Blog
/
/
July 11, 2024

GuLoader: Evolving Tactics in Latest Campaign Targeting European Industry

Cado Security Labs identified a GuLoader campaign targeting European industrial companies via spearphishing emails with compressed batch files. This malware uses obfuscated PowerShell scripts and shellcode with anti-debugging techniques to establish persistence and inject into legitimate processes, to deliver Remote Access Trojans. GuLoader's ongoing evolution highlights the need for robust security.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Tara Gould
Threat Researcher
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
11
Jul 2024

Researchers from Cado Security Labs (now part of Darktrace) recently discovered a  campaign targeting European industrial and engineering companies. GuLoader is an evasive shellcode downloader used to deliver Remote Access Trojans (RAT) that has been used by threat actors since 2019 and continues to advance. 

Image 1

Initial access

Cado identified a number of spearphishing emails sent to electronic manufacturing, engineering and industrial companies in European countries including Romania, Poland, Germany and Kazakhstan. The emails typically include order inquiries and contain an archive file attachment (iso, 7z, gzip, rar). The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order. 

PowerShell  

The first stage of GuLoader is a batch file that is compressed in the archive from the email attachment. As shown in Image 2, the batch file contains an obfuscated PowerShell script, which is done to evade detection.

Batch file
Image 2: Obfuscated PowerShell

The obfuscated script contains strings that are deobfuscated through a function “Boendes” (in this sample) that contains a for loop that takes every fifth character, with the rest of the characters being junk. After deobfuscating, the functionality of the script is clearer. These values can be retrieved by debugging the script, however deobfuscating with Script 1 in the Scripts section, makes it easier to read for static analysis.

Deobfuscated Powershell
Image 3 - Deobfuscated PowerShell

This Powershell script contains the function “Aromastofs” that is used to invoke the provided expressions. A secondary file is downloaded from careerfinder[.]ro and saved as “Knighting.Pro” in the user’s AppData/Roaming folder. The content retrieved from “Kighting.Pro” is decoded from Base64, converted to ASCII and selected from position 324537, with the length 29555. This is stored as “$Nongalactic” and contains more Powershell. 

Second Powershell script
Image 4 - Second PowerShell script
Deobfuscated Secondary Powershell
Image 5 - Deobfuscated Secondary PowerShell

As seen in Image 5, the secondary PowerShell is obfuscated in the same manner as before with the function “Boendes”. The script begins with checking which PowerShell is being used 32 or 64 bit. If 64 bit is in use, a 32 bit PowerShell process is spawned to execute the script, and to enable 32 bit processes later in the chain. 

The function named “Brevsprkkernes” is a secondary obfuscation function. The function takes the obfuscated hex string, converts to a byte array, applies XOR with a key of 173 and converts to ASCII. This obfuscation is used to evade detection and analysis more difficult. Again, these values can be retrieved with debugging; however for readability, using Script 2 in the Scripts section makes it easier to read. 

Obfuscated Hex Strings
Image 6: Obfuscated Hex Strings
Deobfuscated PowersShell Strings
Image 7 - Deobfuscated PowerShell Strings
Deobfuscated Process Injection
Image 8: Deobfuscated Process Injection

The second PowerShell script contains functionality to allocate memory via VirtualAlloc and to execute shellcode. VirtualAlloc is a native Windows API function that allows programs to allocate, reserve, or commit memory in a specified process. Threat actors commonly use VirtualAlloc to allocate memory for malicious code execution, making it harder for security solutions to detect or prevent code injection. The variable “$Bakteriekulturs” contains the bytes that were stored in “AppData/Roaming/Knighting.Pro” and converted from Base64 in the first part of the PowerShell Script. Marshall::Copy is used to copy the first 657 bytes of that file, which is the first shellcode. Marshall.Copy is a method that enables the transfer of data between unmanaged memory and managed arrays, allowing data exchange between managed and unmanaged code. Marshal.Copy is typically abused to inject or manipulate malicious payloads in memory, bypassing traditional detection by directly accessing and modifying memory regions used by applications. Marshall::Copy is used again to copy bytes 657 to 323880 as a second shellcode. 

First Shellcode
Image 9: First Shellcode

The first shellcode includes multiple anti-debugging techniques that make static and dynamic analysis difficult. There have been multiple evolutions of GuLoader’s evasive techniques that have been documented [1]. The main functionality of the first shellcode is to load and decrypt the second shellcode. The second shellcode adds the original PowerShell script as a Registry Key “Mannas” in HKCU/Software/Procentagiveless for persistence, with the path to PowerShell 32 bit executable stored as “Frenetic” in HKCU\Environment; however, these values change per sample. 

