Blog
/
Network
/
March 19, 2024

Pikabot Malware: Insights, Impact, & Attack Analysis

Learn about Pikabot malware and its rapid evolution in the wild, impacting organizations and how to defend against this growing threat.
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
19
Mar 2024

How does Loader Malware work?

Throughout 2023, the Darktrace Threat Research team identified and investigated multiple strains of loader malware affecting customers across its fleet. These malicious programs typically serve as a gateway for threat actors to gain initial access to an organization’s network, paving the way for subsequent attacks, including additional malware infections or disruptive ransomware attacks.

How to defend against loader malware

The prevalence of such initial access threats highlights the need for organizations to defend against multi-phase compromises, where modular malware swiftly progresses from one stage of an attack to the next. One notable example observed in 2023 was Pikabot, a versatile loader malware used for initial access and often accompanied by secondary compromises like Cobalt Strike and Black Basta ransomware.

While Darktrace initially investigated multiple instances of campaign-like activity associated with Pikabot during the summer of 2023, a new campaign emerged in October which was observed targeting a Darktrace customer in Europe. Thanks to the timely detection by Darktrace DETECT™ and the support of Darktrace’s Security Operations Center (SOC), the Pikabot compromise was quickly shut down before it could escalate into a more disruptive attack.

What is Pikabot?

Pikabot is one of the latest modular loader malware strains that has been active since the first half of 2023, with several evolutions in its methodology observed in the months since. Initial researchers noted similarities to the Qakbot aka Qbot or Pinkslipbot and Mantanbuchus malware families, and while Pikabot appears to be a new malware in early development, it shares multiple commonalities with Qakbot [1].

First, both Pikabot and Qakbot have similar distribution methods, can be used for multi-stage attacks, and are often accompanied by downloads of Cobalt Strike and other malware strains. The threat actor known as TA577, which has also been referred to as Water Curupira, has been seen to use both types of malware in spam campaigns which can lead to Black Basta ransomware attacks [2] [3].Notably, a rise in Pikabot campaigns were observed in September and October 2023, shortly after the takedown of Qakbot in Operation Duck Hunt, suggesting that Pikabot may be serving as a replacement for initial access to target network [4].

How does Pikabot malware work?

Many Pikabot infections start with a malicious email, particularly using email thread hijacking; however, other cases have been distributed via malspam and malvertising [5]. Once downloaded, Pikabot runs anti-analysis techniques and checks the system’s language, self-terminating if the language matches that of a Commonwealth of Independent States (CIS) country, such as Russian or Ukrainian. It will then gather key information to send to a command-and-control (C2) server, at which point additional payload downloads may be observed [2]. Early response to a Pikabot infection is important for organizations to prevent escalation to a significant compromise such as ransomware.

Darktrace’s Coverage of Pikabot malware

Between April and July 2023, the Darktrace Threat Research team investigated Pikabot infections affected more than 15 customer environments; these attacks primarily targeted US and European organizations spanning multiple industries, and most followed the below lifecycle:

  1. Initial access via malspam or email, often outside of Darktrace’s scope
  2. Suspicious executable download from a URI in the format /\/[a-z0-9A-Z]{3,}\/[a-z0-9A-Z]{5,}/ and using a Windows PowerShell user agent
  3. C2 connections to IP addresses on uncommon ports including 1194 and 2078
  4. Some cases involved further C2 activity to Cobalt Strike endpoints

In October 2023, a second campaign emerged that largely followed the same attack pattern, with a notable difference that cURL was used for the initial payload download as opposed to PowerShell. All the Pikabot cases that Darktrace has observed since October 2023 have used cURL, which could indicate a shift in approach from targeting Windows devices to multi-operating system environments.

Figure 1: Timeline of the Pikabot infection over a 2-hour period.

On October 17, 2023, Darktrace observed a Pikabot infection on the network of a European customer after an internal user seemingly clicked a malicious link in a phishing email, thereby compromising their device. As the customer did not have Darktrace/Email™ deployed on their network, Darktrace did not have visibility over the email. Despite this, DETECT was still able to provide full visibility over the network-based activity that ensued.

Darktrace observed the device using a cURL user agent when initiating the download of an unusual executable (.exe) file from an IP address that had never previously been observed on the network. Darktrace further recognized that the executable file was attempting to masquerade as a different file type, likely to evade the detection of security teams and their security tools. Within one minute, the device began to communicate with additional unusual IP addresses on uncommon ports (185.106.94[.]174:5000 and 80.85.140[.]152:5938), both of which have been noted by open-source intelligence (OSINT) vendors as Pikabot C2 servers [6] [7].

Figure 2: Darktrace model breach Event Log showing the initial file download, immediately followed by a connection attempt to a Pikabot C2 server.

Around 40 minutes after the initial download, Darktrace detected the device performing suspicious DNS tunneling using a pattern that resembled the Cobalt Strike Beacon. This was accompanied by beaconing activity to a rare domain, ‘wordstt182[.]com’, which was registered only 4 days prior to this activity [8]. Darktrace observed additional DNS connections to the endpoint, ‘building4business[.]net’, which had been linked to Black Basta ransomware [2].

Figure 3: The affected device making successful TXT DNS requests to known Black Basta endpoints.

As this customer had integrated Darktrace with the Microsoft Defender, Defender was able to contextualize the DETECT model breaches with endpoint insights, such as known threats and malware, providing customers with unparalleled visibility of the host-level detections surrounding network-level anomalies.

In this case, the behavior of the affected device triggered multiple Microsoft Defender alerts, including one alert which linked the activity to the threat actor Storm-0464, another name for TA577 and Water Curupira. These insights were presented to the customer in the form of a Security Integration alert, allowing them to build a full picture of the ongoing incident.

Figure 4: Security Integration alert from Microsoft Defender in Darktrace, linking the observed activity to the threat group Storm-0464.

As the customer had subscribed to Darktrace’s Proactive Threat Notification (PTN) service, the customer received timely alerts from Darktrace’s SOC notifying them of the suspicious activity associated with Pikabot. This allowed the customer’s security team to quickly identify the affected device and remove it from their environment for remediation.

Although the customer did have Darktrace RESPOND™ enabled on their network, it was configured in human confirmation mode, requiring manual application for any RESPOND actions. RESPOND had suggested numerous actions to interrupt and contain the attack, including blocking connections to the observed Pikabot C2 addresses, which were manually actioned by the customer’s security team after the fact. Had RESPOND been enabled in autonomous response mode during the attack, it would have autonomously blocked these C2 connections and prevented the download of any suspicious files, effectively halting the escalation of the attack.

Nonetheless, Darktrace DETECT’s prompt identification and alerting of this incident played a crucial role in enabling the customer to mitigate the threat of Pikabot, preventing it from progressing into a disruptive ransomware attack.

Figure 5: Darktrace RESPOND actions recommended from the initial file download and throughout the C2 traffic, ranging from blocking specific connections to IP addresses and ports to enforcing a normal pattern of life for the source device.

Conclusion

Pikabot is just one recent example of a modular strain of loader known for its adaptability and speed, seamlessly changing tactics from one campaign to the next and utilizing new infrastructure to initiate multi-stage attacks. Leveraging commonly used tools and services like Windows PowerShell and cURL, alongside anti-analysis techniques, this malware can evade the detection and often bypass traditional security tools.

In this incident, Darktrace detected a Pikabot infection in its early stages, identifying an anomalous file download using a cURL user agent, a new tactic for this particular strain of malware. This timely detection, coupled with the support of Darktrace’s SOC, empowered the customer to quickly identify the compromised device and act against it, thwarting threat actors attempting to connect to malicious Cobalt Strike and Black Basta servers. By preventing the escalation of the attack, including potential ransomware deployment, the customer’s environment remained safeguarded.

Had Darktrace RESPOND been enabled in autonomous response mode at the time of this attack, it would have been able to further support the customer by applying targeted mitigative actions to contain the threat of Pikabot at its onset, bolstering their defenses even more effectively.

Credit to Brianna Leddy, Director of Analysis, Signe Zaharka, Senior Cyber Security Analyst

Appendix

Darktrace DETECT Models

Anomalous Connection / Anomalous SSL without SNI to New External

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / New User Agent to IP Without Hostname

Anomalous Connection / Powershell to Rare External

Anomalous Connection / Rare External SSL Self-Signed

Anomalous Connection / Repeated Rare External SSL Self-Signed

Anomalous File / EXE from Rare External Location

Anomalous File / Masqueraded File Transfer

Anomalous File / Multiple EXE from Rare External Locations

Compromise / Agent Beacon to New Endpoint

Compromise / Beacon to Young Endpoint

Compromise / Beaconing Activity To External Rare

Compromise / DNS / DNS Tunnel with TXT Records

Compromise / New or Repeated to Unusual SSL Port

Compromise / SSL Beaconing to Rare Destination

Compromise / Suspicious Beaconing Behaviour

Compromise / Suspicious File and C2

Device / Initial Breach Chain Compromise

Device / Large Number of Model Breaches

Device / New PowerShell User Agent

Device / New User Agent

Device / New User Agent and New IP

Device / Suspicious Domain

Security Integration / C2 Activity and Integration Detection

Security Integration / Egress and Integration Detection

Security Integration / High Severity Integration Detection

Security Integration / High Severity Integration Incident

Security Integration / Low Severity Integration Detection

Security Integration / Low Severity Integration Incident

Antigena / Network / External Threat / Antigena File then New Outbound Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / Significant Anomaly / Antigena Significant Security Integration and Network Activity Block

List of Indicators of Compromise (IoC)

IOC - TYPE - DESCRIPTION + CONFIDENCE

128.140.102[.]132 - IP Address - Pikabot Download

185.106.94[.]174:5000 - IP Address: Port - Pikabot C2 Endpoint

80.85.140[.]152:5938 - IP Address: Port - Pikabot C2 Endpoint

building4business[.]net - Hostname - Cobalt Strike DNS Beacon

wordstt182[.]com - Hostname - Cobalt Strike Server

167.88.166[.]109 - IP Address - Cobalt Strike Server

192.9.135[.]73 - IP - Pikabot C2 Endpoint

192.121.17[.]68 - IP - Pikabot C2 Endpoint

185.87.148[.]132 - IP - Pikabot C2 Endpoint

129.153.22[.]231 - IP - Pikabot C2 Endpoint

129.153.135[.]83 - IP - Pikabot C2 Endpoint

154.80.229[.]76 - IP - Pikabot C2 Endpoint

192.121.17[.]14 - IP - Pikabot C2 Endpoint

162.252.172[.]253 - IP - Pikabot C2 Endpoint

103.124.105[.]147 - IP - Likely Pikabot Download

178.18.246[.]136 - IP - Pikabot C2 Endpoint

86.38.225[.]106 - IP - Pikabot C2 Endpoint

198.44.187[.]12 - IP - Pikabot C2 Endpoint

154.12.233[.]66 - IP - Pikabot C2 Endpoint

MITRE ATT&CK Mapping

TACTIC - TECHNIQUE

Defense Evasion - Masquerading: Masquerade File Type (T1036.008)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Non-Standard Port (T1571)

Command and Control - Application Layer Protocol: DNS (T1071.004)

Command and Control - Protocol Tunneling (T1572)

References

[1] https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/?&web_view=true  

[2] https://www.trendmicro.com/en_be/research/24/a/a-look-into-pikabot-spam-wave-campaign.html

[3] https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html

[4] https://www.darkreading.com/cyberattacks-data-breaches/pikabot-malware-qakbot-replacement-black-basta-attacks

[5] https://www.redpacketsecurity.com/pikabot-distributed-via-malicious-ads-6/

[6] https://www.virustotal.com/gui/ip-address/185.106.94.174/detection

[7] https://www.virustotal.com/gui/ip-address/80.85.140.152/detection

[8] https://www.domainiq.com/domain?wordstt182.com

No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.

More in this series

No items found.

Blog

/

/

October 15, 2025

How a Major Civil Engineering Company Reduced MTTR across Network, Email and the Cloud with Darktrace

Default blog imageDefault blog image

Asking more of the information security team

“What more can we be doing to secure the company?” is a great question for any cyber professional to hear from their Board of Directors. After successfully defeating a series of attacks and seeing the potential for AI tools to supercharge incoming threats, a UK-based civil engineering company’s security team had the answer: Darktrace.

“When things are coming at you at machine speed, you need machine speed to fight it off – it’s as simple as that,” said their Information Security Manager. “There were incidents where it took us a few hours to get to the bottom of what was going on. Darktrace changed that.”

Prevention was also the best cure. A peer organization in the same sector was still in business continuity measures 18 months after an attack, and the security team did not want to risk that level of business disruption.

Legacy tools were not meeting the team’s desired speed or accuracy

The company’s native SaaS email platform took between two and 14 days to alert on suspicious emails, with another email security tool flagging malicious emails after up to 24 days. After receiving an alert, responses often took a couple of days to coordinate. The team was losing precious time.

Beyond long detection and response times, the old email security platform was no longer performing: 19% of incoming spam was missed. Of even more concern: 6% of phishing emails reached users’ inboxes, and malware and ransomware email was also still getting through, with 0.3% of such email-borne payloads reaching user inboxes.

Choosing Darktrace

“When evaluating tools in 2023, only Darktrace had what I was looking for: an existing, mature, AI-based cybersecurity solution. ChatGPT had just come out and a lot of companies were saying ‘AI this’ and ‘AI that’. Then you’d take a look, and it was all rules- and cases-based, not AI at all,” their Information Security Manager.

The team knew that, with AI-enabled attacks on the horizon, a cybersecurity company that had already built, fielded, and matured an AI-powered cyber defense would give the security team the ability to fend off machine-speed attacks at the same pace as the attackers.

Darktrace accomplishes this with multi-layered AI that learns each organization’s normal business operations. With this detailed level of understanding, Darktrace’s Self-Learning AI can recognize unusual activity that may indicate a cyber-attack, and works to neutralize the threat with precise response actions. And it does this all at machine speed and with minimal disruption.

On the morning the team was due to present its findings, the session was cancelled – for a good reason. The Board didn’t feel further discussion was necessary because the case for Darktrace was so conclusive. The CEO described the Darktrace option as ‘an insurance policy we can’t do without’.

Saving time with Darktrace / EMAIL

Darktrace / EMAIL reduced the discovery, alert, and response process from days or weeks to seconds .

Darktrace / EMAIL automates what was originally a time-consuming and repetitive process. The team has recovered between eight and 10 working hours a week by automating much of this process using / EMAIL.

Today, Darktrace / EMAIL prevents phishing emails from reaching employees’ inboxes. The volume of hostile and unsolicited email fell to a third of its original level after Darktrace / EMAIL was set up.

Further savings with Darktrace / NETWORK and Darktrace / IDENTITY

Since its success with Darktrace / EMAIL, the company adopted two more products from the Darktrace ActiveAI Security Platform – Darktrace / NETWORK and Darktrace / IDENTITY.

These have further contributed to cost savings. An initial plan to build a 24/7 SOC would have required hiring and retaining six additional analysts, rather than the two that currently use Darktrace, costing an additional £220,000 per year in salary. With Darktrace, the existing analysts have the tools needed to become more effective and impactful.

An additional benefit: Darktrace adoption has lowered the company’s cyber insurance premiums. The security team can reallocate this budget to proactive projects.

Detection of novel threats provides reassurance

Darktrace’s unique approach to cybersecurity added a key benefit. The team’s previous tool took a rules-based approach – which was only good if the next attack featured the same characteristics as the ones on which the tool was trained.

“Darktrace looks for anomalous behavior, and we needed something that detected and responded based on use cases, not rules that might be out of date or too prescriptive,” their Information Security Manager. “Our existing provider could take a couple of days to update rules and signatures, and in this game, speed is of the essence. Darktrace just does everything we need - without delay.”

Where rules-based tools must wait for a threat to emerge before beginning to detect and respond to it, Darktrace identifies and protects against unknown and novel threats, speeding identification, response, and recovery, minimizing business disruption as a result.

Looking to the future

With Darktrace in place, the UK-based civil engineering company team has reallocated time and resources usually spent on detection and alerting to now tackle more sophisticated, strategic challenges. Darktrace has also equipped the team with far better and more regularly updated visibility into potential vulnerabilities.

“One thing that frustrates me a little is penetration testing; our ISO accreditation mandates a penetration test at least once a year, but the results could be out of date the next day,” their Information Security Manager. “Darktrace / Proactive Exposure Management will give me that view in real time – we can run it daily if needed - and that’s going to be a really effective workbench for my team.”

As the company looks to further develop its security posture, Darktrace remains poised to evolve alongside its partner.

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

October 14, 2025

Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response

akira sonicwallDefault blog imageDefault blog image

Introduction: Background on Akira SonicWall campaign

Between July and August 2025, security teams worldwide observed a surge in Akira ransomware incidents involving SonicWall SSL VPN devices [1]. Initially believed to be the result of an unknown zero-day vulnerability, SonicWall later released an advisory announcing that the activity was strongly linked to a previously disclosed vulnerability, CVE-2024-40766, first identified over a year earlier [2].

On August 20, 2025, Darktrace observed unusual activity on the network of a customer in the US. Darktrace detected a range of suspicious activity, including network scanning and reconnaissance, lateral movement, privilege escalation, and data exfiltration. One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology.

As the customer was subscribed to the Managed Detection and Response (MDR) service, Darktrace’s Security Operations Centre (SOC) team was able to rapidly triage critical alerts, restrict the activity of affected devices, and notify the customer of the threat. As a result, the impact of the attack was limited - approximately 2 GiB of data had been observed leaving the network, but any further escalation of malicious activity was stopped.

Threat Overview

CVE-2024-40766 and other misconfigurations

CVE-2024-40766 is an improper access control vulnerability in SonicWall’s SonicOS, affecting Gen 5, Gen 6, and Gen 7 devices running SonicOS version 7.0.1 5035 and earlier [3]. The vulnerability was disclosed on August 23, 2024, with a patch released the same day. Shortly after, it was reported to be exploited in the wild by Akira ransomware affiliates and others [4].

Almost a year later, the same vulnerability is being actively targeted again by the Akira ransomware group. In addition to exploiting unpatched devices affected by CVE-2024-40766, security researchers have identified three other risks potentially being leveraged by the group [5]:

*The Virtual Office Portal can be used to initially set up MFA/TOTP configurations for SSLVPN users.

Thus, even if SonicWall devices were patched, threat actors could still target them for initial access by reusing previously stolen credentials and exploiting other misconfigurations.

Akira Ransomware

Akira ransomware was first observed in the wild in March 2023 and has since become one of the most prolific ransomware strains across the threat landscape [6]. The group operates under a Ransomware-as-a-Service (RaaS) model and frequently uses double extortion tactics, pressuring victims to pay not only to decrypt files but also to prevent the public release of sensitive exfiltrated data.

The ransomware initially targeted Windows systems, but a Linux variant was later observed targeting VMware ESXi virtual machines [7]. In 2024, it was assessed that Akira would continue to target ESXi hypervisors, making attacks highly disruptive due to the central role of virtualisation in large-scale cloud deployments. Encrypting the ESXi file system enables rapid and widespread encryption with minimal lateral movement or credential theft. The lack of comprehensive security protections on many ESXi hypervisors also makes them an attractive target for ransomware operators [8].

Victimology

Akira is known to target organizations across multiple sectors, most notably those in manufacturing, education, and healthcare. These targets span multiple geographic regions, including North America, Latin America, Europe and Asia-Pacific [9].

Geographical distribution of organization’s affected by Akira ransomware in 2025 [9].
Figure 1: Geographical distribution of organization’s affected by Akira ransomware in 2025 [9].

Common Tactics, Techniques and Procedures (TTPs) [7][10]

Initial Access
Targets remote access services such as RDP and VPN through vulnerability exploitation or stolen credentials.

Reconnaissance
Uses network scanning tools like SoftPerfect and Advanced IP Scanner to map the environment and identify targets.

Lateral Movement
Moves laterally using legitimate administrative tools, typically via RDP.

Persistence
Employs techniques such as Kerberoasting and pass-the-hash, and tools like Mimikatz to extract credentials. Known to create new domain accounts to maintain access.

Command and Control
Utilizes remote access tools including AnyDesk, RustDesk, Ngrok, and Cloudflare Tunnel.

Exfiltration
Uses tools such as FileZilla, WinRAR, WinSCP, and Rclone. Data is exfiltrated via protocols like FTP and SFTP, or through cloud storage services such as Mega.

Darktrace’s Coverage of Akira ransomware

Reconnaissance

Darktrace first detected of unusual network activity around 05:10 UTC, when a desktop device was observed performing a network scan and making an unusual number of DCE-RPC requests to the endpoint mapper (epmapper) service. Network scans are typically used to identify open ports, while querying the epmapper service can reveal exposed RPC services on the network.

Multiple other devices were also later seen with similar reconnaissance activity, and use of the Advanced IP Scanner tool, indicated by connections to the domain advanced-ip-scanner[.]com.

Lateral movement

Shortly after the initial reconnaissance, the same desktop device exhibited unusual use of administrative tools. Darktrace observed the user agent “Ruby WinRM Client” and the URI “/wsman” as the device initiated a rare outbound Windows Remote Management (WinRM) connection to two domain controllers (REDACTED-dc1 and REDACTED-dc2). WinRM is a Microsoft service that uses the WS-Management (WSMan) protocol to enable remote management and control of network devices.

Darktrace also observed the desktop device connecting to an ESXi device (REDACTED-esxi1) via RDP using an LDAP service credential, likely with administrative privileges.

Credential access

At around 06:26 UTC, the desktop device was seen fetching an Active Directory certificate from the domain controller (REDACTED-dc1) by making a DCE-RPC request to the ICertPassage service. Shortly after, the device made a Kerberos login using the administrative credential.

Figure 3: Darktrace’s detection of the of anomalous certificate download and subsequent Kerberos login.

Further investigation into the device’s event logs revealed a chain of connections that Darktrace’s researchers believe demonstrates a credential access technique known as “UnPAC the hash.”

This method begins with pre-authentication using Kerberos’ Public Key Cryptography for Initial Authentication (PKINIT), allowing the client to use an X.509 certificate to obtain a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC) instead of a password.

The next stage involves User-to-User (U2U) authentication when requesting a Service Ticket (ST) from the KDC. Within Darktrace's visibility of this traffic, U2U was indicated by the client and service principal names within the ST request being identical. Because PKINIT was used earlier, the returned ST contains the NTLM hash of the credential, which can then be extracted and abused for lateral movement or privilege escalation [11].

Flowchart of Kerberos PKINIT pre-authentication and U2U authentication [12].
Figure 4: Flowchart of Kerberos PKINIT pre-authentication and U2U authentication [12]
Figure 5: Device event log showing the Kerberos Login and Kerberos Ticket events

Analysis of the desktop device’s event logs revealed a repeated sequence of suspicious activity across multiple credentials. Each sequence included a DCE-RPC ICertPassage request to download a certificate, followed by a Kerberos login event indicating PKINIT pre-authentication, and then a Kerberos ticket event consistent with User-to-User (U2U) authentication.

Darktrace identified this pattern as highly unusual. Cyber AI Analyst determined that the device used at least 15 different credentials for Kerberos logins over the course of the attack.

By compromising multiple credentials, the threat actor likely aimed to escalate privileges and facilitate further malicious activity, including lateral movement. One of the credentials obtained via the “UnPAC the hash” technique was later observed being used in an RDP session to the domain controller (REDACTED-dc2).

C2 / Additional tooling

At 06:44 UTC, the domain controller (REDACTED-dc2) was observed initiating a connection to temp[.]sh, a temporary cloud hosting service. Open-source intelligence (OSINT) reporting indicates that this service is commonly used by threat actors to host and distribute malicious payloads, including ransomware [13].

Shortly afterward, the ESXi device was observed downloading an executable named “vmwaretools” from the rare external endpoint 137.184.243[.]69, using the user agent “Wget.” The repeated outbound connections to this IP suggest potential command-and-control (C2) activity.

Cyber AI Analyst investigation into the suspicious file download and suspected C2 activity between the ESXI device and the external endpoint 137.184.243[.]69.
Figure 6: Cyber AI Analyst investigation into the suspicious file download and suspected C2 activity between the ESXI device and the external endpoint 137.184.243[.]69.
Packet capture (PCAP) of connections between the ESXi device and 137.184.243[.]69.
Figure 7: Packet capture (PCAP) of connections between the ESXi device and 137.184.243[.]69.

Data exfiltration

The first signs of data exfiltration were observed at around 7:00 UTC. Both the domain controller (REDACTED-dc2) and a likely SonicWall VPN device were seen uploading approximately 2 GB of data via SSH to the rare external endpoint 66.165.243[.]39 (AS29802 HVC-AS). OSINT sources have since identified this IP as an indicator of compromise (IoC) associated with the Akira ransomware group, known to use it for data exfiltration [14].

Cyber AI Analyst incident view highlighting multiple unusual events across several devices on August 20. Notably, it includes the “Unusual External Data Transfer” event, which corresponds to the anomalous 2 GB data upload to the known Akira-associated endpoint 66.165.243[.]39.
Figure 8: Cyber AI Analyst incident view highlighting multiple unusual events across several devices on August 20. Notably, it includes the “Unusual External Data Transfer” event, which corresponds to the anomalous 2 GB data upload to the known Akira-associated endpoint 66.165.243[.]39.

Cyber AI Analyst

Throughout the course of the attack, Darktrace’s Cyber AI Analyst autonomously investigated the anomalous activity as it unfolded and correlated related events into a single, cohesive incident. Rather than treating each alert as isolated, Cyber AI Analyst linked them together to reveal the broader narrative of compromise. This holistic view enabled the customer to understand the full scope of the attack, including all associated activities and affected assets that might otherwise have been dismissed as unrelated.

Overview of Cyber AI Analyst’s investigation, correlating all related internal and external security events across affected devices into a single pane of glass.
Figure 9: Overview of Cyber AI Analyst’s investigation, correlating all related internal and external security events across affected devices into a single pane of glass.

Containing the attack

In response to the multiple anomalous activities observed across the network, Darktrace's Autonomous Response initiated targeted mitigation actions to contain the attack. These included:

  • Blocking connections to known malicious or rare external endpoints, such as 137.184.243[.]69, 66.165.243[.]39, and advanced-ip-scanner[.]com.
  • Blocking internal traffic to sensitive ports, including 88 (Kerberos), 3389 (RDP), and 49339 (DCE-RPC), to disrupt lateral movement and credential abuse.
  • Enforcing a block on all outgoing connections from affected devices to contain potential data exfiltration and C2 activity.
Autonomous Response actions taken by Darktrace on an affected device, including the blocking of malicious external endpoints and internal service ports.
Figure 10: Autonomous Response actions taken by Darktrace on an affected device, including the blocking of malicious external endpoints and internal service ports.

Managed Detection and Response

As this customer was an MDR subscriber, multiple Enhanced Monitoring alerts—high-fidelity models designed to detect activity indicative of compromise—were triggered across the network. These alerts prompted immediate investigation by Darktrace’s SOC team.

Upon determining that the activity was likely linked to an Akira ransomware attack, Darktrace analysts swiftly acted to contain the threat. At around 08:05 UTC, devices suspected of being compromised were quarantined, and the customer was promptly notified, enabling them to begin their own remediation procedures without delay.

A wider campaign?

Darktrace’s SOC and Threat Research teams identified at least three additional incidents likely linked to the same campaign. All targeted organizations were based in the US, spanning various industries, and each have indications of using SonicWall VPN, indicating it had likely been targeted for initial access.

Across these incidents, similar patterns emerged. In each case, a suspicious executable named “vmwaretools” was downloaded from the endpoint 85.239.52[.]96 using the user agent “Wget”, bearing some resemblance to the file downloads seen in the incident described here. Data exfiltration was also observed via SSH to the endpoints 107.155.69[.]42 and 107.155.93[.]154, both of which belong to the same ASN also seen in the incident described in this blog: S29802 HVC-AS. Notably, 107.155.93[.]154 has been reported in OSINT as an indicator associated with Akira ransomware activity [15]. Further recent Akira ransomware cases have been observed involving SonicWall VPN, where no similar executable file downloads were observed, but SSH exfiltration to the same ASN was. These overlapping and non-overlapping TTPs may reflect the blurring lines between different affiliates operating under the same RaaS.

Lessons from the campaign

This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released. It also demonstrates how misconfigurations and overlooked weaknesses can be leveraged for initial access or privilege escalation, even in otherwise well-maintained environments.

Darktrace’s observations further reveal that ransomware actors are increasingly relying on legitimate administrative tools, such as WinRM, to blend in with normal network activity and evade detection. In addition to previously documented Kerberos-based credential access techniques like Kerberoasting and pass-the-hash, this campaign featured the use of UnPAC the hash to extract NTLM hashes via PKINIT and U2U authentication for lateral movement or privilege escalation.

Credit to Emily Megan Lim (Senior Cyber Analyst), Vivek Rajan (Senior Cyber Analyst), Ryan Traill (Analyst Content Lead), and Sam Lister (Specialist Security Researcher)

Appendices

Darktrace Model Detections

Anomalous Connection / Active Remote Desktop Tunnel

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / New User Agent to IP Without Hostname

Anomalous Connection / Possible Data Staging and External Upload

Anomalous Connection / Rare WinRM Incoming

Anomalous Connection / Rare WinRM Outgoing

Anomalous Connection / Uncommon 1 GiB Outbound

Anomalous Connection / Unusual Admin RDP Session

Anomalous Connection / Unusual Incoming Long Remote Desktop Session

Anomalous Connection / Unusual Incoming Long SSH Session

Anomalous Connection / Unusual Long SSH Session

Anomalous File / EXE from Rare External Location

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Server Activity / Outgoing from Server

Anomalous Server Activity / Rare External from Server

Compliance / Default Credential Usage

Compliance / High Priority Compliance Model Alert

Compliance / Outgoing NTLM Request from DC

Compliance / SSH to Rare External Destination

Compromise / Large Number of Suspicious Successful Connections

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Device / Anomalous Certificate Download Activity

Device / Anomalous SSH Followed By Multiple Model Alerts

Device / Anonymous NTLM Logins

Device / Attack and Recon Tools

Device / ICMP Address Scan

Device / Large Number of Model Alerts

Device / Network Range Scan

Device / Network Scan

Device / New User Agent To Internal Server

Device / Possible SMB/NTLM Brute Force

Device / Possible SMB/NTLM Reconnaissance

Device / RDP Scan

Device / Reverse DNS Sweep

Device / Suspicious SMB Scanning Activity

Device / UDP Enumeration

Unusual Activity / Unusual External Data to New Endpoint

Unusual Activity / Unusual External Data Transfer

User / Multiple Uncommon New Credentials on Device

User / New Admin Credentials on Client

User / New Admin Credentials on Server

Enhanced Monitoring Models

Compromise / Anomalous Certificate Download and Kerberos Login

Device / Initial Attack Chain Activity

Device / Large Number of Model Alerts from Critical Network Device

Device / Multiple Lateral Movement Model Alerts

Device / Suspicious Network Scan Activity

Unusual Activity / Enhanced Unusual External Data Transfer

Antigena/Autonomous Response Models

Antigena / Network / External Threat / Antigena File then New Outbound Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Insider Threat / Antigena Network Scan Block

Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Block

Antigena / Network / Manual / Quarantine Device

Antigena / Network / Significant Anomaly / Antigena Alerts Over Time Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Repeated Antigena Alerts

List of Indicators of Compromise (IoCs)

·      66.165.243[.]39 – IP Address – Data exfiltration endpoint

·      107.155.69[.]42 – IP Address – Probable data exfiltration endpoint

·      107.155.93[.]154 – IP Address – Likely Data exfiltration endpoint

·      137.184.126[.]86 – IP Address – Possible C2 endpoint

·      85.239.52[.]96 – IP Address – Likely C2 endpoint

·      hxxp://85.239.52[.]96:8000/vmwarecli  – URL – File download

·      hxxp://137.184.126[.]86:8080/vmwaretools – URL – File download

MITRE ATT&CK Mapping

Initial Access – T1190 – Exploit Public-Facing Application

Reconnaissance – T1590.002 – Gather Victim Network Information: DNS

Reconnaissance – T1590.005 – Gather Victim Network Information: IP Addresses

Reconnaissance – T1592.004 – Gather Victim Host Information: Client Configurations

Reconnaissance – T1595 – Active Scanning

Discovery – T1018 – Remote System Discovery

Discovery – T1046 – Network Service Discovery

Discovery – T1083 – File and Directory Discovery

Discovery – T1135 – Network Share Discovery

Lateral Movement – T1021.001 – Remote Services: Remote Desktop Protocol

Lateral Movement – T1021.004 – Remote Services: SSH

Lateral Movement – T1021.006 – Remote Services: Windows Remote Management

Lateral Movement – T1550.002 – Use Alternate Authentication Material: Pass the Hash

Lateral Movement – T1550.003 – Use Alternate Authentication Material: Pass the Ticket

Credential Access – T1110.001 – Brute Force: Password Guessing

Credential Access – T1649 – Steal or Forge Authentication Certificates

Persistence, Privilege Escalation – T1078 – Valid Accounts

Resource Development – T1588.001 – Obtain Capabilities: Malware

Command and Control – T1071.001 – Application Layer Protocol: Web Protocols

Command and Control – T1105 – Ingress Tool Transfer

Command and Control – T1573 – Encrypted Channel

Collection – T1074 – Data Staged

Exfiltration – T1041 – Exfiltration Over C2 Channel

Exfiltration – T1048 – Exfiltration Over Alternative Protocol

References

[1] https://thehackernews.com/2025/08/sonicwall-investigating-potential-ssl.html

[2] https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

[3] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

[4] https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/

[5] https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/

[6] https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

[7] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

[8] https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/

[9] https://www.ransomware.live/map?year=2025&q=akira

[10] https://attack.mitre.org/groups/G1024/
[11] https://labs.lares.com/fear-kerberos-pt2/#UNPAC

[12] https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash

[13] https://www.s-rminform.com/latest-thinking/derailing-akira-cyber-threat-intelligence)

[14] https://fieldeffect.com/blog/update-akira-ransomware-group-targets-sonicwall-vpn-appliances

[15] https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/

Continue reading
About the author
Emily Megan Lim
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI