Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Tyler Fornes
Senior Security Analyst at Expel
Share
11
Mar 2019
The following guest-authored blog post examines an advanced cyber-threat discovered by Darktrace on a customer’s network.
At Expel — a managed security provider — our analysts get to use a lot of really cool technologies every day, including Darktrace. Given its popularity among our customers, we thought it would be useful to demonstrate how Darktrace helps us identify and triage potential security threats.
Take a look at this alert. It was triggered via a violation of one of the pre-packaged model breaches for Device / AT Service Scheduled Task.
To triage this specific alert, we need to answer the following questions:
What were the triggers that caused the model to alert?
Which host was the Scheduled Task created on?
Were any files transferred?
Is this activity commonly seen between these hosts?
By answering these questions, we can determine whether or not this alert is related to malicious activity. First, we need to gather additional evidence using the Darktrace console.
At this point, we know the model breach Device / AT Service Scheduled Task was triggered. But what does that mean? Let’s view the model and explore the logic.
Looking at the logic behind this model breach, we see that any message containing the strings “atsvc” and “IPC$” will match this model breach. And because the frequency has been set to “> 0 in 60 mins,” we can assume that once this activity is seen just one time, it’ll trigger an alert. By understanding this logic, we now know:
Next, let’s grab some data. We opened the Model Breach Event Log to see the related events observed for this model breach. There was a successful DCE-RPC bind, followed by SMB Write/Read success containing the keywords “atsvc” and “IPC$.”
We turned to the View advanced search for this event feature of the Model Breach Event Log for even more info.
The advanced search results for this model breach revealed two distinct messages. There’s a successful NTLM authentication message for the account “appadmin.” Since NTLM is commonly used with SMB for authentication, this is likely the account being used by the source machine to establish the SMB session.
Immediately after this authentication, we see the following DCE-RPC message for a named pipe being created involving atsvc:
We see that the RPC bind was created referencing the SASec interface. Based on a quick online search, we learned that the SASec interface “only includes methods for manipulating account information, because most SASec-created task configuration is stored in the file system using the .JOB file format0.”
One possible explanation for this connection is that it was made to query information about a scheduled task defined within the .JOB format, rather than a new scheduled task being created on the host. However, Darktrace doesn’t show any messages mentioning a file with the extension “.JOB” within this model breach. So we kept digging for answers.
By querying “*.JOB AND SMB” within the timeframe of the activity we’ve already observed, some promising results appeared:
We observed three unique .JOB files being accessed over SMB during the exact time of our previous observations. Considering the hosts and the timeframe, we correlated this activity to the original model breach.
So we know the following:
To answer the last investigative question, we used the query “AV.job AND SMB” over the past 60 days. This query returned daily entries for identical activity dating back several months. The activity occurred around the same time each day, involving the same hosts and file paths.
This was starting to smell like legitimate activity, but we still wanted to analyze the contents of the requested file AV.job. We created a packet capture for a five-minute window around the timeframe of the source IP address observed in the model breach.
Once we collected the PCAP, we downloaded and analyzed it in Wireshark, and then extracted the transferred files using the Export Objects feature.
The contents of this file refer to an executable in the location C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe. Judging by the name of the .JOB file this was found in, it was likely a legitimate scheduled task created to perform an antivirus scan on the endpoint each morning.
Reviewing our original analysis questions, we could confidently answer all four questions:
Darktrace’s cyber defense platform allowed our analysts to quickly confirm and scope potential threat activity and identify network-based indicators (NBIs) related to an attack. It can also generate additional, host-based indicators (HBIs) to supplement your investigation. In summary, Darktrace AI enables our Expel analysts quickly and efficiently scope an incident or hunt for threats across the entire organization — without the need for exhaustive data collection and offline parsing by an analyst.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Mythos vs Ethos: Defending in an Era of AI‑Accelerated Vulnerability Discovery
Anthropic’s Mythos and what it means for security teams
Recent attention on systems such as Anthropic Mythos highlights a notable problem for defenders. Namely that disclosure’s role in coordinating defensive action is eroding.
As AI systems gain stronger reasoning and coding capability, their usefulness in analyzing complex software environments and identifying weaknesses naturally increases. What has changed is not attacker motivation, but the conditions under which defenders learn about and organize around risk. Vulnerability discovery and exploitation increasingly unfold in ways that turn disclosure into a retrospective signal rather than a reliable starting point for defense.
Faster discovery was inevitable and is already visible
The acceleration of vulnerability discovery was already observable across the ecosystem. Publicly disclosed vulnerabilities (CVEs) have grown at double-digit rates for the past two years, including a 32% increase in 2024 according to NIST, driven in part by AI even prior to Anthropic’s Mythos model. Most notably XBOW topped the HackerOne US bug bounty leaderboard, marking the first time an autonomous penetration tester had done so.
The technical frontier for AI capabilities has been described elsewhere as jagged, and the implication is that Mythos is exceptional but not unique in this capability. While Mythos appears to make significant progress in complex vulnerability analysis, many other models are already able to find and exploit weaknesses to varying degrees.
What matters here is not which model performs best, but the fact that vulnerability discovery is no longer a scarce or tightly bounded capability.
The consequence of this shift is not simply earlier discovery. It is a change in the defender-attacker race condition. Disclosure once acted as a rough synchronization point. While attackers sometimes had earlier knowledge, disclosure generally marked the moment when risk became visible and defensive action could be broadly coordinated. Increasingly, that coordination will no longer exist. Exploitation may be underway well before a CVE is published, if it is published at all.
Why patch velocity alone is not the answer
The instinctive response to this shift is to focus on patching faster, but treating patch velocity as the primary solution misunderstands the problem. Most organizations are already constrained in how quickly they can remediate vulnerabilities. Asset sprawl, operational risk, testing requirements, uptime commitments, and unclear ownership all limit response speed, even when vulnerabilities are well understood.
If discovery and exploitation now routinely precede disclosure, then patching cannot be the first line of defense. It becomes one necessary control applied within a timeline that has already shifted. This does not imply that organizations should patch less. It means that patching cannot serve as the organizing principle for defense.
Defense needs a more stable anchor
If disclosure no longer defines when defense begins, then defense needs a reference point that does not depend on knowing the vulnerability in advance.
Every digital environment has a behavioral character. Systems authenticate, communicate, execute processes, and access resources in relatively consistent ways over time. These patterns are not static rules or signatures. They are learned behaviors that reflect how an organization operates.
When exploitation occurs, even via previously unknown vulnerabilities, those behavioral patterns change.
Attackers may use novel techniques, but they still need to gain access, create processes, move laterally, and will ultimately interact with systems in ways that diverge from what is expected. That deviation is observable regardless of whether the underlying weakness has been formally named.
In an environment where disclosure can no longer be relied on for timing or coordination, behavioral understanding is no longer an optional enhancement; it becomes the only consistently available defensive signal.
Detecting risk before disclosure
Darktrace’s threat research has consistently shown that malicious activity often becomes visible before public disclosure.
This reflects a defensive approach grounded in ‘Ethos’, in contrast to the unbounded exploration represented by ‘Mythos’. Here, Mythos describes continuous vulnerability discovery at speed and scale. Ethos reflects an understanding of what is normal and expected within a specific environment, grounded in observed behavior.
Revisiting assume breach
These conditions reinforce a principle long embedded in Zero Trust thinking: assume breach.
If exploitation can occur before disclosure, patching vulnerabilities can no longer act as the organizing principle for defense. Instead, effective defense must focus on monitoring for misuse and constraining attacker activity once access is achieved. Behavioral monitoring allows organizations to identify early‑stage compromise and respond while uncertainty remains, rather than waiting for formal verification.
AI plays a critical role here, not by predicting every exploit, but by continuously learning what normal looks like within a specific environment and identifying meaningful deviation at machine speed. Identifying that deviation enables defenders to respond by constraining activity back towards normal patterns of behavior.
Not an arms race, but an asymmetry
AI is often framed as fueling an arms race between attackers and defenders. In practice, the more important dynamic is asymmetry.
Attackers operate broadly, scanning many environments for opportunities. Defenders operate deeply within their own systems, and it’s this business context which is so significant. Behavioral understanding gives defenders a durable advantage. Attackers may automate discovery, but they cannot easily reproduce what belonging looks like inside a particular organization.
A changed defensive model
AI‑accelerated vulnerability discovery does not mean defenders have lost. It does mean that disclosure‑driven, patch‑centric models no longer provide a sufficient foundation for resilience.
As vulnerability volumes grow and exploitation timelines compress, effective defense increasingly depends on continuous behavioral understanding, detection that does not rely on prior disclosure, and rapid containment to limit impact. In this model, CVEs confirm risk rather than define when defense begins.
The industry has already seen this approach work in practice. As AI continues to reshape both offense and defense, behavioral detection will move from being complementary to being essential.
To observe adversary behavior in real time, Darktrace operates a global honeypot network known as “CloudyPots”, designed to capture malicious activity across a wide range of services, protocols, and cloud platforms. These honeypots provide valuable insights into the techniques, tools, and malware actively targeting internet‑facing infrastructure.
How attackers used a Jenkins honeypot to deploy the botnet
One such software honeypotted by Darktrace is Jenkins, a CI build system that allows developers to build code and run tests automatically. The instance of Jenkins in Darktrace’s honeypot is intentionally configured with a weak password, allowing attackers to obtain remote code execution on the service.
In one instance observed by Darktrace on March 18, 2026, a threat actor seemingly attempted to target Darktrace’s Jenkins honeypot to deploy a distributed denial-of-service (DDoS) botnet. Further analysis by Darktrace’s Threat Research team revealed the botnet was intended to specifically target video game servers.
How the Jenkins scriptText endpoint was used for remote code execution
The Jenkins build system features an endpoint named scriptText, which enables users to programmatically send new jobs, in the form of a Groovy script. Groovy is a programming language with similar syntax to Java and runs using the Java Virtual Machine (JVM). An attacker can abuse the scriptText endpoint to run a malicious script, achieving code execution on the victim host.
Figure 1: Request sent to the scriptText endpoint containing the malicious script.
The malicious script is sent using the form-data content type, which results in the contents of the script being URL encoded. This encoding can be decoded to recover the original script, as shown in Figure 2, where Darktrace Analysts decoded the script using CyberChef,
Figure 2: The malicious script decoded using CyberChef.
What happens after Jenkins is compromised
As Jenkins can be deployed on both Microsoft Windows and Linux systems, the script includes separate branches to target each platform.
In the case of Windows, the script performs the following actions:
Downloads a payload from 103[.]177.110.202/w.exe and saves it to C:\Windows\Temp\update.dat.
Renames the “update.dat” file to “win_sys.exe” (within the same folder)
Runs the Unblock-File command is used to remove security restrictions typically applied to files downloaded from the internet.
Adds a firewall allow rule is added for TCP port 5444, which the payload uses for command-and-control (C2) communications.
On Linux systems, the script will instead use a Bash one-liner to download the payload from 103[.]177.110.202/bot_x64.exe to /tmp/bot and execute it.
Why this botnet uses a single IP for delivery and command and control
The IP 103[.]177.110.202 belongs to Webico Company Limited, specifically its Tino brand, a Vietnamese company that offers domain registrar services and server hosting. Geolocation data indicates that the IP is located in Ho Chi Minh City. Open-source intelligence (OSINT) analysis revealed multiple malicious associations tied to the IP [1].
Darktrace’s analysis found that the IP 103[.]177.110.202 is used for multiple stages of an attack, including spreading and initial access, delivering payloads, and C2 communication. This is an unusual combination, as many malware families separate their spreading servers from their C2 infrastructure. Typically, malware distribution activity results in a high volume of abuse complaints, which may result in server takedowns or service suspension by internet providers. Separate C2 infrastructure ensures that existing infections remain controllable even if the spreading server is disrupted.
How the malware evades detection and maintains persistence
Analysis of the Linux payload (bot _x64)
The sample begins by setting the environmental variables BUILD_ID and JENKINS_NODE_COOKIE to “dontKillMe”. By default, Jenkins terminates long-running scripts after a defined timeout period; however, setting these variables to “dontKillMe” bypasses this check, allowing the script to continue running uninterrupted.
The script then performs several stealth behaviors to evade detection. First, it deletes the original executable from disk and then renames itself to resemble the legitimate kernel processes “ksoftirqd/0” or “kworker”, which are found on Linux installations by default. It then uses a double fork to daemonize itself, enabling it to run in the background, before redirecting standard input, standard output, and standard error to /dev/null, hiding any logging from the malware. Finally, the script creates a signal handler for signals such as SIGTERM, causing them to be ignored and making it harder to stop the process.
Figure 3: Stealth component of the main function
How the botnet communicates with command and control (C2)
The sample then connects to the C2 server and sends the detected architecture of the system on which the agent was installed. The malware then enters a loop to handle incoming commands.
The sample features two types of commands, utility commands used to manage the malware, and commands to trigger attacks. Three special commands are defined: “PING” (which replies with PONG as a keep-alive mechanism), “!stop” which causes the malware to exit, and “!update”, which triggers the malware to download a new version from the C2 server and restart itself.
Figure 4: Initial connection to the C2 sever.
What DDoS attack techniques this botnet uses
The attack commands consist of the following:
Many of these commands invoke the same function despite appearing to be different attack techniques. For example, specialized attacks such as Cloudflare bypass (cfbypass, uam) use the exact same function as a standard HTTP attack. This may indicate the threat actor is attempting to make the botnet look like it has more capabilities than it actually has, or it could suggest that these commands are placeholders for future attack functionality that has yet to be implemented
All the commands take three arguments: IP, port to attack, and the duration of the attack.
attack_udp and attack_udp_pps
The attack_udp and attack_udp_pps functions both use a basic loop and sendto system call to send UDP packets to the victim’s IP, either targeting a predetermined port or a random port. The attack_udp function sends packets with 1,450 bytes of data, aimed at bandwidth saturation, while the attack_udp_pps function sends smaller 64-byte packets. In both cases, the data body of the packet consists of entirely random data.
Figure 5: Code for the UDP attack method
attack_dayz
The attack_dayz function follows a similar structure to the attack_udp function; however, instead of sending random data, it will instead send a TSource Engine Query. This command is specific to Valve Source Engine servers and is designed to return a large volume of data about the targeted server. By repeatedly flooding this request, an attacker can exhaust the resources of a server using a comparatively small amount of data.
The Valve Source Engine server, also called Source Engine Dedicated server, is a server developed by video game company Valve that enables multiplayer gameplay for titles built using the Source game engine, which is also developed by Valve. The Source engine is used in games such as Counterstrike and Team Fortress 2. Curiously, the function attack_dayz, appears to be named after another popular online multiplayer game, DayZ; however, DayZ does not use the Valve Source Engine, making it unclear why this name was chosen.
Figure 6: The code for the “attack_dayz” attack function.
attack_tcp_push
The attack_tcp_push function establishes a TCP socket with the non-blocking flag set, allowing it to rapidly call functions such as connect() and send() without waiting for their completion. For the duration of the attack, it enters a while loop in which it repeatedly connects to the victim, sends 1,024 bytes of random data, and then closes the connection. This process repeats until the attack duration ends. If the mode flag is set to 1, the function also configures the socket with TCP no-delay enabled, allowing for packets to be sent immediately without buffering, resulting in a higher packet rate and a more effective attack.
Figure 7: The code for the TCP attack function.
attack_http
Similar to attach_tcp_push, attack_http configures a socket with no-delay enabled and non-blocking set. After establishing the connection, it sends 64 HTTP GET requests before closing the socket.
Figure 8: The code for the HTTP attack function.
attack_special
The attack_special function creates a UDP socket and sets the port and payload based on the value of the mode flag:
Mode 0: Port 53 (DNS), sending a 10-byte malformed data packet.
Mode 1: Port 27015 (Valve Source Engine), sending the previously observed TSource Engine Query packet.
Mode 2: Port 123 (NTP), sending the start of an NTP control request.
Figure 9: The code for the attack_special function.
What this botnet reveals about opportunistic attacks on internet-facing systems
Jenkins is one of the less frequently exploited services honeypotted by Darktrace, with only a handful campaigns observed. Nonetheless, the emergence of this new DDoS botnet demonstrates that attackers continue to opportunistically exploit any internet-facing misconfiguration at scale to grow the botnet strength.
While the hosts most commonly affected by these opportunistic attacks are usually “lower-value” systems, this distinction is largely irrelevant for botnets, where numbers alone are more important to overall effectiveness
The presence of game-specific DoS techniques further highlights that the gaming industry continues to be extensively targeted by cyber attackers, with Cloudflare reporting it as the fourth most targeted industry [2]. This botnet has likely already been used against game servers, serving as a reminder for server operators to ensure appropriate mitigations are in place.
Credit to Nathaniel Bill (Malware Research Engineer) Edited by Ryan Traill (Content Manager)
Indicators of Compromise (IoCs)
103[.]177.110.202 - Attacker and command-and-control IP
