Blog
/
Identity
/
December 15, 2023

How Darktrace Halted A DarkGate in MS Teams

Discover how Darktrace thwarted DarkGate malware in Microsoft Teams. Stay informed on the latest cybersecurity measures and protect your business.
Written by
Natalia Sánchez Rocafort
Cyber Security Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Natalia Sánchez Rocafort
Cyber Security Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
15
Dec 2023

Securing Microsoft Teams and SharePoint

Given the prevalence of the Microsoft Teams and Microsoft SharePoint platforms in the workplace in recent years, it is essential that organizations stay vigilant to the threat posed by applications vital to hybrid and remote work and prioritize the security and cyber hygiene of these services. For just as the use of these platforms has increased exponentially with the rise of remote and hybrid working, so too has the malicious use of them to deliver malware to unassuming users.

Researchers across the threat landscape have begun to observe these legitimate services being leveraged by malicious actors as an initial access method. Microsoft Teams can easily be exploited to send targeted phishing messages to individuals within an organization, while appearing legitimate and safe. Although the exact contents of these messages may vary, the messages frequently use social engineering techniques to lure users to click on a SharePoint link embedded into the message. Interacting with the malicious link will then download a payload [1].

Darktrace observed one such malicious attempt to use Microsoft Teams and SharePoint in September 2023, when a device was observed downloading DarkGate, a commercial trojan that is known to deploy other strains of malware, also referred to as a commodity loader [2], after clicking on SharePoint link. Fortunately for the customer, Darktrace’s suite of products was perfectly poised to identify the initial signs of suspicious activity and Darktrace RESPOND™ was able to immediately halt the advancement of the attack.

DarkGate Attack Overview

On September 8, 2023, Darktrace DETECT™ observed around 30 internal devices on a customer network making unusual SSL connections to an external SharePoint site which contained the name of a person, 'XXXXXXXX-my.sharepoint[.]com' (107.136[.]8, 13.107.138[.]8). The organization did not have any employees who went by this name and prior to this activity, no internal devices had been seen contacting the endpoint.

At first glance, this initial attack vector would have appeared subtle and seemingly trustworthy to users. Malicious actors likely sent various users a phishing message via Microsoft Teams that contained the spoofed SharePoint link to the personalized SharePoint link ''XXXXXXXX-my.sharepoint[.]com'.

Figure 1: Advanced Search query showing a sudden spike in connections to ''XXXXXXXX -my.sharepoint[.]com'.

Darktrace observed around 10 devices downloading approximately 1 MB of data during their connections to the Sharepoint endpoint. Darktrace DETECT observed some of the devices making subsequent HTTP GET requests to a range of anomalous URIs. The devices utilized multiple user-agents for these connections, including ‘curl’, a command line tool that allows individuals to request and transfer data from a specific URL. The connections were made to the IP 5.188.87[.]58, an endpoint that has been flagged as an indicator of compromise (IoC) for DarkGate malware by multiple open-source intelligence (OSINT) sources [3], commonly associated with HTTP GET requests:

  1. GET request over port 2351 with the User-Agent header 'Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)' and the target URI '/bfyxraav' to 5.188.87[.]58
  2. GET request over port 2351 with the user-agent header 'curl' and the target URI '/' to 5.188.87[.]58
  3. GET request over port 2351 with the user-agent header 'curl/8.0.1' and the target URI '/msibfyxraav' to 5.188.87[.]58

The HTTP GET requests made with the user-agent header 'curl' and the target URI '/' to 5.188.87[.]58 were responded to with a filename called 'Autoit3.exe'. The other requests received script files with names ending in '.au3, such as 'xkwtvq.au3', 'otxynh.au3', and 'dcthbq.au3'. DarkGate malware has been known to make use of legitimate AutoIt files, and typically runs multiple AutoIt scripts (‘.au3’) [4].

Following these unusual file downloads, the devices proceeded to make hundreds of HTTP POST requests to the target URI '/' using the user-agent header 'Mozilla/4.0 (compatible; Synapse)' to 5.188.87[.]58. The contents of these requests, along with the contents of the responses, appear to be heavily obfuscated.

Figure 2: Example of obfuscated response, as shown in a packet capture downloaded from Darktrace.

While Microsoft’s Safe Attachments and Safe Links settings were unable to detect this camouflaged malicious activity, Darktrace DETECT observed the unusual over-the-network connectivity that occurred. While Darktrace DETECT identified multiple internal devices engaging in this anomalous behavior throughout the course of the compromise, the activity observed on one device in particular best showcases the overall kill chain of this attack.

The device in question was observed using two different user agents (curl/8.0.1 and Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)) when connecting to the endpoint 5.188.87[.]58 and target URI ‘/bfyxraav’. Additionally, Darktrace DETECT recognized that it was unusual for this device to be making these HTTP connections via destination port 2351.

As a result, Darktrace’s Cyber AI Analyst™ launched an autonomous investigation into the suspicious activity and was able to connect the unusual external connections together, viewing them as one beaconing incident as opposed to isolated series of connections.

Figure 3: Cyber AI Analyst investigation summarizing the unusual repeated connections made to 5.188.87[.]58 via destination port 2351.

Darktrace then observed the device downloading the ‘Autoit3.exe’ file. Darktrace RESPOND took swift mitigative action by blocking similar connections to this endpoint, preventing the device from downloading any additional suspicious files.

Figure 4: Suspicious ‘Autoit3.exe’ downloaded by the source device from the malicious external endpoint.

Just one millisecond later, Darktrace observed the device making suspicious HTTP GET requests to URIs including ‘/msibfyxraav’. Darktrace recognized that the device had carried out several suspicious actions within a relatively short period of time, breaching multiple DETECT models, indicating that it may have been compromised. As a result, RESPOND took action against the offending device by preventing it from communicating externally [blocking all outbound connections] for a period of one hour, allowing the customer’s security team precious time to address the issue.

It should be noted that, at this point, had the customer subscribed to Darktrace’s Proactive Threat Notification (PTN) service, the Darktrace Security Operations Center (SOC) would have investigated these incidents in greater detail, and likely would have sent a notification directly to the customer to inform them of the suspicious activity.

Additionally, AI Analyst collated various distinct events and suggested that these stages were linked as part of an attack. This type of augmented understanding of events calculated at machine speed is extremely valuable since it likely would have taken a human analyst hours to link all the facets of the incident together.  

Figure 5: AI Analyst investigation showcasing the use of the ‘curl’ user agent to connect to the target URI ‘/msibfyxraav’.
Figure 6: Darktrace RESPOND moved to mitigate any following connections by blocking all outgoing traffic for 1 hour.

Following this, an automated investigation was launched by Microsoft Defender for Endpoint. Darktrace is designed to coordinate with multiple third-party security tools, allowing for information on ongoing incidents to be seamlessly exchanged between Darktrace and other security tools. In this instance, Microsoft Defender identified a ‘low severity’ incident on the device, this automatically triggered a corresponding alert within DETECT, presented on the Darktrace Threat Visuallizer.

The described activity occurred within milliseconds. At each step of the attack, Darktrace RESPOND took action either by enforcing expected patterns of life [normality] on the affected device, blocking connections to suspicious endpoints for a specified amount of time, and/or blocking all outgoing traffic from the device. All the relevant activity was detected and promptly stopped for this device, and other compromised devices, thus containing the compromise and providing the security team invaluable remediation time.

Figure 7: Overview of the compromise activity, all of which took place within a matter of miliseconds.

Darktrace identified similar activity on other devices in this customer’s network, as well as across Darktrace’s fleet around the same time in early September.

On a different customer environment, Darktrace DETECT observed more than 25 ‘.au3’ files being downloaded; this activity can be seen in Figure 9.

Figure 8: High volume of file downloads following GET request and 'curl' commands.

Figure 9 provides more details of this activity, including the source and destination IP addresses (5.188.87[.]58), the destination port, the HTTP method used and the MIME/content-type of the file

Figure 9: Additional information of the anomalous connections.

A compromised server in another customer deployment was seen establishing unusual connections to the external IP address 80.66.88[.]145 – an endpoint that has been associated with DarkGate by OSINT sources [5]. This activity was identified by Darktrace/DETECT as a new connection for the device via an unusual destination port, 2840. As the device in question was a critical server, Darktrace DETECT treated it with suspicion and generated an ‘Anomalous External Activity from Critical Network Device’ model breach.  

Figure 10: Model breach and model breach event log for suspicious connections to additional endpoint.

Conclusion

While Microsoft Teams and SharePoint are extremely prominent tools that are essential to the business operations of many organizations, they can also be used to compromise via living off the land, even at initial intrusion. Any Microsoft Teams user within a corporate setting could be targeted by a malicious actor, as such SharePoint links from unknown senders should always be treated with caution and should not automatically be considered as secure or legitimate, even when operating within legitimate Microsoft infrastructure.

Malicious actors can leverage these commonly used platforms as a means to carry out their cyber-attacks, therefore organizations must take appropriate measures to protect and secure their digital environments. As demonstrated here, threat actors can attempt to deploy malware, like DarkGate, by targeting users with spoofed Microsoft Teams messages. By masking malicious links as legitimate SharePoint links, these attempts can easily convince targets and bypass traditional security tools and even Microsoft’s own Safe Links and Safe Attachments security capabilities.

When the chain of events of an attack escalates within milliseconds, organizations must rely on AI-driven tools that can quickly identify and automatically respond to suspicious events without latency. As such, the value of Darktrace DETECT and Darktrace RESPOND cannot be overstated. Given the efficacy and efficiency of Darktrace’s detection and autonomous response capabilities, a more severe network compromise in the form of the DarkGate commodity loader was ultimately averted.

Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Zoe Tilsiter.

Appendices

Darktrace DETECT Model Detections

  • [Model Breach: Device / Initial Breach Chain Compromise 100% –– Breach URI: /#modelbreach/114039 ] (Enhanced Monitoring)·      [Model Breach: Device / Initial Breach Chain Compromise 100% –– Breach URI: /#modelbreach/114124 ] (Enhanced Monitoring)
  • [Model Breach: Device / New User Agent and New IP 62% –– Breach URI: /#modelbreach/114030 ]
  • [Model Breach: Anomalous Connection / Application Protocol on Uncommon Port 46% –– Breach URI: /#modelbreach/114031 ]
  • [Model Breach: Anomalous Connection / New User Agent to IP Without Hostname 62% –– Breach URI: /#modelbreach/114032 ]
  • [Model Breach: Device / New User Agent 32% –– Breach URI: /#modelbreach/114035 ]
  • [Model Breach: Device / Three Or More New User Agents 31% –– Breach URI: /#modelbreach/114036 ]
  • [Model Breach: Anomalous Server Activity / Anomalous External Activity from Critical Network Device 62% –– Breach URI: /#modelbreach/612173 ]
  • [Model Breach: Anomalous File / EXE from Rare External Location 61% –– Breach URI: /#modelbreach/114037 ]
  • [Model Breach: Anomalous Connection / Multiple Connections to New External TCP Port 61% –– Breach URI: /#modelbreach/114042 ]
  • [Model Breach: Security Integration / Integration Ransomware Detected 100% –– Breach URI: /#modelbreach/114049 ]
  • [Model Breach: Compromise / Beaconing Activity To External Rare 62% –– Breach URI: /#modelbreach/114059 ]
  • [Model Breach: Compromise / HTTP Beaconing to New Endpoint 30% –– Breach URI: /#modelbreach/114067 ]
  • [Model Breach: Security Integration / C2 Activity and Integration Detection 100% –– Breach URI: /#modelbreach/114069 ]
  • [Model Breach: Anomalous File / EXE from Rare External Location 55% –– Breach URI: /#modelbreach/114077 ]
  • [Model Breach: Compromise / High Volume of Connections with Beacon Score 66% –– Breach URI: /#modelbreach/114260 ]
  • [Model Breach: Security Integration / Low Severity Integration Detection 59% –– Breach URI: /#modelbreach/114293 ]
  • [Model Breach: Security Integration / Low Severity Integration Detection 33% –– Breach URI: /#modelbreach/114462 ]
  • [Model Breach: Security Integration / Integration Ransomware Detected 100% –– Breach URI: /#modelbreach/114109 ]·      [Model Breach: Device / Three Or More New User Agents 31% –– Breach URI: /#modelbreach/114118 ]·      [Model Breach: Anomalous Connection / Application Protocol on Uncommon Port 46% –– Breach URI: /#modelbreach/114113 ] ·      [Model Breach: Anomalous Connection / New User Agent to IP Without Hostname 62% –– Breach URI: /#modelbreach/114114 ]·      [Model Breach: Device / New User Agent 32% –– Breach URI: /#modelbreach/114117 ]·      [Model Breach: Anomalous File / EXE from Rare External Location 61% –– Breach URI: /#modelbreach/114122 ]·      [Model Breach: Security Integration / Low Severity Integration Detection 54% –– Breach URI: /#modelbreach/114310 ]
  • [Model Breach: Security Integration / Integration Ransomware Detected 65% –– Breach URI: /#modelbreach/114662 ]Darktrace/Respond Model Breaches
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious File Block 61% –– Breach URI: /#modelbreach/114033 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena File then New Outbound Block 100% –– Breach URI: /#modelbreach/114038 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block 100% –– Breach URI: /#modelbreach/114040 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block 87% –– Breach URI: /#modelbreach/114041 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach 87% –– Breach URI: /#modelbreach/114043 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Ransomware Block 100% –– Breach URI: /#modelbreach/114052 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Significant Security Integration and Network Activity Block 87% –– Breach URI: /#modelbreach/114070 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block 87% –– Breach URI: /#modelbreach/114071 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious Activity Block 87% –– Breach URI: /#modelbreach/114072 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious File Block 53% –– Breach URI: /#modelbreach/114079 ]
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block 64% –– Breach URI: /#modelbreach/114539 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Ransomware Block 66% –– Breach URI: /#modelbreach/114667 ]
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious Activity Block 79% –– Breach URI: /#modelbreach/114684 ]·      
  • [Model Breach: Antigena / Network::External Threat::Antigena Ransomware Block 100% –– Breach URI: /#modelbreach/114110 ]·      
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block 87% –– Breach URI: /#modelbreach/114111 ]·      
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Controlled and Model Breach 87% –– Breach URI: /#modelbreach/114115 ]·      
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Breaches Over Time Block 87% –– Breach URI: /#modelbreach/114116 ]·      
  • [Model Breach: Antigena / Network::External Threat::Antigena Suspicious File Block 61% –– Breach URI: /#modelbreach/114121 ]·      
  • [Model Breach: Antigena / Network::External Threat::Antigena File then New Outbound Block 100% –– Breach URI: /#modelbreach/114123 ]·      
  • [Model Breach: Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block 100% –– Breach URI: /#modelbreach/114125 ]

List of IoCs

IoC - Type - Description + Confidence

5.188.87[.]58 - IP address - C2 endpoint

80.66.88[.]145 - IP address - C2 endpoint

/bfyxraav - URI - Possible C2 endpoint URI

/msibfyxraav - URI - Possible C2 endpoint URI

Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) - User agent - Probable user agent leveraged

curl - User agent - Probable user agent leveraged

curl/8.0.1 - User agent - Probable user agent leveraged

Mozilla/4.0 (compatible; Synapse) - User agent - Probable user agent leveraged

Autoit3.exe - Filename - Exe file

CvUYLoTv.au3    

eDVeqcCe.au3

FeLlcFRS.au3

FTEZlGhe.au3

HOrzcEWV.au3

rKlArXHH.au3

SjadeWUz.au3

ZgOLxJQy.au3

zSrxhagw.au3

ALOXitYE.au3

DKRcfZfV.au3

gQZVKzek.au3

JZrvmJXK.au3

kLECCtMw.au3

LEXCjXKl.au3

luqWdAzF.au3

mUBNrGpv.au3

OoCdHeJT.au3

PcEJXfIl.au3

ssElzrDV.au3

TcBwRRnp.au3

TFvAUIgu.au3

xkwtvq.au3

otxynh.au3

dcthbq.au3 - Filenames - Possible exe files delivered in response to curl/8.0.1 GET requests with Target URI '/msibfyxraav

f3a0a85fe2ea4a00b3710ef4833b07a5d766702b263fda88101e0cb804d8c699 - SHA256 file hash - Possible SHA256 hashes of 'Autoit3.exe' files

afa3feea5964846cd436b978faa7d31938e666288ffaa75d6ba75bfe6c12bf61 - SHA256 file hash - Possible SHA256 hashes of 'Autoit3.exe' files

63aeac3b007436fa8b7ea25298362330423b80a4cb9269fd2c3e6ab1b1289208 - SHA256 file hash - Possible SHA256 hashes of 'Autoit3.exe' files

ab6704e836a51555ec32d1ff009a79692fa2d11205f9b4962121bda88ba55486 - SHA256 file hash - Possible SHA256 hashes of 'Autoit3.exe' files

References

1. https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams

2. https://feedit.cz/wp-content/uploads/2023/03/YiR2022_onepager_ransomware_loaders.pdf

3. https://www.virustotal.com/gui/ip-address/5.188.87[.]58

4. https://www.forescout.com/resources/darkgate-loader-malspam-campaign/

5. https://otx.alienvault.com/indicator/ip/80.66.88[.]145

Written by
Natalia Sánchez Rocafort
Cyber Security Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Natalia Sánchez Rocafort
Cyber Security Analyst

Patch and Persist: Darktrace’s Detection of Blind Eagle (APT-C-36)

Network
June 25, 2025
Charlotte Thompson
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.
Continue reading
Identity
May 23, 2025

From Rockstar2FA to FlowerStorm: Investigating a Blooming Phishing-as-a-Service Platform

FlowerStorm is a phishing-as-a-service platform that leverages Adversary-in-the-Middle attacks to steal Microsoft 365 credentials and bypass MFA. Darktrace detected a SaaS compromise linked to FlowerStorm, identifying suspicious logins, password resets, and privilege escalation attempts, enabling early containment through AI-driven threat detection and response.
Justin Torres
Cyber Analyst
Read more
Identity
April 29, 2025

MFA Under Attack: AiTM Phishing Kits Abusing Legitimate Services

Tycoon 2FA uses AiTM phishing and legitimate services to bypass MFA. Darktrace AI stopped it, read the blog to learn how Self-Learning AI detects sophisticated threats.
Alexandra Sentenac
Cyber Analyst
Read more
Identity
January 28, 2025

Bytesize Security: Insider Threats in Google Workspace

Insider threats pose significant risks due to access to internal systems. Darktrace detected a former employee attempting to steal data from the customer’s Google Workspace platform. Learn about this threat here.
Vivek Rajan
Cyber Analyst
Read more

Blog

/

Network

/

June 27, 2025

Patch and Persist: Darktrace’s Detection of Blind Eagle (APT-C-36)

login on laptop dual factor authenticationDefault blog imageDefault blog image

What is Blind Eagle?

Since 2018, APT-C-36, also known as Blind Eagle, has been observed performing cyber-attacks targeting various sectors across multiple countries in Latin America, with a particular focus on Colombian organizations.

Blind Eagle characteristically targets government institutions, financial organizations, and critical infrastructure [1][2].

Attacks carried out by Blind Eagle actors typically start with a phishing email and the group have been observed utilizing various Remote Access Trojans (RAT) variants, which often have in-built methods for hiding command-and-control (C2) traffic from detection [3].

What we know about Blind Eagle from a recent campaign

Since November 2024, Blind Eagle actors have been conducting an ongoing campaign targeting Colombian organizations [1].

In this campaign, threat actors have been observed using phishing emails to deliver malicious URL links to targeted recipients, similar to the way threat actors have previously been observed exploiting CVE-2024-43451, a vulnerability in Microsoft Windows that allows the disclosure of a user’s NTLMv2 password hash upon minimal interaction with a malicious file [4].

Despite Microsoft patching this vulnerability in November 2024 [1][4], Blind Eagle actors have continued to exploit the minimal interaction mechanism, though no longer with the intent of harvesting NTLMv2 password hashes. Instead, phishing emails are sent to targets containing a malicious URL which, when clicked, initiates the download of a malicious file. This file is then triggered by minimal user interaction.

Clicking on the file triggers a WebDAV request, with a connection being made over HTTP port 80 using the user agent ‘Microsoft-WebDAV-MiniRedir/10.0.19044’. WebDAV is a transmission protocol which allows files or complete directories to be made available through the internet, and to be transmitted to devices [5]. The next stage payload is then downloaded via another WebDAV request and malware is executed on the target device.

Attackers are notified when a recipient downloads the malicious files they send, providing an insight into potential targets [1].

Darktrace’s coverage of Blind Eagle

In late February 2025, Darktrace observed activity assessed with medium confidence to be  associated with Blind Eagle on the network of a customer in Colombia.

Within a period of just five hours, Darktrace / NETWORK detected a device being redirected through a rare external location, downloading multiple executable files, and ultimately exfiltrating data from the customer’s environment.

Since the customer did not have Darktrace’s Autonomous Response capability enabled on their network, no actions were taken to contain the compromise, allowing it to escalate until the customer’s security team responded to the alerts provided by Darktrace.

Darktrace observed a device on the customer’s network being directed over HTTP to a rare external IP, namely 62[.]60[.]226[.]112, which had never previously been seen in this customer’s environment and was geolocated in Germany. Multiple open-source intelligence (OSINT) providers have since linked this endpoint with phishing and malware campaigns [9].

The device then proceeded to download the executable file hxxp://62[.]60[.]226[.]112/file/3601_2042.exe.

Darktrace’s detection of the affected device connecting to an unusual location based in Germany.
Figure 1: Darktrace’s detection of the affected device connecting to an unusual location based in Germany.
Darktrace’s detection of the affected device downloading an executable file from the suspicious endpoint.
Figure 2: Darktrace’s detection of the affected device downloading an executable file from the suspicious endpoint.

The device was then observed making unusual connections to the rare endpoint 21ene.ip-ddns[.]com and performing unusual external data activity.

This dynamic DNS endpoint allows a device to access an endpoint using a domain name in place of a changing IP address. Dynamic DNS services ensure the DNS record of a domain name is automatically updated when the IP address changes. As such, malicious actors can use these services and endpoints to dynamically establish connections to C2 infrastructure [6].

Further investigation into this dynamic endpoint using OSINT revealed multiple associations with previous likely Blind Eagle compromises, as well as Remcos malware, a RAT commonly deployed via phishing campaigns [7][8][10].

Darktrace’s detection of the affected device connecting to the suspicious dynamic DNS endpoint, 21ene.ip-ddns[.]com.
Figure 3: Darktrace’s detection of the affected device connecting to the suspicious dynamic DNS endpoint, 21ene.ip-ddns[.]com.

Shortly after this, Darktrace observed the user agent ‘Microsoft-WebDAV-MiniRedir/10.0.19045’, indicating usage of the aforementioned transmission protocol WebDAV. The device was subsequently observed connected to an endpoint associated with Github and downloading data, suggesting that the device was retrieving a malicious tool or payload. The device then began to communicate to the malicious endpoint diciembrenotasenclub[.]longmusic[.]com over the new TCP port 1512 [11].

Around this time, the device was also observed uploading data to the endpoints 21ene.ip-ddns[.]com and diciembrenotasenclub[.]longmusic[.]com, with transfers of 60 MiB and 5.6 MiB observed respectively.

Figure 4: UI graph showing external data transfer activity.

This chain of activity triggered an Enhanced Monitoring model alert in Darktrace / NETWORK. These high-priority model alerts are designed to trigger in response to higher fidelity indicators of compromise (IoCs), suggesting that a device is performing activity consistent with a compromise.

Darktrace’s detection of initial attack chain activity.
Figure 5: Darktrace’s detection of initial attack chain activity.

A second Enhanced Monitoring model was also triggered by this device following the download of the aforementioned executable file (hxxp://62[.]60[.]226[.]112/file/3601_2042.exe) and the observed increase in C2 activity.

Following this activity, Darktrace continued to observe the device beaconing to the 21ene.ip-ddns[.]com endpoint.

Darktrace’s Cyber AI Analyst was able to correlate each of the individual detections involved in this compromise, identifying them as part of a broader incident that encompassed C2 connectivity, suspicious downloads, and external data transfers.

Cyber AI Analyst’s investigation into the activity observed on the affected device.
Figure 6: Cyber AI Analyst’s investigation into the activity observed on the affected device.
Figure 7: Cyber AI Analyst’s detection of the affected device’s broader connectivity throughout the course of the attack.

As the affected customer did not have Darktrace’s Autonomous Response configured at the time, the attack was able to progress unabated. Had Darktrace been properly enabled, it would have been able to take a number of actions to halt the escalation of the attack.

For example, the unusual beaconing connections and the download of an unexpected file from an uncommon location would have been shut down by blocking the device from making external connections to the relevant destinations.

Conclusion

The persistence of Blind Eagle and ability to adapt its tactics, even after patches were released, and the speed at which the group were able to continue using pre-established TTPs highlights that timely vulnerability management and patch application, while essential, is not a standalone defense.

Organizations must adopt security solutions that use anomaly-based detection to identify emerging and adapting threats by recognizing deviations in user or device behavior that may indicate malicious activity. Complementing this with an autonomous decision maker that can identify, connect, and contain compromise-like activity is crucial for safeguarding organizational networks against constantly evolving and sophisticated threat actors.

Credit to Charlotte Thompson (Senior Cyber Analyst), Eugene Chua (Principal Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

IoCs

IoC – Type - Confidence
Microsoft-WebDAV-MiniRedir/10.0.19045 – User Agent

62[.]60[.]226[.]112 – IP – Medium Confidence

hxxp://62[.]60[.]226[.]112/file/3601_2042.exe – Payload Download – Medium Confidence

21ene.ip-ddns[.]com – Dynamic DNS Endpoint – Medium Confidence

diciembrenotasenclub[.]longmusic[.]com  - Hostname – Medium Confidence

Darktrace’s model alert coverage

Anomalous File / Suspicious HTTP Redirect
Anomalous File / EXE from Rare External Location
Anomalous File / Multiple EXE from Rare External Location
Anomalous Server Activity / Outgoing from Server
Unusual Activity / Unusual External Data to New Endpoint
Device / Anomalous Github Download
Anomalous Connection / Multiple Connections to New External TCP Port
Device / Initial Attack Chain Activity
Anomalous Server Activity / Rare External from Server
Compromise / Suspicious File and C2
Compromise / Fast Beaconing to DGA
Compromise / Large Number of Suspicious Failed Connections
Device / Large Number of Model Alert

Mitre Attack Mapping:

Tactic – Technique – Technique Name

Initial Access - T1189 – Drive-by Compromise
Initial Access - T1190 – Exploit Public-Facing Application
Initial Access ICS - T0862 – Supply Chain Compromise
Initial Access ICS - T0865 – Spearphishing Attachment
Initial Access ICS - T0817 - Drive-by Compromise
Resource Development - T1588.001 – Malware
Lateral Movement ICS - T0843 – Program Download
Command and Control - T1105 - Ingress Tool Transfer
Command and Control - T1095 – Non-Application Layer Protocol
Command and Control - T1571 – Non-Standard Port
Command and Control - T1568.002 – Domain Generation Algorithms
Command and Control ICS - T0869 – Standard Application Layer Protocol
Evasion ICS - T0849 – Masquerading
Exfiltration - T1041 – Exfiltration Over C2 Channel
Exfiltration - T1567.002 – Exfiltration to Cloud Storage

References

1)    https://research.checkpoint.com/2025/blind-eagle-and-justice-for-all/

2)    https://assets.kpmg.com/content/dam/kpmgsites/in/pdf/2025/04/kpmg-ctip-blind-eagle-01-apr-2025.pdf.coredownload.inline.pdf

3)    https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-remote-access-trojan/#:~:text=They%20might%20be%20attached%20to,remote%20access%20or%20system%20administration

4)    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43451

5)    https://www.ionos.co.uk/digitalguide/server/know-how/webdav/

6)    https://vercara.digicert.com/resources/dynamic-dns-resolution-as-an-obfuscation-technique

7)    https://threatfox.abuse.ch/ioc/1437795

8)    https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/remcos-malware/

9)    https://www.virustotal.com/gui/url/b3189db6ddc578005cb6986f86e9680e7f71fe69f87f9498fa77ed7b1285e268

10) https://www.virustotal.com/gui/domain/21ene.ip-ddns.com

11) https://www.virustotal.com/gui/domain/diciembrenotasenclub.longmusic.com/community

Continue reading
About the author
Charlotte Thompson
Cyber Analyst

Blog

/

Network

/

June 19, 2025

Customer Case Study: Leading Petrochemical Manufacturer

Default blog imageDefault blog image

Headquartered in Saudi Arabia, this industry leading petrochemical manufacturer serves customers in more than 80 countries across diverse markets throughout Europe, Africa, Latin America, the Middle East, China, and Southeast Asia.

Cyber resiliency critical to growth strategy

This leading petrochemical manufacturer’s vision is to be one of the major global players in the production and marketing of designated petrochemicals and downstream products. The company aims to significantly increase its capacity to up to a million metric tons within the next few years.

With cyber-attacks on critical infrastructure increasing 30% globally last year, cyber resiliency is essential to supporting the company’s strategic business goals of:

  • Maximizing production through efficient asset utilization
  • Maximizing sales by conducting 90% of its business outside Saudi Arabia
  • Optimizing resources and processes by integrating with UN Global Compact principles for sustainability and efficiency
  • Growing its business portfolio by engaging in joint ventures to diversify production and add value to the economy

However, the industry leader faced several challenges in its drive to fortify its cybersecurity defenses.

Visibility gaps delay response time

The company’s existing security setup provided limited visibility to the in-house security team, hindering its ability to detect anomalous network and user activity in real time. This resulted in delayed responses to potential incidents, making proactive issue resolution difficult and any remediation in the event of a successful attack costly and time-consuming.

Manual detection drains resources

Without automated detection and response capabilities, the organization’s security team had to manually monitor for suspicious activity – a time-consuming and inefficient approach that strained resources and left the organization vulnerable. This made it difficult for the team to stay current with training or acquire new skills and certifications, which are core to the ethos of both the company’s owners and the team itself.

Cyber-attacks on critical infrastructure increasing

The petrochemical manufacturer is part of a broader ecosystem of companies, making the protection of its supply chain – both upstream and downstream – critical. With several manufacturing entities and multiple locations, the customer’s internal structure is complex and challenging to secure. As cyber-attacks on critical infrastructure escalate, it needed a more comprehensive approach to safeguard its business and the wider ecosystem.

Keeping and growing skills and focus in-house

To strengthen its cybersecurity strategy, the company considered two options:

  1. Make a significant initial and ongoing investment in a Security Operations Center (SOC), which would involve skills development outside the company and substantial management overhead.
  2. Use a combination of new, automated tools and an outsourced Managed Detection and Response (MDR) service to reduce the burden on internal security specialists and allow the company to invest in upskilling its staff so they can focus on more strategic tasks.

Faced with this choice between entirely outsourcing security and augmenting the security team with new capabilities, the customer chose the second option, selecting Darktrace to automate the company’s monitoring, detection, and response. Today, the petrochemical manufacturer is using:

Extending the SOC with 24/7 expert support

To alleviate the burden on its lean security team, the company augmented its in-house capabilities with Darktrace’s Managed Detection & Response service. This support acts as an extension of its SOC, providing 24/7 monitoring, investigation, and escalation of high-priority threats. With Darktrace’s global SOC managing alert triage and autonomously containing threats, the organization’s internal team can focus on strategic initiatives. The result is a stronger security posture and increased capacity to proactively address evolving cyber risks – without expanding headcount or sacrificing visibility.

A unique approach to AI

In its search for a new security platform, the company’s Director of Information Technology said Darktrace’s autonomous response capability, coupled with Self-Learning AI-driven threat reduction, were two big reasons for selecting Darktrace over competing products and services.

AI was a huge factor – no one else was doing what Darktrace was doing with [AI].”

Demonstrated visibility

Before Darktrace, the customer had no visibility into the network activity to and from remote worker devices. Some employees need the ability to connect to its networks at any time and from any location, including the Director of Information Technology. The trial deployment of Darktrace / ENDPOINT was a success and gave the team peace of mind that, no matter the location or device, high-value remote workers were protected by Darktrace.

Modular architecture  

Darktrace's modular architecture allowed the company to deploy security controls across its complex, multi-entity environment. The company’s different locations run on segregated networks but are still interconnected and need to be protected. Darktrace / NETWORK provides a unified view and coordinated security response across the organization’s entire network infrastructure, including endpoint devices.

Results

The petrochemical manufacturer is using Darktrace across all of its locations and has achieved total visibility across network and user activity. “Darktrace is increasing in value every day,” said the Director of Information Technology.

I don’t have a big team, and Darktrace makes our lives very, very easy, not least the automation of some of the tasks that require constant manual review.”

Time savings frees analysts to focus on proactive security

Darktrace / NETWORK provides continuous, AI-driven monitoring and analysis of the company’s network activity, user behavior, and threat patterns, establishing a baseline of what normal activity looks like, and then alerting analysts to any deviations from normal traffic, activity, and behaviors. Darktrace’s autonomous response capabilities speed up response to detected threats, meaning intervention from the security team is required for fewer incidents and alerts.

In October 2024 alone, Darktrace Cyber AI Analyst saved the team 810 investigation hours, and autonomously responded to 180 anomalous behaviors that were uncovered during the investigations. With Darktrace managing the majority of threat detection and response efforts, the security team has been able to change its day-to-day activity from manual review of traffic and alerts and belated response to activity, to proactively fortifying its detection and response posture and upskilling to meet evolving requirements.  

Layered email protection reduces phishing threats

The company’s email infrastructure posed a challenge due to petrochemical industry regulations requiring on-premises email servers, with some security delivered via Microsoft Azure. By integrating Darktrace / EMAIL into the Azure stack, the organization has reduced the volume of phishing emails its users receive by 5%.

“Now we have one more layer of security related to email – every email goes through two filters. If something is not being caught or traced by Azure, it is being detected by Darktrace,” said the Director of Information Technology. “As a result, we’re now seeing only about 15% to 20% of the phishing emails we used to receive before implementing Darktrace.”

Preparing for a secure future

The time saved using Darktrace has helped the security team take proactive steps, including preparing for new cyber resilience regulations for Saudi Arabia’s Critical National Infrastructure, as mandated by the National Cybersecurity Authority (NCA).

“The team now has ample time to prepare policies and procedures that meet the new NCA regulations and, in some cases, enhance the requirements of the new law,” said the Director of Information Technology. “All of this is possible because they don’t need to keep watch; Darktrace takes on so much of that task for them.”

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI