ブログ
/
Network
/
September 13, 2023

How Darktrace Stopped Akira Ransomware

Learn how Darktrace is uniquely placed to identify and contain the novel Akira ransomware strain, first observed in March 2023.
Written by
Manoel Kadja
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Manoel Kadja
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
Sep 2023

Introduction to Akira Ransomware

In the face of a seemingly never-ending production line of novel ransomware strains, security teams across the threat landscape are continuing to see a myriad of new variants and groups targeting their networks. Naturally, new strains and threat groups present unique challenges to organizations. The use of previously unseen tactics, techniques, and procedures (TTPs) means that threat actors can often completely bypass traditional rule and signature-based security solutions, thus rendering an organization’s digital environment vulnerable to attack.

What is Akira Ransomware?

One such example of a novel ransomware family is Akira, which was first observed in the wild in March 2023. Much like many other strains, Akira is known to target corporate networks worldwide, encrypting sensitive files and demanding huge sums of money to retrieve the data and stop it from being posted online [1].

Key characteristics of Akira Ransomware

  • Targeted Attacks: Focuses on specific industries and organizations, often targeting those with valuable data.
  • Double Extortion Tactics: Employs double extortion by encrypting data and threatening to release it publicly if the ransom is not paid.
  • Advanced Encryption: Utilizes sophisticated encryption algorithms to ensure that data recovery is impossible without the decryption key.
  • Custom Ransom Notes: Delivers personalized ransom notes tailored to the victim, often containing detailed instructions and specific payment demands.
  • Stealth Techniques: Uses advanced evasion techniques to avoid detection by security tools and to remain undetected for extended periods.
  • Fast Encryption Process: Known for its rapid encryption process, minimizing the time window for detection and response by the victim.
  • Frequent Updates: Regularly updates its malware to bypass the latest security defenses and to improve its effectiveness.
  • Professional Communication: Maintains professional and often polite communication with victims to facilitate ransom payments and decryption.

Darktrace AI capabilities detect Akira Ransomware

In late May 2023, Darktrace observed multiple instances of Akira ransomware affecting networks across its customer base. Thanks to its anomaly-based approach to threat detection, Darktrace successfully identified the novel ransomware attacks and provided full visibility over the cyber kill chain, from the initial compromise to the eventual file encryptions and ransom notes. In cases where Darktrace was enabled in autonomous response mode, these attacks were mitigated the early stages of the attack, thus minimizing any disruption or damage to customer networks.

Initial access and privileged escalation

Methods used by Akira ransomware for privileged escalation

The Akira ransomware group typically uses spear-phishing campaigns containing malicious downloads or links as their primary initial access vector; however, they have also been known to use Remote Desktop Protocol (RDP) brute-force attacks to access target networks [2].

While Darktrace did observe the early access activities that are detailed below, it is very likely that the actual initial intrusion happened prior to this, through targeted phishing attacks that fell outside of Darktrace’s purview. The first indicators of compromise (IoCs) that Darktrace observed on customer networks affected by Darktrace were typically unusual RDP sessions, and the use of compromised administrative credentials.

Darktrace detection of initial access and priviledged escalation

On one Darktrace customer’s network (customer A), Darktrace identified a highly privileged credential being used for the first time on an internal server on May 21, 2023. Around a week later, this server was observed establishing RDP connections with multiple internal destination devices via port 3389. Further investigation carried out by the customer revealed that this credential had indeed been compromised. On May 30, Darktrace detected another device scanning internal devices and repeatedly failing to authenticate via Kerberos.

As the customer had integrated Darktrace with Microsoft Defender, their security team received additional cyber threat intelligence from Microsoft which, coupled with the anomaly alerts provided by Darktrace, helped to further contextualize these anomalous events. One specific detail gleaned from this integration was that the anomalous scanning activity and failed authentication attempts were carried out using the compromised administrative credentials mentioned earlier.

By integrating Microsoft Defender with Darktrace, customers can efficiently close security gaps across their digital infrastructure. While Darktrace understands customer environments and provides valuable network-level insights, by integrating with Microsoft Defender, customers can further enrich these insights with endpoint-specific information and activity.

In another customer’s network (customer B), Darktrace detected a device, later observed writing a ransom note, receiving an unusual RDP connection from another internal device. The RDP cookie used during this activity was an administrative RDP cookie that appeared to have been compromised. This device was also observed making multiple connections to the domain, api.playanext[.]com, and using the user agent , AnyDesk/7.1.11, indicating the use of the AnyDesk remote desktop service.

Although this external domain does not appear directly related to Akira ransomware, open-source intelligence (OSINT) found associations with multiple malicious files, and it appeared to be associated with the AnyDesk user agent, AnyDesk/6.0.1 [3]. The connections to this endpoint likely represented the malicious use of AnyDesk to remotely control the customer’s device, rather than Akira command-and-control (C2) infrastructure or payloads. Alternatively, it could be indicative of a spoofing attempt in which the threat actor is attempting to masquerade as legitimate remote desktop service to remain undetected by security tools.

Around the same time, Darktrace observed many devices on customer B’s network making anomalous internal RDP connections and authenticating via Kerberos, NTLM, or SMB using the same administrative credential. These devices were later confirmed to be affected by Akira Ransomware.

Figure 1 shows how Darktrace detected one of those internal devices failing to login via SMB multiple times with a certain credential (indication of a possible SMB/NTLM brute force), before successfully accessing other internal devices via SMB, NTLM and RDP using the likely compromised administrative credential mentioned earlier.

Figure 1: Model Breach Event Log indicating unusual SMB, NTLM and RDP activity with different credentials detected which led to the Darktrace model breaches, "Unusual Admin RDP Session” and “Successful Admin Brute-Force Activity”.

Darktrace models observed for initial access and privilege escalation:

  • Device / Anomalous RDP Followed By Multiple Model Breaches
  • Anomalous Connection / Unusual Admin RDP Session
  • New Admin Credentials on Server
  • Possible SMB/NTLM Brute Force Indicator
  • Unusual Activity / Successful Admin Brute-Force Activity

Internal Reconnaissance and Lateral Movement

The next step Darktrace observed during Akira Ransomware attacks across the customer was internal reconnaissance and lateral movement.

How Akira Ransomware conducts internal reconnaissance

In another customer’s environment (customer C), after authenticating via NTLM using a compromised credential, a domain controller was observed accessing a large amount of SMB shares it had never previously accessed. Darktrace understood that this SMB activity represented a deviation in the device’s expected behavior and recognized that it could be indicative of SMB enumeration. Darktrace observed the device making at least 196 connections to 34 unique internal IPs via port 445. SMB actions read, write, and delete were observed during those connections. This domain controller was also one of many devices on the customer’s network that was received incoming connections from an external endpoint over port 3389 using the RDP protocol, indicating that the devices were likely being remotely controlled from outside the network. While there were no direct OSINT links with this endpoint and Akira ransomware, the domain controller in question was later confirmed to be compromised and played a key role in this phase of the attack.

Moreover, this represents the second IoC that Darktrace observed that had no obvious connection to Akira, likely indicating that Akira actors are establishing entirely new infrastructure to carry out their attacks, or even utilizing newly compromised legitimate infrastructure. As Darktrace adopts an anomaly-based approach to threat detection, it can recognize suspicious activity indicative of an emerging ransomware attack based on its unusualness, rather than having to rely on previously observed IoCs and lists of ‘known-bads’.

Darktrace further observed a flurry of activity related to lateral movement around this time, primarily via SMB writes of suspicious files to other internal destinations. One particular device on customer C’s network was detected transferring multiple executable (.exe) and script files to other internal devices via SMB.

Darktrace recognized that these transfers represented a deviation from the device’s normal SMB activity and may have indicated threat actors were attempting to compromise additional devices via the transfer of malicious software.

Figure 2: Advanced Search results showing 20 files associated with suspicious SMB write activity, amongst them executable files and dynamic link libraries (DLLs).

Darktrace DETECT models observed for internal reconnaissance and lateral movement:

  • Device / RDP Scan
  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Possible Share Enumeration Activity
  • Scanning of Multiple Devices (Cyber AI Analyst Incident)
  • Device / Possible SMB/NTLM Reconnaissance
  • Compliance / Incoming Remote Desktop
  • Compliance / Outgoing NTLM Request from DC
  • Unusual Activity / Internal Data Transfer
  • Security Integration / Lateral Movement and Integration Detection
  • Device / Anomalous SMB Followed By Multiple Model Breaches

Ransomware deployment

In the final phase of Akira ransomware attacks detected on Darktrace customer networks, Darktrace identified the file extension “.akira” being added after encryption to a variety of files on the affected network shares, as well as a ransom note titled “akira_readme.txt” being dropped on affected devices.

On customer A’s network, after nearly 9,000 login failures and 2,000 internal connection attempts indicative of scanning activity, one device was detected transferring suspicious files over SMB to other internal devices. The device was then observed connecting to another internal device via SMB and continuing suspicious file activity, such as appending files on network shares with the “.akira” extension, and performing suspicious writes to SMB shares on other internal devices.

Darktrace’s autonomous threat investigator, Cyber AI Analyst™, was able to analyze the multiple events related to this encryption activity and collate them into one AI Analyst incident, presenting a detailed and comprehensive summary of the entire incident within 10 minutes of Darktrace’s initial detection. Rather than simply viewing individual breaches as standalone activity, AI Analyst can identify the individual steps of an ongoing attack to provide complete visibility over emerging compromises and their kill chains. Not only does this bolster the network’s defenses, but the autonomous investigations carried out by AI Analyst also help to save the security team’s time and resources in triaging and monitoring ongoing incidents.

Figure 3: Darktrace Cyber AI Analyst incident correlated multiple model breaches together to show Akira ransomware encryption activity.

In addition to analyzing and compiling Darktrace model breaches, AI Analyst also leveraged the host-level insights provided by Microsoft Defender to enrich its investigation into the encryption event. By using the Security Integration model breaches, AI Analyst can retrieve timestamp and device details from a Defender alert and further investigate any unusual activity surrounding the alert to present a full picture of the suspicious activity.

In customer B’s environment, following the unusual RDP sessions and rare external connections using the AnyDesk user agent, an affected device was later observed writing around 2,000 files named "akira_readme.txt" to multiple internal SMB shares. This represented the malicious actor dropping ransom notes, containing the demands and extortion attempts of the actors.

Figure 4: Model Breach Event Log indicating the ransom note detected on May 12, 2023, which led to the Darktrace DETECT model breach, Anomalous Server Activity / Write to Network Accessible WebRoot.
Figure 5: Packet Capture (PCAP) demonstrating the Akira ransom note captured from the connection details seen in Figure 4.

As a result of this ongoing activity, an Enhanced Monitoring model breach, a high-fidelity detection model type that detects activities that are more likely to be indicative of compromise, was escalated to Darktrace’s Security Operations Center (SOC) who, in turn were able to further investigate and triage this ransomware activity. Customers who have subscribed to Darktrace’s Proactive Threat Notification (PTN) service would receive an alert from the SOC team, advising urgent follow up action.

Darktrace detection models observed during ransomware deployment:

  • Security Integration / Integration Ransomware Incident
  • Security Integration / High Severity Integration Detection
  • Security Integration / Integration Ransomware Detected
  • Device / Suspicious File Writes to Multiple Hidden SMB Shares
  • Compliance / SMB Drive Write
  • Compromise / Ransomware / Suspicious SMB Activity (Proactive Threat Notification Alerted by the Darktrace SOC)
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous File / Internal / Unusual SMB Script Write
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Anomalous Server Activity /Write to Network Accessible WebRoot
  • Anomalous Server Activity /Write to Network Accessible WebRoot

Darktrace autonomous response neutralizes Akira Ransomware

When Darktrace is configured in autonomous response mode, it is able to follow up successful threat identifications with instant autonomous actions that stop malicious actors in their tracks and prevent them from achieving their end goals.

In the examples of Darktrace customers affected by Akira Ransomware outlined above, only customer A had autonomous response mode enabled during their ransomware attack. The autonomous response capability of Darktrace helped the customer to minimize disruption to the business through multiple targeted actions on devices affected by ransomware.

One action carried out by Darktrace's Autonomous Respose was to block all on-going traffic from affected devices. In doing so, Darktrace effectively shuts down communications between devices affected by Akira and the malicious infrastructure used by threat actors, preventing the spread of data on the client network or threat actor payloads.

Another crucial response action applied on this customer’s network was combat Akira was to “Enforce a Pattern of Life” on affected devices. This action is designed to prevent devices from performing any activity that would constitute a deviation from their expected behavior, while allowing them to continue their ‘usual’ business operations without causing any disruption.

While the initial intrusion of the attack on customer A’s network likely fell outside of the scope of Darktrace’s visibility, Darktrace was able to minimize the disruption caused by Akira, containing the ransomware and allowing the customer to further investigate and remediate.

