Blog
/
Network
/
February 8, 2024

How CoinLoader Hijacks Networks

Discover how Darktrace decrypted the CoinLoader malware hijacking networks for cryptomining. Learn about the tactics and protection strategies employed.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Signe Zaharka
Principal Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
08
Feb 2024

About Loader Malware

Loader malware was a frequent topic of conversation and investigation within the Darktrace Threat Research team throughout 2023, with a wide range of existing and novel variants affecting a significant number of Darktrace customers, as detailed in Darktrace’s inaugural End of Year Threat Report. The multi-phase nature of such compromises poses a significant threat to organizations due to the need to defend against multiple threats at the same time.

CoinLoader, a variant of loader malware first observed in the wild in 2018 [1], is an example of one of the more prominent variant of loaders observed by Darktrace in 2023, with over 65 customers affected by the malware. Darktrace’s Threat Research team conducted a deep dive investigation into the patterns of behavior exhibited by devices infected with CoinLoader in the latter part of 2023, with compromises observed in Europe, the Middle East and Africa (EMEA), Asia-Pacific (APAC) and the Americas.

The autonomous threat detection capabilities of Darktrace DETECT™ allowed for the effective identification of these CoinLoader infections whilst Darktrace RESPOND™, if active, was able to quickly curtail attacker’s efforts and prevent more disruptive, and potentially costly, secondary compromises from occurring.

What is CoinLoader?

Much like other strains of loader, CoinLoader typically serves as a first stage malware that allows threat actors to gain initial access to a network and establish a foothold in the environment before delivering subsequent malicious payloads, including adware, botnets, trojans or pay-per-install campaigns.

CoinLoader is generally propagated through trojanized popular software or game installation archive files, usually in the rar or zip formats. These files tend can be easily obtained via top results displayed in search engines when searching for such keywords as "crack" or "keygen" in conjunction with the name of the software the user wishes to pirate [1,2,3,4]. By disguising the payload as a legitimate programme, CoinLoader is more likely to be unknowingly downloaded by endpoint users, whilst also bypassing traditional security measures that trust the download.

It also has several additional counter-detection methods including using junk code, variable obfuscation, and encryption for shellcode and URL schemes. It relies on dynamic-link library (DLL) search order hijacking to load malicious DLLs to legitimate executable files. The malware is also capable of performing a variety of checks for anti-virus processes and disabling endpoint protection solutions.

In addition to these counter-detection tactics, CoinLoader is also able to prevent the execution of its malicious DLL files in sandboxed environments without the presence of specific DNS cache records, making it extremely difficult for security teams and researchers to analyze.

In 2020 it was reported that CoinLoader compromises were regularly seen alongside cryptomining activity and even used the alias “CoinMiner” in some cases [2]. Darktrace’s investigations into CoinLoader in 2023 largely confirmed this theory, with around 15% of observed CoinLoader connections being related to cryptomining activity.

Cryptomining malware consumes large amounts of a hijacked (or cryptojacked) device's resources to perform complex mathematical calculations and generate income for the attacker all while quietly working in the background. Cryptojacking can lead to high electricity costs, device slow down, loss of functionality, and in the worst case scenario can be a potential fire hazard.

Darktrace Coverage of CoinLoader

In September 2023, Darktrace observed several cases of CoinLoader that served to exemplify the command-and-control (C2) communication and subsequent cryptocurrency mining activities typically observed during CoinLoader compromises. While the initial infection method in these cases was outside of Darktrace’s purview, it likely occurred via socially engineered phishing emails or, as discussed earlier, trojanized software downloads.

Command-and-Control Activity

CoinLoader compromises observed across the Darktrace customer base were typically identified by encrypted C2 connections over port 433 to rare external endpoints using self-signed certificates containing "OU=IT,O=MyCompany LLC,L=San Francisco,ST=California,C=US" in their issue fields.

All observed CoinLoader C2 servers were associated with the ASN of MivoCloud, a Virtual Private Server (VPS) hosting service (AS39798 MivoCloud SRL). It had been reported that Russian-state sponsored threat actors had previously abused MivoCloud’s infrastructure in order to bypass geo-blocking measures during phishing attacks against western nations [5].

Darktrace observed that the majority of CoinLoader infrastructure utilized IP addresses in the 185.225.0.0/19 range and were associated with servers hosted in Romania, with just one instance of an IP address based in Moldova. The domain names of these servers typically followed the naming pattern ‘*[a-d]{1}[.]info’, with 'ams-updatea[.]info’, ‘ams-updateb[.]info’, ‘ams-updatec[.]info’, and ‘ams-updated[.]info’ routinely identified on affected networks.

