IT systems before affecting OT. More high-profile attacks that follow this pattern are presented below:

EKANS ransomware

The recent EKANS attack involved a strain of ransomware with close links to the MEGACORTEX variant, which gained infamy following an attack on Honda’s global operations in June 2020. Like many ransomware variants, EKANS encrypts files in IT systems and demands ransom in order to unlock the infected machines. However, the malware also has the ability to kill ICS processes on infected hosts. Notably, it is the first public example of ransomware that can target ICS operations.

Havex

Havex utilized multiple attack vectors, including spear phishing, trojans, and infected vendor websites, often known as a ‘watering hole attack’. It targeted IT systems, Internet-connected workstations, or a combination of the two. With Havex, attackers leveraged lateral movement techniques to pivot into Level 3 of ICS networks. The attack’s motive was data exfiltration to a C2 server, likely as part of a government-backed espionage campaign.

Black Energy 3

Black Energy 3 favored macro-embedded MS Office documents delivered via spear phishing emails as attack vectors. Older variants of Black Energy targeted vulnerabilities in ICS HMIs (Human Machine Interfaces) which were connected to the Internet. The attack’s motive was industrial sabotage and is what was used against the Ukrainian electric grid in 2015, leading to power outages for over 225,000 civilians and requiring a switch to manual operations as substations were taken offline.

Lessons learned

Each of the attack campaigns detailed above was in some way enabled by IT/OT convergence. Attackers still favor targeting IT networks with their initial attack vectors, as IT networks have significantly more interaction with the Internet through emails, and various other interconnected technologies. Poor network segmentation allows attackers easy access to OT systems once an IT network has been compromised.

In all of these ICS cyber-attacks, devices deviated from their normal patterns of life at one or more points in the cyber kill chain. Indicators of compromise can include anything from new external connections, to network reconnaissance using active scanning, to lateral movement using privileged credentials, ICS reprogram commands, or ICS discovery requests. With proper enterprise-wide visibility, across both IT and OT systems, and security tools that are able to detect these deviations, a security team would be alerted to these compromises before an attacker could carry out their objectives.

Ultimately, visibility is crucial for cyber defenders to protect industrial property and processes. Darktrace/OT enables many Industrial Model Detections, a selection of which are listed below:

  • Anomalous IT to ICS Connection
  • Multiple Failed Connections to OT Device
  • Multiple New Action Commands
  • Uncommon ICS Reprogram
  • Suspicious Network Scanning Activity
  • Unusual Broadcast from ICS PLC
  • Unusual Admin RDP Session

It is clear that attackers continue to exploit increasing IT/OT convergence to carry out industrial sabotage. Still, as revealed by our analysis of our customer base, many organizations continue to unknowingly use ICS protocols in their corporate environments, both increasing their attack surface and creating dangerous blind spots. A new, holistic approach to cyber defense is needed – one that can reveal this convergence of IT and OT, provide visibility, and detect deviations indicative of emerging cyber-attacks against critical systems.

Thanks to Darktrace analyst Oakley Cox for his insights on the above investigation.

No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.

More in this series

No items found.

Blog

/

/

August 6, 2025

How CDR & Automated Forensics Transform Cloud Incident Response

cloud security investigation guy on computer doing workDefault blog imageDefault blog image

Introduction: Cloud investigations

In cloud security, speed, automation and clarity are everything. However, for many SOC teams, responding to incidents in the cloud is often very difficult especially when attackers move fast, infrastructure is ephemeral, and forensic skills are scarce.

In this blog we will walk through an example that shows exactly how Darktrace Cloud Detection and Response (CDR) and automated cloud forensics together, solve these challenges, automating cloud detection, and deep forensic investigation in a way that’s fast, scalable, and deeply insightful.

The Problem: Cloud incidents are hard to investigate

Security teams often face three major hurdles when investigating cloud detections:

Lack of forensic expertise: Most SOCs and security teams aren’t natively staffed with forensics specialists.

Ephemeral infrastructure: Cloud assets spin up and down quickly, leaving little time to capture evidence.

Lack of existing automation: Gathering forensic-level data often requires manual effort and leaves teams scrambling around during incidents — accessing logs, snapshots, and system states before they disappear. This process is slow and often blocked by permissions, tooling gaps, or lack of visibility.

How Darktrace augments cloud investigations

1. Darktrace’s CDR finds anomalous activity in the cloud

An alert is generated for a large outbound data transfer from an externally facing EC2 instance to a rare external endpoint. It’s anomalous, unexpected, and potentially serious.

2. AI-led investigation stitches together the incident for a SOC analyst to look into

When a security incident unfolds, Darktrace’s Cyber AI Analyst TM is the first to surface it, automatically correlating behaviors, surfacing anomalies, and presenting a cohesive incident summary. It’s fast, detailed, and invaluable.

Once the incident is created, more questions are raised.

  • How were the impacted resources compromised?
  • How did the attack unfold over time – what tools and malware were used?
  • What data was accessed and exfiltrated?

What you’ll see as a SOC analyst: The incident begins in Darktrace’s Threat Visualizer, where a Cyber AI Analyst incident has been generated automatically highlighting large anomalous data transfer to a suspicious external IP. This isn’t just another alert, it’s a high-fidelity signal backed by Darktrace’s Self-Learning AI.

Cyber AI Analyst incident created for anomalous outbound data transfer
Figure 1: Cyber AI Analyst incident created for anomalous outbound data transfer

The analyst can then immediately pivot to Darktrace / CLOUD’s architecture view (see below), gaining context on the asset’s environment, ingress/egress points, connected systems, potential attack paths and whether there are any current misconfigurations detected on the asset.

Darktrace / CLOUD architecture view providing critical cloud context
Figure 2: Darktrace / CLOUD architecture view providing critical cloud context

3. Automated forensic capture — No expertise required

Then comes the game-changer, Darktrace’s recent acquisition of Cado enhances its cloud forensics capabilities. From the first alert triggered, Darktrace has already kicked in and automatically processed and analyzed a full volume capture of the EC2. Everything, past and present, is preserved. No need for manual snapshots, CLI commands, or specialist intervention.

Darktrace then provides a clear timeline highlighting the evidence and preserving it. In our example we identify:

  • A brute-force attempt on a file management app, followed by a successful login
  • A reverse shell used to gain unauthorized remote access to the EC2
  • A reverse TCP connection to the same suspicious IP flagged by Darktrace
  • Attacker commands showing how the data was split and prepared for exfiltration
  • A file (a.tar) created from two sensitive archives: product_plans.zip and research_data.zip

All of this is surfaced through the timeline view, ranked by significance using machine learning. The analyst can pivot through time, correlate events, and build a complete picture of the attack — without needing cloud forensics expertise.

Darktrace even gives the ability to:

  • Download and inspect gathered files in full detail, enabling teams to verify exactly what data was accessed or exfiltrated.
  • Interact with the file system as if it were live, allowing investigators to explore directories, uncover hidden artifacts, and understand attacker movement with precision.
Figure 3 Cado critical forensic investigation automated insights
Figure 3: Cado critical forensic investigation automated insights
Figure 4: Cado forensic file analysis of reverse shell and download option
Figure 5: a.tar created from two sensitive archives: product_plans.zip and research_data.zip
Figure 6: Traverse the full file system of the asset

Why this matters?

This workflow solves the hardest parts of cloud investigation:

  1. Capturing evidence before it disappears
  2. Understanding attacker behavior in detail - automatically
  3. Linking detections to impact with full incident visibility

This kind of insight is invaluable for organizations especially regulated industries, where knowing exactly what data was affected is critical for compliance and reporting. It’s also a powerful tool for detecting insider threats, not just external attackers.

Darktrace / CLOUD and Cado together acts as a force multiplier helping with:

  • Reducing investigation time from hours to minutes
  • Preserving ephemeral evidence automatically
  • Empowering analysts with forensic-level visibility

Cloud threats aren’t slowing down. Your response shouldn’t either. Darktrace / CLOUD + Cado gives your SOC the tools to detect, contain, and investigate cloud incidents — automatically, accurately, and at scale.

[related-resource]

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security

Blog

/

Network

/

August 6, 2025

2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review

cyberseucity 2025 half year threat report Default blog imageDefault blog image

2025: Threat landscape in review

The following is a retrospective of the first six months of 2025, highlighting key findings across the threat landscape impacting Darktrace customers.

Darktrace observed a wide range of tactics during this period, used by various types of threat actors including advanced persistent threats (APTs), Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) groups.

Methodology

Darktrace’s Analyst team conduct investigations and research into threats facing organizations and security teams across our customer base.  This includes direct investigations with our 24/7 Security Operations Centre (SOC), via services such as Managed Detection and Response (MDR) and Managed Threat Detection, as well as broader cross-fleet research through our Threat Research function.

At the core of our research is Darktrace’s anomaly-based detection, which the Analyst team contextualizes and analyzes to provide additional support to customers and deepen our understanding of the threats they face.

Threat actors are incorporating AI into offensive operations

Threat actors are continuously evolving their tactics, techniques, and procedures (TTPs), posing an ongoing challenge to effective defense hardening. Increasingly, many threat actors are adopting AI, particularly large language models (LLMs), into their operations to enhance the scale, sophistication, and efficacy of their attacks.

The evolving functionality of malware, such as the recently reported LameHug malware by CERT-UA, which uses an open-source LLM, exemplifies this observation [1].

Threat landscape trends in 2025

Threat actors applying AI to Email attacks

LLMs present a clear opportunity for attackers to take advantage of AI and create effective phishing emails at speed. While Darktrace cannot definitively confirm the use of AI to create the phishing emails observed across the customer base, the high volume of phishing emails and notable shifts in tactic could potentially be explained by threat actors adopting new tooling such as LLMs.

  • The total number of malicious emails detected by Darktrace from January to May 2025 was over 12.6 million
  • VIP users continue to face significant threat, with over 25% of all phishing emails targeting these users in the first five months of 2025
  • QR code-based phishing emails have remained a consistent tactic, with a similar proportion observed in January-May 2024 and 2025. The highest numbers were observed in February 2025, with over 1 million detected in that month alone.
  • Shifts towards increased sophistication within phishing emails are emerging, with a year-on-year increase in the proportion of phishing emails containing either a high text volume or multistage payloads. In the first five months of 2025, 32% of phishing emails contained a high volume of text.

The increase in proportion of phishing emails with a high volume of text in particular could point towards threat actors leveraging LLMs to create phishing emails with large, but believable, text in an easy and efficient way.

The above email statistics are derived from analysis of monitored Darktrace / EMAIL model data for all customer deployments hosted in the cloud between January 1 and May 31, 2025.

Campaign Spotlight: Simple, Quick - ClickFix

An interesting technique Darktrace observed multiple times throughout March and April was ClickFix social engineering, which exploits the intersection between humans and technology to trick users into executing malicious code on behalf of the attacker.

  • While this technique has been around since 2024, Darktrace observed campaign activity in the first half of 2025 suggesting a resurgence.  
  • A range of threat actors – from APTs to MaaS and RaaS have adopted this technique to deliver secondary payloads, like information stealing malware.
  • Attackers use fraudulent or compromised legitimate websites to inject malicious plugins that masquerade as fake CAPTCHAs.
  • Targeted users believe they are completing human verification or resolving a website issue, unaware that they are being guided through a series of simple steps to execute PowerShell code on their system.
  • Darktrace observed campaign activity during the first half of 2025 across a range of sectors, including Government, Healthcare, Insurance, Retail and, Non-profit.

Not just AI: Automation is enabling Ransomware and SaaS exploitation

The rise of phishing kits like FlowerStorm and Mamba2FA, which enable phishing and abuse users’ trust by mimicking legitimate services to bypass multi-factor authentication (MFA), highlight how the barriers to entry for sophisticated attacks continue to fall, enabling new threat actors. Combined with Software-as-a-Service (SaaS) account compromise, these techniques make up a substantial portion of cybercriminal activity observed by Darktrace so far this year.

Credentials remain the weak link

A key theme across multiple cases of ransomware was threat actors abusing compromised credentials to gain initial entry into networks via:

  • Unauthorized access to internet-facing technology such as RDP servers and virtual private networks (VPNs).
  • Unauthorized access to SaaS accounts.

SaaS targeted ransomware is on the rise

The encryption of files within SaaS environments observed by Darktrace demonstrates a continued trend of ransomware actors targeting these platforms over traditional networks, potentially driven by a higher return on investment.

SaaS accounts are often less protected than traditional systems because of Single Sign-On (SSO).  Additionally, platforms like Salesforce often host sensitive data, including emails, financial records, customer information, and network configuration details. This stresses the need for robust identity management practices and continuous monitoring.

RaaS is adding complexity and speed to cyber attacks

RaaS has dominated the attack landscape, with groups like Qilin, RansomHub, and Lynx all appearing multiple times in cases across Darktrace’s customer base over the past six months. Detecting ransomware attacks before the encryption stage remains a significant challenge, particularly in RaaS operations where different affiliates often use varying techniques for initial entry and earlier stages of the attack. Darktrace’s recent analysis of Scattered Spider underscores the challenge of hardening defenses against such varying techniques.

CVE exploitation continues despite available patches

Darktrace has also observed ransomware gangs exploiting known Common Vulnerabilities and Exposures (CVEs), including the Medusa ransomware group’s use of the SimpleHelp vulnerabilities: CVE-2024-57727 and CVE-2024-57728 in March, despite patches being made available in January [2].

Misused tools + delayed patches = growing cyber risk

The exploitation of common remote management tools like SimpleHelp highlights the serious challenges defenders face when patch management cycles are suboptimal. As threat actors continue to abuse legitimate services for malicious purposes, the challenges facing defenders will only grow more complex.

Edge exploitation

It comes as no surprise that exploitation of internet-facing devices continued to feature prominently in Darktrace’s Threat Research investigations during the first half of 2025.

Observed CVE exploitation included:

Many of Darktrace’s observations of CVE exploitation so far in 2025 align with wider industry reporting, which suggests that Chinese-nexus threat actors were deemed to likely have exploited these technologies prior to public disclosure. In the case of CVE-2025-0994 - a vulnerability affecting Trimble Cityworks, an asset management system designed for use by local governments, utilities, airports, and public work agencies [3].

Darktrace observed signs of exploitation as early as January 19, well before vulnerability’s public disclosure on February 6 [4]. Darktrace’s early identification of the exploitation stemmed from the detection of a suspicious file download from 192.210.239[.]172:3219/z44.exe - later linked to Chinese-speaking threat actors in a campaign targeting the US government [5].

This case demonstrates the risks posed by the exploitation of internet-facing devices, not only those hosting more common technologies, but also software associated specifically tied to Critical National Infrastructure (CNI); a lucrative target for threat actors. This also highlights Darktrace’s ability to detect exploitation of internet-facing systems, even without a publicly disclosed CVE. Further examples of how Darktrace’s anomaly detection can uncover malicious activity ahead of public vulnerability disclosures can be found here.

New threats and returning adversaries

In the first half of 2025, Darktrace observed a wide range of threats, from sophisticated techniques employed by APT groups to large-scale campaigns involving phishing and information stealers.

BlindEagle (APT-C-36)

Among the observed APT activity, BlindEagle (APT-C-36) was seen targeting customers in Latin America (LATM), first identified in February, with additional cases seen as recently as June.

Darktrace also observed a customer targeted in a China-linked campaign involving the LapDogs ORB network, with activity spanning from December 2024 and June 2025. These likely nation-state attacks illustrate the continued adoption of cyber and AI capabilities into the national security goals of certain countries.

Sophisticated malware functionality

Further sophistication has been observed within specific malware functionality - such as the malicious backdoor Auto-Color, which has now been found to employ suppression tactics to cover its tracks if it is unable to complete its kill chain - highlighting the potential for advanced techniques across every layer of an attack.

Familiar foes

Alongside new and emerging threats, previously observed and less sophisticated tools, such as worms, Remote Access Trojans (RATs), and information stealers, continue to impact Darktrace customers.

The Raspberry Robin worm... First seen in 2021, has been repeatedly identified within Darktrace’s customer base since 2022. Most recently, Darktrace’s Threat Research team identified cases in April and May this year. Recent open-source intelligence (OSINT) reporting suggests that Raspberry Robin continues to evolve its role as an Initial Access Broker (IAB), paving the way for various attacks and remaining a concern [6].

RATs also remain a threat, with examples like AsyncRAT and Gh0st RAT impacting Darktrace customers.

In April multiple cases of MaaS were observed in Darktrace’s customer base, with information stealers Amadey and Stealc, as well as GhostSocks being distributed as a follow up payload after an initial Amadey infection.

Conclusion

As cyber threats evolve, attackers are increasingly harnessing AI to craft highly convincing email attacks, automating phishing campaigns at unprecedented scale and speed. This, coupled with rapid exploitation of vulnerabilities and the growing sophistication of ransomware gangs operating as organized crime syndicates, makes today’s threat landscape more dynamic and dangerous than ever. Cyber defenders collaborate to combat these threats – the coordinated takedown of Lumma Stealer in May was a notable win for both industry and law-enforcement [7], however OSINT suggests that this threat persists [8], and new threats will continue to arise.

Traditional security tools that rely on static rules or signature-based detection often struggle to keep pace with these fast-moving, adaptive threats. In this environment, anomaly-based detection tools are no longer optional—they are essential. By identifying deviations in normal user and system behavior, tools like Darktrace provide a proactive layer of defense capable of detecting novel and emerging threats, even those that bypass conventional security measures. Investing in anomaly-based detection is critical to staying ahead of attackers who now operate with automation, intelligence, and global coordination.

Credit to Emma Foulger (Global Threat Research Operations Lead), Nathaniel Jones (VP, Security & AI Strategy, Field CISO),  Eugene Chua (Principal Cyber Analyst & Analyst Team Lead), Nahisha Nobregas (Senior Cyber Analyst), Nicole Wong (Principal Cyber Analyst), Justin Torres (Senior Cyber Analyst), Matthew John (Director of Operations, SOC), Sam Lister (Specialist Security Researcher), Ryan Traill (Analyst Content Lead) and the Darktrace Incident Management team.

The information contained in this blog post is provided for general informational purposes only and represents the views and analysis of Darktrace as of the date of publication. While efforts have been made to ensure the accuracy and timeliness of the information, the cybersecurity landscape is dynamic, and new threats or vulnerabilities may have emerged since this report was compiled.

This content is provided “as is” and without warranties of any kind, either express or implied. Darktrace makes no representations or warranties regarding the completeness, accuracy, reliability, or suitability of the information, and expressly disclaims all warranties.

Nothing in this blog post should be interpreted as legal, technical, or professional advice. Users of this information assume full responsibility for any actions taken based on its content, and Darktrace shall not be liable for any loss or damage resulting from reliance on this material. Reference to any specific products, companies, or services does not constitute or imply endorsement, recommendation, or affiliation.

Appendices

Indicators of Compromise (IoCs)

IoC - Type - Description + Probability

LapDogs ORB network, December 2024-June 2025

www.northumbra[.]com – Hostname – Command and Control (C2) server

103.131.189[.]2 – IP Address - C2 server, observed December 2024 & June 2025

103.106.230[.]31 – IP Address - C2 server, observed December 2024

154.223.20[.]56 – IP Address – Possible C2 server, observed December 2024

38.60.214[.]23 – IP Address – Possible C2 server, observed January & February 2025

154.223.20[.]58:1346/systemd-log – URL – Possible ShortLeash payload, observed December 2024

CN=ROOT,OU=Police department,O=LAPD,L=LA,ST=California,C=US - TLS certificate details for C2 server

CVE-2025-0994, Trimble Cityworks exploitation, January 2025

192.210.239[.]172:3219/z44.exe – URL - Likely malicious file download

AsyncRAT, February-March 2025

windows-cam.casacam[.]net – Hostname – Likely C2 server

88.209.248[.]141 – IP Address – Likely C2 server

207.231.105[.]51 – IP Address – Likely C2 server

163.172.125[.]253 – IP Address – Likely C2 server

microsoft-download.ddnsfree[.]com – Hostname – Likely C2 server

95.217.34[.]113 – IP Address – Likely C2 server

vpnl[.]net – Hostname – Likely C2 server

157.20.182[.]16 – IP Address - Likely C2 server

185.81.157[.]19 – IP Address – Likely C2 server

dynamic.serveftp[.]net – IP Address – Likely C2 server

158.220.96.15 – IP Address – Likely C2 server

CVE-2024-57727 & CVE-2024-57728, SimpleHelp RMM exploitation, March 2025

213.183.63[.]41 – IP Address - C2 server

213.183.63[.]41/access/JWrapper-Windows64JRE-version.txt?time=3512082867 – URL - C2 server

213.183.63[.]41/access/JWrapper-Windows64JRE-00000000002-archive.p2.l2 – URL - C2 server

pruebas.pintacuario[.]mx – Hostname – Possible C2 server

144.217.181[.]205 – IP Address – Likely C2 server

erp.ranasons[.]com – Hostname – Possible destination for exfiltration

143.110.243[.]154 – IP Address – Likely destination for exfiltration

Blind Eagle, April-June 2025

sostenermio2024.duckdns[.]org/31agosto.vbs – URL – Possible malicious file download

Stealc, April 2025

88.214.48[.]93/ea2cb15d61cc476f[.]php – URL – C2 server

Amadey & GhostSocks, April 2025

195.82.147[.]98 – IP Address - Amadey C2 server

195.82.147[.]98/0Bdh3sQpbD/index.php – IP Address – Likely Amadey C2 activity

194.28.226.181 – IP Address – Likely GhostSocks C2 server

RaspberryRobin, May 2025

4j[.]pm – Hostname – C2 server

4xq[.]nl – Hostname – C2 server

8t[.]wf – Hostname – C2 server

Gh0stRAT, May 2025

lu.dssiss[.]icu  - Hostname – Likely C2 server

192.238.133[.]162:7744/1-111.exe – URL – Possible addition payload

8e9dec3b028f2406a8c546a9e9ea3d50609c36bb - SHA1 - Possible additional payload

f891c920f81bab4efbaaa1f7a850d484 - MD5 – Possible additional payload

192.238.133[.]162:7744/c3p.exe – URL - Possible additional payload

03287a15bfd67ff8c3340c0bae425ecaa37a929f - SHA1 - Possible additional payload

02aa02aee2a6bd93a4a8f4941a0e6310 - MD5 - Possible additional payload

192.238.133[.]162:7744/1-1111.exe – URL - Possible additional payload

1473292e1405882b394de5a5857f0b6fa3858fd1 - SHA1 - Possible additional payload

69549862b2d357e1de5bab899ec0c817 - MD5 - Possible additional payload

192.238.133[.]162:7744/1-25.exe – URL -  Possible additional payload

20189164c4cd5cac7eb76ba31d0bd8936761d7a7  - SHA1 - Possible additional payload

f42aa5e68b28a3f335f5ea8b6c60cb57 – MD5 - Possible additional payload

192.238.133[.]162:7744/Project1_se.exe – URL - Possible additional payload

fea1e30dfafbe9fa9abbbdefbcbe245b6b0628ad - SHA1 - Possible additional payload

5ea622c630ef2fd677868cbe8523a3d5 - MD5 - Possible additional payload

192.238.133[.]162:7744/Project1_se.exe - URL - Possible additional payload

aa5a5d2bd610ccf23e58bcb17d6856d7566d71b9  - SHA1 - Possible additional payload

9d33029eaeac1c2d05cf47eebb93a1d0 - MD5 - Possible additional payload

References and further reading

1.        https://cip.gov.ua/en/news/art28-atakuye-sektor-bezpeki-ta-oboroni-za-dopomogoyu-programnogo-zasobu-sho-vikoristovuye-shtuchnii-intelekt?utm_medium=email&_hsmi=113619842&utm_content=113619842&utm_source=hs_email

2.        https://www.s-rminform.com/latest-thinking/cyber-threat-advisory-medusa-and-the-simplehelp-vulnerability

3.        https://assetlifecycle.trimble.com/en/products/software/cityworks

4.     https://nvd.nist.gov/vuln/detail/CVE-2025-0994

5.     https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/

6.        https://www.silentpush.com/blog/raspberry-robin/

7.        https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/

8.     https://www.trendmicro.com/en_sg/research/25/g/lumma-stealer-returns.html

Related Darktrace investigations

-              ClickFix

-              FlowerStorm

-              Mamba 2FA

-              Qilin Ransomware

-              RansomHub Ransomware

-              RansomHub Revisited

-              Lynx Ransomware

-              Scattered Spider

-              Medusa Ransomware

-              Legitimate Services Malicious Intentions

-              CVE-2025-0282 and CVE-2025-0283 – Ivanti CS, PS and ZTA

-              CVE-2025-31324 – SAP Netweaver

-              Pre-CVE Threat Detection

-              BlindEagle (APT-C-36)

-              Raspberry Robin Worm

-              AsyncRAT

-              Amadey

-              Lumma Stealer

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead
Your data. Our AI.
Elevate your network security with Darktrace AI