Blog
/
Email
/
July 6, 2023

How Darktrace Foiled QR Code Phishing

Explore Darktrace's successful detection of QR code phishing. Understand the methods used to thwart these sophisticated cyber threats.
Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
06
Jul 2023

What is a QR Code?

Invented by a Japanese company in 1994 to label automobile parts, Quick Response codes, best known as QR codes, are rapidly becoming ubiquitous everywhere in the world. Their design, inspired by the board and black and white pieces of the game of Go, permits the storage of more information than regular barcodes and to access that information more quickly. The COVID-19 pandemic contributed to their increased popularity as it conveniently replaced physical media of all types for the purpose of content sharing. It is now common to see them in restaurant menus, plane tickets, advertisements and even in stickers containing minimal to no text pasted on lamp posts and other surfaces, enticing passers-by to scan its content. 

QR Code Phishing Attacks (Quishing)

Recently, threat actors have been identified using QR codes too to embed malicious URLs leading the unsuspecting user to compromised websites containing malware or designed to harvest credentials. In the past month, Darktrace has observed an increase in the number of phishing emails leveraging malicious QR codes for malware distribution and/or credential harvesting, a new form of social engineering attack labelled “Quishing” (i.e., QR code phishing).

Between June 13 and June 22, 2023, Darktrace protected a tech company against one such Quishing attack when five of its senior employees were sent malicious emails impersonating the company’s IT department. The emails contained a QR code that led to a login page designed to harvest the credentials of these senior staff members. Fortunately for the customer, Darktrace / EMAIL thwarted this phishing campaign in the first instance and the emails never reached the employee inboxes. 

Trends in Quishing Attacks

The Darktrace/Email team have noticed a recent and rapid increase in QR code abuse, suggesting that it is a growing tactic used by threat actors to deliver malicious payload links. This trend has also been observed by other security solutions [1] [2] [3] [4]. The Darktrace/Email team has identified malicious emails abusing QR codes in multiple ways. Examples include embedded image links which load a QR code and QR code images being delivered as attachments, such as those explored in this case study. Darktrace/Email is continually refining its detection of malicious QR codes and QR code extraction capabilities so that it can detect and block them regardless of their size and location within the email.   

Quishing Attack Overview

The attack consisted of five emails, each sent from different sender and envelope addresses, displayed common points between them. The emails all conveyed a sense of urgency, either via the use of words such as “urgent”, “now”, “required” or “important” in the subject field or by marking the email as high priority, thus making the recipient believe the message is pressing and requires immediate attention. 

Additionally, the subject of three of the emails directly referred to two factor authentication (2FA) enabling or QR code activation. Another particularity of these emails was that three of them attempted to impersonate the internal IT team of the company by inserting the company domain alongside strings, such as “it-desk” and “IT”, into the personal field of the emails. Email header fields like this are often abused by attackers to trick users by pretending to be an internal department or senior employee, thus avoiding more thorough validation checks. Both instilling a sense of urgency and including a known domain or name in the personal field are techniques that help draw attention to the email and maximize the chances that it is opened and engaged by the recipient. 

However, threat actors also need to make sure that the emails actually reach the intended inboxes, and this can be done in several ways. In this case, several tactics were employed. Two of the five emails were sent from legitimate sender addresses that successfully passed SPF validation, suggesting they were sent from compromised accounts. SPF is a standard email authentication method that tells the receiving email servers whether emails have been sent from authorized servers for a given domain. Without SPF validation, emails are more likely to be categorized as spam and be sent to the junk folder as they do not come from authorized sources.

Another of the malicious emails, which also passed SPF checks, used a health care facility company domain in the header-from address field but was actually sent from a different domain (i.e., envelope domain), which lowers the value of the SPF authentication. However, the envelope domain observed in this instance belonged to a company recently acquired by the tech company targeted by the campaign.

This shows a high level of targeting from the attackers, who likely hoped that this detail would make the email more familiar and less suspicious. In another case, the sender domain (i.e., banes-gn[.]com) had been created just 6 days prior, thus lowering the chances of there being open-source intelligence (OSINT) available on the domain. This reduces the chances of the email being detected by traditional email security solutions relying on signatures and known-bad lists.

Darktrace Detects Quishing Attack

Despite its novelty, the domain was detected and assessed as highly suspicious by Darktrace. Darktrace/Email was able to recognize all of the emails as spoofing and impersonation attempts and applied the relevant tags to them, namely “IT Impersonation” and “Fake Account Alert”, depending on the choice of personal field and subject. The senders of the five emails had no prior history or association with the recipient nor the company as no previous correspondence had been observed between the sender and recipient. The tags applied informed on the likely intent and nature of the suspicious indicators present in the email, as shown in Figure 1. 

Darktrace/Email UI
Figure 1: Email log overview page, displaying important information clearly and concisely. 

Quishing Attack Tactics

Minimal Plain Text

Another characteristic shared by these emails was that they had little to no text included in the body of the email and they did not contain a plain text portion, as shown in Figure 2. For most normal emails sent by email clients and most automated programs, an email will contain an HTML component and a text component, in addition to any potential attachments present. All the emails had one image attachment, suggesting the bulk of the message was displayed in the image rather than the email body. This hinders textual analysis and filtering of the email for suspicious keywords and language that could reveal its phishing intent. Additionally, the emails were well-formatted and used the logo of the well-known corporation Microsoft, suggesting some level of technical ability on the part of the attackers. 

Figure 2: Email body properties giving additional insights into the content of the email. 

Attachment and link payloads

The threat actors employed some particularly innovative and novel techniques with regards to the attachments and link payloads within these emails. As previously stated, all emails contained an image attachment and one or two links. Figure 3 shows that Darktrace/Email detected that the malicious links present in these emails were located in the attachments, rather than the body of the email. This is a technique often employed by threat actors to bypass link analysis by security gateways. Darktrace/Email was also able to detect this link as a QR code link, as shown in Figure 4.

Figure 3: Further properties and metrics regarding the location of the link within the email. 
Figure 4: Darktrace / EMAIL analyzes multiple metrics and properties related to links, some of which are detailed here. 

The majority of the text, as well as the malicious payload, was contained within the image attachment, which for one of the emails looked like this: 

example of quishing email
Figure 5: Redacted screenshot of the image payload contained in one of the emails. 

Convincing Appearance

As shown, the recipient is asked to setup 2FA authentication for their account within two days if they don’t want to be locked out. The visual formatting of the image, which includes a corporate logo and Privacy Statement and Acceptable Use Policy notices, is well balanced and convincing. The payload, in this case the QR code containing a malicious link, is positioned in the centre so as to draw attention and encourage the user to scan and click. This is a type of email employees are increasingly accustomed to receiving in order to log into corporate networks and applications. Therefore, recipients of such malicious emails might assume represents expected business activity and thus engage with the QR code without questioning it, especially if the email is claiming to be from the IT department.  

Malicious Redirection

Two of the Quishing emails contained links to legitimate file storage and sharing solutions Amazon Web Services (AWS) and and InterPlanetary File System (IPFS), whose domains are less likely to be blocked by traditional security solutions. Additionally, the AWS domain link contained a redirect to a different domain that has been flagged as malicious by multiple security vendors [5]. Malicious redirection was observed in four of the five emails, initially from well-known and benign services’ domains such as bing[.]com and login[.]microsoftonline[.]com. This technique allows attackers to hide the real destination of the link from the user and increase the likelihood that the link is clicked. In two of the emails, the redirect domain had only recently been registered, and in one case, the redirect domain observed was hosted on the new .zip top level domain (i.e., docusafe[.]zip). The domain name suggests it is attempting to masquerade as a compressed file containing important documentation. As seen in Figure 6, a new Darktrace/Email feature allows customers to safely view the final destination of the link, which in this case was a seemingly fake Microsoft login page which could be used to harvest corporate credentials.

Figure 6: Safe preview available from the Darktrace/Email Console showing the destination webpage of one of the redirect links observed.

Gathering Account Credentials

Given the nature of the landing page, it is highly likely that this phishing campaign had the objective of stealing the recipients’ credentials, as further indicated by the presence of the recipients’ email addresses in the links. Additionally, these emails were sent to senior employees, likely in an attempt to gather high value credentials to use in future attacks against the company. Had they succeeded, this would have represented a serious security incident, especially considering that 61% of attacks in 2023 involved stolen or hacked credentials according to Verizon’s 2023 data breach investigations report [6]. However, these emails received the highest possible anomaly score (100%) and were held by Darktrace/Email, thus ensuring that their intended recipients were never exposed to them. 

Looking at the indicators of compromise (IoCs) identified in this campaign, it appears that several of the IPs associated with the link payloads have been involved in previous phishing campaigns. Exploring the relations tab for these IPs in Virus Total, some of the communicating files appear to be .eml files and others have generic filenames including strings such as “invoice” “remittance details” “statement” “voice memo”, suggesting they have been involved in other phishing campaigns seemingly related to payment solicitation and other fraud attempts.

Figure 7: Virus Total’s relations tab for the IP 209.94.90[.]1 showing files communicating with the IP. 

Conclusion

Even though the authors of this Quishing campaign used all the tricks in the book to ensure that their emails would arrive unactioned by security tools to the targeted high value recipients’ inboxes, Darktrace/Email was able to immediately recognize the phishing attempts for what they were and block the emails from reaching their destination. 

This campaign used both classic and novel tactics, techniques, and procedures, but ultimately were detected and thwarted by Darktrace/Email. It is yet another example of the increasing attack sophistication mentioned in a previous Darktrace blog [7], wherein the attack landscape is moving from low-sophistication, low-impact, and generic phishing tactics to more targeted, sophisticated and higher impact attacks. Darktrace/Email does not rely on historical data nor known-bad lists and is best positioned to protect organizations from these highly targeted and sophisticated attacks.

References

[1] https://www.infosecurity-magazine.com/opinions/qr-codes-vulnerability-cybercrimes/ 

[2] https://www.helpnetsecurity.com/2023/03/21/qr-scan-scams/ 

[3] https://www.techtarget.com/searchsecurity/feature/Quishing-on-the-rise-How-to-prevent-QR-code-phishing 

[4] https://businessplus.ie/tech/qr-code-phishing-hp/ 

[5] https://www.virustotal.com/gui/domain/fistulacure.com

[6] https://www.verizon.com/business/en-gb/resources/reports/dbir/ ; https://www.verizon.com/business/en-gb/resources/reports/dbir/

[7] https://darktrace.com/blog/shifting-email-conversation 

Darktrace Model Detections 

Association models

No Sender or Content Association

New Sender

Unknown Sender

Low Sender Association

Link models

Focused Link to File Storage

Focused Rare Classified Links

New Unknown Hidden Redirect

High Risk Link + Low Sender Association

Watched Link Type

High Classified Link

File Storage From New

Hidden Link To File Storage

New Correspondent Classified Link

New Unknown Redirect

Rare Hidden Classified Link

Rare Hidden Link

Link To File Storage

Link To File Storage and Unknown Sender

Open Redirect

Unknown Sender Isolated Rare Link

Visually Prominent Link

Visually Prominent Link Unexpected For Sender

Low Link Association

Low Link Association and Unknown Sender

Spoof models

Fake Support Style

External Domain Similarities

Basic Known Entity Similarities

Unusual models

Urgent Request Banner

Urgent Request Banner + Basic Suspicious Sender

Very Young Header Domain

Young Header Domain

Unknown User Tracking

Unrelated Personal Name Address

Unrelated Personal Name Address + Freemail

Unusual Header TLD

Unusual Connection From Unknown

Unbroken Personal

Proximity models

Spam + Unknown Sender

Spam

Spam models

Unlikely Freemail Correspondence

Unlikely Freemail Personalization

General Indicators models

Incoming Mail Security Warning Message

Darktrace Model Tags

Credential Harvesting

Internal IT Impersonation

Multistage payload

Lookalike Domain

Phishing Link

Email Account Takeover

Fake Account Alert

Low Mailing History

No Association

Spoofing Indicators

Unknown Correspondent

VIP

Freemail

IoC - Type - Description & Confidence

fistulacure[.]com

domain

C2 Infrastructure

docusafe[.]zip

domain

Possible C2 Infrastructure

mwmailtec[.]com

domain

Possible C2 Infrastructure

czeromedia[.]com

domain

Possible C2 Infrastructure

192.40.165[.]109

IP address

Probable C2 Infrastructure

209.94.90[.]1

IP address

C2 Infrastructure

52.61.107[.]58

IP address

Possible C2 Infrastructure

40.126.32[.]133

IP address

Possible C2 Infrastructure

211.63.158[.]157

IP address

Possible C2 Infrastructure

119.9.27[.]129

IP address

Possible C2 Infrastructure

184.25.204[.]33

IP address

Possible C2 Infrastructure

40.107.8[.]107

IP address

Probable C2 Infrastructure

40.107.212[.]111

IP address

Possible Infrastructure

27.86.113[.]2

IP address

Possible C2 Infrastructure

192.40.191[.]19

IP address

Possible C2 Infrastructure

157.205.202[.]217

IP address

Possible C2 Infrastructure

a31f1f6063409ecebe8893e36d0048557142cbf13dbaf81af42bf14c43b12a48

SHA256 hash

Possible Malicious File

4c4fb35ab6445bf3749b9d0ab1b04f492f2bc651acb1bbf7af5f0a47502674c9

SHA256 hash

Possible Malicious File

f9c51d270091c34792b17391017a09724d9a7890737e00700dc36babeb97e252

SHA256 hash

Possible Malicious File

9f8ccfd616a8f73c69d25fd348b874d11a036b4d2b3fc7dbb99c1d6fa7413d9a

SHA256 hash

Possible Malicious File

b748894348c32d1dc5702085d70d846c6dd573296e79754df4857921e707c439

SHA256 hash

Possible Malicious File

Written by
Alexandra Sentenac
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

Unmasking Vo1d: Inside Darktrace’s Botnet Detection

Network
November 12, 2025
Christina Kreza
Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Email
September 30, 2025

Out of Character: Detecting Vendor Compromise and Trusted Relationship Abuse with Darktrace

Phishing emails from compromised vendors are increasingly difficult to distinguish from genuine correspondence. They challenge workers, security teams and traditional email SEGs alike. Anomaly detection can be a game-changer in spotting the subtle signs of these meticulous attacks.
Read more
Email
July 21, 2025

Global Telecom Provider: Powering and Protecting the World's Data Giants

A telecom company relies on Darktrace to uncover email threats other tools miss, save the team time on investigations, and enable 24/7 protection.
The Darktrace Community
Read more
Email
June 18, 2025

Darktrace Collaborates with Microsoft: Unifying Email Security with a Shared Vision

Darktrace and Microsoft have joined forces to enhance email security through a new integration, unifying threat response and quarantine capabilities. This collaboration strengthens defenses and streamlines visibility for security teams, reflecting a shared vision for proactive cyber protection.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

Network

/

November 14, 2025

Unmasking Vo1d: Inside Darktrace’s Botnet Detection

Default blog imageDefault blog image

What is Vo1d APK malware?

Vo1d malware first appeared in the wild in September 2024 and has since evolved into one of the most widespread Android botnets ever observed. This large-scale Android malware primarily targets smart TVs and low-cost Android TV boxes. Initially, Vo1d was identified as a malicious backdoor capable of installing additional third-party software [1]. Its functionality soon expanded beyond the initial infection to include deploying further malicious payloads, running proxy services, and conducting ad fraud operations. By early 2025, it was estimated that Vo1d had infected 1.3 to 1.6 million devices worldwide [2].

From a technical perspective, Vo1d embeds components into system storage to enable itself to download and execute new modules at any time. External researchers further discovered that Vo1d uses Domain Generation Algorithms (DGAs) to create new command-and-control (C2) domains, ensuring that regardless of existing servers being taken down, the malware can quickly reconnect to new ones. Previous published analysis identified dozens of C2 domains and hundreds of DGA seeds, along with new downloader families. Over time, Vo1d has grown increasingly sophisticated with clear signs of stronger obfuscation and encryption methods designed to evade detection [2].

Darktrace’s coverage

Earlier this year, Darktrace observed a surge in Vo1d-related activity across customer environments, with the majority of affected customers based in South Africa. Devices that had been quietly operating as expected began exhibiting unusual network behavior, including excessive DNS lookups. Open-source intelligence (OSINT) has long highlighted South Africa as one of the countries most impacted by Vo1d infections [2].

What makes the recent activity particularly interesting is that the surge observed by Darktrace appears to be concentrated specifically in South African environments. This localized spike suggests that a significant number of devices may have been compromised, potentially due to vulnerable software, outdated firmware, or even preloaded malware. Regions with high prevalence of low-cost, often unpatched devices are especially susceptible, as these everyday consumer electronics can be quietly recruited into the botnet’s network. This specifically appears to be the case with South Africa, where public reporting has documented widespread use of low-cost boxes, such as non-Google-certified Android TV sticks, that frequently ship with outdated firmware [3].

The initial triage highlighted the core mechanism Vo1d uses to remain resilient: its use of DGA. A DGA deterministically creates a large list of pseudo-random domain names on a predictable schedule. This enables the malware to compute hundreds of candidate domains using the same algorithm, instead of using a hard-coded single C2 hostname that defenders could easily block or take down. To ensure reproducible from the infected device’s perspective, Vo1d utilizes DGA seeds. These seeds might be a static string, a numeric value, or a combination of underlying techniques that enable infected devices to generate the same list of candidate domains for a time window, provided the same DGA code, seed, and date are used.

Interestingly, Vo1d’s DGA seeds do not appear to be entirely unpredictable, and the generated domains lack fully random-looking endings. As observed in Figure 1, there is a clear pattern in the names generated. In this case, researchers identified that while the first five characters would change to create the desired list of domain names, the trailing portion remained consistent as part of the seed: 60b33d7929a, which OSINT sources have linked to the Vo1d botnet. [2]. Darktrace’s Threat Research team also identified a potential second DGA seed, with devices in some cases also engaging in activity involving hostnames matching the regular expression /[a-z]{5}fc975904fc9\.(com|top|net). This second seed has not been reported by any OSINT vendors at the time of writing.

Another recurring characteristic observed across multiple cases was the choice of top-level domains (TLDs), which included .com, .net, and .top.

Figure 1: Advanced Search results showing DNS lookups, providing a glimpse on the DGA seed utilized.

The activity was detected by multiple models in Darktrace / NETWORK™, which triggered on devices making an unusually large volume of DNS requests for domains uncommon across the network.

During the network investigation, Darktrace analysts traced Vo1d’s infrastructure and uncovered an interesting pattern related to responder ASNs. A significant number of connections pointed to AS16509 (AMAZON-02). By hosting redirectors or C2 nodes inside major cloud environments, Vo1d is able to gain access to highly available and geographically diverse infrastructure. When one node is taken down or reported, operators can quickly enable a new node under a different IP within the same ASN. Another feature of cloud infrastructure that hardens Vo1d’s resilience is the fact that many organizations allow outbound connections to cloud IP ranges by default, assuming they are legitimate. Despite this, Darktrace was able to identify the rarity of these endpoints, identifying the unusualness of the activity.

Analysts further observed that once a generated domain successfully resolved, infected devices consistently began establishing outbound connections to ephemeral port ranges like TCP ports 55520 and 55521. These destination ports are atypical for standard web or DNS traffic. Even though the choice of high-numbered ports appears random, it is likely far from not accidental. Commonly used ports such as port 80 (HTTP) or 443 (HTTPS) are often subject to more scrutiny and deeper inspection or content filtering, making them riskier for attackers. On the other hand, unregistered ports like 55520 and 55521 are less likely to be blocked, providing a more covert channel that blends with outbound TCP traffic. This tactic helps evade firewall rules that focus on common service ports. Regardless, Darktrace was able to identify external connections on uncommon ports to locations that the network does not normally visit.

The continuation of the described activity was identified by Darktrace’s Cyber AI Analyst, which correlated individual events into a broader interconnected incident. It began with the multiple DNS requests for the algorithmically generated domains, followed by repeated connections to rare endpoints later confirmed as attacker-controlled infrastructure. Cyber AI Analyst’s investigation further enabled it to categorize the events as part of the “established foothold” phase of the attack.

Figure 2: Cyber AI Analyst incident illustrating the transition from DNS requests for DGA domains to connections with resolved attacker-controlled infrastructure.

Conclusion

The observations highlighted in this blog highlight the precision and scale of Vo1d’s operations, ranging from its DGA-generated domains to its covert use of high-numbered ports. The surge in affected South African environments illustrate how regions with many low-cost, often unpatched devices can become major hubs for botnet activity. This serves as a reminder that even everyday consumer electronics can play a role in cybercrime, emphasizing the need for vigilance and proactive security measures.

Credit to Christina Kreza (Cyber Analyst & Team Lead) and Eugene Chua (Principal Cyber Analyst & Team Lead)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

  • Anomalous Connection / Devices Beaconing to New Rare IP
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / DGA Beacon
  • Compromise / Domain Fluxing
  • Compromise / Fast Beaconing to DGA
  • Unusual Activity / Unusual External Activity

List of Indicators of Compromise (IoCs)

  • 3.132.75[.]97 – IP address – Likely Vo1d C2 infrastructure
  • g[.]sxim[.]me – Hostname – Likely Vo1d C2 infrastructure
  • snakeers[.]com – Hostname – Likely Vo1d C2 infrastructure

Selected DGA IoCs

  • semhz60b33d7929a[.]com – Hostname – Possible Vo1d C2 DGA endpoint
  • ggqrb60b33d7929a[.]com – Hostname – Possible Vo1d C2 DGA endpoint
  • eusji60b33d7929a[.]com – Hostname – Possible Vo1d C2 DGA endpoint
  • uacfc60b33d7929a[.]com – Hostname – Possible Vo1d C2 DGA endpoint
  • qilqxfc975904fc9[.]top – Hostname – Possible Vo1d C2 DGA endpoint

MITRE ATT&CK Mapping

  • T1071.004 – Command and Control – DNS
  • T1568.002 – Command and Control – Domain Generation Algorithms
  • T1568.001 – Command and Control – Fast Flux DNS
  • T1571 – Command and Control – Non-Standard Port

[1] https://news.drweb.com/show/?lng=en&i=14900

[2] https://blog.xlab.qianxin.com/long-live-the-vo1d_botnet/

[3] https://mybroadband.co.za/news/broadcasting/596007-warning-for-south-africans-using-specific-types-of-tv-sticks.html

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content.

Continue reading
About the author
Christina Kreza
Cyber Analyst

Blog

/

Network

/

November 6, 2025

Darktrace Named the Only 2025 Gartner® Peer Insights™ Customers’ Choice for Network Detection and Response

Default blog imageDefault blog image

Darktrace: The only Customers’ Choice for NDR in 2025

In a year defined by rapid change across the threat landscape, recognition from those who use and rely on security technology every day means the most.

That’s why we’re proud to share that Darktrace has been named the only Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response (NDR).

Out of 11 leading NDR vendors evaluated, Darktrace stood alone as the sole Customers’ Choice, a recognition that we feel reflects not just our innovation, but the trust and satisfaction of the customers who secure their networks with Darktrace every day.

What the Gartner® Peer Insights™ Voice of the Customer means

“Voice of the Customer” is a document that synthesizes Gartner Peer Insights reviews into insights for buyers of technology and services. This aggregated peer perspective, along with the individual detailed reviews, is complementary to Gartner expert research and can play a key role in your buying process. Peers are verified reviewers of a technology product or service, who not only rate the offering, but also provide valuable feedback to consider before making a purchase decision. Vendors placed in the upper-right “Customers’ Choice” quadrant of the “Voice of the Customer” have scores that meet or exceed the market average for both axes (User Interest and Adoption, and Overall Experience).It’s not just a rating. We feel it’s a reflection of genuine customer sentiment and success in the field.

In our view, Customers consistently highlight Darktrace’s ability to:

  • Detect and respond to unknown threats in real time
  • Deliver unmatched visibility across IT, OT, and cloud environments
  • Automate investigations and responses through AI-driven insights

We believe this recognition reinforces what our customers already know: that Darktrace helps them see, understand, and stop attacks others miss.

A rare double: recognized by customers and analysts alike

This distinction follows another major recogniton. Darktrace’s placement as a Leader in the Gartner® Magic Quadrant™ for Network Detection and Response earlier this year.

That makes Darktrace the only vendor to achieve both:

  • A Leader status in the Gartner Magic Quadrant for NDR, and
  • A Customers’ Choice in Gartner Peer Insights 2025

It’s a rare double that we feel reflects both industry leadership and customer trust, two perspectives that, together, define what great cybersecurity looks like.

A Customers’ Choice across the network and the inbox

To us, this recognition also builds on Darktrace’s momentum across multiple domains. Earlier this year, Darktrace was also named a Customers’ Choice for Email Security Platforms in the Gartner® Peer Insights™ report.

With more than 1,000 verified reviews across Network Detection and Response, Email Security Platforms, and Cyber Physical Systems (CPS), we at Darktrace are proud to be trusted across the full attack surface, from the inbox to the industrial network.

Thank you to our customers

We’re deeply grateful to every customer who shared their experience with Darktrace on Gartner Peer Insights. Your insights drive our innovation and continue to shape how we protect complex, dynamic environments across the world.

Discover why customers choose Darktrace for network and email security.

Gartner® Peer Insights™ content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Magic Quadrant and Peer Insights are registered trademarks of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Gartner, Voice of the Customer for Network Detection and Response, By Peer Community Contributor, 30 October 2025

Continue reading
About the author
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Your data. Our AI.
Elevate your network security with Darktrace AI