Researchers found that CoinLoader typically uses DNS tunnelling in order to covertly exchange information with attacker-controlled infrastructure, including the domains ‘candatamsnsdn[.]info’, ‘mapdatamsnsdn[.]info’, ‘rqmetrixsdn[.]info’ [4].

While Darktrace did not observe these particular domains, it did observer similar DNS lookups to a similar suspicous domain, namely ‘ucmetrixsdn[.]info’, in addition to the aforementioned HTTPS C2 connections.

Cryptomining Activity and Possible Additional Tooling

After establishing communication channels with CoinLoader servers, affected devices were observed carrying out a range of cryptocurrency mining activities. Darktrace detected devices connecting to multiple MivoCloud associated IP addresses using the MinerGate protocol alongside the credential “x”, a MinerGate credential observed by Darktrace in previous cryptojacking compromises, including the Sysrv-hello botnet.

Figure 1: Darktrace DETECT breach log showing an alerted mining activity model breach on an infected device.
Figure 2: Darktrace's Cyber AI Analyst providing details about unusual repeated connections to multiple endpoints related to CoinLoader cryptomining.

In a number of customer environments, Darktrace observed affected devices connected to endpoints associated with other malware such as the Andromeda botnet and the ViperSoftX information stealer. It was, however, not possible to confirm whether CoinLoader had dropped these additional malware variants onto infected devices.

On customer networks where Darktrace RESPOND was enabled in autonomous response mode, Darktrace was able to take swift targeted steps to shut down suspicious connections and contain CoinLoader compromises. In one example, following DETECT’s initial identification of an affected device connecting to multiple MivoCloud endpoints, RESPOND autonomously blocked the device from carrying out such connections, effectively shutting down C2 communication and preventing threat actors carrying out any cryptomining activity, or downloading subsequent malicious payloads. The autonomous response capability of RESPOND provides customer security teams with precious time to remove infected devices from their network and action their remediation strategies.

Figure 3: Darktrace RESPOND autonomously blocking CoinLoader connections on an affected device.

Additionally, customers subscribed to Darktrace’s Proactive Threat Notification (PTN) service would be alerted about potential CoinLoader activity observed on their network, prompting Darktrace’s Security Operations Center (SOC) to triage and investigate the activity, allowing customers to prioritize incidents that require immediate attention.

Conclusion

By masquerading as free or ‘cracked’ versions of legitimate popular software, loader malware like CoinLoader is able to indiscriminately target a large number of endpoint users without arousing suspicion. What’s more, once a network has been compromised by the loader, it is then left open to a secondary compromise in the form of potentially costly information stealers, ransomware or, in this case, cryptocurrency miners.

While urging employees to think twice before installing seemingly legitimate software unknown or untrusted locations is an essential first step in protecting an organization against threats like CoinLoader, its stealthy tactics mean this may not be enough.

In order to fully safeguard against such increasingly widespread yet evasive threats, organizations must adopt security solutions that are able to identify anomalies and subtle deviations in device behavior that could indicate an emerging compromise. The Darktrace suite of products, including DETECT and RESPOND, are well-placed to identify and contain these threats in the first instance and ensure they cannot escalate to more damaging network compromises.

Credit to: Signe Zaharka, Senior Cyber Security Analyst, Paul Jennings, Principal Analyst Consultant

Appendix

Darktrace DETECT Model Detections

  • Anomalous Connection/Multiple Connections to New External TCP Port
  • Anomalous Connection/Multiple Failed Connections to Rare Endpoint
  • Anomalous Connection/Rare External SSL Self-Signed
  • Anomalous Connection/Repeated Rare External SSL Self-Signed
  • Anomalous Connection/Suspicious Self-Signed SSL
  • Anomalous Connection/Young or Invalid Certificate SSL Connections to Rare
  • Anomalous Server Activity/Rare External from Server
  • Compromise/Agent Beacon (Long Period)
  • Compromise/Beacon for 4 Days
  • Compromise/Beacon to Young Endpoint
  • Compromise/Beaconing Activity To External Rare
  • Compromise/High Priority Crypto Currency Mining
  • Compromise/High Volume of Connections with Beacon Score
  • Compromise/Large Number of Suspicious Failed Connections
  • Compromise/New or Repeated to Unusual SSL Port
  • Compromise/Rare Domain Pointing to Internal IP
  • Compromise/Repeating Connections Over 4 Days
  • Compromise/Slow Beaconing Activity To External Rare
  • Compromise/SSL Beaconing to Rare Destination
  • Compromise/Suspicious File and C2
  • Compromise/Suspicious TLS Beaconing To Rare External
  • Device/ Anomalous Github Download
  • Device/ Suspicious Domain
  • Device/Internet Facing Device with High Priority Alert
  • Device/New Failed External Connections

Indicators of Compromise (IoCs)

IoC - Hostname C2 Server

ams-updatea[.]info

ams-updateb[.]info

ams-updatec[.]info

ams-updated[.]info

candatamsna[.]info

candatamsnb[.]info

candatamsnc[.]info

candatamsnd[.]info

mapdatamsna[.]info

mapdatamsnb[.]info

mapdatamsnc[.]info

mapdatamsnd[.]info

res-smarta[.]info

res-smartb[.]info

res-smartc[.]info

res-smartd[.]info

rqmetrixa[.]info

rqmetrixb[.]info

rqmetrixc[.]info

rqmetrixd[.]info

ucmetrixa[.]info

ucmetrixb[.]info

ucmetrixc[.]info

ucmetrixd[.]info

any-updatea[.]icu

IoC - IP Address - C2 Server

185.225[.]16.192

185.225[.]16.61

185.225[.]16.62

185.225[.]16.63

185.225[.]16.88

185.225[.]17.108

185.225[.]17.109

185.225[.]17.12

185.225[.]17.13

185.225[.]17.135

185.225[.]17.14

185.225[.]17.145

185.225[.]17.157

185.225[.]17.159

185.225[.]18.141

185.225[.]18.142

185.225[.]18.143

185.225[.]19.218

185.225[.]19.51

194.180[.]157.179

194.180[.]157.185

194.180[.]158.55

194.180[.]158.56

194.180[.]158.62

194.180[.]158.63

5.252.178[.]74

94.158.246[.]124

IoC - IP Address - Cryptocurrency mining related endpoint

185.225.17[.]114

185.225.17[.]118

185.225.17[.]130

185.225.17[.]131

185.225.17[.]132

185.225.17[.]142

IoC - SSL/TLS certificate issuer information - C2 server certificate example

emailAddress=admin@example[.]ltd,CN=example[.]ltd,OU=IT,O=MyCompany LLC,L=San Francisco,ST=California,C=US

emailAddress=admin@'res-smartd[.]info,CN=res-smartd[.]info,OU=IT,O=MyCompany LLC,L=San Francisco,ST=California,C=US

CN=ucmetrixd[.]info,OU=IT,O=MyCompany LLC,L=San Francisco,ST=California,C=US

MITRE ATT&CK Mapping

INITIAL ACCESS

Exploit Public-Facing Application - T1190

Spearphishing Link - T1566.002

Drive-by Compromise - T1189

COMMAND AND CONTROL

Non-Application Layer Protocol - T1095

Non-Standard Port - T1571

External Proxy - T1090.002

Encrypted Channel - T1573

Web Protocols - T1071.001

Application Layer Protocol - T1071

DNS - T1071.004

Fallback Channels - T1008

Multi-Stage Channels - T1104

PERSISTENCE

Browser Extensions

T1176

RESOURCE DEVELOPMENT

Web Services - T1583.006

Malware - T1588.001

COLLECTION

Man in the Browser - T1185

IMPACT

Resource Hijacking - T1496

References

1. https://www.avira.com/en/blog/coinloader-a-sophisticated-malware-loader-campaign

2. https://asec.ahnlab.com/en/17909/

3. https://www.cybereason.co.jp/blog/cyberattack/5687/

4. https://research.checkpoint.com/2023/tunnel-warfare-exposing-dns-tunneling-campaigns-using-generative-models-coinloader-case-study/

5. https://securityboulevard.com/2023/02/three-cases-of-cyber-attacks-on-the-security-service-of-ukraine-and-nato-allies-likely-by-russian-state-sponsored-gamaredon/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Signe Zaharka
Principal Cyber Analyst

More in this series

No items found.

Blog

/

AI

/

October 15, 2025

How a Major Civil Engineering Company Reduced MTTR across Network, Email and the Cloud with Darktrace

Default blog imageDefault blog image

Asking more of the information security team

“What more can we be doing to secure the company?” is a great question for any cyber professional to hear from their Board of Directors. After successfully defeating a series of attacks and seeing the potential for AI tools to supercharge incoming threats, a UK-based civil engineering company’s security team had the answer: Darktrace.

“When things are coming at you at machine speed, you need machine speed to fight it off – it’s as simple as that,” said their Information Security Manager. “There were incidents where it took us a few hours to get to the bottom of what was going on. Darktrace changed that.”

