Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Dan Fein
VP, Product
Share
15
Jul 2020
With the move to remote working, the number of active daily users on Microsoft Teams has grown to 75 million, up from 20 million this time last year. Similar trends are being seen across Slack, Zoom, and Google Meet. With these SaaS applications becoming a staple in our working lives, we can expect cyber-criminals to begin leveraging their household names and trusted reputation to launch email attack campaigns.
Indeed, Darktrace’s AI picked up on one such attempt last month while deployed in passive mode at a multinational conglomerate. Antigena Email identified 48 incoming emails that impersonated a Microsoft Teams notification, but in fact came from an unknown sender and rare domain. The emails contained a hidden link to a Google storage site, hidden behind the text ‘Accept Collaboration’.
Figure 1: A snapshot of Antigena Email's user interface
File storage links such as these are often used because they bypass spam filtering. Whilst the links themselves aren’t deemed as malicious, they may well include malware-containing files or other harmful content. Whilst this attack would have been waved through by a traditional email security tool, Antigena Email noticed that in this case the page appeared to be hosting a Microsoft sign-in page. At the time the email came through, a URL scan did not reveal this site as malicious, but Antigena Email recognized that it is highly unusual for a Google domain to be hosting an Office login page.
Recognizing this as an attempt to impersonate an internal service to distribute phishing links, Antigena Email locked the link in question and held the messages back from the inbox. The screenshot below reveals the full list of models that were breached, and the respective actions that this prompted the AI to take.
Figure 2: The complete list of model breaches associated with this email, and the relevant actions taken
None of the 48 emails were caught by Microsoft’s built-in security tools, and 12 of the emails were opened by the recipient. Additionally, emails were sent to recipients in alphabetical order, suggesting that the attacker may have gotten hold of a company address book and likely would have continued their attack – targeting even more employees – had Antigena Email not identified the malicious activity and immediately alerted the security team.
This was not the first, and is unlikely to be the last, time that attackers leverage trusted SaaS collaboration tools to try and engage users and coax them into clicking a malicious link. Antigena Email can see through these attempts, recognizing when a trusted brand name is being used to mask unusual and threatening behavior. Hundreds of organizations are now relying on this AI technology for a more comprehensive detection and response strategy against these increasingly sophisticated attacks.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks
Why Black Friday Drives a Surge in Phishing Attacks
In recent years, Black Friday has shifted from a single day of online retail sales and discounts to an extended ‘Black Friday Week’, often preceded by weeks of online hype. During this period, consumers are inundated with promotional emails and marketing campaigns as legitimate retailers compete for attention.
Unsurprisingly, this surge in legitimate communications creates an ideal environment for threat actors to launch targeted phishing campaigns designed to mimic legitimate retail emails. These campaigns often employ social engineering techniques that exploit urgency, exclusivity, and consumer trust in well-known brands, tactics designed to entice recipients into opening emails and clicking on malicious links.
Additionally, given the seasonal nature of Black Friday and the ever-changing habits of consumers, attackers adopt new tactics and register fresh domains each year, rather than reusing domains previously flagged as spam or phishing endpoints. While this may pose a challenge for traditional email security tools, it presents no such difficulty for Darktrace / EMAIL and its anomaly-based approach.
In the days and weeks leading up to ‘Black Friday’, Darktrace observed a spike in sophisticated phishing campaigns targeting consumers, demonstrating how attackers combine phycological manipulation with technical evasion to bypass basic security checks during this high-traffic period. This blog showcases several notable examples of highly convincing phishing emails detected and contained by Darktrace / EMAIL in mid to late November 2025.
Darktrace’s Black Friday Detections
Brand Impersonation: Deal Watchdogs’ Amazon Deals
The impersonation major online retailers has become a common tactic in retail-focused attacks, none more so than Amazon, which ranked as the fourth most impersonated brand in 2024, only behind Microsoft, Apple, Google, and Facebook [1]. Darktrace’s own research found Amazon to be the most mimicked brand, making up 80% of phishing attacks in its analysis of global consumer brands.
When faced with an email that appears to come from a trusted sender like Amazon, recipients are far more likely to engage, increasing the success rate of these phishing campaigns.
In one case observed on November 16, Darktrace detected an email with the subject line “NOW LIVE: Amazon’s Best Early Black Friday Deals on Gadgets Under $60”. The email was sent to a customer by the sender ‘Deal Watchdogs’, in what appeared to be an attempt to masquerade as a legitimate discount-finding platform. No evidence indicated that the company was legitimate. In fact, the threat actor made no attempt to create a convincing name, and the domain appeared to be generated by a domain generation algorithm (DGA), as shown in Figure 2.
Although the email was sent by ‘Deal Watchdogs’, it attempted to impersonate Amazon by featuring realistic branding, including the Amazon logo and a shade of orange similar to that used by them for the ‘CLICK HERE’ button and headline text.
Figure 1: The contents of the email observed by Darktrace, featuring authentic-looking Amazon branding.
Darktrace identified that the email, marked as urgent by the sender, contained a suspicious link to a Google storage endpoint (storage.googleapis[.]com), which had been hidden by the text “CLICK HERE”. If clicked, the link could have led to a credential harvester or served as a delivery vector for a malicious payload hosted on the Google storage platform.
Fortunately, Darktrace immediately identified the suspicious nature of this email and held it before delivery, preventing recipients from ever receiving or interacting with the malicious content.
Figure 2: Darktrace / EMAIL’s detection of the malicious phishing email sent to a customer.
Around the same time, Darktrace detected a similar email attempting to spoof Amazon on another customer’s network with the subject line “Our 10 Favorite Deals on Amazon That Started Today”, also sent by ‘Deal Watchdogs,’ suggesting a broader campaign.
Analysis revealed that this email originated from the domain petplatz[.]com, a fake marketing domain previously linked to spam activity according to open-source intelligence (OSINT) [2].
Brand Impersonation: Louis Vuitton
A few days later, on November 20, Darktrace / EMAIL detected a phishing email attempting to impersonate the luxury fashion brand Louis Vuitton. At first glance, the email, sent under the name ‘Louis Vuitton’ and titled “[Black Friday 2025] Discover Your New Favorite Louis Vuitton Bag – Elegance Starts Here”, appeared to be a legitimate Black Friday promotion. However, Darktrace’s analysis uncovered several red flags indicating a elaborate brand impersonation attempt.
The email was not sent by Louis Vuitton but by rskkqxyu@bookaaatop[.]ru, a Russia-based domain never before observed on the customer’s network. Darktrace flagged this as suspicious, noting that .ru domains were highly unusual for this recipient’s environment, further reinforcing the likelihood of malicious intent. Subsequent analysis revealed that the domain had only recently registered and was flagged as malicious by multiple OSINT sources [3].
Figure 3: Darktrace / EMAIL’s detection of the malicious email attempting to spoofLouis Vuitton, originating from a suspicious Russia-based domain.
Darktrace further noted that the email contained a highly suspicious link hidden behind the text “View Collection” and “Unsubscribe,” ensuring that any interaction, whether visiting the supposed ‘handbag store’ or attempting to opt out of marketing emails, would direct recipients to the same endpoint. The link resolved to xn--80aaae9btead2a[.]xn--p1ai (топааабоок[.]рф), a domain confirmed as malicious by multiple OSINT sources [4]. At the time of analysis, the domain was inaccessible, likely due to takedown efforts or the short-lived nature of the campaign.
Darktrace / EMAIL blocked this email before it reached customer inboxes, preventing recipients from interacting with the malicious content and averting any disruption.
Figure 4: The suspicious domain linked in the Louis Vuitton phishing email, now defunct.
Too good to be true?
Aside from spoofing well-known brands, threat actors frequently lure consumers with “too good to be true” luxury offers, a trend Darktrace observed in multiple cases throughout November.
In one instance, Darktrace identified an email with the subject line “[Black Friday 2025] Luxury Watches Starting at $250.” Emails contained a malicious phishing link, hidden behind text like “Rolex Starting from $250”, “Shop Now”, and “Unsubscribe”.
Figure 5: Example of a phishing email detected by Darktrace, containing malicious links concealed behind seemingly innocuous text.
Similarly to the Louis Vuitton email campaign described above, this malicious link led to a .ru domain (hxxps://x.wwwtopsalebooks[.]ru/.../d65fg4er[.]html), which had been flagged as malicious by multiple sources [5].
Figure 6: Darktrace / EMAIL’s detection of a malicious email promoting a fake luxury watch store, which was successfully held from recipient inboxes.
If accessed, this domain would redirect users to luxy-rox[.]com, a recently created domain (15 days old at the time of writing) that has also been flagged as malicious by OSINT sources [6]. When visited, the redirect domain displayed a convincing storefront advertising high-end watches at heavily discounted prices.
Figure 7: The fake storefront presented upon visiting the redirectdomain, luxy-rox[.]com.
Although the true intent of this domain could not be confirmed, it was likely a scam site or a credential-harvesting operation, as users were required to create an account to complete a purchase. As of the time or writing, the domain in no longer accessible .
This email illustrates a layered evasion tactic: attackers employed multiple domains, rapid domain registration, and concealed redirects to bypass detection. By leveraging luxury branding and urgency-driven discounts, the campaign sought to exploit seasonal shopping behaviors and entice victims into clicking.
Staying Protected During Seasonal Retail Scams
The investigation into these Black Friday-themed phishing emails highlights a clear trend: attackers are exploiting seasonal shopping events with highly convincing campaigns. Common tactics observed include brand impersonation (Amazon, Louis Vuitton, luxury watch brands), urgency-driven subject lines, and hidden malicious links often hosted on newly registered domains or cloud services.
These campaigns frequently use redirect chains, short-lived infrastructure, and psychological hooks like exclusivity and luxury appeal to bypass user scepticism and security filters. Organizations should remain vigilant during retail-heavy periods, reinforcing user awareness training, link inspection practices, and anomaly-based detection to mitigate these evolving threats.
Credit to Ryan Traill (Analyst Content Lead) and Owen Finn (Cyber Analyst)
CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System
What is TAG-150?
TAG-150, a relatively new Malware-as-a-Service (MaaS) operator, has been active since March 2025, demonstrating rapid development and an expansive, evolving infrastructure designed to support its malicious operations. The group employs two custom malware families, CastleLoader and CastleRAT, to compromise target systems, with a primary focus on the United States [1]. TAG-150’s infrastructure included numerous victim-facing components, such as IP addresses and domains functioning as command-and-control (C2) servers associated with malware families like SecTopRAT and WarmCookie, in addition to CastleLoader and CastleRAT [2].
As of May 2025, CastleLoader alone had infected a reported 469 devices, underscoring the scale and sophistication of TAG-150’s campaign [1].
What are CastleLoader and CastleRAT?
CastleLoader is a loader malware, primarily designed to download and install additional malware, enabling chain infections across compromised systems [3]. TAG-150 employs a technique known as ClickFix, which uses deceptive domains that mimic document verification systems or browser update notifications to trick victims into executing malicious scripts. Furthermore, CastleLoader leverages fake GitHub repositories that impersonate legitimate tools as a distribution method, luring unsuspecting users into downloading and installing malware on their devices [4].
CastleRAT, meanwhile, is a remote access trojan (RAT) that serves as one of the primary payloads delivered by CastleLoader. Once deployed, CastleRAT grants attackers extensive control over the compromised system, enabling capabilities such as keylogging, screen capturing, and remote shell access.
TAG-150 leverages CastleLoader as its initial delivery mechanism, with CastleRAT acting as the main payload. This two-stage attack strategy enhances the resilience and effectiveness of their operations by separating the initial infection vector from the final payload deployment.
How are they deployed?
Castleloader uses code-obfuscation methods such as dead-code insertion and packing to hinder both static and dynamic analysis. After the payload is unpacked, it connects to its command-and-control server to retrieve and running additional, targeted components.
Its modular architecture enables it to function both as a delivery mechanism and a staging utility, allowing threat actors to decouple the initial infection from payload deployment. CastleLoader typically delivers its payloads as Portable Executables (PEs) containing embedded shellcode. This shellcode activates the loader’s core module, which then connects to the C2 server to retrieve and execute the next-stage malware.[6]
Following this, attackers deploy the ClickFix technique, impersonating legitimate software distribution platforms like Google Meet or browser update notifications. These deceptive sites trick victims into copying and executing PowerShell commands, thereby initiating the infection kill chain. [1]
When a user clicks on a spoofed Cloudflare “Verification Step” prompt, a background request is sent to a PHP script on the distribution domain (e.g., /s.php?an=0). The server’s response is then automatically copied to the user’s clipboard using the ‘unsecuredCopyToClipboard()’ function. [7].
The Python-based variant of CastleRAT, known as “PyNightShade,” has been engineered with stealth in mind, showing minimal detection across antivirus platforms [2]. As illustrated in Figure 1, PyNightShade communicates with the geolocation API service ip-api[.]com, demonstrating both request and response behavior
Figure 1: Packet Capture (PCAP) of PyNightShade, the Python-based variant of CastleRAT, communicating with the geolocation API service ip-api[.]com.
Darktrace Coverage
In mid-2025, Darktrace observed a range of anomalous activities across its customer base that appeared linked to CastleLoader, including the example below from a US based organization.
The activity began on June 26, when a device on the customer’s network was observed connecting to the IP address 173.44.141[.]89, a previously unseen IP for this network along with the use of multiple user agents, which was also rare for the user. It was later determined that the IP address was a known indicator of compromise (IoC) associated with TAG-150’s CastleRAT and CastleLoader operations [2][5].
Figure 2: Darktrace’s detection of a device making unusual connections to the malicious endpoint 173.44.141[.]89.
The device was observed downloading two scripts from this endpoint, namely ‘/service/download/data_5x.bin’ and ‘/service/download/data_6x.bin’, which have both been linked to CastleLoader infections by open-source intelligence (OSINT) [8]. The archives contains embedded shellcode, which enables attackers to execute arbitrary code directly in memory, bypassing disk writes and making detection by endpoint detection and response (EDR) tools significantly more difficult [2].
Figure 3: Darktrace’s detection of two scripts from the malicious endpoint.
In addition to this, the affected device exhibited a high volume of internal connections to a broad range of endpoints, indicating potential scanning activity. Such behavior is often associated with reconnaissance efforts aimed at mapping internal infrastructure.
Darktrace / NETWORK correlated these behaviors and generated an Enhanced Monitoring model, a high-fidelity security model designed to detect activity consistent with the early stages of an attack. These high-priority models are continuously monitored and triaged by Darktrace’s Security Operations Center (SOC) as part of the Managed Threat Detection and Managed Detection & Response services, ensuring that subscribed customers are promptly alerted to emerging threats.
Figure 4: Darktrace detected an unusual ZIP file download alongside the anomalous script, followed by internal connectivity. This activity was correlated under an Enhanced Monitoring model.
Darktrace Autonomous Response
Fortunately, Darktrace’s Autonomous Response capability was fully configured, enabling it to take immediate action against the offending device by blocking any further connections external to the malicious endpoint, 173.44.141[.]89. Additionally, Darktrace enforced a ‘group pattern of life’ on the device, restricting its behavior to match other devices in its peer group, ensuring it could not deviate from expected activity, while also blocking connections over 443, shutting down any unwanted internal scanning.
Figure 5: Actions performed by Darktrace’s Autonomous Response to contain the ongoing attack.
Conclusion
The rise of the MaaS ecosystem, coupled with attackers’ growing ability to customize tools and techniques for specific targets, is making intrusion prevention increasingly challenging for security teams. Many threat actors now leverage modular toolkits, dynamic infrastructure, and tailored payloads to evade static defenses and exploit even minor visibility gaps. In this instance, Darktrace demonstrated its capability to counter these evolving tactics by identifying early-stage attack chain behaviors such as network scanning and the initial infection attempt. Autonomous Response then blocked the CastleLoader IP delivering the malicious ZIP payload, halting the attack before escalation and protecting the organization from a potentially damaging multi-stage compromise
Credit to Ahmed Gardezi (Cyber Analyst) Tyler Rhea (Senior Cyber Analyst) Edited by Ryan Traill (Analyst Content Lead)
![Packet Capture (PCAP) of PyNightShade, the Python-based variant of CastleRAT, communicating with the geolocation API service ip-api[.]com.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69275c5ecce362fa92c1aeaa_Screenshot%202025-11-26%20at%2012.00.24%E2%80%AFPM.png)
