Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Tony Jarvis
VP, Field CISO
Share
22
Mar 2022
In the lead-up to the 2020 US election, Microsoft and its partners attempted to bring down the pernicious Trickbot malware and reduce election tampering attempts. These efforts were successful, to an extent: the takedown effectively eliminated 94% of Trickbot’s infrastructure and massively reduced its influence in late 2020.
Malware rarely stays dead, however. We discussed previously how the arrests which followed REvil’s widespread attacks in 2021 have done little to disrupt that group’s Ransomware-as-a-Service operation, and how Ryuk ransomware fell into new hands after being abandoned by its creators.
Trickbot has seen a resurrection of even greater proportions. By June 2021, when Darktrace detected a Trickbot intrusion in one of its customer environments, the malware was far from a forgotten, ineffectual strain. It had instead become the most prevalent malware in the world.
It was only due to a last-minute activation of Darktrace’s Autonomous Response that this customer was able to avoid falling victim to a successful ransomware attack. Because it can take action at any stage of an attack, Autonomous Response could interrupt Trickbot even after it had taken root within the digital environment, and successfully prevent the execution of ransomware.
Trickbot takes root
The intrusion took place at a public administration organization in the EMEA region. Prior to Darktrace’s deployment, a single internal domain controller had been compromised by Trickbot, which then lay dormant for at least a month. By the time the malware began to take action, however, Darktrace’s AI had been deployed. Despite entering a compromised environment, the AI was able to differentiate between benign and malicious activity and immediately detect the threat, though at this point Autonomous Response was configured to not take any action without human confirmation.
Darktrace detected the compromised domain controller uploading a malicious DLL file – very likely Trickbot itself – to approximately 280 devices in the organization over SMB, and then using Windows Management Instrumentation (WMI) to configure and execute it. Despite Trickbot’s age and infamy, tools dependent on threat intelligence remained silent at this stage.
Figure 1: Timeline of the attack
How attackers resurrected Trickbot
Trickbot’s modular nature makes it a perfect gateway for a host of criminal activities, and keeps the malware itself adaptable and therefore hard to defend against. The action coordinated by Microsoft successfully took down the known IP addresses of multiple Trickbot command and control (C2) servers and temporarily prevented Trickbot operators from purchasing or leasing new ones. But it did not take long for the Trickbot infrastructure to be rebuilt, and in May and June of 2021 it was again deemed the most prevalent malware in a Global Threat Index.
Trickbot’s ability to evolve and circumvent existing OSINT was demonstrated in this attack, as Darktrace noticed 160 of the 280 compromised devices it had detected beginning to connect to a host of new C2 endpoints. None of these had OSINT associating them with malicious activity, but Darktrace considered the activity highly unusual in the context of previous behavior, and the security team were notified of this potential high-severity incident via a Proactive Threat Notification (PTN).
The attackers laid low for over a month, before the compromised devices were detected downloading masqueraded executable files and conducting anomalous scanning activity. These files were likely Ryuk ransomware payloads. By spacing out these stages of the attack, the threat actors made it harder for human teams to connect the dots and reveal the full scope of the threat.
Darktrace’s Cyber AI Analyst, which investigates and triages threats across entire digital environments, was able to piece these disparate events into a single attack narrative, however, and deliver a further PTN. Due to the severity of the situation, the customer submitted to Darktrace’s Ask the Expert (ATE) service to receive assistance with their threat response.
Figure 2: Cyber AI Analyst investigates suspicious executable files being spread to multiple internal devices
Autonomous Response shuts down a late-stage attack
Having understood the scale of the threat they now faced, the team activated Autonomous Response to take autonomous action to contain the threat. If Autonomous Response had been in place from the beginning, it would have stopped this attack in its earliest stages, while it was restricted to a single compromised domain controller. Crucially, however, Autonomous Response can take action at any stage of a ransomware attack.