Prevention was also the best cure. A peer organization in the same sector was still in business continuity measures 18 months after an attack, and the security team did not want to risk that level of business disruption.

Legacy tools were not meeting the team’s desired speed or accuracy

The company’s native SaaS email platform took between two and 14 days to alert on suspicious emails, with another email security tool flagging malicious emails after up to 24 days. After receiving an alert, responses often took a couple of days to coordinate. The team was losing precious time.

Beyond long detection and response times, the old email security platform was no longer performing: 19% of incoming spam was missed. Of even more concern: 6% of phishing emails reached users’ inboxes, and malware and ransomware email was also still getting through, with 0.3% of such email-borne payloads reaching user inboxes.

Choosing Darktrace

“When evaluating tools in 2023, only Darktrace had what I was looking for: an existing, mature, AI-based cybersecurity solution. ChatGPT had just come out and a lot of companies were saying ‘AI this’ and ‘AI that’. Then you’d take a look, and it was all rules- and cases-based, not AI at all,” their Information Security Manager.

The team knew that, with AI-enabled attacks on the horizon, a cybersecurity company that had already built, fielded, and matured an AI-powered cyber defense would give the security team the ability to fend off machine-speed attacks at the same pace as the attackers.

Darktrace accomplishes this with multi-layered AI that learns each organization’s normal business operations. With this detailed level of understanding, Darktrace’s Self-Learning AI can recognize unusual activity that may indicate a cyber-attack, and works to neutralize the threat with precise response actions. And it does this all at machine speed and with minimal disruption.

On the morning the team was due to present its findings, the session was cancelled – for a good reason. The Board didn’t feel further discussion was necessary because the case for Darktrace was so conclusive. The CEO described the Darktrace option as ‘an insurance policy we can’t do without’.

Saving time with Darktrace / EMAIL

Darktrace / EMAIL reduced the discovery, alert, and response process from days or weeks to seconds .

Darktrace / EMAIL automates what was originally a time-consuming and repetitive process. The team has recovered between eight and 10 working hours a week by automating much of this process using / EMAIL.

Today, Darktrace / EMAIL prevents phishing emails from reaching employees’ inboxes. The volume of hostile and unsolicited email fell to a third of its original level after Darktrace / EMAIL was set up.

Further savings with Darktrace / NETWORK and Darktrace / IDENTITY

Since its success with Darktrace / EMAIL, the company adopted two more products from the Darktrace ActiveAI Security Platform – Darktrace / NETWORK and Darktrace / IDENTITY.

These have further contributed to cost savings. An initial plan to build a 24/7 SOC would have required hiring and retaining six additional analysts, rather than the two that currently use Darktrace, costing an additional £220,000 per year in salary. With Darktrace, the existing analysts have the tools needed to become more effective and impactful.

An additional benefit: Darktrace adoption has lowered the company’s cyber insurance premiums. The security team can reallocate this budget to proactive projects.

Detection of novel threats provides reassurance

Darktrace’s unique approach to cybersecurity added a key benefit. The team’s previous tool took a rules-based approach – which was only good if the next attack featured the same characteristics as the ones on which the tool was trained.

“Darktrace looks for anomalous behavior, and we needed something that detected and responded based on use cases, not rules that might be out of date or too prescriptive,” their Information Security Manager. “Our existing provider could take a couple of days to update rules and signatures, and in this game, speed is of the essence. Darktrace just does everything we need - without delay.”

Where rules-based tools must wait for a threat to emerge before beginning to detect and respond to it, Darktrace identifies and protects against unknown and novel threats, speeding identification, response, and recovery, minimizing business disruption as a result.

Looking to the future

With Darktrace in place, the UK-based civil engineering company team has reallocated time and resources usually spent on detection and alerting to now tackle more sophisticated, strategic challenges. Darktrace has also equipped the team with far better and more regularly updated visibility into potential vulnerabilities.

“One thing that frustrates me a little is penetration testing; our ISO accreditation mandates a penetration test at least once a year, but the results could be out of date the next day,” their Information Security Manager. “Darktrace / Proactive Exposure Management will give me that view in real time – we can run it daily if needed - and that’s going to be a really effective workbench for my team.”

As the company looks to further develop its security posture, Darktrace remains poised to evolve alongside its partner.

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

October 14, 2025

Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response

Default blog imageDefault blog image

Introduction: Background on Akira SonicWall campaign

Between July and August 2025, security teams worldwide observed a surge in Akira ransomware incidents involving SonicWall SSL VPN devices [1]. Initially believed to be the result of an unknown zero-day vulnerability, SonicWall later released an advisory announcing that the activity was strongly linked to a previously disclosed vulnerability, CVE-2024-40766, first identified over a year earlier [2].

On August 20, 2025, Darktrace observed unusual activity on the network of a customer in the US. Darktrace detected a range of suspicious activity, including network scanning and reconnaissance, lateral movement, privilege escalation, and data exfiltration. One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology.

As the customer was subscribed to the Managed Detection and Response (MDR) service, Darktrace’s Security Operations Centre (SOC) team was able to rapidly triage critical alerts, restrict the activity of affected devices, and notify the customer of the threat. As a result, the impact of the attack was limited - approximately 2 GiB of data had been observed leaving the network, but any further escalation of malicious activity was stopped.

Threat Overview

CVE-2024-40766 and other misconfigurations

CVE-2024-40766 is an improper access control vulnerability in SonicWall’s SonicOS, affecting Gen 5, Gen 6, and Gen 7 devices running SonicOS version 7.0.1 5035 and earlier [3]. The vulnerability was disclosed on August 23, 2024, with a patch released the same day. Shortly after, it was reported to be exploited in the wild by Akira ransomware affiliates and others [4].

Almost a year later, the same vulnerability is being actively targeted again by the Akira ransomware group. In addition to exploiting unpatched devices affected by CVE-2024-40766, security researchers have identified three other risks potentially being leveraged by the group [5]:

*The Virtual Office Portal can be used to initially set up MFA/TOTP configurations for SSLVPN users.

Thus, even if SonicWall devices were patched, threat actors could still target them for initial access by reusing previously stolen credentials and exploiting other misconfigurations.

Akira Ransomware

Akira ransomware was first observed in the wild in March 2023 and has since become one of the most prolific ransomware strains across the threat landscape [6]. The group operates under a Ransomware-as-a-Service (RaaS) model and frequently uses double extortion tactics, pressuring victims to pay not only to decrypt files but also to prevent the public release of sensitive exfiltrated data.

The ransomware initially targeted Windows systems, but a Linux variant was later observed targeting VMware ESXi virtual machines [7]. In 2024, it was assessed that Akira would continue to target ESXi hypervisors, making attacks highly disruptive due to the central role of virtualisation in large-scale cloud deployments. Encrypting the ESXi file system enables rapid and widespread encryption with minimal lateral movement or credential theft. The lack of comprehensive security protections on many ESXi hypervisors also makes them an attractive target for ransomware operators [8].

Victimology

Akira is known to target organizations across multiple sectors, most notably those in manufacturing, education, and healthcare. These targets span multiple geographic regions, including North America, Latin America, Europe and Asia-Pacific [9].

Geographical distribution of organization’s affected by Akira ransomware in 2025 [9].
Figure 1: Geographical distribution of organization’s affected by Akira ransomware in 2025 [9].

Common Tactics, Techniques and Procedures (TTPs) [7][10]

Initial Access
Targets remote access services such as RDP and VPN through vulnerability exploitation or stolen credentials.

Reconnaissance
Uses network scanning tools like SoftPerfect and Advanced IP Scanner to map the environment and identify targets.

Lateral Movement
Moves laterally using legitimate administrative tools, typically via RDP.

Persistence
Employs techniques such as Kerberoasting and pass-the-hash, and tools like Mimikatz to extract credentials. Known to create new domain accounts to maintain access.

Command and Control
Utilizes remote access tools including AnyDesk, RustDesk, Ngrok, and Cloudflare Tunnel.

Exfiltration
Uses tools such as FileZilla, WinRAR, WinSCP, and Rclone. Data is exfiltrated via protocols like FTP and SFTP, or through cloud storage services such as Mega.

Darktrace’s Coverage of Akira ransomware

Reconnaissance

Darktrace first detected of unusual network activity around 05:10 UTC, when a desktop device was observed performing a network scan and making an unusual number of DCE-RPC requests to the endpoint mapper (epmapper) service. Network scans are typically used to identify open ports, while querying the epmapper service can reveal exposed RPC services on the network.

Multiple other devices were also later seen with similar reconnaissance activity, and use of the Advanced IP Scanner tool, indicated by connections to the domain advanced-ip-scanner[.]com.

Lateral movement

Shortly after the initial reconnaissance, the same desktop device exhibited unusual use of administrative tools. Darktrace observed the user agent “Ruby WinRM Client” and the URI “/wsman” as the device initiated a rare outbound Windows Remote Management (WinRM) connection to two domain controllers (REDACTED-dc1 and REDACTED-dc2). WinRM is a Microsoft service that uses the WS-Management (WSMan) protocol to enable remote management and control of network devices.