Darktrace Autonomous Response model breaches:

  • Antigena / Network / External Threat / Antigena Ransomware Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block
  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Antigena / Network / External Threat / Antigena File then New Outbound Block
  • Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Block
  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network /Insider Threat /Antigena SMB Enumeration Block

Conclusion

The impact of cyber attacks

Novel ransomware strains like Akira Ransomware present a significant challenge to security teams across the globe due to the constant evolution of attack methods and tactics, making it huge a challenge for security teams to stay up to date with the most current threat intelligence.  

Therefore, it is paramount for organizations to adopt a technology designed around an intelligent decision maker able to identify unusual activity that could be indicative of a ransomware attack without depending solely on rules, signatures, or statistic lists of malicious IoCs.

Importance of AI-powered cybersecurity solutions

Darktrace identified Akira ransomware at every stage of the attack’s kill chain on multiple customer networks, even when threat actors were utilizing seemingly legitimate services (or spoofed versions of them) to carry out malicious activity. While this may have gone unnoticed by traditional security tools, Darktrace’s anomaly-based detection enabled it to recognize malicious activity for what it was. When enabled in autonomous response mode, Darktrace is able to follow up initial detections with machine-speed preventative actions to stop the spread of ransomware and minimize the damage caused to customer networks.  

There is no silver bullet to defend against novel cyber-attacks, however Darktrace’s anomaly-based approach to threat detection and autonomous response capabilities are uniquely placed to detect and respond to cyber disruption without latency.

Credit to: Manoel Kadja, Cyber Analyst, Nahisha Nobregas, SOC Analyst.

Appendices

IOC - Type - Description/Confidence

202.175.136[.]197 - External destination IP -Incoming RDP Connection

api.playanext[.]com - External hostname - Possible RDP Host

.akira - File Extension - Akira Ransomware Extension

akira_readme.txt - Text File - Akira Ransom Note

AnyDesk/7.1.11 - User Agent -AnyDesk User Agent

MITRE ATT&CK Mapping

Tactic & Technique

DISCOVERY

T1083 - File and Directory Discovery

T1046 - Network Service Scanning

T1135 - Network Share Discovery

RECONNAISSANCE

T1595.002 - Vulnerability Scanning

CREDENTIAL ACCESS, COLLECTION

T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

DEFENSE EVASION, LATERAL MOVEMENT

T1550.002 - Pass the Hash

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078 - Valid Accounts

DEFENSE EVASION

T1006 - Direct Volume Access

LATERAL MOVEMENT

T1563.002 - RDP Hijacking

T1021.001 - Remote Desktop Protocol

T1080 - Taint Shared Content

T1021.002 - SMB/Windows Admin Shares

INITIAL ACCESS

T1190 - Exploit Public-Facing Application

T1199 - Trusted Relationship

PERSISTENCE, INITIAL ACCESS

T1133 - External Remote Services

PERSISTENCE

T1505.003 - Web Shell

IMPACT

T1486 - Data Encrypted for Impact

References

[1] https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/

[2] https://www.civilsdaily.com/news/cert-in-warns-against-akira-ransomware/#:~:text=Spread%20Methods%3A%20Akira%20ransomware%20is,Desktop%20connections%20to%20infiltrate%20systems

[3] https://hybrid-analysis.com/sample/0ee9baef94c80647eed30fa463447f000ec1f50a49eecfb71df277a2ca1fe4db?environmentId=100

執筆者
Manoel Kadja
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Manoel Kadja
Cyber Analyst

From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks

Email
November 27, 2025
Ryan Traill
Analyst Content Lead
Watch the NIS2 Webinar
Trending blogs
1
CVE公開前の脅威検知脆弱性が公開される前に悪意あるアクティビティを識別した10件の事例
Jul 2, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
November 26, 2025

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.
Read more
Network
November 20, 2025

Xillen Stealer Updates to Version 5 to Evade AI Detection

Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
Tara Gould
Threat Researcher
Read more
Network
November 12, 2025

Unmasking Vo1d: Inside Darktrace’s Botnet Detection

Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.
Christina Kreza
Cyber Analyst
Read more

Blog

/

Email

/

November 27, 2025

From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks

Default blog imageDefault blog image

Why Black Friday Drives a Surge in Phishing Attacks

In recent years, Black Friday has shifted from a single day of online retail sales and discounts to an extended ‘Black Friday Week’, often preceded by weeks of online hype. During this period, consumers are inundated with promotional emails and marketing campaigns as legitimate retailers compete for attention.

Unsurprisingly, this surge in legitimate communications creates an ideal environment for threat actors to launch targeted phishing campaigns designed to mimic legitimate retail emails. These campaigns often employ social engineering techniques that exploit urgency, exclusivity, and consumer trust in well-known brands, tactics designed to entice recipients into opening emails and clicking on malicious links.

Additionally, given the seasonal nature of Black Friday and the ever-changing habits of consumers, attackers adopt new tactics and register fresh domains each year, rather than reusing domains previously flagged as spam or phishing endpoints. While this may pose a challenge for traditional email security tools, it presents no such difficulty for Darktrace / EMAIL and its anomaly-based approach.

In the days and weeks leading up to ‘Black Friday’, Darktrace observed a spike in sophisticated phishing campaigns targeting consumers, demonstrating how attackers combine phycological manipulation with technical evasion to bypass basic security checks during this high-traffic period. This blog showcases several notable examples of highly convincing phishing emails detected and contained by Darktrace / EMAIL in mid to late November 2025.

Darktrace’s Black Friday Detections

Brand Impersonation: Deal Watchdogs’ Amazon Deals

The impersonation major online retailers has become a common tactic in retail-focused attacks, none more so than Amazon, which ranked as the fourth most impersonated brand in 2024, only behind Microsoft, Apple, Google, and Facebook [1]. Darktrace’s own research found Amazon to be the most mimicked brand, making up 80% of phishing attacks in its analysis of global consumer brands.

When faced with an email that appears to come from a trusted sender like Amazon, recipients are far more likely to engage, increasing the success rate of these phishing campaigns.

In one case observed on November 16, Darktrace detected an email with the subject line “NOW LIVE: Amazon’s Best Early Black Friday Deals on Gadgets Under $60”. The email was sent to a customer by the sender ‘Deal Watchdogs’, in what appeared to be an attempt to masquerade as a legitimate discount-finding platform. No evidence indicated that the company was legitimate. In fact, the threat actor made no attempt to create a convincing name, and the domain appeared to be generated by a domain generation algorithm (DGA), as shown in Figure 2.

Although the email was sent by ‘Deal Watchdogs’, it attempted to impersonate Amazon by featuring realistic branding, including the Amazon logo and a shade of orange similar to that used by them for the ‘CLICK HERE’ button and headline text.

Figure 1: The contents of the email observed by Darktrace, featuring authentic-looking Amazon branding.

Darktrace identified that the email, marked as urgent by the sender, contained a suspicious link to a Google storage endpoint (storage.googleapis[.]com), which had been hidden by the text “CLICK HERE”. If clicked, the link could have led to a credential harvester or served as a delivery vector for a malicious payload hosted on the Google storage platform.

Fortunately, Darktrace immediately identified the suspicious nature of this email and held it before delivery, preventing recipients from ever receiving or interacting with the malicious content.

Figure 2: Darktrace / EMAIL’s detection of the malicious phishing email sent to a customer.

Around the same time, Darktrace detected a similar email attempting to spoof Amazon on another customer’s network with the subject line “Our 10 Favorite Deals on Amazon That Started Today”, also sent by ‘Deal Watchdogs,’ suggesting a broader campaign.

Analysis revealed that this email originated from the domain petplatz[.]com, a fake marketing domain previously linked to spam activity according to open-source intelligence (OSINT) [2].

Brand Impersonation: Louis Vuitton

A few days later, on November 20, Darktrace / EMAIL detected a phishing email attempting to impersonate the luxury fashion brand Louis Vuitton. At first glance, the email, sent under the name ‘Louis Vuitton’ and titled “[Black Friday 2025] Discover Your New Favorite Louis Vuitton Bag – Elegance Starts Here”, appeared to be a legitimate Black Friday promotion. However, Darktrace’s analysis uncovered several red flags indicating a elaborate brand impersonation attempt.

The email was not sent by Louis Vuitton but by rskkqxyu@bookaaatop[.]ru, a Russia-based domain never before observed on the customer’s network. Darktrace flagged this as suspicious, noting that .ru domains were highly unusual for this recipient’s environment, further reinforcing the likelihood of malicious intent. Subsequent analysis revealed that the domain had only recently registered and was flagged as malicious by multiple OSINT sources [3].

Figure 3: Darktrace / EMAIL’s detection of the malicious email attempting to spoofLouis Vuitton, originating from a suspicious Russia-based domain.

Darktrace further noted that the email contained a highly suspicious link hidden behind the text “View Collection” and “Unsubscribe,” ensuring that any interaction, whether visiting the supposed ‘handbag store’ or attempting to opt out of marketing emails, would direct recipients to the same endpoint. The link resolved to xn--80aaae9btead2a[.]xn--p1ai (топааабоок[.]рф), a domain confirmed as malicious by multiple OSINT sources [4]. At the time of analysis, the domain was inaccessible, likely due to takedown efforts or the short-lived nature of the campaign.

Darktrace / EMAIL blocked this email before it reached customer inboxes, preventing recipients from interacting with the malicious content and averting any disruption.

Figure 4: The suspicious domain linked in the Louis Vuitton phishing email, now defunct.

Too good to be true?

Aside from spoofing well-known brands, threat actors frequently lure consumers with “too good to be true” luxury offers, a trend Darktrace observed in multiple cases throughout November.

In one instance, Darktrace identified an email with the subject line “[Black Friday 2025] Luxury Watches Starting at $250.” Emails contained a malicious phishing link, hidden behind text like “Rolex Starting from $250”, “Shop Now”, and “Unsubscribe”.

Figure 5: Example of a phishing email detected by Darktrace, containing malicious links concealed behind seemingly innocuous text.

Similarly to the Louis Vuitton email campaign described above, this malicious link led to a .ru domain (hxxps://x.wwwtopsalebooks[.]ru/.../d65fg4er[.]html), which had been flagged as malicious by multiple sources [5].

Figure 6: Darktrace / EMAIL’s detection of a malicious email promoting a fake luxury watch store, which was successfully held from recipient inboxes.

If accessed, this domain would redirect users to luxy-rox[.]com, a recently created domain (15 days old at the time of writing) that has also been flagged as malicious by OSINT sources [6]. When visited, the redirect domain displayed a convincing storefront advertising high-end watches at heavily discounted prices.

Figure 7: The fake storefront presented upon visiting the redirectdomain, luxy-rox[.]com.

Although the true intent of this domain could not be confirmed, it was likely a scam site or a credential-harvesting operation, as users were required to create an account to complete a purchase. As of the time or writing, the domain in no longer accessible .

This email illustrates a layered evasion tactic: attackers employed multiple domains, rapid domain registration, and concealed redirects to bypass detection. By leveraging luxury branding and urgency-driven discounts, the campaign sought to exploit seasonal shopping behaviors and entice victims into clicking.

Staying Protected During Seasonal Retail Scams

The investigation into these Black Friday-themed phishing emails highlights a clear trend: attackers are exploiting seasonal shopping events with highly convincing campaigns. Common tactics observed include brand impersonation (Amazon, Louis Vuitton, luxury watch brands), urgency-driven subject lines, and hidden malicious links often hosted on newly registered domains or cloud services.

These campaigns frequently use redirect chains, short-lived infrastructure, and psychological hooks like exclusivity and luxury appeal to bypass user scepticism and security filters. Organizations should remain vigilant during retail-heavy periods, reinforcing user awareness training, link inspection practices, and anomaly-based detection to mitigate these evolving threats.

Credit to Ryan Traill (Analyst Content Lead) and Owen Finn (Cyber Analyst)

Appendices

References

1.        https://keepnetlabs.com/blog/top-5-most-spoofed-brands-in-2024

2.        https://www.virustotal.com/gui/domain/petplatz.com

3.        https://www.virustotal.com/gui/domain/bookaaatop.ru

4.        https://www.virustotal.com/gui/domain/xn--80aaae9btead2a.xn--p1ai

5.        https://www.virustotal.com/gui/url/e2b868a74531cd779d8f4a0e1e610ec7f4efae7c29d8b8ab32c7a6740d770897?nocache=1

6.        https://www.virustotal.com/gui/domain/luxy-rox.com

Indicators of Compromise (IoCs)

IoC – Type – Description + Confidence

petplatz[.]com – Hostname – Spam domain

bookaaatop[.]ru – Hostname – Malicious Domain

xn--80aaae9btead2a[.]xn--p1ai (топааабоок[.]рф) – Hostname - Malicious Domain

hxxps://x.wwwtopsalebooks[.]ru/.../d65fg4er[.]html) – URL – Malicious Domain

luxy-rox[.]com – Hostname -  Malicious Domain

MITRE ATT&CK Mapping  

Tactic – Technique – Sub-Technique  

Initial Access - Phishing – (T1566)  

Continue reading
About the author
Ryan Traill
Analyst Content Lead

Blog

/

Network

/

November 27, 2025

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

Default blog imageDefault blog image

What is TAG-150?

TAG-150, a relatively new Malware-as-a-Service (MaaS) operator, has been active since March 2025, demonstrating rapid development and an expansive, evolving infrastructure designed to support its malicious operations. The group employs two custom malware families, CastleLoader and CastleRAT, to compromise target systems, with a primary focus on the United States [1]. TAG-150’s infrastructure included numerous victim-facing components, such as IP addresses and domains functioning as command-and-control (C2) servers associated with malware families like SecTopRAT and WarmCookie, in addition to CastleLoader and CastleRAT [2].

As of May 2025, CastleLoader alone had infected a reported 469 devices, underscoring the scale and sophistication of TAG-150’s campaign [1].

What are CastleLoader and CastleRAT?

CastleLoader is a loader malware, primarily designed to download and install additional malware, enabling chain infections across compromised systems [3]. TAG-150 employs a technique known as ClickFix, which uses deceptive domains that mimic document verification systems or browser update notifications to trick victims into executing malicious scripts. Furthermore, CastleLoader leverages fake GitHub repositories that impersonate legitimate tools as a distribution method, luring unsuspecting users into downloading and installing malware on their devices [4].

CastleRAT, meanwhile, is a remote access trojan (RAT) that serves as one of the primary payloads delivered by CastleLoader. Once deployed, CastleRAT grants attackers extensive control over the compromised system, enabling capabilities such as keylogging, screen capturing, and remote shell access.

TAG-150 leverages CastleLoader as its initial delivery mechanism, with CastleRAT acting as the main payload. This two-stage attack strategy enhances the resilience and effectiveness of their operations by separating the initial infection vector from the final payload deployment.

How are they deployed?

Castleloader uses code-obfuscation methods such as dead-code insertion and packing to hinder both static and dynamic analysis. After the payload is unpacked, it connects to its command-and-control server to retrieve and running additional, targeted components.

Its modular architecture enables it to function both as a delivery mechanism and a staging utility, allowing threat actors to decouple the initial infection from payload deployment. CastleLoader typically delivers its payloads as Portable Executables (PEs) containing embedded shellcode. This shellcode activates the loader’s core module, which then connects to the C2 server to retrieve and execute the next-stage malware.[6]

Following this, attackers deploy the ClickFix technique, impersonating legitimate software distribution platforms like Google Meet or browser update notifications. These deceptive sites trick victims into copying and executing PowerShell commands, thereby initiating the infection kill chain. [1]

When a user clicks on a spoofed Cloudflare “Verification Stepprompt, a background request is sent to a PHP script on the distribution domain (e.g., /s.php?an=0). The server’s response is then automatically copied to the user’s clipboard using the ‘unsecuredCopyToClipboard()’ function. [7].

The Python-based variant of CastleRAT, known as “PyNightShade,” has been engineered with stealth in mind, showing minimal detection across antivirus platforms [2]. As illustrated in Figure 1, PyNightShade communicates with the geolocation API service ip-api[.]com, demonstrating both request and response behavior

Packet Capture (PCAP) of PyNightShade, the Python-based variant of CastleRAT, communicating with the geolocation API service ip-api[.]com.
Figure 1: Packet Capture (PCAP) of PyNightShade, the Python-based variant of CastleRAT, communicating with the geolocation API service ip-api[.]com.

Darktrace Coverage

In mid-2025, Darktrace observed a range of anomalous activities across its customer base that appeared linked to CastleLoader, including the example below from a US based organization.

The activity began on June 26, when a device on the customer’s network was observed connecting to the IP address 173.44.141[.]89, a previously unseen IP for this network along with the use of multiple user agents, which was also rare for the user.  It was later determined that the IP address was a known indicator of compromise (IoC) associated with TAG-150’s CastleRAT and CastleLoader operations [2][5].

Figure 2: Darktrace’s detection of a device making unusual connections to the malicious endpoint 173.44.141[.]89.

The device was observed downloading two scripts from this endpoint, namely ‘/service/download/data_5x.bin’ and ‘/service/download/data_6x.bin’, which have both been linked to CastleLoader infections by open-source intelligence (OSINT) [8]. The archives contains embedded shellcode, which enables attackers to execute arbitrary code directly in memory, bypassing disk writes and making detection by endpoint detection and response (EDR) tools significantly more difficult [2].

Darktrace’s detection of two scripts from the malicious endpoint.
Figure 3: Darktrace’s detection of two scripts from the malicious endpoint.

In addition to this, the affected device exhibited a high volume of internal connections to a broad range of endpoints, indicating potential scanning activity. Such behavior is often associated with reconnaissance efforts aimed at mapping internal infrastructure.

Darktrace / NETWORK correlated these behaviors and generated an Enhanced Monitoring model, a high-fidelity security model designed to detect activity consistent with the early stages of an attack. These high-priority models are continuously monitored and triaged by Darktrace’s Security Operations Center (SOC) as part of the Managed Threat Detection and Managed Detection & Response services, ensuring that subscribed customers are promptly alerted to emerging threats.

Darktrace detected an unusual ZIP file download alongside the anomalous script, followed by internal connectivity. This activity was correlated under an Enhanced Monitoring model.
Figure 4: Darktrace detected an unusual ZIP file download alongside the anomalous script, followed by internal connectivity. This activity was correlated under an Enhanced Monitoring model.

Darktrace Autonomous Response

Fortunately, Darktrace’s Autonomous Response capability was fully configured, enabling it to take immediate action against the offending device by blocking any further connections external to the malicious endpoint, 173.44.141[.]89. Additionally, Darktrace enforced a ‘group pattern of life’ on the device, restricting its behavior to match other devices in its peer group, ensuring it could not deviate from expected activity, while also blocking connections over 443, shutting down any unwanted internal scanning.

Figure 5: Actions performed by Darktrace’s Autonomous Response to contain the ongoing attack.

Conclusion

The rise of the MaaS ecosystem, coupled with attackers’ growing ability to customize tools and techniques for specific targets, is making intrusion prevention increasingly challenging for security teams. Many threat actors now leverage modular toolkits, dynamic infrastructure, and tailored payloads to evade static defenses and exploit even minor visibility gaps. In this instance, Darktrace demonstrated its capability to counter these evolving tactics by identifying early-stage attack chain behaviors such as network scanning and the initial infection attempt. Autonomous Response then blocked the CastleLoader IP delivering the malicious ZIP payload, halting the attack before escalation and protecting the organization from a potentially damaging multi-stage compromise

Credit to Ahmed Gardezi (Cyber Analyst) Tyler Rhea (Senior Cyber Analyst)
Edited by Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

  • Anomalous Connection / Unusual Internal Connections
  • Anomalous File / Zip or Gzip from Rare External Location
  • Anomalous File / Script from Rare External Location
  • Initial Attack Chain Activity (Enhanced Monitoring Model)

MITRE ATT&CK Mapping

  • T15588.001 - Resource Development – Malware
  • TG1599 – Defence Evasion – Network Boundary Bridging
  • T1046 – Discovery – Network Service Scanning
  • T1189 – Initial Access

List of IoCs
IoC - Type - Description + Confidence

  • 173.44.141[.]89 – IP – CastleLoader C2 Infrastructure
  • 173.44.141[.]89/service/download/data_5x.bin – URI – CastleLoader Script
  • 173.44.141[.]89/service/download/data_6x.bin – URI  - CastleLoader Script
  • wsc.zip – ZIP file – Possible Payload

References

[1] - https://blog.polyswarm.io/castleloader

[2] - https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

[3] - https://www.pcrisk.com/removal-guides/34160-castleloader-malware

[4] - https://www.scworld.com/brief/malware-loader-castleloader-targets-devices-via-fake-github-clickfix-phishing

[5] https://www.virustotal.com/gui/ip-address/173.44.141.89/community

[6] https://thehackernews.com/2025/07/castleloader-malware-infects-469.html

[7] https://www.cryptika.com/new-castleloader-attack-using-cloudflare-themed-clickfix-technique-to-infect-windows-computers/

[8] https://www.cryptika.com/castlebot-malware-as-a-service-deploys-range-of-payloads-linked-to-ransomware-attacks/

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI