Darktrace identified a DPRK‑linked campaign targeting South Korean users with JSE‑based spear‑phishing lures. The attackers used government‑themed decoy documents to deploy a VS Code tunnel, enabling covert remote access via trusted Microsoft infrastructure. The activity highlights growing abuse of legitimate tools to evade detection and maintain persistent access.

Darktrace researchers observed threat actors exploiting reports of Venezuelan President Maduro’s arrest to deliver backdoor malware. Attackers often use ongoing world events make their malicious content appear more credible, increasingly the likelihood of a successful attack.

Medusa ransomware increasingly exploits remote monitoring and management (RMM) tools for persistence, lateral movement, and data exfiltration. This blog explores Medusa’s tactics, real-world detections, and how anomaly-based solutions with Autonomous Response can stop attacks.

Darktrace observed opportunistic exploitation of the React2Shell vulnerability within minutes of honeypot deployment. Attackers leveraged shell scripts, HTTP beaconing, and cryptomining activity, highlighting rapid adaptation to unpatched flaws.

Atomic Stealer is rapidly emerging as a significant macOS threat, using infostealing and backdoor capabilities to target Apple users worldwide. Darktrace observed campaigns in 24 countries, detecting activity across multiple kill chain stages and providing recommended actions to contain attacks.

TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.

Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.

Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.

Darktrace has been named the only Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response, earning a 4.8/5 rating from 242 reviews and being named both Gartner Customers’ Choice and a Magic Quadrant Leader recognition.

Darktrace investigates a DragonForce-affiliated ransomware attack targeting the manufacturing sector. The blog details the attack lifecycle, from network scanning and credential brute-forcing to data exfiltration and file encryption.

In October 2025, Microsoft disclosed a critical vulnerability in its Windows Server Update Service (WSUS). This blog details Darktrace’s analysis of the vulnerability, focusing on two US customers where active exploitation was detected.

Darktrace delivers the next evolution of NDR, extending an industry-first bridge across the network and endpoint gap with Self-Learning AI.

Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Darktrace recently identified early-stage intrusion activity consistent with Salt Typhoon’s tactics, reinforcing the importance of anomaly-based detection over traditional signature-based methods when defending against persistent, state-sponsored threat.

Starting in July 2025, Akira ransomware attacks surged globally, targeting SonicWall SSL VPN devices. In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration. A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities.

Darktrace exposed a cybercrime-as-a-service campaign using Python and Go-based malware, Docker containerization, and a full operator UI. With DDoS-as-a-service features, modular APIs, and advanced evasion, this platform highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.

SEO poisoning is a malicious tactic where threat actors manipulate search engine rankings to promote deceptive websites. These sites often mimic legitimate software downloads, delivering malware like the Oyster backdoor. Learn about Darktrace’s investigation into the tactics used to deliver Oyster via fake PuTTY sites and manipulate search visibility.

Unifying network and email security closes critical gaps in your defenses, enabling faster detection, investigation, and response. Discover how an integrated, AI-driven approach strengthens protection across the entire attack lifecycle.

Cryptojacking attacks are rising as threat actors exploit hard-to-detect cryptomining malware. Learn how Darktrace detected and contained a cryptojacking attempt in its early stages using Autonomous Response, with expert analysis of the malware itself revealing insights into a novel cryptomining strain.

This blog outlines a real-world attack where threat actors exploited Fortinet SSL-VPN vulnerabilities to infiltrate a network. It highlights how Darktrace identified threat and took immediate actions to contain it, demonstrating the importance of proactive detection and rapid intervention in minimizing risk and disruption.

Darktrace investigates active exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428. Threat actors can leverage these CVEs for unauthenticated remote code execution, delivering malware like KrustyLoader. This blog explores evolving post-exploitation tactics and emphasizes the need for continuous visibility and machine-speed response across enterprise network environments.