Blog
/
Network
/
April 2, 2024

Darktrace's Investigation of Raspberry Robin Worm

Discover how Darktrace is leading the hunt for Raspberry Robin. Explore early insights and strategies in the battle against cyber threats.
Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Apr 2024

Introduction

In the face of increasingly hardened digital infrastructures and skilled security teams, malicious actors are forced to constantly adapt their attack methods, resulting in sophisticated attacks that are designed to evade human detection and bypass traditional network security measures.  

One such example that was recently investigated by Darktrace is Raspberry Robin, a highly evasive worm malware renowned for merging existing and novel techniques, as well as leveraging both physical hardware and software, to establish a foothold within organization’s networks and propagate additional malicious payloads.

What is Raspberry Robin?

Raspberry Robin, also known as ‘QNAP worm’, is a worm malware that was initially discovered at the end of 2023 [1], however, its debut in the threat landscape may have predated this, with Microsoft uncovering malicious artifacts linked to this threat (which it tracks under the name Storm-0856) dating back to 2019 [4]. At the time, little was known regarding Raspberry Robin’s objectives or operators, despite the large number of successful infections worldwide. While the identity of the actors behind Raspberry Robin still remains a mystery, more intelligence has been gathered about the malware and its end goals as it was observed delivering payloads from different malware families.

Who does Raspberry Robin target?

While it was initially reported that Raspberry Robin primarily targeted the technology and manufacturing industries, researchers discovered that the malware had actually targeted multiple sectors [3] [4]. Darktrace’s own investigations echoed this, with Raspberry Robin infections observed across various industries, including public administration, finance, manufacturing, retail education and transportation.

How does Raspberry Robin work?

Initially, it appeared that Raspberry Robin's access to compromised networks had not been utilized to deliver final-stage malware payloads, nor to steal corporate data. This uncertainty led researchers to question whether the actors involved were merely “cybercriminals playing around” or more serious threats [3]. This lack of additional exploitation was indeed peculiar, considering that attackers could easily escalate their attacks, given Raspberry Robin’s ability to bypass User Account Control using legitimate Windows tools [4].

However, at the end of July 2022, some clarity emerged regarding the operators' end goals. Microsoft researchers revealed that the access provided by Raspberry Robin was being utilized by an access broker tracked as DEV-0206 to distribute the FakeUpdates malware downloader [2]. Researchers further discovered malicious activity associated with Evil Corp TTPs (i.e., DEV-0243) [5] and payloads from the Fauppod malware family leveraging Raspberry Robin’s access [8]. This indicates that Raspberry Robin may, in fact, be an initial access broker, utilizing its presence on hundreds of infected networks to distribute additional payloads for paying malware operators. Thus far, Raspberry Robin has been observed distributing payloads linked to FIN11, Clop Gang, BumbleBee, IcedID, and TrueBot on compromised networks [12].

Raspberry Robin’s Continued Evolution

Since it first appeared in the wild, Raspberry Robin has evolved from "being a widely distributed worm with no observed post-infection actions [...] to one of the largest malware distribution platforms currently active" [8]. The fact that Raspberry Robin has become such a prevalent threat is likely due to the continual addition of new features and evasion capabilities to their malware [6] [7].  

Since its emergence, the malware has “changed its communication method and lateral movement” [6] in order to evade signature detections based on threat intelligence and previous versions. Endpoint security vendors commonly describe it as heavily obfuscated malware, employing multiple layers of evasion techniques to hinder detection and analysis. These include for example dropping a fake payload when analyzed in a sandboxed environment and using mixed-case executing commands, likely to avoid case-sensitive string-based detections.  

In more recent campaigns, Raspberry Robin further appears to have added a new distribution method as it was observed being downloaded from archive files sent as attachments using the messaging service Discord [11]. These attachments contained a legitimate and signed Windows executable, often abused by attackers for side-loading, alongside a malicious dynamic-link library (DLL) containing a Raspberry Robin sample.