Even at this late stage, it was able to halt the attackers and prevent Ryuk from being executed on the network. The AI blocked a chain of malicious activities including SMB enumeration, networking scanning, and suspicious outbound connections in seconds, disrupting the attack while enforcing normal business operations to ensure that the rest of the company’s work could continue uninterrupted.
With their C2 communications and lateral movement efforts disrupted, the attackers were unable to execute Ryuk, and the attack came to an end just in time. It is likely that this last-minute activation of Autonomous Response avoided widespread data encryption and possibly exfiltration, as well as the numerous costs which follow a successful ransomware attack even if a ransom is paid.
Deploying Autonomous Response before it’s too late
Despite only being activated once the attack had taken root, Darktrace was still able to distinguish malicious activity from normal business operations and stop the threat without causing disruption. Next time an attack strikes, this organization will be prepared with Autonomous Response in fully autonomous mode from the outset, ready to take action at the first sign of an emerging threat and minimize their remediation efforts.
The journey to fully autonomous security requires organizations to build trust in AI’s accuracy and decision-making. What this journey looks like for each individual organization will differ, but the need for technology that can autonomously respond to emerging threats is not a lesson any organization ought to learn the hard way.
Thanks to Darktrace analyst Sam Lister for his insights on the above threat find.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Atomic Stealer: Darktrace’s Investigation of a Growing macOS Threat
Atomic Stealer is rapidly emerging as a significant macOS threat, using infostealing and backdoor capabilities to target Apple users worldwide. Darktrace observed campaigns in 24 countries, detecting activity across multiple kill chain stages and providing recommended actions to contain attacks.
CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System
TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.
Xillen Stealer Updates to Version 5 to Evade AI Detection
Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
Atomic Stealer: Darktrace’s Investigation of a Growing macOS Threat
The Rise of Infostealers Targeting Apple Users
In a threat landscape historically dominated by Windows-based threats, the growing prevalence of macOS information stealers targeting Apple users is becoming an increasing concern for organizations. Infostealers are a type of malware designed to steal sensitive data from target devices, often enabling attackers to extract credentials and financial data for resale or further exploitation. Recent research identified infostealers as the largest category of new macOS malware, with an alarming 101% increase in the last two quarters of 2024 [1].
What is Atomic Stealer?
Among the most notorious is Atomic macOS Stealer (or AMOS), first observed in 2023. Known for its sophisticated build, Atomic Stealer can exfiltrate a wide range of sensitive information including keychain passwords, cookies, browser data and cryptocurrency wallets.
Originally marketed on Telegram as a Malware-as-a-Service (MaaS), Atomic Stealer has become a popular malware due to its ability to target macOS. Like other MaaS offerings, it includes services like a web panel for managing victims, with reports indicating a monthly subscription cost between $1,000 and $3,000 [2]. Although Atomic Stealer’s original intent was as a standalone MaaS product, its unique capability to target macOS has led to new variants emerging at an unprecedented rate
Even more concerning, the most recent variant has now added a backdoor for persistent access [3]. This backdoor presents a significant threat, as Atomic Stealer campaigns are believed to have reached an around 120 countries. The addition of a backdoor elevates Atomic Stealer to the rare category of backdoor deployments potentially at a global scale, something only previously attributed to nation-state threat actors [4].
This level of sophistication is also evident in the wide range of distribution methods observed since its first appearance; including fake application installers, malvertising and terminal command execution via the ClickFix technique. The ClickFix technique is particularly noteworthy: once the malware is downloaded onto the device, users are presented with what appears to be a legitimate macOS installation prompt. In reality, however, the user unknowingly initiates the execution of the Atomic Stealer malware.
This blog will focus on activity observed across multiple Darktrace customer environments where Atomic Stealer was detected, along with several indicators of compromise (IoCs). These included devices that successfully connected to endpoints associated with Atomic Stealer, those that attempted but failed to establish connections, and instances suggesting potential data exfiltration activity.
