Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Anna Gilbertson
Cyber Security Analyst
Share
01
Dec 2022
Side-by-side, data loss and cyber-attacks are two of the most common concerns expressed by IT directors. Whilst ransom has traditionally been seen as a big cause of this, ransom (and subsequently) data loss appears to be changing. This blog explores an incident seen within a middle eastern financial customer from May-June 2022. This customer suffered large data loss and a high volume of files with a ransom note were written on its network, but the institution’s data was not encrypted. This is an example of a growing trend in ransomware attacks, which involves exfiltration of the victim’s data and the write of a ransom note but no encryption of files. Instead of being extorted for the decryption of their files, companies are being extorted for the return of their stolen data.
Attack Summary
A threat actor spread laterally through a customer network by writing suspicious ‘.dat’ and ‘.exe’ files, exfiltrated more than 300GB of data over a two-month period and made beaconing connections to endpoints identified by OSINT as probable Cobalt Strike C2 servers.
Attack Details
In May an internal desktop was observed connecting to a rare external endpoint over the SSL protocol using a highly unusual port and the RClone client. These connections continued for several weeks and spiked at the same time as the device’s other malicious activity. It is likely that these connections reflected a potential point of infection.
The attacker then used the desktop and two other internal devices to perform network scanning and enumeration activity in order to discover other devices on the network it could infect. In total 856 unique IPs were scanned- largely over TCP, UDP and ICMP. Further directory replication service requests were also seen over DCE-RPC, suggesting an attempt to extract user credentials. One device was later seen accessing an unencrypted password file showing successful recon. The attacker then used the already compromised devices to infect other devices on the network by writing suspicious ‘.exe’ and ‘.dat’ files including ‘Bun.dat' and ‘Agent.exe’.
The compromised devices were then used by the attacker to download nearly 4GB of data from an internal server and to upload a similar amount to a suspicious IP address associated with a young domain. Over the following two months, the compromised devices went on to upload roughly 100GB of data to the same destination each week.
The attacker also used these devices to make beaconing connections to several rare and external endpoints. Some of these endpoints were created just before the beginning of the compromise and have all been identified by OSINT as probable Cobalt Strike command and control servers. During this beaconing an internal device was also observed making an extremely large number of writes of files that appeared to be ransom notes, these were appropriately named ‘YOURNETWORKDATAHASBEENCOMPROMISED.txt’.
Darktrace Coverage
How did this attack remain hidden from the company’s other tools? Neither the initial C2 IP Address, the follow-on Cobalt Strike C2 servers or the exfiltration server were associated with malicious activity in open-source reporting prior to this compromise. This meant they were likely omitted from expected blacklists and standard signature-based security. Furthermore, executable files written by the compromised devices included ‘anydesk.exe’ and ‘procdump64.exe’, both of which are legitimate tools commonly used by administrators. This demonstrates the use of living off the land tactics (LotL) which are typically hard to detect.
Given the attack’s novelty and LotL techniques, it is no surprise that Darktrace DETECT/Network identified anomalies in usual network behaviour. In particular, Cyber AI Analyst was a large highlight when it came to both Darktrace’s and the security team’s follow-up triage. AI Analyst collated different phases of the compromise such as the network scanning activity, the lateral movement activity over the DCE-RPC protocol, the data exfiltration, and the beaconing activity to the Cobalt Strike endpoints. This helped to map a clear timeline and progression of events along the kill chain.
Figure 1: An AI Analyst Graph showing the timeline of the beaconing activity to the Cobalt Strike Endpoints and the lateral movement activity over the DCE-RPC protocol.
Figure 2: AI Analyst Graph showing the timeline of overall suspicious activities carried out by the compromised devices.
On top of the DETECT product, Darktrace services had a large role to play in the aftermath. The customer subscribed to Darktrace’s Ask the Expert (ATE) service and only became fully aware of the compromise after submitting an ATE ticket requesting assistance investigating one of the related model breaches. Finally, RESPOND itself (although in human confirmation mode) was still able to be used to manually quarantine devices.
Conclusion
During this incident, the initial point of infection, data exfiltration endpoint, and Cobalt Strike C2 Servers were recently created and had no OSINT associating them with malicious activity. This demonstrates how ineffective traditional signature-based intrusion detection systems can be at detecting compromises and how effective Darktrace is at detecting novel campaigns and attacks. Despite this, detection is clearly not enough, especially as out-of-hours attacks increase in frequency and effectiveness. This customer had RESPOND in human confirmation mode which meant that the activity was acted upon and stopped slower than had it been set autonomously. If malicious data loss is to be stopped in full, companies need to reduce reliance on humans and embrace AI-based protection.
Thanks to Darktrace analyst Steve Robinson for his insights on the above threat investigation.
Appendices
Related AI Analyst Incidents
Unusual Repeated Connections
Suspicious DCE-RPC Activity
Internal Download and External Upload
Scanning of Multiple Devices
Possible SSL Command and Control Activity to Multiple Endpoints
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval
Darktrace detected a potential ClearFake‑related incident involving signs of EtherHiding activity and interactions with blockchain‑based infrastructure. A single device showed repeated suspicious command‑line behavior, primarily involving Microsoft HTML Application Host. The activity occurred over the course of a day and indicated early‑stage attempts to load malicious content associated with the ClearFake campaign.
How Darktrace Could Have Stopped a Surprise DDoS Incident
Learn how Darktrace could revolutionize DDoS defense, enabling companies to stop threats without 24/7 monitoring. Read more about how we thwart attacks!
Shadow AI Detection: The First Step Toward Securing AI
Why shadow AI is emerging
Imagine you’re an employee under pressure, deadlines stacking up, repetitive tasks piling higher by the day. You find a free AI tool online that promises to automate the work in seconds; no approvals are needed. It feels like a simple win, paste in some data, write a quick prompt, and move faster.
But in that moment, something changed.
Sensitive customer information is entered into a tool your organization doesn’t monitor, doesn’t govern, and can’t see and suddenly, that data is no longer where it should be, and no one knows where it’s gone.
This is the reality of Shadow AI: employees using unsanctioned AI tools to move faster, while unintentionally creating risk that exists entirely outside visibility and control.
This is not just a one off case, research across businesses indicate that nearly half of employees report using unsanctioned AI tools, often prioritizing speed and productivity over security. Additionally, 51% of employees report connecting AI tools to work systems or apps without IT approval, creating significant operational risk where the average cost of security incidents in organizations with a high level of shadow AI usage can reach $670k.
While shadow AI is often top of mind for security professionals, it is just one component of how AI use can increase risk. Understanding and managing shadow AI use should be considered as part of a broader, comprehensive risk management strategy that aims to secure AI systems, including human and agent identities, interactions, human-AI partnerships, and behaviors operating across the digital enterprise from visibility and governance through detection, response, and recovery.
Effective risk management calls for a layered and interdisciplinary strategy. It requires addressing issues across governance and visibility; identity, access and agent control, data security and privacy, secure MLOps / LLMOps, runtime security, behavior-based detection, autonomous response and recovery.
This blog explores a specific governance and visibility use case linked to shadow AI and reveals the challenges it presents as well as the defensive strategies that security teams can adopt.
Why shadow AI is hard to detect
When it comes to AI, what organizations can easily see does not always reflect the full scope of AI activity occurring within the tools, applications, and workflows used across an enterprise. As a result, organizations using traditional rule-based methods to flag unusual activity may struggle to distinguish unsanctioned AI usage from legitimate operational behavior, particularly as SaaS applications, APIs, and orchestration layers increasingly have AI embedded into normal business workflows. Identifying threats using previously observed intelligence or depending on hard to maintain allow and block lists does not provide a dynamic enough strategy to manage risk. Also, many organizations are focusing on identifying Shadow AI in their governed infrastructure, like gateways, endpoints, or SASE, which is foundational. But, organizations require visibility and Shadow AI detection across all networked infrastructure from on-prem, hybrid, data centers, and cloud infrastructure that may not have endpoint agent visibility. This uncovers the utilization of MCP, data flows, and autonomous agents across these domains.
For example, employees interact with AI assistants across approved SaaS platforms every day. However, browser extensions and other types of plug-ins can route prompts that include enterprise data to embedded AI services in ways that are not visible to the security team. AI enabled workflows may invoke multiple APIs, orchestration layers, and cloud services behind the scenes, making it difficult for traditional security tooling to determine where data is processed, stored, or retransmitted. Because much of this activity occurs within trusted browser sessions and encrypted SaaS traffic, conventional network monitoring, DLP, and application allowlisting controls often lack the context needed to accurately identify or govern these interactions
Identifying AI tools in the environment is one part of the equation. Understanding the behavior surrounding their use is where the real challenge lies. An AI application is not inherently risky, but the way users or other assets interact with it may be. Sensitive data exposure, abnormal access patterns, and misuse of AI-assisted workflows often appear legitimate in isolation and only become visible through behavioral analysis across the broader environment.
What Shadow AI visibility does and doesn’t show
Comprehensive Shadow AI visibility allows organizations to answer several important questions:
What types of AI are we using? What AI platforms, agents, MCP clients/servers, and services are active across the enterprise?
Who is using AI services? Which users, business units, or systems are interacting with those AI services?
Is our data safe? Is sensitive or regulated data being exposed through prompts, workflows, or integrations?
Are AI systems behaving as expected? Are AI systems behaving anomalously or operating outside approved governance processes?
Are our AI systems under attack? Is an attacker attempting to manipulate prompts, influence agent behavior, or abuse AI-enabled workflows?
Answering these questions is foundational to broader AI governance efforts. However, it is limited to helping teams understand initial interactions and fails to offer insight into dependencies and outcomes that are critical to securing AI across an enterprise.
Deeper visibility that includes the ability to understand dependencies and outcomes are not always available in AI security point products. Answering the questions below requires understanding runtime behavior and operational outcomes:
What actions did the AI interaction trigger?
What systems, applications, or data did it access? Did the AI operate beyond its intended permissions or scope?
Could a low-risk interaction lead to high-risk outcomes?
What is the risk and context understanding of an anomalous activity to assist in prioritization of analysis and autonomous response action?
The distinction between these two sets of questions offers two different layers of AI security. The first set of questions focuses on discovery and interaction visibility. The second set focuses on providing visibility that includes the context and outcomes that are critical for managing follow-on risks associated with obfuscated downstream activities.
Together, these layers help organizations move beyond simply identifying AI usage toward understanding how AI behaves operationally across the enterprise.
How organizations are addressing shadow AI
Most organizations still approach shadow AI as an application control problem, relying on policies, browser restrictions, and allow/block lists. However, AI adoption is evolving faster than most governance processes can realistically keep pace with. New assistants, plugins, and embedded AI features appear continuously, creating pressure to enable business productivity while simultaneously containing risk.
Existing governance processes were designed for a more traditional SaaS adoption cycle, where new applications could be reviewed, approved, and monitored over longer time horizons. AI adoption operates differently. New capabilities can appear overnight inside existing platforms employees already use, making it difficult for security and governance teams to maintain an accurate understanding of enterprise AI exposure. This means that many organizations are experiencing significant operational overhead, particularly in large environments where AI usage is decentralized across teams, departments, and third-party services.
Where should organizations start when securing their AI systems?
Shadow AI identification is an on-going critical component for AI Risk/Governance Boards as well as security organizations. As organizations seek AI certifications like ISO 42001 AI Management Systems, visibility into all AI adoption from enterprise use to custom innovation and development is crucial. Shadow AI identification provides organizations with the visibility needed to decide whether an AI tool should be brought into governed environments to reduce data loss (DLP) risks or whether policies should be established and enforced to restrict their use.
As organizations rapidly innovate and adopt AI, they are taking on more and more risk. Organizations need to have a strategy in place to mitigate the assumed risk, especially with third-party adoption. Visibility, monitoring, governance enforcement, behavioral-based detection of non-deterministic systems, and autonomous investigation and containment becomes critical to mitigating the risk of AI systems.
How Darktrace secures AI and shadow AI
Attackers are using AI to move faster, scale tactics, and make threats more adaptive and convincing. Internally, organizations are grappling with new forms of risk created by generative AI, autonomous agents, shadow AI, and increasingly complex digital environments.
Darktrace helps organizations protect both people and AI in a world where AI is now central to how business gets done. Darktrace / SECURE AI helps organizations discover and control shadow AI by surfacing unsanctioned or unexpected AI activity where it appears – including MCP detections, distinguishing misuse of legitimate tools and unapproved services, and applying policy to contain data exposure while guiding users toward sanctioned options.
Stay up to date on AI security
Sign up for the Secure AI Readiness Program here: This gives you exclusive access to the latest news on the latest AI threats, updates on emerging approaches shaping AI security, and insights into the latest innovations, including Darktrace’s ongoing work in this area.
Ready to talk with a Darktrace expert on securing AI? Register here to receive practical guidance on the AI risks that matter most to your business, paired with clarity on where to focus first across governance, visibility, risk reduction, and long-term readiness.
From Click to Command: Behavioral Detection of AppleScript-Led MacOS Intrusions
Introduction
Darktrace’s Threat Research team is publishing this analysis to help defenders understand an active pattern of macOS tradecraft observed in multiple customer environments. This post summarizes the behaviors observed, how they were assessed, and what defenders can do now.
Across multiple environments, Darktrace observed a consistent MacOS intrusion pattern beginning with ClickFix-style user-assisted “update” execution and transitioning into AppleScript-driven post-compromise activity and sustained outbound signaling.
While individual indicators were low-confidence, the repeated convergence of weak behavioral signals — including HTTP POST beaconing, rare or IP-only destinations, SSL anomalies, and abnormal client characteristics — provided a defensible indication of command-and-control establishment Darktrace detection and response in these cases was driven by behavior over artifacts. In the highest-confidence instances, automated containment disrupted outbound signaling before sustained tasking could occur.
Background
ClickFix-style activity typically relies on user-assisted execution and plausible “update” pretexting, followed by post-execution use of native tools to keep the footprint light. In MacOS environments, AppleScript and other built-in scripting mechanisms enable flexible post-compromise workflows while minimizing stable file-based indicators.
Following execution, affected devices exhibited a consistent behavioral pattern. AppleScript or equivalent native scripting activity was observed initiating follow-on workflows, after which outbound communications began to establish a structured rhythm.
These communications were characterized by repeated HTTP POST requests to low-prevalence or IP-only endpoints, often combined with unusual SSL properties and client identifiers that diverged from baseline device behavior. Individually, these signals were weak. When correlated across time and devices, they formed a pattern consistent with control establishment rather than benign software activity.
In higher-confidence cases, Autonomous Response actions were able to reduce or halt outbound signaling, interrupting the attacker’s ability to maintain control.
Detection Timeline
In representative cases, the sequence unfolded as follows:
Stage 1 – Initial Execution
Initial activity began with suspicious or masqueraded execution on a MacOS endpoint, consistent with ClickFix-style user deception.
Stage 2 – Post-Execution Scripting
This was followed closely by native scripting activity, most commonly AppleScript, indicating the transition into post-execution workflow.
Stage 3 – Outbound Communications
Outbound communications then emerged, initially sporadic but quickly forming a consistent cadence of HTTP POST requests to rare external endpoints.
Stage 4 – Anomaly Convergence
As activity persisted, additional anomalies became visible — unusual SSL characteristics, abnormal user agents, and connections to infrastructure with no prior network prevalence.
Stage 5 – Autonomous Response
In the most mature stages of the activity, automated containment actions disrupted outbound communications on affected devices, limiting the attacker’s ability to continue tasking while investigations progressed.
Darktrace coverage and detections
The following use-case highlights systems likely affected by malicious macOS intrusion activity linked by Microsoft to the Democratic People’s Republic of Korea (DPRK) [1], with indications of suspicious behavior observed between March 1 and May 3, 2026. The activity overlaps with patterns described in recent reporting on DPRK-nexus MacOS intrusions [1], though attribution confidence in this case remains moderate and based on behavioral alignment rather than solely infrastructure linkage.
Analyst confidence emerged through the correlation of multiple weak signals across time and devices. This included model coverage for rare external communications, sustained beaconing patterns, repeated HTTP POSTs, and anomalous client characteristics. Where enabled, Autonomous Response actions disrupted the most active outbound paths to reduce the attacker’s ability to maintain control while Darktrace’s investigation continued.
Notably, this highly anomalous behavior included:
Outbound connections to the rare external endpoint, zoom[.]uswebob[.]us associated with IP address, 148.72.73[.]98 [2][3] over port 443
Outbound connections to the rare external endpoint, check02id[.]com associated with IP address, 83.136.210[.]180 [4] over port 7365
Outbound connections to the rare external endpoints, 104.145.210[.]107 [5] over port 8443 and 83.136.208[.]48 [6] over port 443
Outbound connections to the rare external endpoint, 83.136.208[.]246 [7] over port 6783 with observed URI `/api/daemon` and a PowerShell user agent
Darktrace’s detection initially highlighted a desktop device (running MacOS) engaging in anomalous behavior as early as March 12, 2026. Starting on March 12, the source device triggered a ‘Possible Doppelganger Attack’ alert including connectivity to the hostname "zoom[.]uswebob[.]us · 148.72.73[.]98" over port 443 (TCP, HTTPS, H2). This model highlights a device connecting to a location that is rare but masquerades as legitimate software, such as Zoom in this case, a commonly used technique to blend into expected traffic [2] [3].
Figure 1: Initial connectivity observed to the rare external hostname, zoom[.]uswebob[.]us · 148.72.73[.]98, over port 443.
This was followed roughly seven later by a connection to 104.145.210[.]107 over port 8443, during which approximately 250 KiB of data of inbound data and 30 MiB of outbound data was observed, triggering the ‘Unusual Activity / Unusual External Data to New Endpoint’ in Darktrace.
Quickly after this connection, Darktrace’s Autonomous Response intervened, blocking the device’s access to the unusual external location and halting the data exfiltration attempt.
Figure 2: Darktrace’s detection of unusual data exfiltration, shortly followed by an Autonomous Response action to block it.
The device continued to consistently trigger model alerts relating to unusual external connectivity, including 'Posting HTTP to IP Without Hostname', 'Anomalous Connection / Rare External SSL Self-Signed' alerts, until well after 3 PM that day.
Figure 3: Additional external connectivity to new IP without a hostname, including connectivity to 83.136.208[.]246, alongside an anomalous ‘curl/8.7.1’ user agent and ‘/api/daemon’ URI.
Figure 4: Continued external SSL connectivity to IP 83.136.208[.]48, including connectivity to 83.136.208[.]246, alongside an anomalous ‘curl/8.7.1’ user agent and ‘/api/daemon’ URI.
Figure 5: Continued external HTTP connectivity to hostname, check02id[.]com · 83.136.210[.]180, alongside an anomalous ‘Go-http-client/1,1’ user agent.
From March 13 to March 28, the device continued exhibit unusual connectivity to various endpoints (e.g., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180), with the 'Multiple HTTP POSTs to Rare Hostname' model consistently triggering.
Windows OS Case
Pivoting over to an additional device, this time running Windows OS, anomalous behavior was also observed between March 30 and April 20. Notably, on March 30, the device was observed making a large number of suspicious external connection attempts to 83.136.208[.]246 over port 6783, all of which failed.
A further indicator was observed on April 1 with PowerShell connectivity to the same rare endpoint (83.136.208[.]246, port 6783), using the URI '/api/daemon' and the user agent 'Mozilla/5.0 (Windows NT; Windows NT 10.0; fr-FR) WindowsPowerShell/5.1.26100.7920'. Additional alerts included 'New User Agent to IP Without Hostname' and 'Anomalous Github Download', alongside activity involving the same endpoint.
Figure 6 : ‘Anomalous Powershell to Rare External Destination’ and ‘Github Download’ model alerts. This behavior involved connectivity with the endpoints ‘83.136.208[.]246’ and ‘github[.]com’.
The device continued triggering 'Posting HTTP to IP Without Hostname' & 'PowerShell to External Rare' alerts between April 4 and April 20 across multiple related endpoints (i.e., 83.136.208[.]48, 83.136.208[.]246, check02id[.]com · 83.136.210[.]180).
Darktrace’s Autonomous Response capability was able to block suspicious PowerShell attempts to unusual external locations, as shown below in an example from April 20.
Figure 7: Autonomous Response intervening to block an unusual PowerShell connection to an external destination.
Cyber AI Analyst investigations
In higher-confidence instances, Darktrace’s Cyber AI Analyst investigations helped connect otherwise separate model alerts into a single incident narrative, highlighting the attacker’s progression from post-execution scripting into sustained outbound signaling. This contextual stitching is particularly valuable in macOS scenarios where static artefacts are limited, and behavioral sequencing defines the intrusion.
Cyber AI Analyst investigations highlighted alerts on March 12, including unusual repeated connections and possible SSL command-and-control (C2) to multiple endpoints:
Figure 8: Cyber AI Analyst investigation linking events into a unified incident.
Autonomous Response
In addition to the containment actions detailed earlier, Autonomous Response implemented multiple additional measures to contain suspicious activity throughout the course of this attack. Whenever unusual external connectivity was detected, Darktrace blocked it, closing down potential C2 channels. Likewise, when data exfiltration attempts were identified, these connections were stopped to prevent the potential loss of sensitive data.
Figure 9: Autonomous Response actions implemented by Darktrace in response to suspicious connectivity in mid-March.
Furthermore, in cases where a device was deemed to have carried out a significant number of anomalous activities, Darktrace enforced a “pattern of life” on the device, preventing it from deviating from its expected behavior while allowing legitimate business operations to continue uninterrupted.
Figure 10: Autonomous Response actions implemented by Darktrace in response to suspicious connectivity in April, including the “Enforce Pattern of Life” action.
Conclusion
macOS intrusion tradecraft continues to shift toward native tooling and lightweight control channels designed to evade signature-led controls.
The repeated convergence of rare destinations, POST-based signaling, and anomalous client behavior — observed across time and across devices — provided sufficient evidence to act early and with confidence.
As macOS tradecraft continues to evolve, the defender advantage increasingly lies not in signatures, but in the ability to reason from behavior.
Credit to Justin Torres (Senior Cyber Analyst), Nathaniel Jones (VP, Security & AI Strategy, FCISO)
Edited by Ryan Traill (Content Manager)
Appendices
Darktrace Model Alert Coverage:
/ NETWORK-based model alerts:
· Anomalous Connection::Multiple HTTP POSTs to Rare Hostname
.jpg)
![Initial connectivity observed to the rare external hostname, zoom[.]uswebob[.]us · 148.72.73[.]98, over port 443.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6a3c241a851b82605cdf62fb_Screenshot%202026-06-24%20at%2011.38.14%E2%80%AFAM.png)
