Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Fier
SVP, Red Team Operations
Share
22
Apr 2019
It’s no secret that collaboration is the bedrock of business. In fact, a Stanford University study demonstrated that merely priming employees to act in a collaborative fashion — without changing their environment or workflow — makes them more engaged, more persistent, more successful, and less fatigued.
To digitally optimize this biologically ingrained capacity for teamwork, businesses the world over have adopted Software as a Service (SaaS) applications that facilitate the sharing of information between multiple users. Run via centralized, cloud-hosted data centers rather than on local hardware, such applications offer financial and technical benefits to companies of all sizes, from storage savings to reliable connectivity to support speed. Yet it is their collaborative nature that has positioned SaaS software at the heart of the modern enterprise.
Figure 1: The projected number of applications used. Source: Blissfully.
At the same time, the interactivity of cloud services renders them an attractive target for advanced cyber-criminals, who can often leverage a single user’s credentials to compromise dozens of other accounts. And while leading vendors conform to high security standards, the cyber defenses they employ nonetheless have a common weakness: human error on the customer end. By launching sophisticated attacks like those in the case studies below, today’s threat actors are increasingly gaining access to cloud services through the front door, necessitating a fundamentally different security approach that can detect when credentialed users behave — ever so slightly — out of character.
SaaS security issues: Sensitive file access
Among the key challenges is balancing the convenience of open access to information with the imperative of protecting privileged assets. Indeed, with hundreds or even thousands of employees sharing a welter of files and databases at all times, safeguarding SaaS applications against insider threat is extraordinarily difficult with traditional security tools, which use fixed rules and signatures to catch only known, external cyber-attacks. Rather, detecting when credentialed users enter parts of these applications where they don’t belong requires AI security systems that understand their typical online behavior well enough to spot subtle anomalies. And as employees’ responsibilities and privileges inevitably change, such systems must be able to adapt while ‘on the job’.
The necessity of this AI-driven approach to cyber defense recently came to light when Darktrace detected a serious threat on the network of a European bank. After stealing credentials or otherwise gaining access, cyber-criminals will frequently run scripts to identify files containing keywords like “password.” Such was the case with the attackers that Darktrace thwarted, who had managed to find an Office 365 SharePoint file that stored unencrypted passwords. As they had already breached the network, the attackers could have reasonably expected to be in the clear — having already successfully bypassed any conventional security controls.
However, while these attackers would likely have exploited the cleartext passwords to escalate their privileges and further infiltrate the organization, Darktrace AI flagged the activity as anomalous for the bank’s particular network because it breached the following model: “Unusual SaaS Sensitive File Access.” Ultimately, the AI’s nuanced and evolving understanding of what constitutes “unusual” behavior for each of the bank’s users and devices proved critical, given that the suspicious file access may well have been benign in other circumstances.
Social engineering attacks
Perhaps the most difficult cloud-based attacks to counter are those that rely on social engineering, since they involve deceiving employees into handing over their credentials and other lucrative information voluntarily. In these cases, AI anomaly detection is the optimal security strategy, as thwarting a social engineering threat before it’s too late means protecting employees from their own mistakes.
In 2018, Darktrace detected a device on the network of a UK property development company that had attempted to connect to a rare external domain — two seconds after landing on office365.com. The domain had a suspicious name and offered HTTP connections to a form containing sensitive data transmitted in plain text, which would be vulnerable to a man-in-the-middle (MITM) attack. Further investigation indicated that an employee at the property development company had been tricked by a shortened URL in a phishing email to visit the suspicious domain, showing the legitimate looking Office 365 login page below:
Figure 2: A screenshot of the suspicious domain. A minor spelling mistake — “someone” spelt as “sorneone” — appears in the login field of the otherwise legitimate-looking pop-up window.
Despite the user actively clicking on the URL to visit the page, Darktrace flagged the event as threatening due to the rarity of the destination domain in comparison to company’s normal network activity. Artificial intelligence has consistently demonstrated this ability to provide a safety net for human error — flagging anomalous connections and rare domains regardless of how well they may be disguised to the unsuspecting user.
SaaS security solutions
From social engineering attacks to insider threats to stolen credentials, the inherent risks are largely user-dependent. As a consequence, any security tool up to the task of defending these applications must understand how these users work, evolve, and collaborate.
Indeed, it is precisely the sought-after interconnectedness and collaborative nature of cloud platforms which makes the potential reward for attackers so great, as a single breach could allow them to compromise an entire company. Yet the efficiencies promised need not come at the cost of security, since the latest AI cyber defenses shine a light on even the most remote corners of the cloud.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Darktrace have identified activity consistent with Chinese-nexus operations, a Twill Typhoon-linked campaign targeting customer environments, primarily within the Asia-Pacific & Japan (APJ) region
Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework.
The activity aligns with patterns described in Darktrace’s previous Chinese-nexus operations report, Crimson Echo. In this case, observed modular intrusion chains built on legitimate software, and staged payload delivery. Threat actors retrieve legitimate binaries alongside configuration files and malicious DLLs to enable sideloading of a .NET-based RAT.
Observed Campaign
Across cases, the same ordered sequence appears: retrieval of a legitimate executable, (2) retrieval of a matching .config file, (3) retrieval of the malicious
DLL, (4) repeated DLL downloads over time, and (5) command-and-control (C2) communication. The .config file retrieves a malicious binary, while the legitimate binary provides a legitimate process to run it in.
Darktrace assesses with moderate confidence that this activity aligns with publicly reported Twill Typhoon tradecraft. The observed use of FDMTP, DLL sideloading, and overlapping infrastructure is consistent with previously observed operations, though not unique to a single actor. While initial access was not directly observed, previous Twill Typhoon campaigns have typically involved spear-phishing.
What Darktrace Observed
Since late September 2025, Darktrace has observed multiple customer environments making HTTP GET requests to infrastructure presenting as “CDN” endpoints for well-known platforms (including Yahoo and Apple lookalikes). Across cases, the affected hosts retrieved legitimate executables, then matching .config files (same base filename), then DLLs intended for sideloading. The sequencing of a legitimate binary + configuration + DLL has been previously observed in campaigns linked to China-nexus threat actors.
In several cases, affected hosts also issued outbound requests to a /GetCluster endpoint, including the protocol=Dotnet-Tcpdmtp parameter. This activity was repeatedly followed by retrieval of DLL content that was subsequently used for search-order hijacking within legitimate processes.
In the September–October 2025 cases, Darktrace alerting commonly surfaced early-stage registration and C2 setup behaviors, followed by retrieval of a DLL (e.g., Client.dll) from the same external host, sometimes repeatedly over multiple days, consistent with establishing and maintaining the execution chain.
In April 2026, a finance-sector endpoint initiated a series of GET requests to yahoo-cdn[.]it[.]com, first fetching legitimate binaries (including vshost.exe and dfsvc.exe), then repeatedly retrieving associated configuration and DLL components (including dfsvc.exe.config and dnscfg.dll) over an 11-day window. The use of both Visual Studio hosting and OneClick (dfsvc.exe) paths are used to ensure the malware can run in the targeted environment.
Technical Analysis
Initial staging and execution
While the initial access method is unknown, Darktrace security researchers identified multiple archives containing the malware.
A representative example includes a ZIP archive (“test.zip”) containing:
A legitimate executable: biz_render.exe (Sogou Pinyin IME)
A malicious DLL: browser_host.dll
Contained within the zip archive named “test.zip” is the legitimate binary “biz_render.exe”, a popular Chinese Input Method Editor (IME) Sogou Pinyin.
Alongside the legitimate binary is a malicious DLL named “browser_host.dll”. As the legitimate binary loads a legitimate DLL named “browser_host.dll” via LoadLibraryExW, the malicious DLL has been named the same to sideload the malicious DLL into biz_render.exe. By supplying a malicious DLL with an identical name, the actor hijacks execution flow, enabling the payload to execute within a trusted process.
The legitimate binary invokes the function GetBrowserManagerInstance from the sideloaded “browser_host.dll”, which then performs XOR-based decryption of embedded strings (key 0x90) to resolve and dynamically load mscoree.dll.
The DLL uses the Windows Common Language Runtime (CLR) to execute managed .NET code inside the process rather than relying solely on native binaries. During execution, the loader loads a payload directly into memory as .NET assemblies, enabling an in-memory execution.
C2 Registration
A GET request is made to:
GET /GetCluster?protocol=DotNet-TcpDmtp&tag={0}&uid={1}
with the custom header:
Verify_Token: Dmtp
This returns Base64-encoded and gzip-compressed IP addresses used for subsequent communication.
Figure 2: Decoded IPs.
Staged payload retrieval
Subsequent activity includes retrieval of multiple components from yahoo-cdn.it[.]com. The following GET requests are made:
Dfsvc.exe is the legitimate Windows ClickOnce Engine, part of the .NET framework used for updating ClickOnce Applications. Accompanying dfsvc.exe is a legitimate dfsvc.exe.config file that is used to store configuration data for the application. However, in this instance the malware has replaced the legitimate dfsvc.exe.config with the one retrieved from the server in: C:\Windows\Microsoft.NET\Framework64\v4.0.30319.
Additionally, vhost.exe the legitimate Visual Studio hosting process is retrieved from the server, along with “Microsoft.VisualStudio.HostingProcess.Utilities.Sync.dll” and “config.etl”. The DLL is used to decrypt the AES encrypted payload in config.etl and load it. The encrypted payload is dnscfg.dll, which can be loaded into vshost instead of dfsvc, and may be used if the environment does not support .NET.
Figure 3: ClickOnce configuration.
The malicious configuration disables logging, forces the application to load dnscfg.dll from the remote server, and uses a custom AppDomainManager to ensure the DLL is executed during initialization of dfsvc.exe. To ensure persistence, a scheduled task is added for %APPDATA%\Local\Microsoft\WindowsApps\dfsvc.exe.
Core payload
The DLL dnscfg.dll is a .NET binary named Client.TcpDmtp.dll. The payload is a heavily obfuscated backdoor that generates its logic at runtime and communicates with the command and control (C2) over custom TCP, DMTP (Duplex Message Transport Protocol) and appears to be an updated version of FDMTP to version 3.2.5.1
Once connected, the malware enters a persistent loop (LoopMessage), enabling it to receive commands from the remote server.
Figure 5: DMTP Connect function.
Rather than referencing values directly, they are retrieved through containers that are resolved at runtime. String values are stored in an encrypted byte array (_0) and decrypted by a custom XOR-based string decryption routine (dcsoft). The lower 16 bits of the provided key are XORed with 0xA61D (42525) to derive the initial XOR key, while subsequent bits define the string length and offset into the encrypted byte array. Each character is reconstructed from two encrypted bytes and XORed with the incrementing key value, producing the plaintext string used by the payload.
Figure 6: Decrypted strings.
Embedded in the resources section are multiple compressed binaries, the majority of which are library files. The only exceptions are client.core.dll and client.dmtpframe.dll.
Figure 7: Resources.
Modular framework and plugins
The payload embeds multiple compressed libraries, notably:
client.core.dll
client.dmtpframe.dll
Client.core.dll is a core library used for system profiling, C2 communication and plugin execution. The implant has the functionality to retrieve information including antivirus products, domain name, HWID, CLR version, administrator status, hardware details, network details, operating system, and user.
Figure 8: Client.Core.Info functions.
Additionally, the component is responsible for loading plugins, with support for both binary and JSON-based plugin execution. This allows plugins to receive commands and parameters in different formats depending on the task being performed.
The framework handles details such as plugin hashes, method names, task identifiers, caller tracking, and argument processing, allowing plugins to be executed consistently within the environment. In addition to execution management, the library also provides plugins with access to common runtime functionality such as logging, communication, and process handling.
Figure 9: Client.core functions.
client.dmtpframe.dll handles:
DMTP communication
Heartbeats and reconnection
Plugin persistence via registry:
HKCU\Software\Microsoft\IME\{id}
Client.dmtpframe.dll is built on the TouchSocket DMTP networking library and continues to manage the remote plugins. The DLL implements remote communication features including heartbeat maintenance, reconnection handling, RPC-style messaging, SSL support, and token-based verification. The DLL also has the ability to add plugins to the registry under HKCU/Software/Microsoft/IME/{id} for persistence.
Plugins observed
While the full set of plugins remains unknown, researchers were able to identify four plugins, including:
Persist.WpTask.dll - used to create, remove and trigger scheduled Windows tasks remotely.
Persist.registry.dll - used to manage registry persistence with the ability to create, and delete registry values, along with hidden persistence keys.
Persist.extra.dll - used to load and persist the main framework.
Assist.dll - used to remotely retrieve files or commands, as well as manipulate system processes.
Figure 10: Plugins stored in IME registry.
Figure 11: Obfuscated script in plugin resources.
Persist.extra.dll is a module that is used to load a script “setup.log” to load and persist the main framework. Stored within the resources section of the binary is an obfuscated script that creates a .NET COM object that is added to the registry key HKCU\Software\Classes\TypeLib\ {9E175B61-F52A-11D8-B9A5-505054503030} \1.0\1\Win64 for persistence. After deobfuscating this script, another DLL is revealed named “WindowsBase.dll”.
Figure 12: Registry entry for script.
The binary checks in with icloud-cdn[.]net every five minutes, retrieves a version string, downloads an encrypted payload named checksum.bin, saves it locally as C:\ProgramData\USOShared\Logs\checksum.etl, decrypts it with AES using the hardcoded key POt_L[Bsh0=+@0a., and loads the decrypted assembly directly from memory via Assembly.Load(byte[]). The version.txt file acts as an update marker so it only re-downloads when the remote version changes, while the mutex prevents duplicate instances.
Figure 13: USOShared/Logs.
Checksum.etl is decrypted with AES and loaded into memory, loading another .NET DLL named “Client.dll”. This binary is the same as “dnscfg.dll” mentioned at the start and allows the threat actors to update the main framework based on the version.
Conclusion
Across cases, Darktrace consistently observed the following sequence:
Retrieval of legitimate executables
Retrieval of DLLs for sideloading
C2 registration via /GetCluster
This approach is consistent with broader China-nexus tradecraft. As outlined in Darktrace’s Crimson Echo report, the stable feature of this activity is behavioral. Infrastructure rotates and payloads can change, but the execution model persists. For defenders, the implication is straightforward: detection anchored to individual indicators will degrade quickly. Detection anchored to a behavioral sequence offer a far more durable approach.
Credit to Tara Gould (Malware Research Lead), Adam Potter (Senior Cyber Analyst), Emma Foulger (Global Threat Research Operations Lead), Nathaniel Jones (VP, Security & AI Strategy)
Edited by Ryan Traill (Content Manager)
Appendices
A detailed list of detection models and triggered indicators is provided alongside IoCs.
Resilience at the Speed of AI: Defending the Modern Campus with Darktrace
Why higher education is a different cybersecurity battlefield
After four decades in IT, now serving as both CIO and CISO, I’ve learned one simple truth: cybersecurity is never “done.” It’s a constant game of cat and mouse. Criminals evolve. Technologies advance. Regulations expand. But in higher education, the challenge is uniquely complex.
Unlike a bank or a military installation, we can’t lock down networks to a narrow set of approved applications. Higher education environments are open by design. Students collaborate globally, faculty conduct cutting-edge research, and administrators manage critical operations, all of which require seamless access to the internet, global networks, cloud platforms, and connected systems.
Combine that openness with expanding regulatory mandates and tight budgets, and the balancing act becomes clear.
Threat actors don’t operate under the same constraints. Often well-funded and sponsored by nation-states with significant resources, they’re increasingly organized, strategic, and innovative.
That sophistication shows up in the tactics we face every day, from social engineering and ransomware to AI-driven impersonation attacks. We’re dealing with massive volumes of data, countless signals, and a very small window between detection and damage.
No human team, no matter how talented or how numerous, can manually sift through that noise at the speed required.
Discovering a force multiplier
Nothing in cybersecurity is 100% foolproof. I never “set it and forget it.” But for institutions balancing rising threats and finite resources, the Darktrace ActiveAI Security Platform™ offers something incredibly valuable: peace of mind through speed and scale.
It closes the gap between detection and response in a way humans can’t possibly match. At the speed of light, it can quarantine, investigate, and contain anomalous activity.
I’ve purchased and deployed Darktrace three separate times at three different institutions because I’ve seen firsthand what it can do and what it enables teams like mine to achieve.
I first encountered Darktrace while serving as CIO for a large multi-campus college system. What caught my attention was Darktrace's Self-Learning AI, and its ability to learn what "normal" looked like across our network. Instead of relying solely on static signatures or rigid rules, Darktrace built a behavioral baseline unique to our environment and alerted us in real time when something simply didn’t look right.
In higher education, where strict lockdowns aren’t realistic, that behavioral model made all the difference. We deployed it across five campuses, and the impact was immediate. Operating 24/7, Darktrace surfaced threats in ways our team couldn’t replicate manually.
Over time, the Darktrace platform evolved alongside the changing threat landscape, expanding into intrusion prevention, cloud visibility, and email security. At subsequent institutions, including Washington College, Darktrace was one of my first strategic investments.
Revealing the hidden threat other tools missed
One of the most surprising investigations of my career involved a data leak. Leadership suspected sensitive information from high-level meetings was being exposed, but our traditional tools couldn’t provide any answers.
Using Darktrace’s deep network visibility, down to packet-level data, we traced unusual connections to our CCTV camera system, which had been configured with a manufacturer’s default password. A small group of employees had hacked into the CCTV cameras, accessed audio-enabled recordings from boardroom meetings, and stored copies locally.
No other tool in our environment could have surfaced those connections the way Darktrace did. It was a clear example of why using AI to deeply understand how your organization, systems, and tools normally behave, matters: threats and risks don’t always look the way we expect.
Elevating a D-rating into a A-level security program
When I arrived at my last CISO role, the institution had recently experienced a significant ransomware attack. Attackers located data which informed their setting ransom demands to an amount they knew would likely result in payment. It was a sobering example of how calculated and strategic modern cybercriminals have become.
Third-party cyber ratings reflected that reality, with a D rating.
To raise the bar, we implemented a comprehensive security program and integrated layered defenses; -deploying state of the art tools and methods- across the environment, with Darktrace at its core.
After a 90-day learning period to establish our behavioral baseline, we transitioned the platform into fully autonomous mode. In a single 30-day span, Darktrace conducted more than 2,500 investigations and autonomously resolved 92% of all false positives.
For a small team, that’s transformative. Instead of drowning in alerts, my staff focused on less than 200 meaningful cases that warranted human review.
Today, we maintain a perfect A rating from third-party assessors and have remained cybersafe.
Peace of mind isn’t about complacency
The effect of Darktrace as a force multiplier has a real human impact.
With the time reclaimed through automation, we expanded community education programs and implemented simulated phishing exercises. Through sustained training and awareness efforts, we reduced social engineering susceptibility from nearly 45% to under 5%.
On a personal level, Darktrace allows me to sleep better at night and take time off knowing we have intelligent systems monitoring and responding around the clock. For any CIO or CISO carrying institutional risk on their shoulders, that matters.
The next era: AI vs. AI
A new chapter in cybersecurity is unfolding as adversaries leverage AI to enhance scale, speed, and believability. Phishing campaigns are more personalized, impersonation attempts are more precise, and deepfake video technology, including live video, is disturbingly authentic. At the same time, organizations are rapidly adopting AI across their own environments —from GenAI assistants to embedded tools to autonomous agents. These systems don’t operate within fixed rules. They act across email, cloud, SaaS, and identity systems, often with broad permissions, and their behavior can evolve over time in ways that are difficult to predict or control.
That creates a new kind of security challenge. It’s not just about defending against AI-powered threats but understanding and governing how AI behaves within your environment, including what it can access, how it acts, and where risk begins to emerge.
From my perspective, this is a natural next step for Darktrace.
Darktrace brings a level of maturity and behavioral understanding uniquely suited to the complexity of AI environments. Self-Learning AI learns the normal patterns of each business to interpret context, uncover subtle intent, and detect meaningful deviations without relying on predefined rules or signatures. Extending into securing AI by bringing real-time visibility and control to GenAI assistants, AI agents, development environments and Shadow AI, feels like the logical evolution of what Darktrace already does so well.
Just as importantly, Darktrace is already built for dynamic, cross-domain environments where risk doesn’t sit in a single tool or control plane. In higher education, activity already spans multiple systems and, with AI, that interconnection only accelerates.
Having deployed Darktrace multiple times, I have confidence it’s uniquely positioned to lead in this space and help organizations adopt AI with greater visibility and control.
---
Since authoring this blog, Irving Bruckstein has transitioned to the role of Chief Executive Officer of the Cyberaigroup.
