Discover how a new botnet is utilizing IoT drawing pads for reflection attacks. Stay informed on evolving cyber security threats with Darktrace experts.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Fier
SVP, Red Team Operations
Share
29
Oct 2017
Earlier this year, Darktrace detected a new botnet engaged in a large-scale reflection and amplification attack targeting organizations around the world, including several governmental bodies. This attack is more pertinent than ever in light of potentially new, bigger, and more sophisticated IoT hacks, in the likes of the recently reported ‘Reaper Botnet’, we can increasingly expect to see in 2018.
This new type of botnet we detected earlier this year wasn’t using desktop computers to power its attacks – like Srizbi did when it was sending out 60 billion spam emails per day – and its methodology was distinct from Mirai – which uses DRVs and routers to generate DNS DDoS attacks with speeds of up to 1Tbps.
Instead, this new botnet was commandeering an unlikely assortment of devices made up of, among other things, IoT drawing pads. It contained far fewer devices than typical botnets, but through reflection and amplification techniques using SNMP, it was attempting to launch a powerful denial-of-service attack.
The threat began in a familiar fashion. An architectural firm introduced smart drawing into their network pads without alerting the IT team, and their internal security controls had no way of identifying the vulnerable devices. As such, the devices’ user credentials were never changed from the factory defaults.
Those credentials, along with their public string for SNMP authentication, were publicly available on Shodan, which also revealed that the devices had open ports for HTTP, HTTPS, Telnet, and SIP.
Darktrace detected the vulnerability when hundreds of external IP addresses from around the world made several thousand of SNMP connections to the devices over UDP port 161. Over 99 percent of these connections contained at least one “GetBulkRequest”, an SNMP operation used for the retrieval of large amounts of data.
In response to these requests, the devices issued an exponentially larger number of replies via “GetResponse”, some of which contained as many as 397,000 “GetResponse” objects. In 64 cases, the devices uploaded over 1MB of data.
A sample of this SNMP activity as observed by Darktrace’s AI algorithms:
Figure 1: Anomalous SNMP connections – the request and response are presented as two separate SNMP connections, but we can treat them as the same connection.
Normal network activity for these devices involved very occasional use of “GetBulkRequests” and “GetResponses.” Therefore, these spikes in activity were deemed highly anomalous by Darktrace’s AI algorithms, which had built a deep understanding of normal activity for the devices. By detecting the threat in real time, the security team discovered the threat while it was still in its early stages, and Darktrace’s network visibility provided detailed analytics on the incident.
Figure 2: The number of inbound connections on port 161 to one of the devices on port 161 is shown in orange. External data transfer from port 161 are shown in green. Time, top left, is x-axis value at right-hand origin.
The use of SNMP version 2c and “GetBulkRequests” were telltale signs of a reflection and amplification attack, which use scant resources to generate large attacks. All told, 273.2MiB left the devices on port 161.
The external data transfers on port 80 indicated that the attack went even further, as numerous external devices were attempting to access the devices’ HTTP resources, many of which were administrative PHP files.
A sample of resources that external devices attempted to access via HTTP:
Figure 3: The total outbound data from port 161 over the reporting period
Finally, Shodan also revealed that the devices were running an accessible SIP server on port 5060. Packet analysis showed that external devices “dialed” the devices and attempted to place a VoIP – strange behavior on the attacker’s part that remains unexplained.
Figure 4: VoIP call attempts via open SIP protocol
The target IP addresses were likely spoofed. By sending hundreds of “GetBulkRequests” from the spoofed IPs of the target networks, the IoT drawing pads were forced to send back more than 100 times the number of “GetResponses.” This is testament to the power of reflection and amplification attacks. It’s unclear what other devices were used in this attack, but even a small number of IoT devices at the architectural firm were able to generate an alarming amount of traffic.
The target IPs belonged to websites owned by entertainment and design companies, and even governmental bodies. By reporting on the anomalous SNMP requests as soon as they began, the firm’s security team was able to take the drawing pads offline before damage was done.
Had the attack succeeded in sabotaging the target networks, the firm could have been subject to legal action. The company revamped their security policies and made strides to secure all the IoT devices on their network to minimize risk of future incidents.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
In today's threat landscape, blending in to normal activity is the key to success for attackers and the growing reliance on residential proxies shows a significant shift in how threat actors are attempting to bypass IP detection tools.
The increasing dependency on residential proxies has exposed how prevalent proxy services are and how reliant a diverse range of threat actors are on them. From cybercriminal groups to state‑sponsored actors, the need to bypass IP detection tools is fundamental to the success of these groups. One malware that has quietly become notorious for its ability to avoid anomaly detection is GhostSocks, a malware that turns compromised devices into residential proxies.
What is GhostSocks?
Originally marketed on the Russian underground forum xss[.]is as a Malware‑as‑a‑Service (MaaS), GhostSocks enables threat actors to turn compromised devices into residential proxies, leveraging the victim's internet bandwidth to route malicious traffic through it.
How does Ghostsocks malware work?
The malware offers the threat actor a “clean” IP address, making it look like it is coming from a household user. This enables the bypassing of geographic restrictions and IP detection tools, a perfect tool for avoiding anomaly detection. It wasn’t until 2024, when a partnership was announced with the infamous information stealer Lumma Stealer, that GhostSocks surged into widespread adoption and alluded to who may be the author of the proxy malware.
Written in GoLang, GhostSocks utilizes the SOCKS5 proxy protocol, creating a SOCKS5 connection on infected devices. It uses a relay‑based C2 implementation, where an intermediary server sits in between the real command-and-control (C2) server and the infected device.
How does Ghostsocks malware evade detection?
To further increase evasion, the Ghostsocks malware wraps its SOCKS5 tunnels in TLS encryption, allowing its malicious traffic to blend into normal network traffic.
Early variants of GhostSocks do not implement a persistence mechanism; however, later versions achieve persistence via registry run keys, ensuring sustained proxy operational time [1].
While proxying is its primary purpose, GhostSocks also incorporates backdoor functionality, enabling malicious actors to run arbitrary commands and download and deploy additional malicious payloads. This was evident with the well‑known ransomware group Black Basta, which reportedly used GhostSocks as a way of maintaining long‑term access to victims’ networks [1].
Darktrace’s detection of GhostSocks Malware
Darktrace observed a steady increase in GhostSocks activity across its customer base from late 2025, with its Threat Research team identifying multiple incidents involving the malware. In one notable case from December 2025, Darktrace detected GhostSocks operating alongside Lumma Stealer, reinforcing that the partnership between Lumma and GhostSocks remains active despite recent attempts to disrupt Lumma’s infrastructure.
Darktrace’s first detection of GhostSocks‑related activity came when a device on the network of a customer in the education sector began making connections to an endpoint with a suspicious self‑signed certificate that had never been seen on the network before.
The endpoint in question, 159.89.46[.]92 with the hostname retreaw[.]click, has been flagged by multiple open‑source intelligence (OSINT) sources as being associated with Lumma Stealer’s C2 infrastructure [2], indicating its likely role in the delivery of malicious payloads.
Figure 1: Darktrace’s detection of suspicious SSL connections to retreaw[.]click, indicating an attempted link to Lumma C2 infrastructure.
Less than two minutes later, Darktrace observed the same device downloading the executable (.exe) file “Renewable.exe” from the IP 86.54.24[.]29, which Darktrace recognized as 100% rare for this network.
Figure 2: Darktrace’s detection of a device downloading the unusual executable file “Renewable.exe”.
Both the file MD5 hash and the executable itself have been identified by multiple OSINT vendors as being associated with the GhostSocks malware [3], with the executable likely the backdoor component of the GhostSocks malware, facilitating the distribution of additional malicious payloads [4].
Following this detection, Darktrace’s Autonomous Response capability recommended a blocking action for the device in an early attempt to stop the malicious file download. In this instance, Darktrace was configured in Human Confirmation Mode, meaning the customer’s security team was required to manually apply any mitigative response actions. Had Autonomous Response been fully enabled at the time of the attack, the connections to 86.54.24[.]29 would have been blocked, rendering the malware ineffective at reaching its C2 infrastructure and halting any further malicious communication.
Figure 3: Darktrace’s Autonomous Response capability suggesting blocking the suspicious connections to the unusual endpoint from which the malicious executable was downloaded.
As the attack was able to progress, two days later the device was detected downloading additional payloads from the endpoint www.lbfs[.]site (23.106.58[.]48), including “Setup.exe”, “,.exe”, and “/vp6c63yoz.exe”.
Figure 4: Darktrace’s detection of a malicious payload being downloaded from the endpoint www.lbfs[.]site.
Once again, Darktrace recognized the anomalous nature of these downloads and suggested that a “group pattern of life” be enforced on the offending device in an attempt to contain the activity. By enforcing a pattern of life on a device, Darktrace restricts its activity to connections and behaviors similar to those performed by peer devices within the same group, while still allowing it to carry out its expected activity, effectively preventing deviations indicative of compromise while minimizing disruption. As mentioned earlier, these mitigative actions required manual implementation, so the activity was able to continue. Darktrace proceeded to suggest further actions to contain subsequent malicious downloads, including an attempt to block all outbound traffic to stop the attack from progressing.
Figure 5: An overview of download activity and the Autonomous Response actions recommended by Darktrace to block the downloads.
Around the same time, a third executable download was detected, this time from the hostname hxxp[://]d2ihv8ymzp14lr.cloudfront.net/2021-08-19/udppump[.]exe, along with the file “udppump.exe”.While GhostSocks may have been present only to facilitate the delivery of additional payloads, there is no indication that these CloudFront endpoints or files are functionally linked to GhostSocks. Rather, the evidence points to broader malicious file‑download activity.
Shortly after the multiple executable files had been downloaded, Darktrace observed the device initiating a series of repeated successful connections to several rare external endpoints, behavior consistent with early-stage C2 beaconing activity.
Cyber AI Analyst’s investigation
Figure 7: Darktrace’s detection of additional malicious file downloads from malicious CloudFront endpoints.
Throughout the course of this attack, Darktrace’s Cyber AI Analyst carried out its own autonomous investigation, piecing together seemingly separate events into one wider incident encompassing the first suspicious downloads beginning on December 4, the unusual connectivity to many suspicious IPs that followed, and the successful beaconing activity observed two days later. By analyzing these events in real-time and viewing them as part of the bigger picture, Cyber AI Analyst was able to construct an in‑depth breakdown of the attack to aid the customer’s investigation and remediation efforts.
Figure 8: Cyber AI Analyst investigation detailing the sequence of events on the compromised device, highlighting its extensive connectivity to rare endpoints, the related malicious file‑download activity, and finally the emergence of C2 beaconing behavior.
Conclusion
The versatility offered by GhostSocks is far from new, but its ability to convert compromised devices into residential proxy nodes, while enabling long‑term, covert network access—illustrates how threat actors continue to maximise the value of their victims’ infrastructure. Its growing popularity, coupled with its ongoing partnership with Lumma, demonstrates that infrastructure takedowns alone are insufficient; as long as threat actors remain committed to maintaining anonymity and can rapidly rebuild their ecosystems, related malware activity is likely to persist in some form.
Credit to Isabel Evans (Cyber Analyst), Gernice Lee (Associate Principal Analyst & Regional Consultancy Lead – APJ) Edited by Ryan Traill (Content Manager)
Associate Principal Analyst & Regional Consultancy Lead
Blog
/
Email
/
March 24, 2026
Darktrace Unites Human Behavior and Threat Detection Across Email, Slack, Teams, and Zoom
The communication attack surface is expanding
Modern attackers no longer focus solely on inboxes, they target people and the productivity systems where work actually happens. Meanwhile, the boundary between internal and external usage of tools is becoming blurrier everyday – turning the entire workplace into the attack surface. In 2025, identity compromise emerged as the single most consistent threat across the global threat landscape, as observed by Darktrace research across our entire customer base. Over 70% of incidents in the US involved SaaS/M365 account compromise and phishing or email-based social engineering, making credential abuse the single most effective initial access vector.
Despite this upward trend, investment in existing security awareness training (SAT) isn’t moving the needle on reducing risk. 84% of organizations still measure success through completion rates1, even though completion of standard training correlates with less than 2% real improvement in risky behavior.2 By prioritizing completion, organizations reward time spent rather than meaningful engagement, yet time in training doesn’t translate to retention or real-world decision-making. This compliance-first approach has left the workforce unprepared for the threats they actually face.
At the same time, attacks have evolved. Highly personalized, AI-generated campaigns now move fluidly across email, Slack, Teams, Zoom, and beyond, blending channels and even targeting systems directly through techniques like prompt injection. This new reality demands a different approach: one that treats people and the tools they use as a single ecosystem, where behavior and detection continuously inform and strengthen each other.
Only an adaptive communication security system can keep pace with the speed, creativity, and cross channel nature of today’s threats.
Ushering in the adaptive era of workplace security
With this release, Darktrace brings together our new behavior-driven training solution with email detection, cross-channel visibility, and platform-level insights. Powered by Self-Learning AI, it delivers protection across both people and the communication tools they rely on every day, including email, Slack, Teams, and Zoom.
Each component learns from the others – training adapts to real user behavior, detection evolves across channels, and response is continuously refined – creating a powerful feedback loop that strengthens resilience and improves accuracy against today’s AI-driven threats.
Introducing: Unified training and email security for a self-improving email defense
Our brand new product, Darktrace / Adaptive Human Defense, closes the gap between human behavior and email security to continuously strengthen both people and defenses. Each user receives personalized training that adapts to their own inbox activity and skill level, with learning delivered directly within the flow of their day-to-day email interactions.
By learning from each user’s interactions with security training, it adapts security responses, creating a closed-loop system where training reinforces detection and detection informs training. Let’s look at some of the benefits.
Reduce successful phishing at the source with contextual Just in Time coaching: Contextual coaching appears directly in real email threads the moment risky behavior is detected, so habits change where mistakes actually happen. Configurable triggers and group policies target the right users, reducing repeated errors and administrative overhead.
Adaptive phishing simulations that progress automatically with each user: Embedded simulations vary in their degree of realism, from generic phishing to generative AI-enabled spear phishing. Users progress through the difficulty levels based on their performance to give an accurate picture of their phishing preparedness.
Native email security integration turns human behavior into quantified risk: The native email security integration allows engagement, links clicked, and question success signals to flow back into / EMAIL recipes and models, so detection and response adapt automatically as users learn.
Actionable risk and trend analytics beyond completion rates: Analytics that surface repeat offenders, high-value targets, and measurable exposure, moving beyond completion metrics to give leaders actionable insights tied to real behavior.
Industry-first cross-channel full-message analysis for email, Slack, Teams, and Zoom
Darktrace now brings full-message analysis to Email, Slack, Teams, Zoom, and even generative AI prompts. The same leading behavioral analysis from EMAIL extends to every message, tracing intent, tone, relationships, and conversation flow across all communication activity for a complete understanding of every user interaction.
By correlating messaging and collaboration activity with email and account environments, cross-channel analysis reveals multi-domain attack paths and follows both users and threats as a single, continuous narrative – delivering better context to improve detection across the entire organization.
Eliminate cross-channel blind spots: Detect phishing, malware, account takeovers, and conversational manipulation across email and collaboration platforms, so attackers can’t exploit Slack, Teams, or Zoom as a new entry point. Unified behavioral analysis gives security teams a coherent, single view, for no more fragmented, channel-specific gaps.
Spot generative AI prompt injection attacks before they manipulate assistants: Dedicated models surface threats targeting corporate AI assistants – like ShadowLeak and Hashjack – before they can silently manipulate workflows, reducing risk before static filters catch up.
Industry-first DMARC with bi-directional ASM and email security integration
Darktrace transforms domain protection by linking DMARC, attack surface intelligence, and email security into a single, continuously evolving workflow. Instead of treating domain authentication and exposure as separate tasks, this unified approach shows not just where domains are vulnerable, but how attackers are actively exploiting them.
Fix authentication weaknesses faster: SPF, DKIM, DMARC configurations, and external exposure data are analyzed together, giving teams clear guidance to correct weaknesses before they can be abused. Deep bidirectional integration with attack surface intelligence reduces impersonation risk at the source.
Accelerate email investigations: DMARC context is embedded directly into email workflows, enriching triage with authentication posture, internal/external sender lists, and seamless pivots between email and domain intelligence for faster, more accurate investigations.
Committed to innovation
These updates are part of a broader Darktrace release, which also includes:
Innovations in cloud security with continuous Kubernetes posture management, as well as native integrations with Proactive Exposure Management (PEM) and Attack Surface Management (ASM).
Innovations to Darktrace / Forensic Acquisition & Investigation, including faster cloud incident investigations, automated and on-demand forensic data capture across hybrid environments, and open forensic coverage for third-party endpoint and XDR ecosystems.
Innovations in OT security, including Operational Overview Architecture diagrams, Operational Overview reporting, expanded ICS & IoMT device classification, and expanded OT & IIoT Protocol Coverage.
Join us for an exclusive announcement event where Darktrace, the leader in AI-native cybersecurity, will be announcing our latest innovations, including a demo of our new product / Adaptive Human Defense, an exclusive conversation with a Darktrace customer, and a deep dive into the Darktrace ActiveAI Security Portal.
[1] 84% of organizations still measure security awareness training success through completion rates, a vanity metric with no correlation to behavior change. (Source: NIST Awareness Effectiveness Study, Forrester 2025)
[2] 'Limited benefit from embedded phishing training. Using randomized controlled trials and statistical modeling, embedded training provides a statistically-significant reduction in average failure rate, but of only 2%.' Ho, G., Mirian, A., Luo, E., Tong, K., Lee, E., Liu, L., Longhurst, C. A., Dameff, C., Savage, S., & Voelker, G. M. (2025). Understanding the Efficacy of Phishing Training in Practice. Proceedings of the 2025 IEEE Symposium on Security and Privacy.
![Darktrace’s detection of suspicious SSL connections to retreaw[.]click, indicating an attempted link to Lumma C2 infrastructure.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69c5739b43fdfed6f1b02053_Screenshot%202026-03-26%20at%2010.57.44%E2%80%AFAM.png)
![Darktrace’s detection of a malicious payload being downloaded from the endpoint www.lbfs[.]site.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69c57465977a5ae3f07c6d69_Screenshot%202026-03-26%20at%2011.01.05%E2%80%AFAM.png)
