Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Share
14
Jan 2020
The FBI estimates that, on average, more than 4,000 ransomware attacks have occurred every day since 2016. Operating at machine speeds, ransomware is capable of wreaking havoc on a digital enterprise within mere seconds. And unfortunately, traditional security tools are only programmed to detect known cyber-threats using rules and signatures – leaving them blind to tailored and novel ransomware threats that have never been seen before in the wild.
Because Darktrace’s fundamental approach to cyber defense does not rely on rules and signatures to identify emerging threats, it is in a unique position to neutralize novel attacks. In one recent customer environment, Darktrace RESPOND (formerly known as 'Antigena') stopped a previously-unknown ‘zero-day’ ransomware attack targeting an electronics manufacturer. Even when deployed over a fraction of the digital estate, Darktrace RESPOND was able to neutralize this never-before-seen ransomware strain before it could do any damage.
Imperfect visibility, perfect response
While Darktrace provides 100% coverage of the entire digital infrastructure, from email and cloud to IoT and networks, business challenges sometimes prevent users from obtaining full visibility into their environment. However, even when working with imperfect data and suboptimal coverage, Cyber AI can still identify ongoing threats as they emerge. In the below attack, Darktrace was not covering the initial stages of the attack lifecycle, including the initial infection and command & control establishment – yet the AI was able to autonomously respond within seconds, before the attack escalated into a crisis.
Anatomy of a ransomware attack
In this example, Darktrace’s AI identified patient zero deviating significantly from its typical pattern of internal behavior. This was illustrated by a spike in the pattern of regular connections made by patient zero and a series of high-confidence alerts firing in quick succession. These included:
Compromise / Ransomware / Suspicious SMB Activity — triggers when a device begins making unusual SMB connections across the organization
Antigena Ransomware Block — triggers Antigena to take an action when the behavior is significantly similar to ransomware
Device / Reverse DNS Sweep — triggers when a device makes unusual reverse DNS lookups, a tactic often used during reconnaissance
Figure 1: Several Darktrace alerts fire, and a deviation from the regular pattern of life is visible
Indeed, not only was the device observed making an unexpectedly large number of connections, but it was also reading and writing a large number of SMB files and transferring this data internally to a server it did not usually communicate with. The spike in internal connections between patient zero and the server was a strong indicator of malware attempting to move laterally through the network.
Figure 2: Four model breaches observed on October 30th and a dotted line representing Antigena’s actions
Further investigation into the SMB activity revealed that hundreds of Dropbox-related files were accessed on SMB shares that the device had not previously accessed. Moreover, several of these files started becoming encrypted, appended with a [HELP_DECRYPT] extension.
Figure 3: Darktrace detects SMB activity relating to Dropbox files
Fortunately, Darktrace RESPOND was in Active Mode, and kicked in a second later, enforcing the usual pattern of life by blocking anomalous connections for five minutes, immediately stopping the encryption. By the time Darktrace’s AI took action, only four of these files were successfully encrypted.
Figure 4: Darktrace RESPOND kicks in 1 second after ransomware was detected
Figure 5: More Antigena (RESPOND) alerts and a clear indication of the unusual activity detected
RESPOND then took a second action to stop the ransomware from spreading to other devices. The combination of various anomalous activities was sufficient evidence for Autonomous Response to neutralize the threat: patient zero was quarantined for 24 hours, unable to connect to the server or any other device on the network.
Figure 6: Darktrace stops the infected device from conducting lateral movement & ransom activity
Darktrace RESPOND therefore not only stopped the encryption activity in its tracks, but also prevented the attackers from moving laterally across the network unimpeded – either by scanning, using harvested admin credentials, or performing internal reconnaissance. Autonomous Response initiated a surgical intervention that halted the malware’s spread, all while allowing normal business operations to continue.
No signatures, no problem
Crucially, this strain of ransomware was not associated with any publicly known indicators of compromise such as blacklisted command & control domains or malware file hashes. Darktrace was able to detect this never-before-seen attack based purely on its comprehensive understanding of the normal pattern of life for every device and user within the organization. Once the deviation from this normal behavior was identified, Antigena was able to stop it immediately – without relying on rules, signatures, or historical data. With autonomous response acting decisively and immediately, the security team had enough time to catch up and perform hands-on incident response work.
Darktrace’s AI provides a potent combination: Darktrace DETECT's capacity to reveal deviations in a device’s behavior together with RESPOND acting to block connections and contain the ransomware from spreading across the enterprise. AI-enabled Autonomous Response neutralized the threat by recognizing the lethal recipe of these unusual internal alerts and taking targeted action against the ransomware. This stealthy strain of ransomware is unlikely to have been noticed, let alone stopped, by a security team reliant on legacy tools.
The Return-On-Security-Investment (ROSI) is often discussed when it comes to cyber security expenditure, and this incident provides a great example of the ROSI manifesting itself – recent ransomware attacks usually demand hundreds of thousands of dollars’ worth of ransom payments. Without Darktrace RESPOND containing the threat at an early stage, it is likely that thousands of files would have been encrypted. By relying on Cyber AI, the company was able to take back the advantage over an ever-evolving adversary, saving time, money, resources, and – perhaps most critically – the company’s reputation.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Shadow AI Detection: The First Step Toward Securing AI
Why shadow AI is emerging
Imagine you’re an employee under pressure, deadlines stacking up, repetitive tasks piling higher by the day. You find a free AI tool online that promises to automate the work in seconds; no approvals are needed. It feels like a simple win, paste in some data, write a quick prompt, and move faster.
But in that moment, something changed.
Sensitive customer information is entered into a tool your organization doesn’t monitor, doesn’t govern, and can’t see and suddenly, that data is no longer where it should be, and no one knows where it’s gone.
This is the reality of Shadow AI: employees using unsanctioned AI tools to move faster, while unintentionally creating risk that exists entirely outside visibility and control.
This is not just a one off case, research across businesses indicate that nearly half of employees report using unsanctioned AI tools, often prioritizing speed and productivity over security. Additionally, 51% of employees report connecting AI tools to work systems or apps without IT approval, creating significant operational risk where the average cost of security incidents in organizations with a high level of shadow AI usage can reach $670k.
While shadow AI is often top of mind for security professionals, it is just one component of how AI use can increase risk. Understanding and managing shadow AI use should be considered as part of a broader, comprehensive risk management strategy that aims to secure AI systems, including human and agent identities, interactions, human-AI partnerships, and behaviors operating across the digital enterprise from visibility and governance through detection, response, and recovery.
Effective risk management calls for a layered and interdisciplinary strategy. It requires addressing issues across governance and visibility; identity, access and agent control, data security and privacy, secure MLOps / LLMOps, runtime security, behavior-based detection, autonomous response and recovery.
This blog explores a specific governance and visibility use case linked to shadow AI and reveals the challenges it presents as well as the defensive strategies that security teams can adopt.
Why shadow AI is hard to detect
When it comes to AI, what organizations can easily see does not always reflect the full scope of AI activity occurring within the tools, applications, and workflows used across an enterprise. As a result, organizations using traditional rule-based methods to flag unusual activity may struggle to distinguish unsanctioned AI usage from legitimate operational behavior, particularly as SaaS applications, APIs, and orchestration layers increasingly have AI embedded into normal business workflows. Identifying threats using previously observed intelligence or depending on hard to maintain allow and block lists does not provide a dynamic enough strategy to manage risk. Also, many organizations are focusing on identifying Shadow AI in their governed infrastructure, like gateways, endpoints, or SASE, which is foundational. But, organizations require visibility and Shadow AI detection across all networked infrastructure from on-prem, hybrid, data centers, and cloud infrastructure that may not have endpoint agent visibility. This uncovers the utilization of MCP, data flows, and autonomous agents across these domains.
For example, employees interact with AI assistants across approved SaaS platforms every day. However, browser extensions and other types of plug-ins can route prompts that include enterprise data to embedded AI services in ways that are not visible to the security team. AI enabled workflows may invoke multiple APIs, orchestration layers, and cloud services behind the scenes, making it difficult for traditional security tooling to determine where data is processed, stored, or retransmitted. Because much of this activity occurs within trusted browser sessions and encrypted SaaS traffic, conventional network monitoring, DLP, and application allowlisting controls often lack the context needed to accurately identify or govern these interactions
Identifying AI tools in the environment is one part of the equation. Understanding the behavior surrounding their use is where the real challenge lies. An AI application is not inherently risky, but the way users or other assets interact with it may be. Sensitive data exposure, abnormal access patterns, and misuse of AI-assisted workflows often appear legitimate in isolation and only become visible through behavioral analysis across the broader environment.
What Shadow AI visibility does and doesn’t show
Comprehensive Shadow AI visibility allows organizations to answer several important questions:
What types of AI are we using? What AI platforms, agents, MCP clients/servers, and services are active across the enterprise?
Who is using AI services? Which users, business units, or systems are interacting with those AI services?
Is our data safe? Is sensitive or regulated data being exposed through prompts, workflows, or integrations?
Are AI systems behaving as expected? Are AI systems behaving anomalously or operating outside approved governance processes?
Are our AI systems under attack? Is an attacker attempting to manipulate prompts, influence agent behavior, or abuse AI-enabled workflows?
Answering these questions is foundational to broader AI governance efforts. However, it is limited to helping teams understand initial interactions and fails to offer insight into dependencies and outcomes that are critical to securing AI across an enterprise.
Deeper visibility that includes the ability to understand dependencies and outcomes are not always available in AI security point products. Answering the questions below requires understanding runtime behavior and operational outcomes:
What actions did the AI interaction trigger?
What systems, applications, or data did it access? Did the AI operate beyond its intended permissions or scope?
Could a low-risk interaction lead to high-risk outcomes?
What is the risk and context understanding of an anomalous activity to assist in prioritization of analysis and autonomous response action?
The distinction between these two sets of questions offers two different layers of AI security. The first set of questions focuses on discovery and interaction visibility. The second set focuses on providing visibility that includes the context and outcomes that are critical for managing follow-on risks associated with obfuscated downstream activities.
Together, these layers help organizations move beyond simply identifying AI usage toward understanding how AI behaves operationally across the enterprise.
How organizations are addressing shadow AI
Most organizations still approach shadow AI as an application control problem, relying on policies, browser restrictions, and allow/block lists. However, AI adoption is evolving faster than most governance processes can realistically keep pace with. New assistants, plugins, and embedded AI features appear continuously, creating pressure to enable business productivity while simultaneously containing risk.
Existing governance processes were designed for a more traditional SaaS adoption cycle, where new applications could be reviewed, approved, and monitored over longer time horizons. AI adoption operates differently. New capabilities can appear overnight inside existing platforms employees already use, making it difficult for security and governance teams to maintain an accurate understanding of enterprise AI exposure. This means that many organizations are experiencing significant operational overhead, particularly in large environments where AI usage is decentralized across teams, departments, and third-party services.
Where should organizations start when securing their AI systems?
Shadow AI identification is an on-going critical component for AI Risk/Governance Boards as well as security organizations. As organizations seek AI certifications like ISO 42001 AI Management Systems, visibility into all AI adoption from enterprise use to custom innovation and development is crucial. Shadow AI identification provides organizations with the visibility needed to decide whether an AI tool should be brought into governed environments to reduce data loss (DLP) risks or whether policies should be established and enforced to restrict their use.
As organizations rapidly innovate and adopt AI, they are taking on more and more risk. Organizations need to have a strategy in place to mitigate the assumed risk, especially with third-party adoption. Visibility, monitoring, governance enforcement, behavioral-based detection of non-deterministic systems, and autonomous investigation and containment becomes critical to mitigating the risk of AI systems.
How Darktrace secures AI and shadow AI
Attackers are using AI to move faster, scale tactics, and make threats more adaptive and convincing. Internally, organizations are grappling with new forms of risk created by generative AI, autonomous agents, shadow AI, and increasingly complex digital environments.
Darktrace helps organizations protect both people and AI in a world where AI is now central to how business gets done. Darktrace / SECURE AI helps organizations discover and control shadow AI by surfacing unsanctioned or unexpected AI activity where it appears – including MCP detections, distinguishing misuse of legitimate tools and unapproved services, and applying policy to contain data exposure while guiding users toward sanctioned options.
Stay up to date on AI security
Sign up for the Secure AI Readiness Program here: This gives you exclusive access to the latest news on the latest AI threats, updates on emerging approaches shaping AI security, and insights into the latest innovations, including Darktrace’s ongoing work in this area.
Ready to talk with a Darktrace expert on securing AI? Register here to receive practical guidance on the AI risks that matter most to your business, paired with clarity on where to focus first across governance, visibility, risk reduction, and long-term readiness.
From Click to Command: Behavioral Detection of AppleScript-Led MacOS Intrusions
Introduction
Darktrace’s Threat Research team is publishing this analysis to help defenders understand an active pattern of macOS tradecraft observed in multiple customer environments. This post summarizes the behaviors observed, how they were assessed, and what defenders can do now.
Across multiple environments, Darktrace observed a consistent MacOS intrusion pattern beginning with ClickFix-style user-assisted “update” execution and transitioning into AppleScript-driven post-compromise activity and sustained outbound signaling.
While individual indicators were low-confidence, the repeated convergence of weak behavioral signals — including HTTP POST beaconing, rare or IP-only destinations, SSL anomalies, and abnormal client characteristics — provided a defensible indication of command-and-control establishment Darktrace detection and response in these cases was driven by behavior over artifacts. In the highest-confidence instances, automated containment disrupted outbound signaling before sustained tasking could occur.
Background
ClickFix-style activity typically relies on user-assisted execution and plausible “update” pretexting, followed by post-execution use of native tools to keep the footprint light. In MacOS environments, AppleScript and other built-in scripting mechanisms enable flexible post-compromise workflows while minimizing stable file-based indicators.
Following execution, affected devices exhibited a consistent behavioral pattern. AppleScript or equivalent native scripting activity was observed initiating follow-on workflows, after which outbound communications began to establish a structured rhythm.
These communications were characterized by repeated HTTP POST requests to low-prevalence or IP-only endpoints, often combined with unusual SSL properties and client identifiers that diverged from baseline device behavior. Individually, these signals were weak. When correlated across time and devices, they formed a pattern consistent with control establishment rather than benign software activity.
In higher-confidence cases, Autonomous Response actions were able to reduce or halt outbound signaling, interrupting the attacker’s ability to maintain control.
Detection Timeline
In representative cases, the sequence unfolded as follows:
Stage 1 – Initial Execution
Initial activity began with suspicious or masqueraded execution on a MacOS endpoint, consistent with ClickFix-style user deception.
Stage 2 – Post-Execution Scripting
This was followed closely by native scripting activity, most commonly AppleScript, indicating the transition into post-execution workflow.
Stage 3 – Outbound Communications
Outbound communications then emerged, initially sporadic but quickly forming a consistent cadence of HTTP POST requests to rare external endpoints.
Stage 4 – Anomaly Convergence
As activity persisted, additional anomalies became visible — unusual SSL characteristics, abnormal user agents, and connections to infrastructure with no prior network prevalence.
Stage 5 – Autonomous Response
In the most mature stages of the activity, automated containment actions disrupted outbound communications on affected devices, limiting the attacker’s ability to continue tasking while investigations progressed.
Darktrace coverage and detections
The following use-case highlights systems likely affected by malicious macOS intrusion activity linked by Microsoft to the Democratic People’s Republic of Korea (DPRK) [1], with indications of suspicious behavior observed between March 1 and May 3, 2026. The activity overlaps with patterns described in recent reporting on DPRK-nexus MacOS intrusions [1], though attribution confidence in this case remains moderate and based on behavioral alignment rather than solely infrastructure linkage.
Analyst confidence emerged through the correlation of multiple weak signals across time and devices. This included model coverage for rare external communications, sustained beaconing patterns, repeated HTTP POSTs, and anomalous client characteristics. Where enabled, Autonomous Response actions disrupted the most active outbound paths to reduce the attacker’s ability to maintain control while Darktrace’s investigation continued.
Notably, this highly anomalous behavior included:
Outbound connections to the rare external endpoint, zoom[.]uswebob[.]us associated with IP address, 148.72.73[.]98 [2][3] over port 443
Outbound connections to the rare external endpoint, check02id[.]com associated with IP address, 83.136.210[.]180 [4] over port 7365
Outbound connections to the rare external endpoints, 104.145.210[.]107 [5] over port 8443 and 83.136.208[.]48 [6] over port 443
Outbound connections to the rare external endpoint, 83.136.208[.]246 [7] over port 6783 with observed URI `/api/daemon` and a PowerShell user agent
Darktrace’s detection initially highlighted a desktop device (running MacOS) engaging in anomalous behavior as early as March 12, 2026. Starting on March 12, the source device triggered a ‘Possible Doppelganger Attack’ alert including connectivity to the hostname "zoom[.]uswebob[.]us · 148.72.73[.]98" over port 443 (TCP, HTTPS, H2). This model highlights a device connecting to a location that is rare but masquerades as legitimate software, such as Zoom in this case, a commonly used technique to blend into expected traffic [2] [3].
Figure 1: Initial connectivity observed to the rare external hostname, zoom[.]uswebob[.]us · 148.72.73[.]98, over port 443.
This was followed roughly seven later by a connection to 104.145.210[.]107 over port 8443, during which approximately 250 KiB of data of inbound data and 30 MiB of outbound data was observed, triggering the ‘Unusual Activity / Unusual External Data to New Endpoint’ in Darktrace.
Quickly after this connection, Darktrace’s Autonomous Response intervened, blocking the device’s access to the unusual external location and halting the data exfiltration attempt.
Figure 2: Darktrace’s detection of unusual data exfiltration, shortly followed by an Autonomous Response action to block it.
The device continued to consistently trigger model alerts relating to unusual external connectivity, including 'Posting HTTP to IP Without Hostname', 'Anomalous Connection / Rare External SSL Self-Signed' alerts, until well after 3 PM that day.
Figure 3: Additional external connectivity to new IP without a hostname, including connectivity to 83.136.208[.]246, alongside an anomalous ‘curl/8.7.1’ user agent and ‘/api/daemon’ URI.
Figure 4: Continued external SSL connectivity to IP 83.136.208[.]48, including connectivity to 83.136.208[.]246, alongside an anomalous ‘curl/8.7.1’ user agent and ‘/api/daemon’ URI.
Figure 5: Continued external HTTP connectivity to hostname, check02id[.]com · 83.136.210[.]180, alongside an anomalous ‘Go-http-client/1,1’ user agent.
From March 13 to March 28, the device continued exhibit unusual connectivity to various endpoints (e.g., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180), with the 'Multiple HTTP POSTs to Rare Hostname' model consistently triggering.
Windows OS Case
Pivoting over to an additional device, this time running Windows OS, anomalous behavior was also observed between March 30 and April 20. Notably, on March 30, the device was observed making a large number of suspicious external connection attempts to 83.136.208[.]246 over port 6783, all of which failed.
A further indicator was observed on April 1 with PowerShell connectivity to the same rare endpoint (83.136.208[.]246, port 6783), using the URI '/api/daemon' and the user agent 'Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920'. Additional alerts included 'New User Agent to IP Without Hostname' and 'Anomalous Github Download', alongside activity involving the same endpoint.
Figure 6 : ‘Anomalous Powershell to Rare External Destination’ and ‘Github Download’ model alerts. This behavior involved connectivity with the endpoints ‘83.136.208[.]246’ and ‘github[.]com’.
The device continued triggering 'Posting HTTP to IP Without Hostname' & 'PowerShell to External Rare' alerts between April 4 and April 20 across multiple related endpoints (i.e., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180).
Darktrace’s Autonomous Response capability was able to block suspicious PowerShell attempts to unusual external locations, as shown below in an example from April 20.
Figure 7: Autonomous Response intervening to block an unusual PowerShell connection to an external destination.
Cyber AI Analyst investigations
In higher-confidence instances, Darktrace’s Cyber AI Analyst investigations helped connect otherwise separate model alerts into a single incident narrative, highlighting the attacker’s progression from post-execution scripting into sustained outbound signaling. This contextual stitching is particularly valuable in macOS scenarios where static artefacts are limited, and behavioral sequencing defines the intrusion.
Cyber AI Analyst investigations highlighted alerts on March 12, including unusual repeated connections and possible SSL command-and-control (C2) to multiple endpoints:
Figure 8: Cyber AI Analyst investigation linking events into a unified incident.
Autonomous Response
In addition to the containment actions detailed earlier, Autonomous Response implemented multiple additional measures to contain suspicious activity throughout the course of this attack. Whenever unusual external connectivity was detected, Darktrace blocked it, closing down potential C2 channels. Likewise, when data exfiltration attempts were identified, these connections were stopped to prevent the potential loss of sensitive data.
Figure 9: Autonomous Response actions implemented by Darktrace in response to suspicious connectivity in mid-March.
Furthermore, in cases where a device was deemed to have carried out a significant number of anomalous activities, Darktrace enforced a “pattern of life” on the device, preventing it from deviating from its expected behavior while allowing legitimate business operations to continue uninterrupted.
Figure 10: Autonomous Response actions implemented by Darktrace in response to suspicious connectivity in April, including the “Enforce Pattern of Life” action.
Conclusion
macOS intrusion tradecraft continues to shift toward native tooling and lightweight control channels designed to evade signature-led controls.
The repeated convergence of rare destinations, POST-based signaling, and anomalous client behavior — observed across time and across devices — provided sufficient evidence to act early and with confidence.
As macOS tradecraft continues to evolve, the defender advantage increasingly lies not in signatures, but in the ability to reason from behavior.
Credit to Justin Torres (Senior Cyber Analyst), Nathaniel Jones (VP, Security & AI Strategy, FCISO)
Edited by Ryan Traill (Content Manager)
Appendices
Darktrace Model Alert Coverage:
/ NETWORK-based model alerts:
· Anomalous Connection::Multiple HTTP POSTs to Rare Hostname
.jpg)
![Initial connectivity observed to the rare external hostname, zoom[.]uswebob[.]us · 148.72.73[.]98, over port 443.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6a3c241a851b82605cdf62fb_Screenshot%202026-06-24%20at%2011.38.14%E2%80%AFAM.png)