Darktrace’s Coverage of Atomic Stealer
As this evolving threat began to spread across the internet in June 2025, Darktrace observed a surge in Atomic Stealer activity, impacting numerous customers in 24 different countries worldwide. Initially, most of the cases detected in 2025 affected Darktrace customers within the Europe, Middle East, and Africa (EMEA) region. However, later in the year, Darktrace began to observe a more even distribution of cases across EMEA, the Americas (AMS), and Asia Pacific (APAC). While multiple sectors were impacted by Atomic Stealer, Darktrace customers in the education sector were the most affected, particularly during September and October, coinciding with the return to school and universities after summer closures. This spike likely reflects increased device usage as students returned and reconnected potentially compromised devices to school and campus environments.
Starting from June, Darktrace detected multiple events of suspicious HTTP activity to external connections to IPs in the range 45.94.47.0/24. Investigation by Darktrace’s Threat Research team revealed several distinct patterns ; HTTP POST requests to the URI “/contact”, identical cURL User Agents and HTTP requests to “/api/tasks/[base64 string]” URIs.
Within one observed customer’s environment in July, Darktrace detected two devices making repeated initiated HTTP connections over port 80 to IPs within the same range. The first, Device A, was observed making GET requests to the IP 45.94.47[.]158 (AS60781 LeaseWeb Netherlands B.V.), targeting the URI “/api/tasks/[base64string]” using the “curl/8.7.2” user agent. This pattern suggested beaconing activity and triggered the ‘Beaconing Activity to External Rare' model alert in Darktrace / NETWORK, with Device A’s Model Event Log showing repeated connections. The IP associated with this endpoint has since been flagged by multiple open-source intelligence (OSINT) vendors as being associated with Atomic Stealer [5].
Figure 1: Darktrace’s detection of Device A showing repeated connections to the suspicious IP address over port 80, indicative of beaconing behavior.
Darktrace’s Cyber AI Analyst subsequently launched an investigation into the activity, uncovering that the GET requests resulted in a ‘503 Service Unavailable’ response, likely indicating that the server was temporarily unable to process the requests.
Figure 2: Cyber AI Analyst Incident showing the 503 Status Code, indicating that the server was temporarily unavailable.
This unusual activity prompted Darktrace’s Autonomous Response capability to recommend several blocking actions for the device in an attempt to stop the malicious activity. However, as the customer’s Autonomous Response configuration was set to Human Confirmation Mode, Darktrace was unable to automatically apply these actions. Had Autonomous Response been fully enabled, these connections would have been blocked, likely rendering the malware ineffective at reaching its malicious command-and-control (C2) infrastructure.
Figure 3: Autonomous Response’s suggested actions to block suspicious connectivity on Device A in the first customer environment.
In another customer environment in August, Darktrace detected similar IoCs, noting a device establishing a connection to the external endpoint 45.94.47[.]149 (ASN: AS57043 Hostkey B.V.). Shortly after the initial connections, the device was observed making repeated requests to the same destination IP, targeting the URI /api/tasks/[base64string] with the user agent curl/8.7.1, again suggesting beaconing activity. Further analysis of this endpoint after the fact revealed links to Atomic Stealer in OSINT reporting [6].
Figure 4: Cyber AI Analyst investigation finding a suspicious URI and user agent for the offending device within the second customer environment.
As with the customer in the first case, had Darktrace’s Autonomous Response been properly configured on the customer’s network, it would have been able to block connectivity with 45.94.47[.]149. Instead, Darktrace suggested recommended actions that the customer’s security team could manually apply to help contain the attack.
Figure 5: Autonomous Response’s suggested actions to block suspicious connectivity to IP 45.94.47[.]149 for the device within the second customer environment.
In the most recent case observed by Darktrace in October, multiple instances of Atomic Stealer activity were seen across one customer’s environment, with two devices communicating with Atomic Stealer C2 infrastructure. During this incident, one device was observed making an HTTP GET request to the IP 45.94.47[.]149 (ASN: AS60781 LeaseWeb Netherlands B.V.). These connections targeted the URI /api/tasks/[base64string, using the user agent curl/8.7.1.
Shortly afterward, the device began making repeated connections over port 80 to the same external IP, 45.94.47[.]149. This activity continued for several days until Darktrace detected the device making an HTTP POST request to a new IP, 45.94.47[.]211 (ASN: AS57043 Hostkey B.V.), this time targeting the URI /contact, again using the curl/8.7.1 user agent. Similar to the other IPs observed in beaconing activity, OSINT reporting later linked this one to information stealer C2 infrastructure [7].
Figure 6: Darktrace’s detection of suspicious beaconing connectivity with the suspicious IP 45.94.47.211.
Further investigation into this customer’s network revealed that similar activity had been occurring as far back as August, when Darktrace detected data exfiltration on a second device. Cyber AI Analyst identified this device making a single HTTP POST connection to the external IP 45.94.47[.]144, another IP with malicious links [8], using the user agent curl/8.7.1 and targeting the URI /contact.
Figure 7: Cyber AI Analyst investigation finding a successful POST request to 45.94.47[.]144 for the device within the third customer environment.
A deeper investigation into the technical details within the POST request revealed the presence of a file named “out.zip”, suggesting potential data exfiltration.
Figure 8: Advanced Search log in Darktrace / NETWORK showing “out.zip”, indicating potential data exfiltration for a device within the third customer environment.
Similarly, in another environment, Darktrace was able to collect a packet capture (PCAP) of suspected Atomic Stealer activity, which revealed potential indicators of data exfiltration. This included the presence of the “out.zip” file being exfiltrated via an HTTP POST request, along with data that appeared to contain details of an Electrum cryptocurrency wallet and possible passwords.
Read more about Darktrace’s full deep dive into a similar case where this tactic was leveraged by malware as part of an elaborate cryptocurrency scam.
Figure 9: PCAP of an HTTP POST request showing the file “out.zip” and details of Electrum Cryptocurrency wallet.
Although recent research attributes the “out.zip” file to a new variant named SHAMOS [9], it has also been linked more broadly to Atomic Stealer [10]. Indeed, this is not the first instance where Darktrace has seen the “out.zip” file in cases involving Atomic Stealer either. In a previous blog detailing a social engineering campaign that targeted cryptocurrency users with the Realst Stealer, the macOS version of Realst contained a binary that was found to be Atomic Stealer, and similar IoCs were identified, including artifacts of data exfiltration such as the “out.zip” file.
Conclusion
The rapid rise of Atomic Stealer and its ability to target macOS marks a significant shift in the threat landscape and should serve as a clear warning to Apple users who were traditionally perceived as more secure in a malware ecosystem historically dominated by Windows-based threats.
Atomic Stealer’s growing popularity is now challenging that perception, expanding its reach and accessibility to a broader range of victims. Even more concerning is the emergence of a variant embedded with a backdoor, which is likely to increase its appeal among a diverse range of threat actors. Darktrace’s ability to adapt and detect new tactics and IoCs in real time delivers the proactive defense organizations need to protect themselves against emerging threats before they can gain momentum.
Credit to Isabel Evans (Cyber Analyst), Dylan Hinz (Associate Principal Cyber Analyst) Edited by Ryan Traill (Analyst Content Lead)
In July 2025, Darktrace was named a Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for Email Security, a distinction given to vendors who have scores that meet or exceed the market average for both axes (User Interest and Adoption, and Overall Experience). To us, both achievements are testament to the customer-first approach that has fueled our rapid growth. We feel this new distinction from Gartner validates the innovation, efficacy, and customer-centric delivery that set Darktrace apart.
A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. CIOs and CISOs can use this research to make informed decisions about which email security platform can best accomplish their goals. We encourage our customers to read the full report to get the complete picture.
Leaders are recognized for strong market adoption, financial stability, and established integrations with major collaboration platforms.
Why do we believe Darktrace is leading in the email security market?
Our relentless innovation which drives proven results
At Darktrace we continue to push the frontier of email security, with industry-first AI-native detection and response capabilities that go beyond traditional SEG approaches. How do we do it?
With a proven approach that gets results. Darktrace’s unique business-centric anomaly detection catches advanced phishing, supply chain compromises, and BEC attacks – detecting them on average 13 days earlier than attack-centric solutions. That’s why 75% of our customers have removed their SEG and now rely on their native email security provider combined with Darktrace.
By offering comprehensive protection beyond the inbox. Darktrace / EMAIL goes further than traditional inbound filtering, delivering account and messaging protection, DLP, and DMARC capabilities, ensuring best-in-class security across inbound, outbound, and domain protection scenarios.
Continuous innovation. We are ranked second highest in the Gartner Critical Capabilities research for core email security function, likely thanks to our product strategy and rapid pace of innovation. We’ve release major capabilities twice a year for nearly five years, including advanced AI models and expanded coverage for collaboration platforms.
We deliver exceptional customer experiences worldwide
Darktrace’s leadership isn’t just about excelling in technology, it’s about delivering an outstanding experience that customers value. Let’s dig into what makes our customers tick.
Proven loyalty from our base. Recognition from Gartner Peer Insights as a Customers’ Choice, combined with a 4.8-star rating (based on 340 reviews as of November 2025), demonstrates for us the trust of thousands of organizations worldwide, not just the analysts.
Customer-first support. Darktrace goes beyond ticket-only models with dedicated account teams and award-winning service, backed by significant headcount growth in technical support and analytics roles over the past year.
Local expertise. With offices spanning continents, Darktrace is able to provide regional language support and tailored engagement from teams on the ground, ensuring personalized service and a human-first experience.
Darktrace enhances security stacks with a partner-first architecture
There are plenty of tools out there than encourage a siloed approach. Darktrace / EMAIL plays well with others, enhancing your native security provider and allowing you to slim down your stack. It’s designed to set you up for future growth, with:
A best-in-breed platform approach. Natively built on Self-Learning AI, Darktrace / EMAIL delivers deep integration with our / NETWORK, / IDENTITY, and / CLOUD products as part of a unified platforms – that enables and enhances comprehensive enterprise-wise security.
Optimized workflows. Darktrace integrates tightly with an extended ecosystem of security tools – including a strategic partnership with Microsoft enabling unified threat response and quarantine capabilities – bringing constant innovation to all of your SOC workflows.
A channel-first strategy. Darktrace is making significant investments in partner-driven architectures, enabling integrated ecosystems that deliver maximum value and future-ready security for our customers.
Analyst recognized. Customer approved.
Darktrace / EMAIL is not just another inbound email security tool; it’s an advanced email security platform trusted by thousands of users to protect them against advanced phishing, messaging, and account-level attacks.
As a Leader, we believe we owe our positioning to our customers and partners for supporting our growth. In the upcoming years we will continue to innovate to serve the organizations who depend on Darktrace for threat protection.
Gartner, Gartner® Magic Quadrant™ for Email Security Platforms, Max Taggett, Nikul Patel, 3 December 2025
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Darktrace.
![Autonomous Response’s suggested actions to block suspicious connectivity to IP 45.94.47[.]149 for the device within the second customer environment.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6931e3cb1ddc36af8205720b_Screenshot%202025-12-04%20at%2011.40.54%E2%80%AFAM.png)
![Cyber AI Analyst investigation finding a successful POST request to 45.94.47[.]144 for the device within the third customer environment.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/6931e41d22eb7e9a3e8217d5_Screenshot%202025-12-04%20at%2011.42.15%E2%80%AFAM.png)