Darktrace also observed the desktop device connecting to an ESXi device (REDACTED-esxi1) via RDP using an LDAP service credential, likely with administrative privileges.

Credential access

At around 06:26 UTC, the desktop device was seen fetching an Active Directory certificate from the domain controller (REDACTED-dc1) by making a DCE-RPC request to the ICertPassage service. Shortly after, the device made a Kerberos login using the administrative credential.

Figure 3: Darktrace’s detection of the of anomalous certificate download and subsequent Kerberos login.

Further investigation into the device’s event logs revealed a chain of connections that Darktrace’s researchers believe demonstrates a credential access technique known as “UnPAC the hash.”

This method begins with pre-authentication using Kerberos’ Public Key Cryptography for Initial Authentication (PKINIT), allowing the client to use an X.509 certificate to obtain a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC) instead of a password.

The next stage involves User-to-User (U2U) authentication when requesting a Service Ticket (ST) from the KDC. Within Darktrace's visibility of this traffic, U2U was indicated by the client and service principal names within the ST request being identical. Because PKINIT was used earlier, the returned ST contains the NTLM hash of the credential, which can then be extracted and abused for lateral movement or privilege escalation [11].

Flowchart of Kerberos PKINIT pre-authentication and U2U authentication [12].
Figure 4: Flowchart of Kerberos PKINIT pre-authentication and U2U authentication [12]
Figure 5: Device event log showing the Kerberos Login and Kerberos Ticket events

Analysis of the desktop device’s event logs revealed a repeated sequence of suspicious activity across multiple credentials. Each sequence included a DCE-RPC ICertPassage request to download a certificate, followed by a Kerberos login event indicating PKINIT pre-authentication, and then a Kerberos ticket event consistent with User-to-User (U2U) authentication.

Darktrace identified this pattern as highly unusual. Cyber AI Analyst determined that the device used at least 15 different credentials for Kerberos logins over the course of the attack.

By compromising multiple credentials, the threat actor likely aimed to escalate privileges and facilitate further malicious activity, including lateral movement. One of the credentials obtained via the “UnPAC the hash” technique was later observed being used in an RDP session to the domain controller (REDACTED-dc2).

C2 / Additional tooling

At 06:44 UTC, the domain controller (REDACTED-dc2) was observed initiating a connection to temp[.]sh, a temporary cloud hosting service. Open-source intelligence (OSINT) reporting indicates that this service is commonly used by threat actors to host and distribute malicious payloads, including ransomware [13].

Shortly afterward, the ESXi device was observed downloading an executable named “vmwaretools” from the rare external endpoint 137.184.243[.]69, using the user agent “Wget.” The repeated outbound connections to this IP suggest potential command-and-control (C2) activity.

Cyber AI Analyst investigation into the suspicious file download and suspected C2 activity between the ESXI device and the external endpoint 137.184.243[.]69.
Figure 6: Cyber AI Analyst investigation into the suspicious file download and suspected C2 activity between the ESXI device and the external endpoint 137.184.243[.]69.
Packet capture (PCAP) of connections between the ESXi device and 137.184.243[.]69.
Figure 7: Packet capture (PCAP) of connections between the ESXi device and 137.184.243[.]69.

Data exfiltration

The first signs of data exfiltration were observed at around 7:00 UTC. Both the domain controller (REDACTED-dc2) and a likely SonicWall VPN device were seen uploading approximately 2 GB of data via SSH to the rare external endpoint 66.165.243[.]39 (AS29802 HVC-AS). OSINT sources have since identified this IP as an indicator of compromise (IoC) associated with the Akira ransomware group, known to use it for data exfiltration [14].

Cyber AI Analyst incident view highlighting multiple unusual events across several devices on August 20. Notably, it includes the “Unusual External Data Transfer” event, which corresponds to the anomalous 2 GB data upload to the known Akira-associated endpoint 66.165.243[.]39.
Figure 8: Cyber AI Analyst incident view highlighting multiple unusual events across several devices on August 20. Notably, it includes the “Unusual External Data Transfer” event, which corresponds to the anomalous 2 GB data upload to the known Akira-associated endpoint 66.165.243[.]39.

Cyber AI Analyst

Throughout the course of the attack, Darktrace’s Cyber AI Analyst autonomously investigated the anomalous activity as it unfolded and correlated related events into a single, cohesive incident. Rather than treating each alert as isolated, Cyber AI Analyst linked them together to reveal the broader narrative of compromise. This holistic view enabled the customer to understand the full scope of the attack, including all associated activities and affected assets that might otherwise have been dismissed as unrelated.

Overview of Cyber AI Analyst’s investigation, correlating all related internal and external security events across affected devices into a single pane of glass.
Figure 9: Overview of Cyber AI Analyst’s investigation, correlating all related internal and external security events across affected devices into a single pane of glass.

Containing the attack

In response to the multiple anomalous activities observed across the network, Darktrace's Autonomous Response initiated targeted mitigation actions to contain the attack. These included:

  • Blocking connections to known malicious or rare external endpoints, such as 137.184.243[.]69, 66.165.243[.]39, and advanced-ip-scanner[.]com.
  • Blocking internal traffic to sensitive ports, including 88 (Kerberos), 3389 (RDP), and 49339 (DCE-RPC), to disrupt lateral movement and credential abuse.
  • Enforcing a block on all outgoing connections from affected devices to contain potential data exfiltration and C2 activity.
Autonomous Response actions taken by Darktrace on an affected device, including the blocking of malicious external endpoints and internal service ports.
Figure 10: Autonomous Response actions taken by Darktrace on an affected device, including the blocking of malicious external endpoints and internal service ports.

Managed Detection and Response

As this customer was an MDR subscriber, multiple Enhanced Monitoring alerts—high-fidelity models designed to detect activity indicative of compromise—were triggered across the network. These alerts prompted immediate investigation by Darktrace’s SOC team.

Upon determining that the activity was likely linked to an Akira ransomware attack, Darktrace analysts swiftly acted to contain the threat. At around 08:05 UTC, devices suspected of being compromised were quarantined, and the customer was promptly notified, enabling them to begin their own remediation procedures without delay.

A wider campaign?

Darktrace’s SOC and Threat Research teams identified at least three additional incidents likely linked to the same campaign. All targeted organizations were based in the US, spanning various industries, and each have indications of using SonicWall VPN, indicating it had likely been targeted for initial access.

Across these incidents, similar patterns emerged. In each case, a suspicious executable named “vmwaretools” was downloaded from the endpoint 85.239.52[.]96 using the user agent “Wget”, bearing some resemblance to the file downloads seen in the incident described here. Data exfiltration was also observed via SSH to the endpoints 107.155.69[.]42 and 107.155.93[.]154, both of which belong to the same ASN also seen in the incident described in this blog: S29802 HVC-AS. Notably, 107.155.93[.]154 has been reported in OSINT as an indicator associated with Akira ransomware activity [15]. Further recent Akira ransomware cases have been observed involving SonicWall VPN, where no similar executable file downloads were observed, but SSH exfiltration to the same ASN was. These overlapping and non-overlapping TTPs may reflect the blurring lines between different affiliates operating under the same RaaS.

Lessons from the campaign

This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released. It also demonstrates how misconfigurations and overlooked weaknesses can be leveraged for initial access or privilege escalation, even in otherwise well-maintained environments.

Darktrace’s observations further reveal that ransomware actors are increasingly relying on legitimate administrative tools, such as WinRM, to blend in with normal network activity and evade detection. In addition to previously documented Kerberos-based credential access techniques like Kerberoasting and pass-the-hash, this campaign featured the use of UnPAC the hash to extract NTLM hashes via PKINIT and U2U authentication for lateral movement or privilege escalation.

Credit to Emily Megan Lim (Senior Cyber Analyst), Vivek Rajan (Senior Cyber Analyst), Ryan Traill (Analyst Content Lead), and Sam Lister (Specialist Security Researcher)

Appendices

Darktrace Model Detections

Anomalous Connection / Active Remote Desktop Tunnel

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / New User Agent to IP Without Hostname

Anomalous Connection / Possible Data Staging and External Upload

Anomalous Connection / Rare WinRM Incoming

Anomalous Connection / Rare WinRM Outgoing

Anomalous Connection / Uncommon 1 GiB Outbound

Anomalous Connection / Unusual Admin RDP Session

Anomalous Connection / Unusual Incoming Long Remote Desktop Session

Anomalous Connection / Unusual Incoming Long SSH Session

Anomalous Connection / Unusual Long SSH Session

Anomalous File / EXE from Rare External Location

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Server Activity / Outgoing from Server

Anomalous Server Activity / Rare External from Server

Compliance / Default Credential Usage

Compliance / High Priority Compliance Model Alert

Compliance / Outgoing NTLM Request from DC

Compliance / SSH to Rare External Destination

Compromise / Large Number of Suspicious Successful Connections

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Device / Anomalous Certificate Download Activity

Device / Anomalous SSH Followed By Multiple Model Alerts

Device / Anonymous NTLM Logins

Device / Attack and Recon Tools

Device / ICMP Address Scan

Device / Large Number of Model Alerts

Device / Network Range Scan

Device / Network Scan

Device / New User Agent To Internal Server

Device / Possible SMB/NTLM Brute Force

Device / Possible SMB/NTLM Reconnaissance

Device / RDP Scan

Device / Reverse DNS Sweep

Device / Suspicious SMB Scanning Activity

Device / UDP Enumeration

Unusual Activity / Unusual External Data to New Endpoint

Unusual Activity / Unusual External Data Transfer

User / Multiple Uncommon New Credentials on Device

User / New Admin Credentials on Client

User / New Admin Credentials on Server

Enhanced Monitoring Models

Compromise / Anomalous Certificate Download and Kerberos Login

Device / Initial Attack Chain Activity

Device / Large Number of Model Alerts from Critical Network Device

Device / Multiple Lateral Movement Model Alerts

Device / Suspicious Network Scan Activity

Unusual Activity / Enhanced Unusual External Data Transfer

Antigena/Autonomous Response Models

Antigena / Network / External Threat / Antigena File then New Outbound Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / External Threat / Antigena Suspicious File Block

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Insider Threat / Antigena Network Scan Block

Antigena / Network / Insider Threat / Antigena Unusual Privileged User Activities Block

Antigena / Network / Manual / Quarantine Device

Antigena / Network / Significant Anomaly / Antigena Alerts Over Time Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Repeated Antigena Alerts

List of Indicators of Compromise (IoCs)

·      66.165.243[.]39 – IP Address – Data exfiltration endpoint

·      107.155.69[.]42 – IP Address – Probable data exfiltration endpoint

·      107.155.93[.]154 – IP Address – Likely Data exfiltration endpoint

·      137.184.126[.]86 – IP Address – Possible C2 endpoint

·      85.239.52[.]96 – IP Address – Likely C2 endpoint

·      hxxp://85.239.52[.]96:8000/vmwarecli  – URL – File download

·      hxxp://137.184.126[.]86:8080/vmwaretools – URL – File download

MITRE ATT&CK Mapping

Initial Access – T1190 – Exploit Public-Facing Application

Reconnaissance – T1590.002 – Gather Victim Network Information: DNS

Reconnaissance – T1590.005 – Gather Victim Network Information: IP Addresses

Reconnaissance – T1592.004 – Gather Victim Host Information: Client Configurations

Reconnaissance – T1595 – Active Scanning

Discovery – T1018 – Remote System Discovery

Discovery – T1046 – Network Service Discovery

Discovery – T1083 – File and Directory Discovery

Discovery – T1135 – Network Share Discovery

Lateral Movement – T1021.001 – Remote Services: Remote Desktop Protocol

Lateral Movement – T1021.004 – Remote Services: SSH

Lateral Movement – T1021.006 – Remote Services: Windows Remote Management

Lateral Movement – T1550.002 – Use Alternate Authentication Material: Pass the Hash

Lateral Movement – T1550.003 – Use Alternate Authentication Material: Pass the Ticket

Credential Access – T1110.001 – Brute Force: Password Guessing

Credential Access – T1649 – Steal or Forge Authentication Certificates

Persistence, Privilege Escalation – T1078 – Valid Accounts

Resource Development – T1588.001 – Obtain Capabilities: Malware

Command and Control – T1071.001 – Application Layer Protocol: Web Protocols

Command and Control – T1105 – Ingress Tool Transfer

Command and Control – T1573 – Encrypted Channel

Collection – T1074 – Data Staged

Exfiltration – T1041 – Exfiltration Over C2 Channel

Exfiltration – T1048 – Exfiltration Over Alternative Protocol

References

[1] https://thehackernews.com/2025/08/sonicwall-investigating-potential-ssl.html

[2] https://www.sonicwall.com/support/notices/gen-7-and-newer-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

[3] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

[4] https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/

[5] https://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/

[6] https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

[7] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

[8] https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/

[9] https://www.ransomware.live/map?year=2025&q=akira

[10] https://attack.mitre.org/groups/G1024/
[11] https://labs.lares.com/fear-kerberos-pt2/#UNPAC

[12] https://www.thehacker.recipes/ad/movement/kerberos/unpac-the-hash

[13] https://www.s-rminform.com/latest-thinking/derailing-akira-cyber-threat-intelligence)

[14] https://fieldeffect.com/blog/update-akira-ransomware-group-targets-sonicwall-vpn-appliances

[15] https://arcticwolf.com/resources/blog/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn/

Continue reading
About the author
Emily Megan Lim
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI