Darktrace / Forensic Acquisition & Investigation automates cloud forensic analysis, enabling rapid investigation of compromised servers via Cloudypots honeypot data. It reveals attacker activity, highlights key events, decodes malicious payloads, and identifies malware campaigns like perfctl, helping defenders accelerate triage and understand cloud-based intrusion techniques.

This blog breaks down how attackers rapidly weaponized the React2Shell vulnerability, with a particular focus on cloud‑native financial environments. Drawing on Darktrace’s honeypot research, it explores emerging threat actor tooling, exploitation timelines, and why behavioral‑anomaly‑led security is critical in today’s cloud landscape.

Cloud security has focused heavily on prevention, posture, and configuration. Real attacks don’t happen there. They unfold at runtime, across live workloads and identities, where visibility is limited and evidence disappears fast. This blog covers why runtime is the most critical layer to secure, how attackers exploit dynamic cloud behavior, and why posture-based tools alone.

Generative AI services like Amazon Bedrock are introducing new risks around access, visibility, and data exposure. This blog explores how Darktrace / CLOUD helps prevent these incidents through deep configuration visibility, privilege analysis, misconfiguration detection, and behavioral anomaly monitoring across Bedrock and SageMaker environments.

Following the announcement of Darktrace / Forensic Acquisition & Investigation, we’re excited to share how Darktrace / CLOUD is evolving to deliver a truly unified approach to cloud security. For the first time, security teams can detect novel cloud threats in real time, automatically investigate them with forensic depth, and respond decisively — all within a single solution built for hybrid and multi-cloud environments.

The launch of Darktrace / Forensic Acquisition & Investigation marks a breakthrough moment for cloud security, bringing automated forensic investigations — once reserved for the largest organizations and specialized DFIR teams — to security teams of every size.

Cloud has changed everything, but investigations haven’t kept up. With breaches hitting cloud data and attackers moving faster than ever, legacy forensics are too slow, too manual, and too fragmented. It’s time for a cloud-first approach: automated, unified, and built for today’s speed of attack.

Darktrace identified anomalous activity within its customer base linked to a supply chain attack exploiting Salesloft integrations in August 2025. Learn about the campaign and how Darktrace detects and responds to such threats using AI-driven threat detection and Autonomous Response capabilities.

The importance of cloud investigation and incident response are compounded by an expanded attack surface in the cloud, lack of advanced tooling to upskill teams, and increasing regulatory pressure from compliance regulations. This blog dives into these challenges and explores potential solutions for security teams attempting to secure their cloud environment

 Most cloud environments struggle to strike the right balance between security and accessibility. This blog breaks down why traditional approaches to cloud forensics often fail and outlines practical, security-first strategies to solve the access dilemma. You’ll learn how to enable effective investigations without over-permissioning your environment.

This blog walks through an example of how Darktrace’s CDR and automated cloud forensics capabilities automate cloud detection, and deep forensic investigation in a way that’s fast, scalable, and deeply insightful.

Learn how Darktrace helps bridge the DFIR skills gap with user-friendly, cloud-native forensic tools that streamline investigations across complex, multi-cloud environments.

This blog covers the five core capabilities that security teams should consider when evaluating a cloud forensics and incident response solution.

Darktrace’s latest research reveals that an evolving social engineering campaign continues to target cryptocurrency users through fake startup companies. These malicious operations impersonate AI, gaming, and Web3 firms using spoofed social media accounts and project documentation hosted on legitimate platforms like Notion and GitHub.

The biggest sources of risk in the cloud are misconfigurations, IAM failures, and infrastructure that is unprepared to handle cross-domain threats. Learn how AI-powered cloud security tools can help security teams identify and mitigate these risks.

While many internal teams contribute to general cloud hygiene, the security team has increasingly taken the lead on cloud security. Learn how AI-powered cloud detection and response tools can help these teams with new responsibilities.

This blog highlights how vulnerability data, collected using Cado's new vulnerability discovery feature, can be fused with threat data to help deepen the understanding of an attack, as well as guide remediation efforts.

Cado Security Labs (now part of Darktrace) identified Triton RAT, a Python-based open-source tool controlled via Telegram.

Cado Security Labs discovered a new cryptomining campaign exploiting exposed Jupyter Notebooks on Windows and Linux. The attack deploys UPX-packed binaries that decrypt and execute a cryptominer, targeting various cryptocurrencies.

Darktrace / CLOUD combines with Cado’s automated forensics capture to achieve rapid containment and deep investigative capabilities. Learn more about accelerating MTTR here.

Cado Security Labs (now part of Darktrace) identified a malware campaign targeting the Royal Thai Police, attributed to Chinese APT group Mustang Panda. The campaign uses a disguised LNK file and PDF decoy to deliver the Yokai backdoor.

This blog details a simulation of a ransomware attack that bypassed EDR, simulated via a ClickFix social engineering technique. The attack used an obfuscated HTML and custom C++ binary to encrypt files and establish a reverse shell. Cado's forensic platform then demonstrated how to trace the attack chain, highlighting the need for robust DFIR beyond EDR.

This blog dives into the strengths and limitations of CNAPP, explaining how a CDR solution can enhance cloud security to identify and mitigate cross-domain threats.

Cloud security solutions can be deployed with agentless or agent-based approaches or use a combination of methods. Organizations must weigh which method applies best to the assets and data the tool will protect.

Cado Security Labs (now part of Darktrace) identified two new campaigns exploiting misconfigured Selenium Grid instances for cryptomining and proxyjacking. Attackers injected scripts to deploy reverse shells, IPRoyal Pawn, EarnFM, TraffMonetizer, and WatchTower for proxyjacking, and a Golang binary to install a cryptominer. These attacks highlight the critical need for Selenium Grid users to enable authentication.

In the coming years, cloud security will not only need to adapt to increasingly complex environments as ecosystems become more distributed, but also to rapidly evolving threats like supply chain attacks, advanced misconfiguration exploits, and credential theft. AI-powered cloud security tools can help security teams keep up.

This blog highlights how Darktrace / CLOUD leverages self-learning AI to tackle critical cloud security challenges—such as misconfigurations, hybrid environment complexity, securing productivity suites, and agent fatigue—by providing unified visibility, intelligent monitoring, and real-time threat response to empower organizations with proactive protection.

This blog announces the general availability of Microsoft Azure support for Darktrace / CLOUD, enabling real-time cloud detection and response across dynamic multi-cloud environments. Read more to discover how Darktrace is pioneering AI-led real-time cloud detection and response.

Cado Security (now part of Darktrace) analyzed "Cthulhu Stealer," a macOS malware-as-a-service written in Go. It impersonates legitimate software, prompts for user and MetaMask passwords, and steals credentials, cryptocurrency wallets, and game accounts. Functionally similar to Atomic Stealer, Cthulhu was rented via an underground marketplace, but its operators faced complaints and a ban for alleged exit scamming.

Cado researchers detected a typosquatting domain mimicking their corporate site, part of a broader campaign targeting tech companies. The malicious domain redirected to the legitimate one, and an accompanying fake X (Twitter) account was created. Cado took swift action, informing staff, blocking emails, and reporting the domain for suspension.

As cloud adoption surges, the need for scalable, cloud-native security is paramount. This blog explores whether Cloud Detection and Response (CDR) is merely Network Detection and Response (NDR) tailored for the cloud, highlighting the unique challenges and essential solutions SOC teams require to secure dynamic cloud environments effectively.

Cado Security (now a part of Darktrace) found attackers are abusing Cloudflare's WARP service, a free VPN, to launch attacks. WARP traffic often bypasses firewalls due to Cloudflare's trusted status, making it harder to detect. Campaigns like "SSWW" cryptojacking and SSH brute-forcing exploit this trust, highlighting a significant security risk for organizations.

Cado Security Labs identified a GuLoader campaign targeting European industrial companies via spearphishing emails with compressed batch files. This malware uses obfuscated PowerShell scripts and shellcode with anti-debugging techniques to establish persistence and inject into legitimate processes, to deliver Remote Access Trojans. GuLoader's ongoing evolution highlights the need for robust security.

P2Pinfect, a sophisticated Rust-based malware, has evolved from a dormant spreading botnet to actively deploying ransomware and a cryptominer, primarily infecting Redis servers and using a P2P C2. The updated version includes a user-mode rootkit, but its ransomware impact is limited by the low privileges often associated with Redis.

Cado Security Labs (now part of Darktrace) identified a "Meeten" campaign deploying a cross-platform (macOS/Windows) infostealer called Realst. Threat actors create fake Web3 companies with AI-generated content and social media to trick targets into downloading malicious meeting applications.

Cado Security labs researchers (now part of Darktrace) encountered a Linux malware campaign, "Spinning YARN," that targets Docker, Apache Hadoop, Redis, and Confluence. This campaign exploits vulnerabilities in these widely used platforms to gain access.

This blog discusses why companies use third-party data management for efficiency, global access, collaboration, and reliability, while also addressing security risks associated and best practices with third-party data management.

Understand the evolution of cloud-based attacks and the increasing use of alternative methods for initial access in cyber threats.

Cerber ransomware's Linux variant is actively exploiting CVE-2023-22518 in Confluence servers. It uses three UPX-packed C++ payloads: a primary stager, a log checker for environment assessment, and an encryptor that renames files with a .L0CK3D extension.

Cado Security Labs (now part of Darktrace) identified a Docusign spearphishing campaign targeting tech executives. Attackers use compromised Japanese business emails and malicious links redirecting to credential-stealing sites. The campaign leverages obfuscated JavaScript to mimic legitimate login pages, aiming to steal credentials for further attacks like BEC scams.

Discover cloud migration insights, security challenges, best practices, and Darktrace's unique approach to enhancing cloud visibility and risk management.

Explore strategies, services, and risks associated with mastering cloud migration. Learn more here about hybrid cloud model, benefits, and migration phases.

Migo is a cryptojacking campaign targeting Redis servers, that uses novel system-weakening techniques for initial access. It deploys a Golang ELF binary for cryptocurrency mining, which employs compile-time obfuscation and achieves persistence on Linux hosts. Migo also utilizes a modified user-mode rootkit to hide its processes and on-disk artifacts, complicating analysis and forensics.

Cado Security Labs uncovered a new campaign targeting vulnerable Docker services. Attackers deploy XMRig miners and the 9hits viewer application to generate credits. This campaign highlights attackers' evolving monetization strategies and the ongoing vulnerability of exposed Docker hosts.

"Commando Cat" is a novel cryptojacking campaign exploiting exposed Docker API endpoints. This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives.

OracleIV is a DDoS botnet exploiting misconfigured Docker Engine APIs. It delivers a malicious Python ELF executable within a Docker container ("oracleiv_latest") to perform various DoS attacks. The botnet communicates with a C2 server for commands, demonstrating attackers' continued use of exposed Docker instances.

AI that learns each unique cloud environment gives real-time visibility, contextual threat detection, and truly autonomous, cloud-native response — overcoming blind spots and limits of agentless or agent-based tools.

Qubitstrike is an emerging cryptojacking campaign primarily targeting exposed Jupyter Notebooks that exfiltrates cloud credentials, mines XMRig, and employs persistence mechanisms. The malware utilizes Discord for C2, displaying compromised host information and enabling command execution, file transfer, and process hiding via the Diamorphine rootkit.

Cado researchers (now part of Darktrace) identified a campaign by the threat actor Diicot, focusing on SSH brute-forcing and cryptojacking. Diicot utilizes custom tools, modified packers, and Discord for C2, and has expanded its capabilities to include doxxing and DDoS attacks via a Mirai-based botnet.

Darktrace integrates AI with Amazon Security Lake for enhanced security investigations & threat detection. Learn how this collaboration benefits security teams.

Cado Labs (now part of Darktrace) discovered an updated version of the Legion hacktool. This new iteration has enhanced capabilities, including SSH abuse and exploiting additional AWS services like DynamoDB, CloudWatch, and AWS Owl, by harvesting credentials from misconfigured web servers.

Cado Security Labs researchers (now part of Darktrace) encountered Legion, an emerging Python-based credential harvester and hacktool. Legion exploits various services for the purpose of email abuse.

A new P2Pinfect variant compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture has been discovered. This demonstrates increased targeting of routers, Internet of Things (IoT) and other embedded devices by those behind P2Pinfect.

Darktrace highlights a handful of data theft incidents on shared cloud platforms, showing that cloud computing can be a vulnerable place for modern extortion.