Blog
/
Network
/
August 2, 2023

Darktrace's Detection of Ransomware & Syssphinx

Read how Darktrace identified an attack technique by the threat group, Syssphinx. Learn how Darktrace's quick identification process can spot a threat.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Potter
Senior Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Aug 2023

Introduction

As the threat of costly cyber-attacks continues represent a real concern to security teams across the threat landscape, more and more organizations are strengthening their defenses with additional security tools to identify attacks and protect their networks. As a result, malicious actors are being forced to adapt their tactics, modify existing variants of malicious software, or utilize entirely new variants.  

Symantec recently released an article about Syssphinx, the financially motivated cyber threat group previously known for their point-of-sale attacks. Syssphinx attempts to deploy ransomware on customer networks via a modified version of their ‘Sardonic’ backdoor. Such activity highlights the ability of threat actors to alter the composition and presentation of payloads, tools, and tactics.

Darktrace recently detected some of the same indicators suggesting a likely Syssphinx compromise within the network of a customer trialing the Darktrace DETECT™ and RESPOND™ products. Despite the potential for variations in the construction of backdoors and payloads used by the group, Darktrace’s anomaly-based approach to threat detection allowed it to stitch together a detailed account of compromise activity and identify the malicious activity prior to disruptive events on the customer’s network.

What is Syssphinx?

Syssphinx is a notorious cyber threat entity known for its financially motivated compromises.  Also referred to as FIN8, Syssphinx has been observed as early as 2016 and is largely known to target private sector entities in the retail, hospitality, insurance, IT, and financial sectors.[1]

Although Syssphinx primarily began focusing on point-of-sale style attacks, the activity associated with the group has more recently incorporated ransomware variants into their intrusions in a potential bid to further extract funds from target organizations.[2]

Syssphinx Sardonic Backdoor

Given this gradual opportunistic incorporation of ransomware, it should not be surprising that Syssphinx has slowly expanded its repertoire of tools.  When primarily performing point-of-sale compromises, the group was known for its use of point-of-sale specific malwares including BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea.[3]

However, in a seeming response to updates in detection systems while using previous indicators of compromise (IoCs), Syssphinx began to modify its BadHatch malware.  This resulted in the use of a C++ derived backdoor known as “Sardonic”, which has the ability to aggregate host credentials, spawn additional command sessions, and deliver payloads to compromised devices via dynamic-link library (DLL).[4],[5]

Analysis of the latest version of Sardonic reveals further changes to the malware to elude detection. These shifts include the implementation of the backdoor in the C programming language, and additional over-the-network communication obfuscation techniques. [6]

During the post-exploitation phase, the group tends to rely on “living-off-the-land” tactics, whereby an attacker utilizes tools already present within the organization’s digital environment to avoid detection. Syssphinx seems to utilize system-native tools such as PowerShell and the Windows Management Instrumentation (WMI) interface.[7] It is also not uncommon to see Windows-based vulnerability exploits employed on compromised devices. This has been observed by researchers who have examined previous iterations of Syssphinx backdoors.[8] Syssphinx also appears to exhibit elements of strategic patience and discipline in its operations, with significant time gaps in operations noted by researchers. During this time, it appears likely that updates and tweaks were applied to Syssphinx payloads.

Compromise Details

In late April 2023, Darktrace identified an active compromise on the network of a prospective customer who was trialing Darktrace DETECT+RESPOND. The customer, a retailer in EMEA with hundreds of tracked devices, reached out to the Darktrace Analyst team via the Ask the Expert (ATE) service for support and further investigation, following the encryption of their server and backup data storage in an apparent ransomware attack. Although the encryption events fell outside Darktrace’s purview due to a limited set up of trial appliances, Darktrace was able to directly track early stages of the compromise before exfiltration and encryption events began. If a full deployment had been set up and RESPOND functionality had been configured in autonomous response mode, Darktrace may have helped mitigate such encryption events and would have aided in the early identification of this ransomware attack.

Initial Intrusion and Establishment of Command and Control (C2) Infrastructure

As noted by security researchers, Syssphinx largely relies on social engineering and phishing emails to deliver its backdoor payloads. As there were no Darktrace/Email™ products deployed for this customer, it would be difficult to directly observe the exact time and manner of initial payload delivery related to this compromise. This is compounded by the fact that the customer had only recently began using Darktrace’s products during their trial period. Given the penchant for patience and delay by Syssphinx, it is possible that the intrusion began well before Darktrace had visibility of the organization’s network.

However, beginning on April 30, 2023, at 07:17:31 UTC, Darktrace observed the domain controller dc01.corp.XXXX  making repeated SSL connections to the endpoint 173-44-141-47[.]nip[.]io. In addition to the multiple open-source intelligence (OSINT) flags for this endpoint, the construction of the domain parallels that of the initial domain used to deliver a backdoor, as noted by Symantec in their analysis (37-10-71-215[.]nip[.]io). This activity likely represented the initial beaconing being performed by the compromised device. Additionally, an elevated level of incoming external data over port 443 was observed during this time, which may be associated with the delivery of the Sardonic backdoor payload. Given the unusual use of port 443 to perform SSH connections later seen in the kill chain of this attack, this activity could also parallel the employment of embedded backdoor payloads seen in the latest iteration of the Sardonic backdoor noted by Symantec.

Figure 1: Graph of the incoming external data surrounding the time of the initial establishment of command and control communication for the domain controller. As seen in the graph, the spike in incoming external data during this time may parallel the delivery of Syssphinx Sardonic backdoor.

Regardless, the domain controller proceeded to make repeated connections over port 443 to the noted domain.

Figure 2: Breach event log for the domain controller making repeated connections over port 443 to the rare external destination endpoint in constitute the establishment of C2 communication.

Internal Reconnaissance/Privilege Escalation

Following the establishment of C2 communication, Darktrace detected numerous elements of internal reconnaissance. On Apr 30, 2023, at 22:06:26 UTC, the desktop device desktop_02.corp.XXXX proceeded to perform more than 100 DRSGetNCChanges requests to the aforementioned domain controller. These commands, which are typically implemented over the RPC protocol on the DRSUAPI interface, are frequently utilized in Active Directory sync attacks to copy Active Directory information from domain controllers. Such activity, when not performed by new domain controllers to sync Active Directory contents, can indicate malicious domain or user enumeration, credential compromise or Active Directory enumeration.

Although the affected device made these requests to the previously noted domain controller, which was already compromised, such activity may have further enabled the compromise by allowing the threat actor to transfer these details to a more easily manageable device.

The device performing these DRSGetNCChanges requests would later be seen performing lateral movement activity and making connections to malicious endpoints.

Figure 3: Breach log highlighting the DRS operations performed by the corporate device to the destination domain controller. Such activity is rarely authorized for devices not tagged as administrative or as domain controllers.

Execution and Lateral Movement

At 23:09:53 UTC on April 30, 2023, the original domain server proceeded to make multiple uncommon WMI calls to a destination server on the same subnet (server01.corp.XXXX). Specifically, the device was observed making multiple RPC calls to IWbem endpoints on the server, which included login and ExecMethod (method execution) commands on the destination device. This destination device later proceeded to conduct additional beaconing activity to C2 endpoints and exfiltrate data.

Figure 4: Breach log for the domain controller performing WMI commands to the destination server during the lateral movement phase of the breach.

Similarly, beginning on May 1, 2023, at 00:11:09 UTC, the device desktop_02.corp.XXXX made multiple WMI requests to two additional devices, one server and one desktop, within the same subnet as the original domain controller. During this time, desktop_02.corp.XXXX  also utilized SMBv1, an outdated and typically non-compliant version communication protocol, to write the file rclone.exe to the same two destination devices. Rclone.exe, and its accompanying bat file, is a command-line tool developed by IT provider Rclone, to perform file management tasks. During this time, Darktrace also observed the device reading and deleting an unexpected numeric file on the ADMIN$ of the destination server, which may represent additional defense evasion techniques and tool staging.

Figure 5: Event log highlighting the writing of rclone.exe using the outdated SMBv1 communication protocol.
Figure 6: SMB logs indicating the reading and deletion of numeric string files on ADMIN$ shares of the destination devices during the time of the rclone.exe SMB writes. Such activity may be associated with tool staging and could indicate potential defense evasion techniques.

Given that the net loader sample analyzed by Symantec injects the backdoor into a WmiPrvSE.exe process, the use of WMI operations is not unexpected. Employment of WMI also correlates with the previously mentioned “living-off-the-land” tactics, as WMI services are commonly used for regular network and system administration purposes. Moreover, the staging of rclone.exe, a legitimate file management tool, for data exfiltration underscores attempts to blend into existing and expected network traffic and remain undetected on the customer’s network.

Data Exfiltration and Impact

Initial stages of data exfiltration actually began prior to some of the lateral movement events described above. On April 30, 2023, 23:09:47 the device server01.corp.XXXX, transferred nearly 11 GB of data to 173.44[.]141[.]47, as well as to the rare external IP address 170.130[.]55[.]77, which appears to have served as the main exfiltration destination during this compromise. Furthermore, the host made repeated connections to the same external IP associated with the initial suspicious beaconing activity (173.44[.]141[.]47) over SSL.

While the data exfiltration event unfolded, the device, server01.corp.XXXX, made multiple HTTP requests to 37.10[.]71[.]215, which featured URIs requesting the rclone.exe and rclone.bat files. This IP address was directly involved in the sample analyzed by Symantec. Furthermore, one of the devices that received the SMB file writes of rclone.exe and the WMI commands from desktop_02.corp.XXXX also performed SSL beaconing to endpoints associated with the compromise.

Between 01:20:45 - 03:31:41 UTC on May 1, 2023, a Darktrace detected a series of devices on the network performing a repeated pattern of activity, namely external connectivity followed by suspicious file downloads and external data transfer operations. Specifically, each affected device made multiple HTTP requests to 37.10[.]71[.]215 for rclone files. The devices proceeded to download the executable and/or binary files, and then transfer large amounts of data to the aforementioned endpoints, 170.130[.]55[.]77 and or 173-44-141-47[.]nip[.]io. Although the devices involved in data exfiltration utilized port 443 as a destination port, the connections actually used the SSH protocol. Darktrace recognized this behavior as unusual as port 443 is typically associated with the SSL protocol, while port 22 is reserved for SSH. Therefore, this activity may represent the threat actor’s attempts to remain undetected by security tools.

This unexpected use of SSH over port 443 also correlates with the descriptions of the new Sardonic backdoor according to threat researchers. Further beaconing and exfiltration activity was performed by an additional host one day later whereby the device made suspicious repeated connections to the aforementioned external hosts.

Figure 7: Connection details highlighting the use of port 443 for SSH connections during the exfiltration events.

In total, nine separate devices were involved in this pattern of activity. Five of these devices were labeled as ‘administrative’ devices according to their hostnames. Over the course of the entire exfiltration event, the attackers exfiltrated almost 61 GB of data from the organization’s environment.

Figure 8: Graph showing the levels of external data transfer from a breach device for one day on either side of the breach time. There is a large spike in such activity during the time of the breach that underscores the exfiltration events.

In addition to the individual anomaly detections by DETECT, Darktrace’s Cyber AI Analyst™ launched an autonomous investigation into the unusual behavior carried out by affected devices, connecting and collating multiple security events into one AI Analyst Incident. AI Analyst ensures that Darktrace can recognize and link the individual steps of a wider attack, rather than just identifying isolated incidents. While traditional security tools may mistake individual breaches as standalone activity, Darktrace’s AI allows it to provide unparalleled visibility over emerging attacks and their kill chains. Furthermore, Cyber AI Analyst’s instant autonomous investigations help to save customer security teams invaluable time in triaging incidents in comparison with human teams who would have to commit precious time and resources to conduct similar pattern analysis.

In this specific case, AI Analyst identified 44 separate security events from 18 different devices and was able to tie them together into one incident. The events that made up this AI Analyst Incident included:

  • Possible SSL Command and Control
  • Possible HTTP Command and Control
  • Unusual Repeated Connections
  • Suspicious Directory Replication ServiceActivity
  • Device / New or Uncommon WMI Activity
  • SMB Write of Suspicious File
  • Suspicious File Download
  • Unusual External Data Transfer
  • Unusual External Data Transfer to MultipleRelated Endpoints
Figure 9: Cyber AI Incident log highlighting multiple unusual anomalies and connecting them into one incident.

Had Darktrace RESPOND been enabled in autonomous response mode on the network of this prospective customer, it would have been able to take rapid mitigative action to block the malicious external connections used for C2 communication and subsequent data exfiltration, ideally halting the attack at this stage. As previously discussed, the limited network configuration of this trial customer meant that the encryption events unfortunately took place outside of Darktrace’s scope. When fully configured on a customer environment, Darktrace DETECT can identify such encryption attempts as soon as they occur. Darktrace RESPOND, in turn, would be able to immediately intervene by applying preventative actions like blocking internal connections that may represent file encryption, or limiting potentially compromised devices to a previously established pattern of life, ensuring they cannot carry out any suspicious activity.

Conclusion

Despite the limitations posed by the customer’s trial configuration, Darktrace demonstrated its ability to detect malicious activity associated with Syssphinx and track it across multiple stages of the kill chain.

Darktrace’s ability to identify the early stages of a compromise and various steps of the kill chain, highlights the necessity for machine learning-enabled, anomaly-based detection. In the face of threats such as Syssphinx, that exhibit the propensity to recast backdoor payloads and incorporate on “living-off-the-land” tactics, signatures and rules-based detection may not prove as effective. While Syssphinx and other threat groups will continue to adopt new tools, methods, and techniques, Darktrace’s Self-Learning AI is uniquely positioned to meet the challenge of such threats.

Appendix

DETECT Model Breaches Observed

•      Anomalous Server Activity / Anomalous External Activity from Critical Network Device

•      Anomalous Connection / Anomalous DRSGetNCChanges Operation

•      Device / New or Uncommon WMI Activity

•      Compliance / SMB Drive Write

•      Anomalous Connection / Data Sent to Rare Domain

•      Anomalous Connection / Uncommon 1 GiB Outbound

•      Unusual Activity / Unusual External Data Transfer

•      Unusual Activity / Unusual External Data to New Endpoints

•      Compliance / SSH to Rare External Destination

•      Anomalous Connection / Unusual SMB Version 1 Connectivity

•      Anomalous File / EXE from Rare External Location

•      Anomalous File / Script from Rare External Location

•      Compromise / Suspicious File and C2

•      Device / Initial Breach Chain Compromise

AI Analyst Incidents Observed

•      Possible SSL Command and Control

•      Possible HTTP Command and Control

•      Unusual Repeated Connections

•      Suspicious Directory Replication Service Activity

•      Device / New or Uncommon WMI Activity

•      SMB Write of Suspicious File

•      Suspicious File Download

•      Unusual External Data Transfer

•      Unusual External Data Transfer to Multiple Related Endpoints

IoCs

IoC - Type - Description

37.10[.]71[.]215 – IP – C2 + payload endpoint

173-44-141-47[.]nip[.]io – Hostname – C2 – payload

173.44[.]141[.]47 – IP – C2 + potential payload

170.130[.]55[.]77 – IP – Data exfiltration endpoint

Rclone.exe – Exe File – Common data tool

Rclone.bat – Script file – Common data tool

MITRE ATT&CK Mapping

Command and Control

T1071 - Application Layer Protocol

T1071.001 – Web protocols

T1573 – Encrypted channels

T1573.001 – Symmetric encryption

T1573.002 – Asymmetric encryption

T1571 – Non-standard port

T1105 – Ingress tool transfer

Execution

T1047 – Windows Management Instrumentation

Credential Access

T1003 – OS Credential Dumping

T1003.006 – DCSync

Lateral Movement

T1570 – Lateral Tool Transfer

T1021 - Remote Services

T1021.002 - SMB/Windows Admin Shares

T1021.006 – Windows Remote Management

Exfiltration

T1048 - Exfiltration Over Alternative Protocol

T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol

T1048.002 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol

T1041 - Exfiltration Over C2 Channel

References

[1] https://cyberscoop.com/syssphinx-cybercrime-ransomware/

[2] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor

[3] https://www.bleepingcomputer.com/news/security/fin8-deploys-alphv-ransomware-using-sardonic-malware-variant/

[4] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor

[5] https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html

[6] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor

[7] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor

[8] https://www.mandiant.com/resources/blog/windows-zero-day-payment-cards

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Potter
Senior Cyber Analyst

More in this series

No items found.

Blog

/

Network

/

September 15, 2025

SEO Poisoning and Fake PuTTY sites: Darktrace’s Investigation into the Oyster backdoor

Default blog imageDefault blog image

What is SEO poisoning?

Search Engine Optimization (SEO) is the legitimate marketing technique of improving the visibility of websites in organic search engine results. Businesses, publishers, and organizations use SEO to ensure their content is easily discoverable by users. Techniques may include optimizing keywords, creating backlinks, or even ensuring mobile compatibility.

SEO poisoning occurs when attackers use these same techniques for malicious purposes. Instead of improving the visibility of legitimate content, threat actors use SEO to push harmful or deceptive websites to the top of search results. This method exploits the common assumption that top-ranking results are trustworthy, leading users to click on URLs without carefully inspecting them.

As part of SEO poisoning, the attacker will first register a typo-squatted domain, slightly misspelled or otherwise deceptive versions of real software sites, such as putty[.]run or puttyy[.]org. These sites are optimized for SEO and often even backed by malicious Google ads, increasing the visibility when users search for download links. To achieve that, threat actors may embed pages with strategically chosen, high-value keywords or replicate content from reputable sources to elevate the domain’s perceived authority in search engine algorithms [4]. In more advanced operations, these tactics are reinforced with paid promotion, such as Google ads, enabling malicious domains to appear above organic search results as sponsored links. This placement not only accelerates visibility but also impacts an unwarranted sense of legitimacy to unsuspected users.

Once a user lands on one of these fake pages, they are presented with what looks like a legitimate software download option. Upon clicking the download indicator, the user will be redirected to another separate domain that actually hosts the payload. This hosting domain is usually unrelated to the nominally referenced software. These third-party sites can involve recently registered domains but may also include legitimate websites that have been recently compromised. By hosting malware on a variety of infrastructure, attackers can prolong the availability of distribution methods for these malicious files before they are taken down.

What is the Oyster backdoor?

Oyster, also known as Broomstick or CleanUpLoader, is a C++ based backdoor malware first identified in July 2023. It enables remote access to infected systems, offering features such as command-line interaction and file transfers.

Oyster has been widely adopted by various threat actors, often as an entry point for ransomware attacks. Notable examples include Vanilla Tempest and Rhysida ransomware groups, both of which have been observed leveraging the Oyster backdoor to enhance their attack capabilities. Vanilla Tempest is known for using Oyster’s stealth persistence to maintain long-term access within targeted networks, often aligning their operations with ransomware deployment [5]. Rhysida has taken this further by deploying Oyster as an initial access tool in ransomware campaigns, using it to conduct reconnaissance and move laterally before executing encryption activities [6].

Once installed, the backdoor gathers basic system information before communicating with a command-and-control (C2) server. The malware largely relies on a ‘cmd.exe’ instance to execute commands and launch other files [1].

In previous SEO poisoning cases, the file downloaded from the fake pages is not just PuTTY, but a trojanized version that includes the stealthy Oyster backdoor. PuTTY is a free and open-source terminal emulator for Windows that allows users to connect to remote servers and devices using protocols like SSH and Telnet. In the recent campaign, once a user visits the fake software download site, ranked highly through SEO poisoning, the malicious payload is downloaded through direct user interaction and subsequently installed on the local device, initiating the compromise. The malware then performs two actions simultaneously: it installs a fully functional version of PuTTY to avoid user suspicion, while silently deploying the Oyster backdoor. Given PuTTY’s nature, it is prominently used by IT administrators with highly privileged account as opposed to standard users in a business, possibly narrowing the scope of the targets.

Oyster’s persistence mechanism involves creating a Windows Scheduled Task that runs every few minutes. Notably, the infection uses Dynamic Link Library (DLL) side loading, where a malicious DLL, often named ‘twain_96.dll’, is executed via the legitimate Windows utility ‘rundll32.exe’, which is commonly used to run DLLs [2]. This technique is frequently used by malicious actors to blend their activity with normal system operations.

Darktrace’s Coverage of the Oyster Backdoor

In June 2025, security analysts at Darktrace identified a campaign leveraging search engine manipulation to deliver malware masquerading as the popular SSH client, PuTTY. Darktrace / NETWORK’s anomaly-based detection identified signs of malicious activity, and when properly configured, its Autonomous Response capability swiftly shut down the threar before it could escalate into a more disruptive attack. Subsequent analysis by Darktrace’s Threat Research team revealed that the payload was a variant of the Oyster backdoor.

The first indicators of an emerging Oyster SEO campaign typically appeared when user devices navigated to a typosquatted domain, such as putty[.]run or putty app[.]naymin[.]com, via a TLS/SSL connection.

Figure 1: Darktrace’s detection of a device connecting to the typosquatted domain putty[.]run.

The device would then initiate a connection to a secondary domain that hosts the malicious installer, likely triggered by user interaction with redirect elements on the landing page. This secondary site may not have any immediate connection to PuTTY itself but is instead a hijacked blog, a file-sharing service, or a legitimate-looking content delivery subdomain.

Figure 2: Darktrace’s detection of the device making subsequent connections to the payload domain.

Following installation, multiple affected devices were observed attempting outbound connectivity to rare external IP addresses, specifically requesting the ‘/secure’ endpoint as noted within the declared URIs. After the initial callback, the malware continued communicating with additional infrastructure, maintaining its foothold and likely waiting for tasking instructions. Communication patterns included:

·       Endpoints with URIs /api/kcehc and /api/jgfnsfnuefcnegfnehjbfncejfh

·       Endpoints with URI /reg and user agent “WordPressAgent”, “FingerPrint” or “FingerPrintpersistent”

This tactic has been consistently linked to the Oyster backdoor, which has shown similar URI patterns across multiple campaigns [3].

Darktrace analysts also noted the sophisticated use of spoofed user agent strings across multiple investigated customer networks. These headers, which are typically used to identify the application making an HTTP request, are carefully crafted to appear benign or mimic legitimate software. One common example seen in the campaign is the user agent string “WordPressAgent”. While this string references a legitimate web application or plugin, it does not appear to correspond to any known WordPress services or APIs. Its inclusion is most likely designed to mimic background web traffic commonly associated with WordPress-based content management systems.

Figure 3: Cyber AI Analyst investigation linking the HTTP C2 activity.

Case-Specific Observations

While the previous section focused on tactics and techniques common across observed Oyster infections, a closer examination reveals notable variations and unique elements in specific cases. These distinct features offer valuable insights into the diverse operational approaches employed by threat actors. These distinct features, from unusual user agent strings to atypical network behavior, offer valuable insights into the diverse operational approaches employed by the threat actors. Crucially, the divergence in post-exploitation activity reflects a broader trend in the use of widely available malware families like Oyster as flexible entry points, rather than fixed tools with a single purpose. This modular use of the backdoor reflects the growing Malware-as-a-Service (MaaS) ecosystem, where a single initial infection can be repurposed depending on the operator’s goals.

From Infection to Data Egress

In one observed incident, Darktrace observed an infected device downloading a ZIP file named ‘host[.]zip’ via curl from the URI path /333/host[.]zip, following the standard payload delivery chain. This file likely contained additional tools or payloads intended to expand the attacker’s capabilities within the compromised environment. Shortly afterwards, the device exhibited indicators of probable data exfiltration, with outbound HTTP POST requests featuring the URI pattern: /upload?dir=NAME_FOLDER/KEY_KEY_KEY/redacted/c/users/public.

This format suggests the malware was actively engaged in local host data staging and attempting to transmit files from the target machine. The affected device, identified as a laptop, aligns with the expected target profile in SEO poisoning scenarios, where unsuspecting end users download and execute trojanized software.

Irregular RDP Activity and Scanning Behavior

Several instances within the campaign revealed anomalous or unexpected Remote Desktop Protocol (RDP) sessions occurring shortly after DNS requests to fake PuTTY domains. Unusual RDP connections frequently followed communication with Oyster backdoor C2 servers. Additionally, Darktrace detected patterns of RDP scanning, suggesting the attackers were actively probing for accessible systems within the network. This behavior indicates a move beyond initial compromise toward lateral movement and privilege escalation, common objectives once persistence is established.

The presence of unauthorized and administrative RDP sessions following Oyster infections aligns with the malware’s historical role as a gateway for broader impact. In previous campaigns, Oyster has often been leveraged to enable credential theft, lateral movement, and ultimately ransomware deployment. The observed RDP activity in this case suggests a similar progression, where the backdoor is not the final objective but rather a means to expand access and establish control over the target environment.

Cryptic User Agent Strings?

In multiple investigated cases, the user agent string identified in these connections featured formatting that appeared nonsensical or cryptic. One such string containing seemingly random Chinese-language characters translated into an unusual phrase: “Weihe river is where the water and river flow.” Legitimate software would not typically use such wording, suggesting that the string was intended as a symbolic marker rather than a technical necessity. Whether meant as a calling card or deliberately crafted to frame attribution, its presence highlights how subtle linguistic cues can complicate analysis.

Figure 4: Darktrace’s detection of malicious connections using a user agent with randomized Chinese-language formatting.

Strategic Implications

What makes this campaign particularly noteworthy is not simply the use of Oyster, but its delivery mechanism. SEO poisoning has traditionally been associated with cybercriminal operations focused on opportunistic gains, such as credential theft and fraud. Its strength lies in casting a wide net, luring unsuspecting users searching for popular software and tricking them into downloading malicious binaries. Unlike other campaigns, SEO poisoning is inherently indiscriminate, given that the attacker cannot control exactly who lands on their poisoned search results. However, in this case, the use of PuTTY as the luring mechanism possibly indicates a narrowed scope - targeting IT administrators and accounts with high privileges due to the nature of PuTTY’s functionalities.

This raises important implications when considered alongside Oyster. As a backdoor often linked to ransomware operations and persistent access frameworks, Oyster is far more valuable as an entry point into corporate or government networks than small-scale cybercrime. The presence of this malware in an SEO-driven delivery chain suggests a potential convergence between traditional cybercriminal delivery tactics and objectives often associated with more sophisticated attackers. If actors with state-sponsored or strategic objectives are indeed experimenting with SEO poisoning, it could signal a broadening of their targeting approaches. This trend aligns with the growing prominence of MaaS and the role of initial access brokers in today’s cybercrime ecosystem.

Whether the operators seek financial extortion through ransomware or longer-term espionage campaigns, the use of such techniques blurs the traditional distinctions. What looks like a mass-market infection vector might, in practice, be seeding footholds for high-value strategic intrusions.

Credit to Christina Kreza (Cyber Analyst) and Adam Potter (Senior Cyber Analyst)

Appendices

MITRE ATT&CK Mapping

·       T1071.001 – Command and Control – Web Protocols

·       T1008 – Command and Control – Fallback Channels

·       T0885 – Command and Control – Commonly Used Port

·       T1571 – Command and Control – Non-Standard Port

·       T1176 – Persistence – Browser Extensions

·       T1189 – Initial Access – Drive-by Compromise

·       T1566.002 – Initial Access – Spearphishing Link

·       T1574.001 – Persistence – DLL

Indicators of Compromise (IoCs)

·       85.239.52[.]99 – IP address

·       194.213.18[.]89/reg – IP address / URI

·       185.28.119[.]113/secure – IP address / URI

·       185.196.8[.]217 – IP address

·       185.208.158[.]119 – IP address

·       putty[.]run – Endpoint

·       putty-app[.]naymin[.]com – Endpoint

·       /api/jgfnsfnuefcnegfnehjbfncejfh

·       /api/kcehc

Darktrace Model Detections

·       Anomalous Connection / New User Agent to IP Without Hostname

·       Anomalous Connection / Posting HTTP to IP Without Hostname

·       Compromise / HTTP Beaconing to Rare Destination

·       Compromise / Large Number of Suspicious Failed Connections

·       Compromise / Beaconing Activity to External Rare

·       Compromise / Quick and Regular Windows HTTP Beaconing

·       Device / Large Number of Model Alerts

·       Device / Initial Attack Chain Activity

·       Device / Suspicious Domain

·       Device / New User Agent

·       Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

·       Antigena / Network / External Threat / Antigena Suspicious Activity Block

·       Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

References

[1] https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick

[2] https://arcticwolf.com/resources/blog/malvertising-campaign-delivers-oyster-broomstick-backdoor-via-seo-poisoning-trojanized-tools/

[3] https://hunt.io/blog/oysters-trail-resurgence-infrastructure-ransomware-cybercrime

[4] https://www.crowdstrike.com/en-us/cybersecurity-101/social-engineering/seo-poisoning/

[5] https://blackpointcyber.com/blog/vanilla-tempest-oyster-backdoor-netsupport-unknown-infostealers-soc-incidents-blackpoint-apg/

[6] https://areteir.com/article/rhysida-using-oyster-backdoor-in-attacks/

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

Continue reading
About the author
Christina Kreza
Cyber Analyst

Blog

/

Network

/

September 9, 2025

The benefits of bringing together network and email security

Default blog imageDefault blog image

In many organizations, network and email security operate in isolation. Each solution is tasked with defending its respective environment, even though both are facing the same advanced, multi-domain threats.  

This siloed approach overlooks a critical reality: email remains the most common vector for initiating cyber-attacks, while the network is the primary stage on which those attacks progress. Without direct integration between these two domains, organizations risk leaving blind spots that adversaries can exploit.  

A modern security strategy needs to unify email and network defenses, not just in name, but in how they share intelligence, conduct investigations, and coordinate response actions. Let’s take a look at how this joined-up approach delivers measurable technical, operational, and commercial benefits.

Technical advantages

Pre-alert intelligence: Gathering data before the threat strikes

Most security tools start working when something goes wrong – an unusual login, a flagged attachment, a confirmed compromise. But by then, attackers may already be a step ahead.

By unifying network and email security under a single AI platform (like the Darktrace Active AI Security Platform), you can analyze patterns across both environments in real time, even when there are no alerts. This ongoing monitoring builds a behavioral understanding of every user, device, and domain in your ecosystem.

That means when an email arrives from a suspicious domain, the system already knows whether that domain has appeared on your network before – and whether its behavior has been unusual. Likewise, when new network activity involves a domain first spotted in an email, it’s instantly placed in the right context.

This intelligence isn’t built on signatures or after-the-fact compromise indicators – it’s built on live behavioral baselines, giving your defenses the ability to flag threats before damage is done.

Alert-related intelligence: Connecting the dots in real time

Once an alert does fire, speed and context matter. The Darktrace Cyber AI Analyst can automatically investigate across both environments, piecing together network and email evidence into a single, cohesive incident.

Instead of leaving analysts to sift through fragmented logs, the AI links events like a phishing email to suspicious lateral movement on the recipient’s device, keeping the full attack chain intact. Investigations that might take hours – or even days – can be completed in minutes, with far fewer false positives to wade through.

This is more than a time-saver. It ensures defenders maintain visibility after the first sign of compromise, following the attacker as they pivot into network infrastructure, cloud services, or other targets. That cross-environment continuity is impossible to achieve with disconnected point solutions or siloed workflows.

Operational advantages

Streamlining SecOps across teams

In many organizations, email security is managed by IT, while network defense belongs to the SOC. The result? Critical information is scattered between tools and teams, creating blind spots just when you need clarity.

When email and network data flow into a single platform, everyone is working from the same source of truth. SOC analysts gain immediate visibility into email threats without opening another console or sending a request to another department. The IT team benefits from the SOC’s deeper investigative context.

The outcome is more than convenience: it’s faster, more informed decision-making across the board.

Reducing time-to-meaning and enabling faster response

A unified platform removes the need to manually correlate alerts between tools, reducing time-to-meaning for every incident. Built-in AI correlation instantly ties together related events, guiding analysts toward coordinated responses with higher confidence.

Instead of relying on manual SIEM rules or pre-built SOAR playbooks, the platform connects the dots in real time, and can even trigger autonomous response actions across both environments simultaneously. This ensures attacks are stopped before they can escalate, regardless of where they begin.

Commercial advantages

While purchasing “best-of-breed" for all your different tools might sound appealing, it often leads to a patchwork of solutions with overlapping costs and gaps in coverage. However good a “best-in-breed" email security solution might be in the email realm, it won't be truly effective without visibility across domains and an AI analyst piecing intelligence together. That’s why we think “best-in-suite" is the only “best-in-breed" approach that works – choosing a high-quality platform ensures that every new capability strengthens the whole system.  

On top of that, security budgets are under constant pressure. Managing separate vendors for email and network defense means juggling multiple contracts, negotiating different SLAs, and stitching together different support models.

With a single provider for both, procurement and vendor management become far simpler. You deal with one account team, one support channel, and one unified strategy for both environments. If you choose to layer on managed services, you get consistent expertise across your whole security footprint.

Even more importantly, an integrated AI platform sets the stage for growth. Once email and network are under the same roof, adding coverage for other attack surfaces – like cloud or identity – is straightforward. You’re building on the same architecture, not bolting on new point solutions that create more complexity.

Check out the white paper, The Modern Security Stack: Why Your NDR and Email Security Solutions Need to Work Together, to explore these benefits in more depth, with real-world examples and practical steps for unifying your defenses.

[related-resource]

Continue reading
About the author
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Your data. Our AI.
Elevate your network security with Darktrace AI