Another reason for the recent success of the malware may be found in its use of one-day exploits. According to researchers, Raspberry Robin now utilizes several local privilege escalation exploits that had been recently disclosed, even before a proof of concept had been made available [9] [10]. This led cyber security professionals to believe that operators of the malware may have access to an exploit seller [6]. The use of these exploits enhances Raspberry Robin's detection evasion and persistence capabilities, enabling it to propagate on networks undetected.

Darktrace’s Coverage of Raspberry Robin

Through two separate investigations carried out by Darktrace’s Threat Research team, first in late 2022 and then in November 2023, it became evident that Raspberry Robin was capable of integrating new functionalities and tactics, techniques and procedures (TTPs) into its attacks. Darktrace DETECT™ provided full visibility over the evolving campaign activity, allowing for a comparison of the threat across both investigations. Additionally, if Darktrace RESPOND™ was enabled on affected networks, it was able to quickly mitigate and contain emerging activity during the initial stages, thwarting the further escalation of attacks.

Raspberry Robin Initial Infection

The most prevalent initial infection vector appears to be the introduction of an infected external drive, such as a USB stick, containing a malicious .LNK file (i.e., a Windows shortcut file) disguised as a thumb drive or network share. When clicked, the LNK file automatically launches cmd.exe to execute the malicious file stored on the external drive, and msiexec.exe to connect to a Raspberry Robin command-and-control (C2) endpoint and download the main malware component. The whole process leverages legitimate Windows processes and is therefore less likely to raise any alarms from more traditional security solutions. However, Darktrace DETECT was able to identify the use of Msiexec to connect to a rare endpoint as anomalous in every case investigated.

Little is currently known regarding how the external drives are infected and distributed, but it has been reported that affected USB drives had previously been used for printing at printing and copying shops, suggesting that the infection may have originated from such stores [13].

A method as simple as leaving an infected USB on a desk in a public location can be a highly effective social engineering tactic for attackers. Exploiting both curiosity and goodwill, unsuspecting individuals may innocently plug in a found USB, hoping to identify its owner, unaware that they have unwittingly compromised their device.

As Darktrace primarily operates on the network layer, the insertion of a USB endpoint device would not be within its visibility. Nevertheless, Darktrace did observe several instances wherein multiple Microsoft endpoints were contacted by compromised devices prior to the first connection to a Raspberry Robin domain. For example, connections to the URI '/fwlink/?LinkID=252669&clcid=0x409' were observed in multiple customer environments prior to the first Raspberry Robin external connection. This connectivity seems to be related to Windows attempting to retrieve information about installed hardware, such as a printer, and could also be related to the inserting of an external USB drive.

Figure 1: Device Event Log showing an affected device making connections to Microsoft endpoints, prior to contacting the Raspberry Robin C2 endpoint ‘vqdn[.]net’.
Figure 1: Device Event Log showing an affected device making connections to Microsoft endpoints, prior to contacting the Raspberry Robin C2 endpoint ‘vqdn[.]net’.

Raspberry Robin Command-and-Control Activity

In all cases investigated by Darktrace, compromised devices were detected making HTTP GET connections via the unusual port 8080 to Raspberry Robin C2 endpoints using the new user agent 'Windows Installer'.

The C2 hostnames observed were typically short and matched the regex /[a-zA-Z0-9]{2,4}.[a-zA-Z0-9]{2,6}/, and were hosted on various top-level domains (TLD) such as ‘.rocks’, ‘.pm’, and ‘.wf’. On one customer network, Darktrace observed the download of an MSI file from the Raspberry Robin domain ‘wak[.]rocks’. This package contained a heavily protected malicious DLL file whose purpose was unknown at the time.  

However, in September 2022, external researchers revealed that the main purpose of this DLL was to download further payloads and enable lateral movement, persistence and privilege escalation on compromised devices, as well as exfiltrating sensitive information about the device. As worm infections spread through networks automatically, exfiltrating device data is an essential process for threat actor to keep track of which systems have been infected.

On affected networks investigated by Darktrace, compromised devices were observed making C2 connections that contained sensitive device information, including hostnames and credentials, with additional host information likely found within the data packets [12].

Figure 2: Model Breach Event Log displaying the events that triggered the the ‘New User Agent and Suspicious Request Data’ DETECT model breach.
Figure 2: Model Breach Event Log displaying the events that triggered the the ‘New User Agent and Suspicious Request Data’ DETECT model breach.

As for C2 infrastructure, Raspberry Robin leverages compromised Internet of Things (IoT) devices such as QNAP network attached storage (NAS) systems with hijacked DNS settings [13]. NAS devices are data storage servers that provide access to the files they store from anywhere in the world. These features have been abused by Raspberry Robin operators to distribute their malicious payloads, as any uploaded file could be stored and shared easily using NAS features.

However, Darktrace found that QNAP servers are not the only devices being exploited by Raspberry Robin, with DETECT identifying other IoT devices being used as C2 infrastructure, including a Cerio wireless access point in one example. Darktrace recognized that this connection was new to the environment and deemed it as suspicious, especially as it also used new software and an unusual port for the HTTP protocol (i.e., 8080 rather than 80).

In several instances, Darktrace observed Raspberry Robin utilizing TOR exit notes as backup C2 infrastructure, with compromised devices detected connecting to TOR endpoints.

Figure 3: Raspberry Robin C2 endpoint when viewed in a sandbox environment.
Figure 3: Raspberry Robin C2 endpoint when viewed in a sandbox environment.
Figure 4: Raspberry Robin C2 endpoint when viewed in a sandbox environment.
Figure 4: Raspberry Robin C2 endpoint when viewed in a sandbox environment.

Raspberry Robin in 2022 vs 2023

Despite the numerous updates and advancements made to Raspberry Robin between the investigations carried out in 2022 and 2023, Darktrace’s detection of the malware was largely the same.

DETECT models breached during first investigation at the end of 2022:

  • Device / New User Agent
  • Anomalous Server Activity / New User Agent from Internet Facing System
  • Device / New User Agent and New IP
  • Compromise / Suspicious Request Data
  • Compromise / Uncommon Tor Usage
  • Possible Tor Usage

DETECT models breached during second investigation in late 2023:

  • Device / New User Agent and New IP
  • Device / New User Agent and Suspicious Request Data
  • Device / New User Agent
  • Device / Suspicious Domain
  • Possible Tor Usage

Darktrace’s anomaly-based approach to threat detection enabled it to consistently detect the TTPs and IoCs associated with Raspberry Robin across the two investigations, despite the operator’s efforts to make it stealthier and more difficult to analyze.

In the first investigation in late 2022, Darktrace detected affected devices downloading addition executable (.exe) files following connections to the Raspberry Robin C2 endpoint, including a numeric executable file that appeared to be associated with the Vidar information stealer. Considering the advanced evasion techniques and privilege escalation capabilities of Raspberry Robin, early detection is key to prevent the malware from downloading additional malicious payloads.

In one affected customer environment investigated in late 2023, a total of 12 devices were compromised between mid-September and the end of October. As this particular customer did not have Darktrace RESPOND, the Raspberry Robin infection was able to spread through the network unabated until the customer acted upon Darktrace DETECT’s alerts.

Had Darktrace RESPOND been enabled in autonomous response mode, it would have been able to take immediate action following the first observed connection to a Raspberry Robin C2 endpoint, by blocking connections to the suspicious endpoint and enforcing a device’s normal ‘pattern of life’.

By enforcing a pattern of life on an affected device, RESPOND would prevent it from carrying out any activity that deviates from this learned pattern, including connections to new endpoints using new software as was the case in Figure 5, effectively shutting down the attack in the first instance.

Model Breach Event Log showing RESPOND’s actions against connections to Raspberry Robin C2 endpoints.
Figure 5: Model Breach Event Log showing RESPOND’s actions against connections to Raspberry Robin C2 endpoints.

Conclusion

Raspberry Robin is a highly evasive and adaptable worm known to evolve and change its TTPs on a regular basis in order to remain undetected on target networks for as long as possible. Due to its ability to drop additional malware variants onto compromised devices, it is crucial for organizations and their security teams to detect Raspberry Robin infections at the earliest possible stage to prevent the deployment of potentially disruptive secondary attacks.

Despite its continued evolution, Darktrace's detection of Raspberry Robin remained largely unchanged across the two investigations. Rather than relying on previous IoCs or leveraging existing threat intelligence, Darktrace DETECT’s anomaly-based approach allows it to identify emerging compromises by detecting the subtle deviations in a device’s learned behavior that would typically come with a malware compromise.

By detecting the attacks at an early stage, Darktrace gave its customers full visibility over malicious activity occurring on their networks, empowering them to identify affected devices and remove them from their environments. In cases where Darktrace RESPOND was active, it would have been able to take autonomous follow-up action to halt any C2 communication and prevent the download of any additional malicious payloads.  

Credit to Alexandra Sentenac, Cyber Analyst, Trent Kessler, Senior Cyber Analyst, Victoria Baldie, Director of Incident Management

Appendices

Darktrace DETECT Model Coverage

Device / New User Agent and New IP

Device / New User Agent and Suspicious Request Data

Device / New User Agent

Compromise / Possible Tor Usage

Compromise / Uncommon Tor Usage

MITRE ATT&CK Mapping

Tactic - Technique

Command & Control - T1090.003 Multi-hop Proxy

Lateral Movement - T1210 Exploitation of remote services

Exfiltration over C2 Data - T1041 Exfiltration over C2 Channel

Data Obfuscation - T1001 Data Obfuscation

Vulnerability Scanning - T1595.002 Vulnerability Scanning

Non-Standard Port - T1571 Non-Standard Port

Persistence - T1176 Browser Extensions

Initial Access - T1189 Drive By Compromise / T1566.002  Spearphishing Link

Collection - T1185 Man in the browser

List of IoCs

IoC - Type - Description + Confidence

vqdn[.]net - Hostname - C2 Server

mwgq[.]net - Hostname - C2 Server

wak[.]rocks - Hostname - C2 Server

o7car[.]com - Hostname - C2 Server

6t[.]nz - Hostname - C2 Server

fcgz[.]net - Hostname - Possible C2 Server

d0[.]wf - Hostname - C2 Server

e0[.]wf - Hostname - C2 Server

c4z[.]pl - Hostname - C2 Server

5g7[.]at - Hostname - C2 Server

5ap[.]nl - Hostname - C2 Server

4aw[.]ro - Hostname - C2 Server

0j[.]wf - Hostname - C2 Server

f0[.]tel - Hostname - C2 Server

h0[.]pm - Hostname - C2 Server

y0[.]pm - Hostname - C2 Server

5qy[.]ro - Hostname - C2 Server

g3[.]rs - Hostname - C2 Server

5qe8[.]com - Hostname - C2 Server

4j[.]pm - Hostname - C2 Server

m0[.]yt - Hostname - C2 Server

zk4[.]me - Hostname - C2 Server

59.15.11[.]49 - IP address - Likely C2 Server

82.124.243[.]57 - IP address - C2 Server

114.32.120[.]11 - IP address - Likely C2 Server

203.186.28[.]189 - IP address - Likely C2 Server

70.124.238[.]72 - IP address - C2 Server

73.6.9[.]83 - IP address - Likely C2 Server

References

[1] https://redcanary.com/blog/raspberry-robin/  

[2] https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/

[3] https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf

[4] https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/

[5] https://therecord.media/microsoft-ties-novel-raspberry-robin-malware-to-evil-corp-cybercrime-syndicate

[6] https://securityaffairs.com/158969/malware/raspberry-robin-1-day-exploits.html

[7] https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/

[8] https://redmondmag.com/articles/2022/10/28/microsoft-details-threat-actors-leveraging-raspberry-robin-worm.aspx

[9] https://www.bleepingcomputer.com/news/security/raspberry-robin-malware-evolves-with-early-access-to-windows-exploits/

[10] https://www.bleepingcomputer.com/news/security/raspberry-robin-worm-drops-fake-malware-to-confuse-researchers/

[11] https://thehackernews.com/2024/02/raspberry-robin-malware-upgrades-with.html

[12] https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/

[13] https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html

Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

Phantom Footprints: Tracking GhostSocks Malware

Network
March 26, 2026
Isabel Evans
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Darktrace Recognized as the Only Visionary in the 2026 Gartner® Magic Quadrant™ for CPS Protection Platforms
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Darktrace's latest threat research reveals how Chinese-nexus cyber operations have evolved from isolated intrusions into long-term strategic positioning, with attackers prioritizing persistent access to critical infrastructure and digital ecosystems to gain lasting operational and economic advantage.
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Read more
Network
March 26, 2026

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat turning compromised devices into residential proxy nodes to help attackers evade detection. Darktrace identifies its growing use alongside Lumma Stealer, highlighting the malware’s stealth, payload delivery, and persistence. AI-driven detection and Autonomous Response reveal the full attack lifecycle and underscore the need for proactive defense.
Isabel Evans
Cyber Analyst
Read more
Network
March 17, 2026

When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack

World Leaks, a rebrand of Hunters International, are known for their extortion-only attack model, abandoning the tactic of file encryption. However, contrary to these claims, Darktrace detected a World Leaks compromise where a ransomware payload was deployed, and customer data was encrypted.
Tiana Kelly
Senior Cyber Analyst & Team Lead
Read more

Blog

/

Network

/

April 2, 2026

How Chinese-Nexus Cyber Operations Have Evolved – And What It Means For Cyber Risk and Resilience 

Chinese-Nexus Cyber OperationsDefault blog imageDefault blog image

Cybersecurity has traditionally organized risk around incidents, breaches, campaigns, and threat groups. Those elements still matter—but if we fixate on individual incidents, we risk missing the shaping of the entire ecosystem. Nation‑state–aligned operators are increasingly using cyber operations to establish long-term strategic leverage, not just to execute isolated attacks or short‑term objectives.  

Our latest research, Crimson Echo, shifts the lens accordingly. Instead of dissecting campaigns, malware families, or actor labels as discrete events, the threat research team analyzed Chinese‑nexus activity as a continuum of behaviors over time. That broader view reveals how these operators position themselves within environments: quietly, patiently, and persistently—often preparing the ground long before any recognizable “incident” occurs.  

How Chinese-nexus cyber threats have changed over time

Chinese-nexus cyber activity has evolved in four phases over the past two decades. This ranges from early, high-volume operations in the 1990s and early 2000s to more structured, strategically-aligned activity in the 2010s, and now toward highly adaptive, identity-centric intrusions.  

Today’s phase is defined by scale, operational restraint, and persistence. Attackers are establishing access, evaluating its strategic value, and maintaining it over time. This reflects a broader shift: cyber operations are increasingly integrated into long-term economic and geopolitical strategies. Access to digital environments, specifically those tied to critical national infrastructure, supply chains, and advanced technology, has become a form of strategic leverage for the long-term.  

How Darktrace analysts took a behavioral approach to a complex problem

One of the challenges in analyzing nation-state cyber activity is attribution. Traditional approaches often rely on tracking specific threat groups, malware families, or infrastructure. But these change constantly, and in the case of Chinese-nexus operations, they often overlap.

Crimson Echo is the result of a retrospective analysis of three years of anomalous activity observed across the Darktrace fleet between July 2022 and September 2025. Using behavioral detection, threat hunting, open-source intelligence, and a structured attribution framework (the Darktrace Cybersecurity Attribution Framework), the team identified dozens of medium- to high-confidence cases and analyzed them for recurring operational patterns.  

This long-horizon, behavior-centric approach allows Darktrace to identify consistent patterns in how intrusions unfold, reinforcing that behavioral patterns that matter.  

What the data shows

Several clear trends emerged from the analysis:

  • Targeting is concentrated in strategically important sectors. Across the dataset, 88% of intrusions occurred in organizations classified as critical infrastructure, including transportation, critical manufacturing, telecommunications, government, healthcare, and Information Technology (IT) services.  
  • Strategically important Western economies are a primary focus. The US alone accounted for 22.5% of observed cases, and when combined with major European economies including Germany, Italy, Spain and the UK, over half of all intrusions (55%) were concentrated in these regions.  
  • Nearly 63% of intrusions of intrusions began with the exploitation of internet-facing systems, reinforcing the continued risk posed by externally exposed infrastructure.  

Two models of cyber operations

Across the dataset, Chinese-nexus activity followed two operational models.  

The first is best described as “smash and grab.” These are short-horizon intrusions optimized for speed. Attackers move quickly – often exfiltrating data within 48 hours – and prioritize scale over stealth. The median duration of these compromises is around 10 days. It’s clear they are willing to risk detection for short-term gain.  

The second is “low and slow.” These operations were less prevalent in the dataset, but potentially more consequential. Here, attackers prioritize persistence, establishing durable access through identity systems and legitimate administrative tools, so they can maintain access undetected for months or even years. In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after. The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent. This suggests that cyber access is a strategic asset to preserve and leverage over time, and we observed these attacks most often inin sectors of the high strategic importance.  

It’s important to note that the same operational ecosystem can employ both models concurrently, selecting the appropriate model based on target value, urgency, intended access. The observation of a “smash and grab” model should not be solely interpreted as a failure of tradecraft, but instead an operational choice likely aligned with objectives. Where “low and slow” operations are optimized for patience, smash and grab is optimized for speed; both seemingly are deliberate operational choices, not necessarily indicators of capability.  

Rethinking cyber risk

For many organizations, cyber risk is still framed as a series of discrete events. Something happens, it is detected and contained, and the organization moves on. But persistent access, particularly in deeply interconnected environments that span cloud, identity-based SaaS and agentic systems, and complex supply chain networks, creates a major ongoing exposure risk. Even in the absence of disruption or data theft, that access can provide insight into operations, dependencies, and strategic decision-making. Cyber risk increasingly resembles long-term competitive intelligence.  

This has impact beyond the Security Operations Center. Organizations need to shift how they think about governance, visibility, and resilience, and treat cyber exposure as a structural business risk instead of an incident response challenge.  

What comes next

The goal of this research is to provide a clearer understanding of how these operations work, so defenders can recognize them earlier and respond more effectively. That includes shifting from tracking indicators to understanding behaviors, treating identity providers as critical infrastructure risks, expanding supplier oversight, investing in rapid containment capabilities, and more.  

Learn more about the findings of Darktrace’s latest research, Crimson Echo: Understanding Chinese-nexus Cyber Operations Through Behavioral Analysis, by downloading the full report and summaries for business leaders, CISOs, and SOC analysts here.  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Proactive Security

/

April 1, 2026

AI-powered security for a rapidly growing grocery enterprise

Default blog imageDefault blog image

Protecting a complex, fast-growing retail organization

For this multi-banner grocery holding organization, cybersecurity is considered an essential business enabler, protecting operations, growth, and customer trust. The organization’s lean IT team manages a highly distributed environment spanning corporate offices, 100+ stores, distribution centers and  thousands of endpoints, users, and third-party connections.

Mergers and acquisitions fueled rapid growth, but they also introduced escalating complexity that constrained visibility into users, endpoints, and security risks inherited across acquired environments.

Closing critical visibility gaps with limited resources

Enterprise-wide visibility is a top priority for the organization, says the  Vice President of Information Technology. “We needed insights beyond the perimeter into how users and devices were behaving across the organization.”

A security breach that occurred before the current IT leadership joined the company reinforced the urgency and elevated cybersecurity to an executive-level priority with a focus on protecting customer trust. The goal was to build a multi-layered security model that could deliver autonomous, enterprise-wide protection without adding headcount.

Managing cyber risk in M&A

Mergers and acquisitions are central to the grocery holding company’s growth strategy. But each transaction introduces new cyber risk, including inherited network architectures, inconsistent tooling, excessive privileges, and remnants of prior security incidents that were never fully remediated.

“Our M&A targets range from small chains with a single IT person and limited cyber tools to large chains with more developed IT teams, toolsets and instrumentation,” explains the VP of IT. “We needed a fast, repeatable, and reliable way to assess cyber risk before transactions closed.”

AI-driven security built for scale, speed, and resilience

Rather than layering additional point tools onto an already complex environment, the retailer adopted the Darktrace ActiveAI Security Platform™ in 2020 as part of a broader modernization effort to improve resilience, close visibility gaps, and establish a security foundation that could scale with growth.

“Darktrace’s AI-driven approach provided the ideal solution to these challenges,” shares the VP of IT. “It has empowered our organization to maintain a robust security strategy, ensuring the protection of our network and the smooth operation of our business.”

Enterprise-wide visibility into traffic  

By monitoring both north-south and east-west traffic and applying Self-Learning AI, Darktrace develops a dynamic understanding of how users and devices normally behave across locations, roles, and systems.

“Modeling normal behavior across the environment enables us to quickly spot behavior that doesn’t fit. Even subtle changes that could signal a threat but appear legitimate at first glance,” explains the VP of IT.

Real-time threat containment, 24/7

Adopting autonomous response has created operational breathing room for the security team, says the company’s Cybersecurity  Engineer.

“Early on, we enabled full Darktrace autonomous mode and we continue to do so today,” shares the IT Security Architect. “Allowing the technology to act first gives us the time we need to investigate incidents during business hours without putting the business at risk.”

Unified, actionable view of security ecosystem

The grocery retailer integrated Darktrace with its existing security ecosystem of firewalls, vulnerability management tools, and endpoint detection and response, and the VP of IT described the adoption process as “exceptionally smooth.”

The team can correlate enterprise-wide security data for a unified and actionable picture of all activity and risk. Using this “single pane of glass” approach, the retailer trains Level 1 and Level 2 operations staff to assist with investigations and user follow-ups, effectively extending the reach of the security function without expanding headcount.

From reactive defense to security at scale

With Darktrace delivering continuous visibility, autonomous containment, and integrated security workflows, the organization has strengthened its cybersecurity posture while improving operational efficiency. The result is a security model that not only reduces risk, but also supports growth, resilience, and informed decision-making at the business level.

Faster detection, faster resolution

With autonomous detection and response, the retailer can immediately contain risk while analysts investigate and validate activity. With this approach, the company can maintain continuous protection even outside business hours and reduce the chance of lateral spread across systems or locations.

Enterprise-grade protection with a lean team

From cloud environments to clients to SaaS collaboration tools, Darktrace provides holistic autonomous AI defense, processing petabytes of the organization’s network traffic and investigating millions of individual events that could be indicative of a wider incident.

Today, Darktrace autonomously conducts the majority of all investigations on behalf of the IT team, escalating only a tiny fraction for analyst review. The impact has been profound, freeing analysts from endless alerts and hours of triage so they can focus on more valuable, proactive, and gratifying work.

“From an operational perspective, Darktrace gives us time back,” says the Cybersecurity Engineer. More importantly, says the VP of IT, “it gives us peace of mind that we’re protected even if we’re not actively monitoring every alert.”

A strategic input for M&A decision-making

One of the most strategic outcomes has been the role of cybersecurity on M&A. 90 days prior to closing a transaction, the security team uses Darktrace alongside other tools to perform a cyber risk assessment of the potential acquisition. “Our approach with Darktrace has consistently identified gaps and exposed risks,” says the VP of IT, including:

  • Remnants of previous incidents that were never fully remediated
  • Network configurations with direct internet exposure
  • Excessive administrative privileges in Active Directory or on critical hosts

While security findings may not alter deal timelines, the VP of IT says they can have enormous business implications. “With early visibility into these risks, we can reduce exposure to inherited cyber threats, strengthen our position during negotiations, and establish clear remediation requirements.”

A security strategy built to evolve with the business

As the holding group expands its cloud footprint, it will extend Darktrace protections into Azure, applying the same AI-driven visibility and autonomous response to cloud workloads. The VP of IT says Darktrace's evolving capabilities will be instrumental in addressing the organization’s future cybersecurity needs and ability to adapt to the dynamic nature of cloud security.

“With Darktrace’s AI-driven approach, we have moved beyond reactive defense, establishing a resilient security foundation for confident expansion and modernization.”

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI