Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Dan Fein
VP, Product
Share
12
Aug 2020
In March 2020, we documented the rise of Fearware: a type of email attack that involves exploiting a collective sense of fear and urgency in order to coax recipients into clicking on a malicious attachment or link. In the following weeks we saw over 130,000 new email domains registered to perform COVID-19 phishing. Five months on, this activity has unfortunately become the norm for cyber-criminals, who continue to take advantage of the pandemic in their attacks.
In recent weeks, Darktrace’s AI has identified cyber adversaries pivoting from claiming to offer urgent health-related advice or localized infection data, to impersonating relief funds in a particularly malevolent attempt to damage already struggling small businesses.
Figure 1: An interactive snapshot of Antigena Email’s user interface
A small business that had deployed Antigena Email was recently hit with a series of 10 spoofing emails claiming to be from the US Small Business Administration (SBA) about COVID-19 relief funds.
Note how the sender domain actually appears as sba.gov, just as it would in the recipient’s email client. This is possibly due to well-known and inherent weaknesses in Simple Mail Transfer Protocol (SMTP). In reality, the email originated from a mail server in Japan, and the link directs users to a compromised Brazilian domain which is unrelated to the SBA.
Figure 2: The fake login page
The above screenshot displays the fake login page that users are directed to after clicking the link. The page uses the logo of SBA and is formatted in the same style as legitimate pages from the genuine SBA website, such as the ‘forgotten password’ page below.
Figure 3: A screenshot from the legitimate SBA website
This Darktrace customer was a small business and may have been seeking funds. If this was the case, it could have easily fallen victim to this malicious attack targeting already vulnerable organizations. This attack shows how cyber-criminals continue to be creative and timely with their social engineering methods – and will stop at nothing in pursuit of their goals.
Antigena Email sits behind gateway tools, and so like every other threat that it detects and neutralizes, this email went undetected by the email provider’s built-in security tools or other gateway tools in place. Darktrace’s AI detected the rare link based on its understanding of normal communication patterns for the business, and recognized this as a spoofing attempt, preventing the message from ever reaching the inbox and protecting this vulnerable business from damage.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2
The rise of supply chain attacks
In recent years, the abuse of trusted software has become increasingly common, with supply chain compromises emerging as one of the fastest growing vectors for cyber intrusions. As highlighted in Darktrace’s Annual Threat Report 2026, attackers and state-actors continue to find significant value in gaining access to networks through compromised trusted links, third-party tools, or legitimate software. In January 2026, a supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product was reported, with malicious updates distributed to customers through the legitimate update infrastructure. This, in turn, resulted in a multi‑stage loader malware being deployed on compromised devices [1][2].
An overview of eScan exploitation
According to eScan’s official threat advisory, unauthorized access to a regional update server resulted in an “incorrect file placed in the update distribution path” [3]. Customers associated with the affected update servers who downloaded the update during a two-hour window on January 20 were impacted, with affected Windows devices subsequently have experiencing various errors related to update functions and notifications [3].
While eScan did not specify which regional update servers were affected by the malicious update, all impacted Darktrace customer environments were located in the Europe, Middle East, and Africa (EMEA) region.
External research reported that a malicious 32-bit executable file , “Reload.exe”, was first installed on affected devices, which then dropped the 64-bit downloader, “CONSCTLX.exe”. This downloader establishes persistence by creating scheduled tasks such as “CorelDefrag”, which are responsible for executing PowerShell scripts. Subsequently, it evades detection by tampering with the Windows HOSTS file and eScan registry to prevent future remote updates intended for remediation. Additional payloads are then downloaded from its command-and-control (C2) server [1].
Darktrace’s coverage of eScan exploitation
Initial Access and Blockchain as multi-distributed C2 Infrastructure
On January 20, the same day as the aforementioned two‑hour exploit window, Darktrace observed multiple devices across affected networks downloading .dlz package files from eScan update servers, followed by connections to an anomalous endpoint, vhs.delrosal[.]net, which belongs to the attackers’ C2 infrastructure.
The endpoint contained a self‑signed SSL certificate with the string “O=Internet Widgits Pty Ltd, ST=SomeState, C=AU”, a default placeholder commonly used in SSL/TLS certificates for testing and development environments, as well as in malicious C2 infrastructure [4].
Utilizing a multi‑distributed C2 infrastructure, the attackers also leveraged domains linked with the Solana open‑source blockchain for C2 purposes, namely “.sol”. These domains were human‑readable names that act as aliases for cryptocurrency wallet addresses. As browsers do not natively resolve .sol domains, the Solana Naming System (formerly known as Bonfida, an independent contributor within the Solana ecosystem) provides a proxy service, through endpoints such as sol-domain[.]org, to enable browser access.
Darktrace observed devices connecting to blackice.sol-domain[.]org, indicating that attackers were likely using this proxy to reach a .sol domain for C2 activity. Given this behavior, it is likely that the attackers leveraged .sol domains as a dead drop resolver, a C2 technique in which threat actors host information on a public and legitimate service, such as a blockchain. Additional proxy resolver endpoints, such as sns-resolver.bonfida.workers[.]dev, were also observed.
Solana transactions are transparent, allowing all activity to be viewed publicly. When Darktrace analysts examined the transactions associated with blackice[.]sol, they observed that the earliest records dated November 7, 2025, which coincides with the creation date of the known C2 endpoint vhs[.]delrosal[.]net as shown in WHOIS Lookup information [4][5].
Figure 1: WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.
Figure 2: Earliest observed transaction record for blackice[.]sol on public ledgers.
Subsequent instructions found within the transactions contained strings such as “CNAME= vhs[.]delrosal[.]net”, indicating attempts to direct the device toward the malicious endpoint. A more recent transaction recorded on January 28 included strings such as “hxxps://96.9.125[.]243/i;code=302”, suggesting an effort to change C2 endpoints. Darktrace observed multiple alerts triggered for these endpoints across affected devices.
Similar blockchain‑related endpoints, such as “tumama.hns[.]to”, were also observed in C2 activities. The hns[.]to service allows web browsers to access websites registered on Handshake, a decentralized blockchain‑based framework designed to replace centralized authorities and domain registries for top‑level domains. This shift toward decentralized, blockchain‑based infrastructure likely reflects increased efforts by attackers to evade detection.
In outgoing connections to these malicious endpoints across affected networks, Darktrace / NETWORK recognized that the activity was 100% rare and anomalous for both the devices and the wider networks, likely indicative of malicious beaconing, regardless of the underlying trusted infrastructure. In addition to generating multiple model alerts to capture this malicious activity across affected networks, Darktrace’s Cyber AI Analyst was able to compile these separate events into broader incidents that summarized the entire attack chain, allowing customers’ security teams to investigate and remediate more efficiently. Moreover, in customer environments where Darktrace’s Autonomous Response capability was enabled, Darktrace took swift action to contain the attack by blocking beaconing connections to the malicious endpoints, even when those endpoints were associated with seemingly trustworthy services.
Conclusion
Attacks targeting trusted relationships continue to be a popular strategy among threat actors. Activities linked to trusted or widely deployed software are often unintentionally whitelisted by existing security solutions and gateways. Darktrace observed multiple devices becoming impacted within a very short period, likely because tools such as antivirus software are typically mass‑deployed across numerous endpoints. As a result, a single compromised delivery mechanism can greatly expand the attack surface.
Attackers are also becoming increasingly creative in developing resilient C2 infrastructure and exploiting legitimate services to evade detection. Defenders are therefore encouraged to closely monitor anomalous connections and file downloads. Darktrace’s ability to detect unusual activity amidst ever‑changing tactics and indicators of compromise (IoCs) helps organizations maintain a proactive and resilient defense posture against emerging threats.
Credit to Joanna Ng (Associate Principal Cybersecurity Analyst) and Min Kim (Associate Principal Cybersecurity Analyst) and Tara Gould (Malware Researcher Lead)
Edited by Ryan Traill (Content Manager)
Appendices
Darktrace Model Detections
Anomalous File::Zip or Gzip from Rare External Location
![WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69e6bd15391fbfb9bc810102_Screenshot%202026-04-20%20at%204.56.01%E2%80%AFPM.png)
![Earliest observed transaction record for blackice[.]sol on public ledgers.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69e6bd3a9035e7b16c8df83c_Screenshot%202026-04-20%20at%204.56.40%E2%80%AFPM.png)