Registry Key created for PowerShell Script
Image 10 - Registry Key created for PowerShell Script
PowerShell bit added to Registry
Image 11 - PowerShell 32 bit added to Registry

The second shellcode is injected into the legitimate “msiexec.exe” process and appears to be reaching out to a domain to retrieve an additional payload, however at the time of analysis this request returns a 404. Based on previous research of GuLoader, the final payload is usually a RAT including Remcos, NetWire, and AgentTesla.[2]

msiexec abused to retrieve additional payload
Image 12  - msiexec abused to retrieve additional payload

Key Takeaway

Guloader malware continues to adapt its techniques to evade detection to deliver RATs. Threat actors are continually targeting specific industries in certain countries. Its resilience highlights the need for proactive security measures. To counter Guloader and other threats, organizations must stay vigilant and employ a robust security plan.

Scripts

Script 1 to deobfuscate junk characters 

import re 
import argparse 
import os 
 
def deobfuscate_powershell(input_file, output_file): 
  try: 
      with open(input_file, 'r', encoding='utf-8') as f: 
          text = f.read() 
 
      function_name_match = re.search(r"function\s+(\w+)\s*\(", text) 
      if not function_name_match: 
          print("Could not find the obfuscation function name in the file.") 
          return 
      
      function_name = function_name_match.group(1) 
      print(f"Detected obfuscation function name: {function_name}") 
 
      obfuscated_pattern = rf"(?<={function_name} ')(.*?)(?=')" 
      matches = re.findall(obfuscated_pattern, text) 
 
      for match in matches: 
          deobfuscated = match[4::5] 
          full_obfuscated_call = f"{function_name} '{match}'" 
          text = text.replace(full_obfuscated_call, deobfuscated) 
 
      with open(output_file, 'w', encoding='utf-8') as f: 
          f.write(text) 
 
      print(f"Deobfuscation complete. Output saved to {output_file}") 
 
  except Exception as e: 
      print(f"An error occurred!: {e}") 
 
if __name__ == "__main__": 
  parser = argparse.ArgumentParser(description="Deobfuscate an obfuscated PowerShell file.") 
  parser.add_argument("input_file", help="Path to the obfuscated PowerShell file.") 
  parser.add_argument("output_file", nargs='?', help="Path to save the deobfuscated file. Default is 'deobfuscated_powershell.ps1' in the same directory.", default=None) 
 
  args = parser.parse_args() 
 
  if args.output_file is None: 
      output_file = os.path.splitext(args.input_file)[0] + "_deobfuscated.ps1" 
  else: 
      output_file = args.output_file 
 
  deobfuscate_powershell(args.input_file, output_file) 

Script 2 to deobfuscate hex strings obfuscation (note this will need values changed based on sample)

import re 
import argparse 
 
def brevsprkkernes(spackle): 
  if not all(c in'0123456789abcdefABCDEF'for c in spackle): 
      return f"Invalid hex: {spackle}" 
  paronomasian = 2 
  polyurethane = bytearray(len(spackle) // 2) 
 
  for forstyrrets in range(0, len(spackle), paronomasian): 
      try: 
          polyurethane[forstyrrets // 2] = int(spackle[forstyrrets:forstyrrets + 2], 16) 
          polyurethane[forstyrrets // paronomasian] ^= 173 
      except ValueError: 
          return f"Error processing hex: {spackle}" 
 
  return polyurethane.decode('ascii', errors='ignore') 
 
def process_file(input_file, output_file): 
  with open(input_file, 'r') as infile: 
      content = infile.read() 
 
  def replace_function(match): 
      hex_string = match.group(1).strip() 
      result = brevsprkkernes(hex_string) 
      return f"Brevsprkkernes '{result}'" 
 
  updated_content = re.sub(r"Brevsprkkernes\s*['\"]?([0-9A-Fa-f]+)['\"]?", replace_function, content) 
 
  with open(output_file, 'w') as outfile: 
      outfile.write(updated_content) 
 
if __name__ == "__main__": 
  parser = argparse.ArgumentParser(description="Process a PowerShell file and replace hex strings.") 
  parser.add_argument("input_file", help="Path to the input file.") 
  parser.add_argument("output_file", help="Path to save the deobufuscated file.") 
  args = parser.parse_args() 
 
  process_file(args.input_file, args.output_file) 

Indicators of compromise (IoCs)

GuLoader scripts

ZW_PCCE-010023024001.bat  36a9a24404963678edab15248ca95a4065bdc6a84e32fcb7a2387c3198641374  

ORDER_1ST.bat  26500af5772702324f07c58b04ff703958e7e0b57493276ba91c8fa87b7794ff  

IMG465244247443 GULF ORDER Opmagasinering.cmd  40b46bae5cca53c55f7b7f941b0a02aeb5ef5150d9eff7258c48f92de5435216  

EXSP 5634 HISP9005 ST MSDS DOKUME74247linierelet.bat  e0d9ebe414aca4f6d28b0f1631a969f9190b6fb2cf5599b99ccfc6b7916ed8b3  

LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat 4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959  

Quotation_final_buy_order_list_2024_po_nos_ART125673211020240000000000024.bat661f5870a5d8675719b95f123fa27c46bfcedd45001ce3479a9252b653940540  

MEC20241022001.bat  33ed102236533c8b01a224bd5ffb220cecc32900285d2984d4e41803f1b2b58d  

nMEC20241022001.iso  9617fa7894af55085e09a06b1b91488af37b8159b22616dfd5c74e6b9a081739  

Gescanneerde lijst met artikelen nr. 654398.bat  f5feabf1c367774dc162c3e29b88bf32e48b997a318e8dd03a081d7bfe6d3eb5  

DHL_Shipping_Invoices_Awb_BL_000000000102220242247820020031808174Global180030010222024.cmd f78319fcb16312d69c6d2e42689254dff3cb875315f7b2111f5c3d2b4947ab50  

Order Confirmation.bat  949cdd89ed5fb2da03c53b0e724a4d97c898c62995e03c48cbd8456502e39e57  

SKM_0001810-01-2024-GL-3762.bat  9493ad437ea4b55629ee0a8d18141977c2632de42349a995730112727549f40e  

21102024_0029_18102024_SKM_0001810-01-2024-GL-3762.iso  535dd8d9554487f66050e2f751c9f9681dadae795120bb33c3db9f71aafb472c  

\Device\CdRom1\MARSS-FILTRY_ZW015010024.BAT  e5ebe4d8925853fc1f233a5a6f7aa29fd8a7fa3a8ad27471c7d525a70f4461b6  

Myologist.cmd  51244e77587847280079e7db8cfdff143a16772fb465285b9098558b266c6b3f  

SKU_0001710-1-2024-SX-3762.bat  643cd5ba1ac50f5aa2a4c852b902152ffc61916dc39bd162f20283a0ecef39fe  

Stamcafeernes.cmd  54b8b9c01ce6f58eb6314c67f3acb32d7c3c96e70c10b9d35effabb7e227952e  

C:\Users\user\AppData\Local\Temp\j4phhdbc.lti\Bank details Form.bat  c1f810194395ff53044e3ef87829f6dff63a283c568be4a83088483b6c043ec8  

SKGCRO COMANDA FAB SRL M60_647746748846748347474.bat  8dd5fd174ee703a43ab5084fdaba84d074152e46b84d588bf63f9d5cd2f673d1  

DHL_Shipping_Invoices_Awb_BL_000000000101620242247820020031808174Global180030010162024.bat bde5f995304e327d522291bf9886c987223a51a299b80ab62229fcc5e9d09f62  

Ciwies.cmd  b1be65efa06eb610ae0426ba7ac7f534dcb3090cd763dc8642ca0ede7a339ce7  

Zamówienie Agotech Begyndelsesord.cmd  18c0a772f0142bc8e5fb0c8931c0ba4c9e680ff97d7ceb8c496f68dea376f9da  

SKM_0001810-01-2024-GL-3762.iso  4a4c0918bdacd60e792a814ddacc5dc7edb83644268611313cb9b453991ac628  

C:\Users\user\AppData\Local\Temp\Stemmeslugerens.bat  8bedbdaa09eefac7845278d83a08b17249913e484575be3a9c61cf6c70837fd2  

Agotech Zamówienie Fjeldkammes325545235562377.bat  ff6c4c8d899df66b551c84124e73c1f3ffa04a4d348940f983cf73b2709895d3  

Agotech Zamówienie Fjeldkammes3255452355623.bat  f3e046a7769b9c977053dd32ebc1b0e1bbfe3c61789d2b8d54e51083c3d0bed5  

SKU_0001710-1-2024-SX-3762.iso  0546b035a94953d33a5c6d04bdc9521b49b2a98a51d38481b1f35667f5449326  

SKU_0001710-1-2024-SX-3762.bat  4f1b5d4bb6d0a7227948fb7ebb7765f3eb4b26288b52356453b74ea530111520  

DOKUMENTEN_TOBIAS.bat  038113f802ef095d8036e86e5c6b2cb8bc1529e18f34828bcf5f99b4cc012d6a  

IMEG238668289485293885823085802835025Urfjeld.bat  6977043d30d8c1c5024669115590b8fd154905e01ab1f2832b2408d1dc811164  

SKM_C250i24100408500.iso  6370cbcb1ac3941321f93dd0939d5daba0658fb8c85c732a6022cc0ec8f0f082  

SKU_0001710-1-2024-SX-3762.iso  7f06382b781a8ba0d3f46614f8463f8857f0ade67e0f77606b8d918909ad37c2  

\Device\CdRom1\ORDINE ELECTRICAS BC CORP PO EDC0969388.BAT  e98fa3828fa02209415640c41194875c1496bc6f0ca15902479b012243d37c47  

Quote Request #2359 Bogota.msg  0f0dfe8c5085924e5ab722fa01ea182569872532a6162547a2e87a1d2780f902  

ORDER.1ST.bat  48dca5f3a12d3952531b05b556c30accafbf9a3c6cda3ec517e4700d5845ab61  

Fortryl105.cmd  f43b78e4dc3cba2ee9c6f0f764f97841c43419059691d670ca930ce84fb7143b  

SMX-0002607-1-2024-UP-3762.iso  a60dbbe88a1c4857f009a3c06a2641332d41dfd89726dd5f2c6e500f7b25b751

Quotation_final_buy_order_list_2024_po_nos_ART1256731610202400000000000.cmd efd80337104f2acde5c8f3820549110ad40f1aa9b494da9a356938103bda82e7

a60dbbe88a1c4857f009a3c06a2641332d41dfd89726dd5f2c6e500f7b25b751.iso 0327db7b754a16a7ae29265e7d8daed7a1caa4920d5151d779e96cd1536f2fbe  

MARSS-FILTRY_ZW015010024.iso c415127bde80302a851240a169fff0592e864d2f93e9a21c7fd775fdb4788145

SKM_C250i24100408500.bat 36c464519a4cce8d0fcdb22a8974923fd51d915075eba9e62ade54a9c396844d  

UPM-0002607-1-2024-UP-3762.iso  e9fc754844df1a7196a001ac3dfbcf28b80397a718a3ceb8d397378a6375ff62  

Comanda KOMARON TRADE SRL 435635Lukketid.bat 1bf09bcb5bfa440fc6ce5c1d3f310fb274737248bf9acdd28bea98c9163a745a  

311861751714730477170144.bat f87448d722e160584e40feaad0769e170056a21588679094f7d58879cdb23623  

Estimate_buy_product_purchase_order_import_list_10_10_2024_000000101024.cmd f20670ed0cdc2d9a2a75884548e6e6a3857bbf66cfbfb4afe04a3354da9067c9  

PAYMENT TERM.bat 4c90504c86f1e77b0a75a1c7408adf1144f2a0e3661c20f2bf28d168e3408429  

Arbitrre.cmd  8ef4cb5ad7d5053c031690b9d04d64ba5d0d90f7bf8ba5e74cb169b5388e92c5  

KZЗапрос продукта SKM_32532667622352352Arvehygiejnikernes.bat 4ddd3369a51621b0009b6d993126fcb74b52e72f8cacd71fcbc401cda03108cb  

Order_AP568.bat fda4e04894089be87f520144d8a6141074d63d33b29beb28fd042b0ecc06fbbc  

C:\Users\user\Documents\ConnectWiseControl\Temp\Blodprocenternes.cmd e5f5d9855be34b44ad4c9b1c5722d1a6dff2f4a6878a874df1209d813aea7094  

Productivenesses.cmd a7268e906b86f7c1bb926278bf88811cb12189de0db42616e5bbb3dc426a4ef5  

Doktriner.cmd 74d468acd0493a6c5d72387c8e225cc0243ae1a331cd1e2d38f75ed8812347dd  

final_buy_product_purchase_order_import_list_11_10_2024_000000111024.cmd a2127d63bc0204c17d4657e5ae6930cab6ab33ae3e65b82e285a8757f39c4da9  

ORDER_U769.bat b45d9b5dbe09b2ca45d66432925842b0f698c9d269d3c7b5148cc26bdc2a92d0  

Beschwerde-Rechtsanwalt.bat 229c4ce294708561801b16eed5a155c8cfe8c965ea99ac3cfb4717a35a1492f3  

upit nr5634 10_08_2024.cmd 5854d9536371389fb0f1152ebc1479266d36ec4e06b174619502a6db1b593d71  

C:\Users\user\AppData\Local\Temp\Doktriner.cmd 140dcb39308d044e3e90610c65a08e0abc6a3ac22f0c9797971f0c652bb29add  

Fedtsyresammenstning.cmd 0b1c44b202ede2e731b2d9ee64c2ce333764fbff17273af831576a09fc9debfa  

HENIKENPLANT PROJECT PROPOSAL BID_24-0976·pdf.cmd 31a72d94b14bf63b07d66d023ced28092b9253c92b6e68397469d092c2ffb4a6  

MAIN ORDER.bat 85d1877ceda7c04125ca6383228ee158062301ae2b4e4a4a698ef8ed94165c7c  

Narudzba ACH0036173.bat 8d7324d66484383eba389bc2a8a6d4e9c4cb68bfec45d887b7766573a306af68  

Sludger.cmd 45b7b8772d9fe59d7df359468e3510df1c914af41bd122eeb5a408d045399a14  

Glasmester.bat b0e69f895f7b0bc859df7536d78c2983d7ed0ac1d66c243f44793e57d346049d  

PERMINTAAN ANGGARAN (Universitas IPB) ID177888·pdf.cmd 09a3bb4be0a502684bd37135a9e2cbaa3ea0140a208af680f7019811b37d28d6  

C:\Users\user\Documents\ConnectWiseControl\Temp\Bidcock.cmd 0996e7b37e8b41ff0799996dd96b5a72e8237d746c81e02278d84aa4e7e8534e  

PO++380.101483.bat a9af33c8a9050ee6d9fe8ce79d734d7f28ebf36f31ad8ee109f9e3f992a8d110  

Network IOCs

91[.]109.20.161

137[.]184.191.215

185[.]248.196.6

hxxps://filedn[.]com/lK8iuOs2ybqy4Dz6sat9kSz/Frihandelsaftalen40.fla

hxxps://careerfinder[.]ro/vn/Traurigheder[.]sea

hxxp://inversionesevza[.]com/wp-includes/blocks_/Dekupere.pcz

hxxps://rareseeds[.]zendesk[.]com/attachments/token/G9SQnykXWFAnrmBcy8MzhciEs/?name=PO++380.101483.bat

Detection

Yara rule

rule GuLoader_Obfuscated_Powershell 
{ 
   meta: 
       description = "Detects Obfuscated GuLoader Powershell Scripts" 
       author = "tgould@cadosecurity.com" 
       date = "2024-10-14" 
   strings: 
      $hidden_window = { 7374617274202f6d696e20706f7765727368656c6c2e657865202d77696e646f777374796c652068696464656e2022 } 
      $for_loop = /for\s*\(\s*\$[a-zA-Z0-9_]+\s*=\s*\d+;\s*\$[a-zA-Z0-9_]+\s*-lt\s*\$[a-zA-Z0-9_]+\s*;\s*\$[a-zA-Z0-9_]+\s*\+=\s*\d+\s*\)/ 
   condition: 
      $for_loop and $hidden_window 

MITRE ATT&CK

T1566.001  Phishing: Malicious Attachment  

T1055 Process Injection  

T1204.002  User Execution: Malicious File  

T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder  

T1140  Deobfuscate/Decode Files or Information  

T1622  Debugger Evasion  

T1001.001  Junk Code  

T1105  Ingress Tool Transfer  

T1059.001  Command and Scripting Interpreter: Powershell  

T1497.003  Virtualization/Sandbox Evasion: Time Based Evasion  

T1071.001  Application Layer Protocol: Web Protocols

References:

[1] https://www.crowdstrike.com/en-us/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/  

[2] https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/guloader-malware/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Tara Gould
Threat Researcher

More in this series

No items found.

Blog

/

OT

/

September 4, 2025

Rethinking Signature-Based Detection for Power Utility Cybersecurity

Default blog imageDefault blog image

Lessons learned from OT cyber attacks

Over the past decade, some of the most disruptive attacks on power utilities have shown the limits of signature-based detection and reshaped how defenders think about OT security. Each incident reinforced that signatures are too narrow and reactive to serve as the foundation of defense.

2015: BlackEnergy 3 in Ukraine

According to CISA, on December 23, 2015, Ukrainian power companies experienced unscheduled power outages affecting a large number of customers — public reports indicate that the BlackEnergy malware was discovered on the companies’ computer networks.

2016: Industroyer/CrashOverride

CISA describes CrashOverride malwareas an “extensible platform” reported to have been used against critical infrastructure in Ukraine in 2016. It was capable of targeting industrial control systems using protocols such as IEC‑101, IEC‑104, and IEC‑61850, and fundamentally abused legitimate control system functionality to deliver destructive effects. CISA emphasizes that “traditional methods of detection may not be sufficient to detect infections prior to the malware execution” and recommends behavioral analysis techniques to identify precursor activity to CrashOverride.

2017: TRITON Malware

The U.S. Department of the Treasury reports that the Triton malware, also known as TRISIS or HatMan, was “designed specifically to target and manipulate industrial safety systems” in a petrochemical facility in the Middle East. The malware was engineered to control Safety Instrumented System (SIS) controllers responsible for emergency shutdown procedures. During the attack, several SIS controllers entered a failed‑safe state, which prevented the malware from fully executing.

The broader lessons

These events revealed three enduring truths:

  • Signatures have diminishing returns: BlackEnergy showed that while signatures can eventually identify adapted IT malware, they arrive too late to prevent OT disruption.
  • Behavioral monitoring is essential: CrashOverride demonstrated that adversaries abuse legitimate industrial protocols, making behavioral and anomaly detection more effective than traditional signature methods.
  • Critical safety systems are now targets: TRITON revealed that attackers are willing to compromise safety instrumented systems, elevating risks from operational disruption to potential physical harm.

The natural progression for utilities is clear. Static, file-based defenses are too fragile for the realities of OT.  

These incidents showed that behavioral analytics and anomaly detection are far more effective at identifying suspicious activity across industrial systems, regardless of whether the malicious code has ever been seen before.

Strategic risks of overreliance on signatures

  • False sense of security: Believing signatures will block advanced threats can delay investment in more effective detection methods.
  • Resource drain: Constantly updating, tuning, and maintaining signature libraries consumes valuable staff resources without proportional benefit.
  • Adversary advantage: Nation-state and advanced actors understand the reactive nature of signature defenses and design attacks to circumvent them from the start.

Recommended Alternatives (with real-world OT examples)

 Alternative strategies for detecting cyber attacks in OT
Figure 1: Alternative strategies for detecting cyber attacks in OT

Behavioral and anomaly detection

Rather than relying on signatures, focusing on behavior enables detection of threats that have never been seen before—even trusted-looking devices.

Real-world insight:

In one OT setting, a vendor inadvertently left a Raspberry Pi on a customer’s ICS network. After deployment, Darktrace’s system flagged elastic anomalies in its HTTPS and DNS communication despite the absence of any known indicators of compromise. The alerting included sustained SSL increases, agent‑beacon activity, and DNS connections to unusual endpoints, revealing a possible supply‑chain or insider risk invisible to static tools.  

Darktrace’s AI-driven threat detection aligns with the zero-trust principle of assuming the risk of a breach. By leveraging AI that learns an organization’s specific patterns of life, Darktrace provides a tailored security approach ideal for organizations with complex supply chains.

Threat intelligence sharing & building toward zero-trust philosophy

Frameworks such as MITRE ATT&CK for ICS provide a common language to map activity against known adversary tactics, helping teams prioritize detections and response strategies. Similarly, information-sharing communities like E-ISAC and regional ISACs give utilities visibility into the latest tactics, techniques, and procedures (TTPs) observed across the sector. This level of intel can help shift the focus away from chasing individual signatures and toward building resilience against how adversaries actually operate.

Real-world insight:

Darktrace’s AI embodies zero‑trust by assuming breach potential and continually evaluating all device behavior, even those deemed trusted. This approach allowed the detection of an anomalous SharePoint phishing attempt coming from a trusted supplier, intercepted by spotting subtle patterns rather than predefined rules. If a cloud account is compromised, unauthorized access to sensitive information could lead to extortion and lateral movement into mission-critical systems for more damaging attacks on critical-national infrastructure.

This reinforces the need to monitor behavioral deviations across the supply chain, not just known bad artifacts.

Defense-in-Depth with OT context & unified visibility

OT environments demand visibility that spans IT, OT, and IoT layers, supported by risk-based prioritization.

Real-world insight:

Darktrace / OT offers unified AI‑led investigations that break down silos between IT and OT. Smaller teams can see unusual outbound traffic or beaconing from unknown OT devices, swiftly investigate across domains, and get clear visibility into device behavior, even when they lack specialized OT security expertise.  

Moreover, by integrating contextual risk scoring, considering real-world exploitability, device criticality, firewall misconfiguration, and legacy hardware exposure, utilities can focus on the vulnerabilities that genuinely threaten uptime and safety, rather than being overwhelmed by CVE noise.  

Regulatory alignment and positive direction

Industry regulations are beginning to reflect this evolution in strategy. NERC CIP-015 requires internal network monitoring that detects anomalies, and the standard references anomalies 15 times. In contrast, signature-based detection is not mentioned once.

This regulatory direction shows that compliance bodies understand the limitations of static defenses and are encouraging utilities to invest in anomaly-based monitoring and analytics. Utilities that adopt these approaches will not only be strengthening their resilience but also positioning themselves for regulatory compliance and operational success.

Conclusion

Signature-based detection retains utility for common IT malware, but it cannot serve as the backbone of security for power utilities. History has shown that major OT attacks are rarely stopped by signatures, since each campaign targets specific systems with customized tools. The most dangerous adversaries, from insiders to nation-states, actively design their operations to avoid detection by signature-based tools.

A more effective strategy prioritizes behavioral analytics, anomaly detection, and community-driven intelligence sharing. These approaches not only catch known threats, but also uncover the subtle anomalies and novel attack techniques that characterize tomorrow’s incidents.

Continue reading
About the author
Daniel Simonds
Director of Operational Technology

Blog

/

Identity

/

August 21, 2025

From VPS to Phishing: How Darktrace Uncovered SaaS Hijacks through Virtual Infrastructure Abuse

Default blog imageDefault blog image

What is a VPS and how are they abused?

A Virtual Private Server (VPS) is a virtualized server that provides dedicated resources and control to users on a shared physical device.  VPS providers, long used by developers and businesses, are increasingly misused by threat actors to launch stealthy, scalable attacks. While not a novel tactic, VPS abuse is has seen an increase in Software-as-a-Service (SaaS)-targeted campaigns as it enables attackers to bypass geolocation-based defenses by mimicking local traffic, evade IP reputation checks with clean, newly provisioned infrastructure, and blend into legitimate behavior [3].

VPS providers like Hyonix and Host Universal offer rapid setup and minimal open-source intelligence (OSINT) footprint, making detection difficult [1][2]. These services are not only fast to deploy but also affordable, making them attractive to attackers seeking anonymous, low-cost infrastructure for scalable campaigns. Such attacks tend to be targeted and persistent, often timed to coincide with legitimate user activity, a tactic that renders traditional security tools largely ineffective.

Darktrace’s investigation into Hyonix VPS abuse

In May 2025, Darktrace’s Threat Research team investigated a series of incidents across its customer base involving VPS-associated infrastructure. The investigation began with a fleet-wide review of alerts linked to Hyonix (ASN AS931), revealing a noticeable spike in anomalous behavior from this ASN in March 2025. The alerts included brute-force attempts, anomalous logins, and phishing campaign-related inbox rule creation.

Darktrace identified suspicious activity across multiple customer environments around this time, but two networks stood out. In one instance, two internal devices exhibited mirrored patterns of compromise, including logins from rare endpoints, manipulation of inbox rules, and the deletion of emails likely used in phishing attacks. Darktrace traced the activity back to IP addresses associated with Hyonix, suggesting a deliberate use of VPS infrastructure to facilitate the attack.

On the second customer network, the attack was marked by coordinated logins from rare IPs linked to multiple VPS providers, including Hyonix. This was followed by the creation of inbox rules with obfuscated names and attempts to modify account recovery settings, indicating a broader campaign that leveraged shared infrastructure and techniques.

Darktrace’s Autonomous Response capability was not enabled in either customer environment during these attacks. As a result, no automated containment actions were triggered, allowing the attack to escalate without interruption. Had Autonomous Response been active, Darktrace would have automatically blocked connections from the unusual VPS endpoints upon detection, effectively halting the compromise in its early stages.

Case 1

Timeline of activity for Case 1 - Unusual VPS logins and deletion of phishing emails.
Figure 1: Timeline of activity for Case 1 - Unusual VPS logins and deletion of phishing emails.

Initial Intrusion

On May 19, 2025, Darktrace observed two internal devices on one customer environment initiating logins from rare external IPs associated with VPS providers, namely Hyonix and Host Universal (via Proton VPN). Darktrace recognized that these logins had occurred within minutes of legitimate user activity from distant geolocations, indicating improbable travel and reinforcing the likelihood of session hijacking. This triggered Darktrace / IDENTITY model “Login From Rare Endpoint While User Is Active”, which highlights potential credential misuse when simultaneous logins occur from both familiar and rare sources.  

Shortly after these logins, Darktrace observed the threat actor deleting emails referring to invoice documents from the user’s “Sent Items” folder, suggesting an attempt to hide phishing emails that had been sent from the now-compromised account. Though not directly observed, initial access in this case was likely achieved through a similar phishing or account hijacking method.

 Darktrace / IDENTITY model "Login From Rare Endpoint While User Is Active", which detects simultaneous logins from both a common and a rare source to highlight potential credential misuse.
Figure 2: Darktrace / IDENTITY model "Login From Rare Endpoint While User Is Active", which detects simultaneous logins from both a common and a rare source to highlight potential credential misuse.

Case 2

Timeline of activity for Case 2 – Coordinated inbox rule creation and outbound phishing campaign.
Figure 3: Timeline of activity for Case 2 – Coordinated inbox rule creation and outbound phishing campaign.

In the second customer environment, Darktrace observed similar login activity originating from Hyonix, as well as other VPS providers like Mevspace and Hivelocity. Multiple users logged in from rare endpoints, with Multi-Factor Authentication (MFA) satisfied via token claims, further indicating session hijacking.

Establishing control and maintaining persistence

Following the initial access, Darktrace observed a series of suspicious SaaS activities, including the creation of new email rules. These rules were given minimal or obfuscated names, a tactic often used by attackers to avoid drawing attention during casual mailbox reviews by the SaaS account owner or automated audits. By keeping rule names vague or generic, attackers reduce the likelihood of detection while quietly redirecting or deleting incoming emails to maintain access and conceal their activity.

One of the newly created inbox rules targeted emails with subject lines referencing a document shared by a VIP at the customer’s organization. These emails would be automatically deleted, suggesting an attempt to conceal malicious mailbox activity from legitimate users.

Mirrored activity across environments

While no direct lateral movement was observed, mirrored activity across multiple user devices suggested a coordinated campaign. Notably, three users had near identical similar inbox rules created, while another user had a different rule related to fake invoices, reinforcing the likelihood of a shared infrastructure and technique set.

Privilege escalation and broader impact

On one account, Darktrace observed “User registered security info” activity was shortly after anomalous logins, indicating attempts to modify account recovery settings. On another, the user reset passwords or updated security information from rare external IPs. In both cases, the attacker’s actions—including creating inbox rules, deleting emails, and maintaining login persistence—suggested an intent to remain undetected while potentially setting the stage for data exfiltration or spam distribution.

On a separate account, outbound spam was observed, featuring generic finance-related subject lines such as 'INV#. EMITTANCE-1'. At the network level, Darktrace / NETWORK detected DNS requests from a device to a suspicious domain, which began prior the observed email compromise. The domain showed signs of domain fluxing, a tactic involving frequent changes in IP resolution, commonly used by threat actors to maintain resilient infrastructure and evade static blocklists. Around the same time, Darktrace detected another device writing a file named 'SplashtopStreamer.exe', associated with the remote access tool Splashtop, to a domain controller. While typically used in IT support scenarios, its presence here may suggest that the attacker leveraged it to establish persistent remote access or facilitate lateral movement within the customer’s network.

Conclusion

This investigation highlights the growing abuse of VPS infrastructure in SaaS compromise campaigns. Threat actors are increasingly leveraging these affordable and anonymous hosting services to hijack accounts, launch phishing attacks, and manipulate mailbox configurations, often bypassing traditional security controls.

Despite the stealthy nature of this campaign, Darktrace detected the malicious activity early in the kill chain through its Self-Learning AI. By continuously learning what is normal for each user and device, Darktrace surfaced subtle anomalies, such as rare login sources, inbox rule manipulation, and concurrent session activity, that likely evade traditional static, rule-based systems.

As attackers continue to exploit trusted infrastructure and mimic legitimate user behavior, organizations should adopt behavioral-based detection and response strategies. Proactively monitoring for indicators such as improbable travel, unusual login sources, and mailbox rule changes, and responding swiftly with autonomous actions, is critical to staying ahead of evolving threats.

Credit to Rajendra Rushanth (Cyber Analyst), Jen Beckett (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

References

·      1: https://cybersecuritynews.com/threat-actors-leveraging-vps-hosting-providers/

·      2: https://threatfox.abuse.ch/asn/931/

·      3: https://www.cyfirma.com/research/vps-exploitation-by-threat-actors/

Appendices

Darktrace Model Detections

•   SaaS / Compromise / Unusual Login, Sent Mail, Deleted Sent

•   SaaS / Compromise / Suspicious Login and Mass Email Deletes

•   SaaS / Resource / Mass Email Deletes from Rare Location

•   SaaS / Compromise / Unusual Login and New Email Rule

•   SaaS / Compliance / Anomalous New Email Rule

•   SaaS / Resource / Possible Email Spam Activity

•   SaaS / Unusual Activity / Multiple Unusual SaaS Activities

•   SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

•   SaaS / Access / Unusual External Source for SaaS Credential Use

•   SaaS / Compromise / High Priority Login From Rare Endpoint

•   SaaS / Compromise / Login From Rare Endpoint While User Is Active

List of Indicators of Compromise (IoCs)

Format: IoC – Type – Description

•   38.240.42[.]160 – IP – Associated with Hyonix ASN (AS931)

•   103.75.11[.]134 – IP – Associated with Host Universal / Proton VPN

•   162.241.121[.]156 – IP – Rare IP associated with phishing

•   194.49.68[.]244 – IP – Associated with Hyonix ASN

•   193.32.248[.]242 – IP – Used in suspicious login activity / Mullvad VPN

•   50.229.155[.]2 – IP – Rare login IP / AS 7922 ( COMCAST-7922 )

•   104.168.194[.]248 – IP – Rare login IP / AS 54290 ( HOSTWINDS )

•   38.255.57[.]212 – IP – Hyonix IP used during MFA activity

•   103.131.131[.]44 – IP – Hyonix IP used in login and MFA activity

•   178.173.244[.]27 – IP – Hyonix IP

•   91.223.3[.]147 – IP – Mevspace Poland, used in multiple logins

•   2a02:748:4000:18:0:1:170b[:]2524 – IPv6 – Hivelocity VPS, used in multiple logins and MFA activity

•   51.36.233[.]224 – IP – Saudi ASN, used in suspicious login

•   103.211.53[.]84 – IP – Excitel Broadband India, used in security info update

MITRE ATT&CK Mapping

Tactic – Technique – Sub-Technique

•   Initial Access – T1566 – Phishing

                       T1566.001 – Spearphishing Attachment

•   Execution – T1078 – Valid Accounts

•   Persistence – T1098 – Account Manipulation

                       T1098.002 – Exchange Email Rules

•   Command and Control – T1071 – Application Layer Protocol

                       T1071.001 – Web Protocols

•   Defense Evasion – T1036 – Masquerading

•   Defense Evasion – T1562 – Impair Defenses

                       T1562.001 – Disable or Modify Tools

•   Credential Access – T1556 – Modify Authentication Process

                       T1556.004 – MFA Bypass

•   Discovery – T1087 – Account Discovery

•      Impact – T1531 – Account Access Removal

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

Continue reading
About the author
Rajendra Rushanth
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI