TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.

Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.

Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.

Darktrace has been named the only Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response, earning a 4.8/5 rating from 242 reviews and being named both Gartner Customers’ Choice and a Magic Quadrant Leader recognition.

Darktrace investigates a DragonForce-affiliated ransomware attack targeting the manufacturing sector. The blog details the attack lifecycle, from network scanning and credential brute-forcing to data exfiltration and file encryption.

In October 2025, Microsoft disclosed a critical vulnerability in its Windows Server Update Service (WSUS). This blog details Darktrace’s analysis of the vulnerability, focusing on two US customers where active exploitation was detected.

Darktrace delivers the next evolution of NDR, extending an industry-first bridge across the network and endpoint gap with Self-Learning AI.

Starting in July 2025, Akira ransomware attacks surged globally, targeting SonicWall SSL VPN devices. In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration. A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities.

Darktrace exposed a cybercrime-as-a-service campaign using Python and Go-based malware, Docker containerization, and a full operator UI. With DDoS-as-a-service features, modular APIs, and advanced evasion, this platform highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.

SEO poisoning is a malicious tactic where threat actors manipulate search engine rankings to promote deceptive websites. These sites often mimic legitimate software downloads, delivering malware like the Oyster backdoor. Learn about Darktrace’s investigation into the tactics used to deliver Oyster via fake PuTTY sites and manipulate search visibility.

Unifying network and email security closes critical gaps in your defenses, enabling faster detection, investigation, and response. Discover how an integrated, AI-driven approach strengthens protection across the entire attack lifecycle.

This blog outlines a real-world attack where threat actors exploited Fortinet SSL-VPN vulnerabilities to infiltrate a network. It highlights how Darktrace identified threat and took immediate actions to contain it, demonstrating the importance of proactive detection and rapid intervention in minimizing risk and disruption.

Darktrace investigates active exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428. Threat actors can leverage these CVEs for unauthenticated remote code execution, delivering malware like KrustyLoader. This blog explores evolving post-exploitation tactics and emphasizes the need for continuous visibility and machine-speed response across enterprise network environments.

Explore key cyber threat trends observed across Darktrace’s customer base in the first half of 2025. As threat actors increasingly adopt AI and diversify their techniques and tooling, anomaly-based detection continues to prove vital in defending against evolving attacks.

This blog examines a real-world Auto-Color malware attack that originated from the exploitation of CVE-2025-31324. Learn how Darktrace identified and contained the threat using AI-driven detection and response, with additional support from its expert analyst team.

Learn about a recent Scattered Spider attack observed by Darktrace, comparing tactics with those seen in previous attacks. Widespread use of LOTL techniques alongside continued changes in TTPs such as their recent use of Ransomware-as-a-Service (RaaS) platforms can make it challenging for security teams to harden defenses.

Since 2018, Blind Eagle has targeted Latin American organizations using phishing and RATs. Darktrace detected Blind Eagle activity on a customer network involving C2 connectivity, malicious payload downloads and data exfiltration. Without Autonomous Response, the attack escalated, highlighting the need for proactive detection and response defense to counter fast-evolving threats.

An industry leading petrochemical manufacturer uses the Darktrace ActiveAI Security Platform to improve visibility, protect against supply chain attacks, and save the security team hundreds of hours of incident investigation.

A critical SAP vulnerability, CVE-2025-31324, allows unauthenticated remote code execution via NetWeaver Visual Composer. Despite early mitigation guidance, many systems remain exposed. Darktrace detected exploitation attempts six days before public disclosure, highlighting the importance of proactive, threat-agnostic detection.

ClickFix is a social engineering technique that exploits human error through fake prompts, leading users to unknowingly run malicious commands. Learn how Darktrace detects and responds to such threats!