Blog
/
Network
/
March 12, 2025

Darktrace's Detection of State-Linked ShadowPad Malware

In 2024, Darktrace identified a cluster of intrusions involving the state-linked malware, ShadowPad. This blog will detail ShadowPad and the associated activities detected by Darktrace.
Written by
Sam Lister
Specialist Security Researcher
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
Specialist Security Researcher
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Mar 2025


An integral part of cybersecurity is anomaly detection, which involves identifying unusual patterns or behaviors in network traffic that could indicate malicious activity, such as a cyber-based intrusion. However, attribution remains one of the ever present challenges in cybersecurity. Attribution involves the process of accurately identifying and tracing the source to a specific threat actor(s).

Given the complexity of digital networks and the sophistication of attackers who often use proxies or other methods to disguise their origin, pinpointing the exact source of a cyberattack is an arduous task. Threat actors can use proxy servers, botnets, sophisticated techniques, false flags, etc. Darktrace’s strategy is rooted in the belief that identifying behavioral anomalies is crucial for identifying both known and novel threat actor campaigns.

The ShadowPad cluster

Between July 2024 and November 2024, Darktrace observed a cluster of activity threads sharing notable similarities. The threads began with a malicious actor using compromised user credentials to log in to the target organization's Check Point Remote Access virtual private network (VPN) from an attacker-controlled, remote device named 'DESKTOP-O82ILGG'.  In one case, the IP from which the initial login was carried out was observed to be the ExpressVPN IP address, 194.5.83[.]25. After logging in, the actor gained access to service account credentials, likely via exploitation of an information disclosure vulnerability affecting Check Point Security Gateway devices. Recent reporting suggests this could represent exploitation of CVE-2024-24919 [27,28]. The actor then used these compromised service account credentials to move laterally over RDP and SMB, with files related to the modular backdoor, ShadowPad, being delivered to the  ‘C:\PerfLogs\’ directory of targeted internal systems. ShadowPad was seen communicating with its command-and-control (C2) infrastructure, 158.247.199[.]185 (dscriy.chtq[.]net), via both HTTPS traffic and DNS tunneling, with subdomains of the domain ‘cybaq.chtq[.]net’ being used in the compromised devices’ TXT DNS queries.

Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Figure 1: Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.
Figure 2: Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.

Darktrace observed these ShadowPad activity threads within the networks of European-based customers in the manufacturing and financial sectors.  One of these intrusions was followed a few months later by likely state-sponsored espionage activity, as detailed in the investigation of the year in Darktrace’s Annual Threat Report 2024.

[related-resource]

Related ShadowPad activity

Additional cases of ShadowPad were observed across Darktrace’s customer base in 2024. In some cases, common C2 infrastructure with the cluster discussed above was observed, with dscriy.chtq[.]net and cybaq.chtq[.]net both involved; however, no other common features were identified. These ShadowPad infections were observed between April and November 2024, with customers across multiple regions and sectors affected.  Darktrace’s observations align with multiple other public reports that fit the timeframe of this campaign.

Darktrace has also observed other cases of ShadowPad without common infrastructure since September 2024, suggesting the use of this tool by additional threat actors.

The data theft thread

One of the Darktrace customers impacted by the ShadowPad cluster highlighted above was a European manufacturer. A distinct thread of activity occurred within this organization’s network several months after the ShadowPad intrusion, in October 2024.

The thread involved the internal distribution of highly masqueraded executable files via Sever Message Block (SMB) and WMI (Windows Management Instrumentation), the targeted collection of sensitive information from an internal server, and the exfiltration of collected information to a web of likely compromised sites. This observed thread of activity, therefore, consisted of three phrases: lateral movement, collection, and exfiltration.

The lateral movement phase began when an internal user device used an administrative credential to distribute files named ‘ProgramData\Oracle\java.log’ and 'ProgramData\Oracle\duxwfnfo' to the c$ share on another internal system.  

Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.
Figure 3: Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.

Over the next few days, Darktrace detected several other internal systems using administrative credentials to upload files with the following names to the c$ share on internal systems:

ProgramData\Adobe\ARM\webservices.dll

ProgramData\Adobe\ARM\wksprt.exe

ProgramData\Oracle\Java\wksprt.exe

ProgramData\Oracle\Java\webservices.dll

ProgramData\Microsoft\DRM\wksprt.exe

ProgramData\Microsoft\DRM\webservices.dll

ProgramData\Abletech\Client\webservices.dll

ProgramData\Abletech\Client\client.exe

ProgramData\Adobe\ARM\rzrmxrwfvp

ProgramData\3Dconnexion\3DxWare\3DxWare.exe

ProgramData\3Dconnexion\3DxWare\webservices.dll

ProgramData\IDMComp\UltraCompare\updater.exe

ProgramData\IDMComp\UltraCompare\webservices.dll

ProgramData\IDMComp\UltraCompare\imtrqjsaqmm

Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.
Figure 4: Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.

The threat actor appears to have abused the Microsoft RPC (MS-RPC) service, WMI, to execute distributed payloads, as evidenced by the ExecMethod requests to the IWbemServices RPC interface which immediately followed devices’ SMB uploads.  

Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.
Figure 5: Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.

Several of the devices involved in these lateral movement activities, both on the source and destination side, were subsequently seen using administrative credentials to download tens of GBs of sensitive data over SMB from a specially selected server.  The data gathering stage of the threat sequence indicates that the threat actor had a comprehensive understanding of the organization’s system architecture and had precise objectives for the information they sought to extract.

Immediately after collecting data from the targeted server, devices went on to exfiltrate stolen data to multiple sites. Several other likely compromised sites appear to have been used as general C2 infrastructure for this intrusion activity. The sites used by the threat actor for C2 and data exfiltration purport to be sites for companies offering a variety of service, ranging from consultancy to web design.

Screenshot of one of the likely compromised sites used in the intrusion. 
Figure 6: Screenshot of one of the likely compromised sites used in the intrusion.

At least 16 sites were identified as being likely data exfiltration or C2 sites used by this threat actor in their operation against this organization. The fact that the actor had such a wide web of compromised sites at their disposal suggests that they were well-resourced and highly prepared.  

Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Figure 7: Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com    
Figure 8: Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com  

Cyber AI Analyst spotlight

Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.
Figure 9: Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.  
Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.
Figure 10: Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.

As shown in the above figures, Cyber AI Analyst’s ability to thread together the different steps of these attack chains are worth highlighting.

In the ShadowPad attack chains, Cyber AI Analyst was able to identify SMB writes from the VPN subnet to the DC, and the C2 connections from the DC. It was also able to weave together this activity into a single thread representing the attacker’s progression.

Similarly, in the data exfiltration attack chain, Cyber AI Analyst identified and connected multiple types of lateral movement over SMB and WMI and external C2 communication to various external endpoints, linking them in a single, connected incident.

These Cyber AI Analyst actions enabled a quicker understanding of the threat actor sequence of events and, in some cases, faster containment.

Attribution puzzle

Publicly shared research into ShadowPad indicates that it is predominantly used as a backdoor in People’s Republic of China (PRC)-sponsored espionage operations [5][6][7][8][9][10]. Most publicly reported intrusions involving ShadowPad  are attributed to the China-based threat actor, APT41 [11][12]. Furthermore, Google Threat Intelligence Group (GTIG) recently shared their assessment that ShadowPad usage is restricted to clusters associated with APT41 [13]. Interestingly, however, there have also been public reports of ShadowPad usage in unattributed intrusions [5].

The data theft activity that later occurred in the same Darktrace customer network as one of these ShadowPad compromises appeared to be the targeted collection and exfiltration of sensitive data. Such an objective indicates the activity may have been part of a state-sponsored operation. The tactics, techniques, and procedures (TTPs), artifacts, and C2 infrastructure observed in the data theft thread appear to resemble activity seen in previous Democratic People’s Republic of Korea (DPRK)-linked intrusion activities [15] [16] [17] [18] [19].

The distribution of payloads to the following directory locations appears to be a relatively common behavior in DPRK-sponsored intrusions.

Observed examples:

C:\ProgramData\Oracle\Java\  

C:\ProgramData\Adobe\ARM\  

C:\ProgramData\Microsoft\DRM\  

C:\ProgramData\Abletech\Client\  

C:\ProgramData\IDMComp\UltraCompare\  

C:\ProgramData\3Dconnexion\3DxWare\

Additionally, the likely compromised websites observed in the data theft thread, along with some of the target URI patterns seen in the C2 communications to these sites, resemble those seen in previously reported DPRK-linked intrusion activities.

No clear evidence was found to link the ShadowPad compromise to the subsequent data theft activity that was observed on the network of the manufacturing customer. It should be noted, however, that no clear signs of initial access were found for the data theft thread – this could suggest the ShadowPad intrusion itself represents the initial point of entry that ultimately led to data exfiltration.

Motivation-wise, it seems plausible for the data theft thread to have been part of a DPRK-sponsored operation. DPRK is known to pursue targets that could potentially fulfil its national security goals and had been publicly reported as being active in months prior to this intrusion [21]. Furthermore, the timing of the data theft aligns with the ratification of the mutual defense treaty between DPRK and Russia and the subsequent accused activities [20].

Darktrace assesses with medium confidence that a nation-state, likely DPRK, was responsible, based on our investigation, the threat actor applied resources, patience, obfuscation, and evasiveness combined with external reporting, collaboration with the cyber community, assessing the attacker’s motivation and world geopolitical timeline, and undisclosed intelligence.


Conclusion

When state-linked cyber activity occurs within an organization’s environment, previously unseen C2 infrastructure and advanced evasion techniques will likely be used. State-linked cyber actors, through their resources and patience, are able to bypass most detection methods, leaving anomaly-based methods as a last line of defense.

Two threads of activity were observed within Darktrace’s customer base over the last year: The first operation involved the abuse of Check Point VPN credentials to log in remotely to organizations’ networks, followed by the distribution of ShadowPad to an internal domain controller. The second operation involved highly targeted data exfiltration from the network of one of the customers impacted by the previously mentioned ShadowPad activity.

Despite definitive attribution remaining unresolved, both the ShadowPad and data exfiltration activities were detected by Darktrace’s Self-Learning AI, with Cyber AI Analyst playing a significant role in identifying and piecing together the various steps of the intrusion activities.  

Credit to Sam Lister (R&D Detection Analyst), Emma Foulger (Principal Cyber Analyst), Nathaniel Jones (VP), and the Darktrace Threat Research team.

Appendices

Darktrace / NETWORK model alerts

User / New Admin Credentials on Client

Anomalous Connection / Unusual Admin SMB Session

Compliance / SMB Drive Write  

Device / Anomalous SMB Followed By Multiple Model Breaches

Anomalous File / Internal / Unusual SMB Script Write

User / New Admin Credentials on Client  

Anomalous Connection / Unusual Admin SMB Session

Compliance / SMB Drive Write

Device / Anomalous SMB Followed By Multiple Model Breaches

Anomalous File / Internal / Unusual SMB Script Write

Device / New or Uncommon WMI Activity

Unusual Activity / Internal Data Transfer

Anomalous Connection / Download and Upload

Anomalous Server Activity / Rare External from Server

Compromise / Beacon to Young Endpoint

Compromise / Agent Beacon (Short Period)

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Connection / POST to PHP on New External Host

Compromise / Sustained SSL or HTTP Increase

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Device / Multiple C2 Model Alerts

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Download and Upload

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Low and Slow Exfiltration

Anomalous Connection / Uncommon 1 GiB Outbound  

MITRE ATT&CK mapping

(Technique name – Tactic ID)

ShadowPad malware threads

Initial Access - Valid Accounts: Domain Accounts (T1078.002)

Initial Access - External Remote Services (T1133)

Privilege Escalation - Exploitation for Privilege Escalation (T1068)

Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)

Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)

Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)

Lateral Movement - Remote Services: SMB/Windows Admin Shares (T1021.002)

Command and Control - Proxy: Internal Proxy (T1090.001)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Encrypted Channel: Asymmetric Cryptography (T1573.002)

Command and Control - Application Layer Protocol: DNS (T1071.004)

Data theft thread

Resource Development - Compromise Infrastructure: Domains (T1584.001)

Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)

Privilege Escalation - Valid Accounts: Domain Accounts (T1078.002)

Execution - Windows Management Instrumentation (T1047)

Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)

Defense Evasion - Obfuscated Files or Information (T1027)

Lateral Movement - Remote Services: SMB/Windows Admin Shares (T1021.002)

Collection - Data from Network Shared Drive (T1039)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Encrypted Channel: Asymmetric Cryptography (T1573.002)

Command and Control - Proxy: External Proxy (T1090.002)

Exfiltration - Exfiltration Over C2 Channel (T1041)

Exfiltration - Data Transfer Size Limits (T1030)

List of indicators of compromise (IoCs)

IP addresses and/or domain names (Mid-high confidence):

ShadowPad thread

- dscriy.chtq[.]net • 158.247.199[.]185 (endpoint of C2 comms)

- cybaq.chtq[.]net (domain name used for DNS tunneling)  

Data theft thread

- yasuconsulting[.]com (45.158.12[.]7)

- hobivan[.]net (94.73.151[.]72)

- mediostresbarbas.com[.]ar (75.102.23[.]3)

- mnmathleague[.]org (185.148.129[.]24)

- goldenborek[.]com (94.138.200[.]40)

- tunemmuhendislik[.]com (94.199.206[.]45)

- anvil.org[.]ph (67.209.121[.]137)

- partnerls[.]pl (5.187.53[.]50)

- angoramedikal[.]com (89.19.29[.]128)

- awork-designs[.]dk (78.46.20[.]225)

- digitweco[.]com (38.54.95[.]190)

- duepunti-studio[.]it (89.46.106[.]61)

- scgestor.com[.]br (108.181.92[.]71)

- lacapannadelsilenzio[.]it (86.107.36[.]15)

- lovetamagotchith[.]com (203.170.190[.]137)

- lieta[.]it (78.46.146[.]147)

File names (Mid-high confidence):

ShadowPad thread:

- perflogs\1.txt

- perflogs\AppLaunch.exe

- perflogs\F4A3E8BE.tmp

- perflogs\mscoree.dll

Data theft thread

- ProgramData\Oracle\java.log

- ProgramData\Oracle\duxwfnfo

- ProgramData\Adobe\ARM\webservices.dll

- ProgramData\Adobe\ARM\wksprt.exe

- ProgramData\Oracle\Java\wksprt.exe

- ProgramData\Oracle\Java\webservices.dll

- ProgramData\Microsoft\DRM\wksprt.exe

- ProgramData\Microsoft\DRM\webservices.dll

- ProgramData\Abletech\Client\webservices.dll

- ProgramData\Abletech\Client\client.exe

- ProgramData\Adobe\ARM\rzrmxrwfvp

- ProgramData\3Dconnexion\3DxWare\3DxWare.exe

- ProgramData\3Dconnexion\3DxWare\webservices.dll

- ProgramData\IDMComp\UltraCompare\updater.exe

- ProgramData\IDMComp\UltraCompare\webservices.dll

- ProgramData\IDMComp\UltraCompare\imtrqjsaqmm

- temp\HousecallLauncher64.exe

Attacker-controlled device hostname (Mid-high confidence)

- DESKTOP-O82ILGG

References  

[1] https://www.kaspersky.com/about/press-releases/shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world  

[2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf

[3] https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

[4] https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

[5] https://assets.sentinelone.com/c/Shadowpad?x=P42eqA

[6] https://www.cyfirma.com/research/the-origins-of-apt-41-and-shadowpad-lineage/

[7] https://www.csoonline.com/article/572061/shadowpad-has-become-the-rat-of-choice-for-several-state-sponsored-chinese-apts.html

[8] https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group

[9] https://cymulate.com/threats/shadowpad-privately-sold-malware-espionage-tool/

[10] https://www.secureworks.com/research/shadowpad-malware-analysis

[11] https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/

[12] https://hackerseye.net/all-blog-items/tails-from-the-shadow-apt-41-injecting-shadowpad-with-sideloading/

[13] https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator

[14] https://www.domaintools.com/wp-content/uploads/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf

[15] https://www.nccgroup.com/es/research-blog/north-korea-s-lazarus-their-initial-access-trade-craft-using-social-media-and-social-engineering/  

[16] https://www.microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

[17] https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/  

[18] https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/  

[19] https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html  

[20] https://usun.usmission.gov/joint-statement-on-the-unlawful-arms-transfer-by-the-democratic-peoples-republic-of-korea-to-russia/

[21] https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/1/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF  

[22] https://kyivindependent.com/first-north-korean-troops-deployed-to-front-line-in-kursk-oblast-ukraines-military-intelligence-says/

[23] https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/  

[24] https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/  

[25] https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/    

[26] https://thehackernews.com/2022/06/state-backed-hackers-using-ransomware.html/  

[27] https://blog.checkpoint.com/security/check-point-research-explains-shadow-pad-nailaolocker-and-its-protection/

[28] https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors

[related-resource]

AI Cybersecurity: Insights for 2025

We surveyed 1,500+ cybersecurity professionals globally to explore their views, knowledge, and priorities on AI cybersecurity in 2025.

Written by
Sam Lister
Specialist Security Researcher
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
Specialist Security Researcher

Xillen Stealer Updates to Version 5 to Evade AI Detection

Network
November 20, 2025
Tara Gould
Threat Researcher
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
Jun 2, 2025
3
Evaluating Email Security: How to Select the Best Solution for Your Organization
May 21, 2025
4
2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review
Aug 5, 2025
5
Introducing the AI Maturity Model for Cybersecurity
Jul 16, 2025

More in this series

No items found.
Continue reading
Network
November 20, 2025

Xillen Stealer Updates to Version 5 to Evade AI Detection

Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
Tara Gould
Threat Researcher
Read more
Network
November 12, 2025

Unmasking Vo1d: Inside Darktrace’s Botnet Detection

Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.
Christina Kreza
Cyber Analyst
Read more
Network
November 6, 2025

Darktrace Named the Only 2025 Gartner® Peer Insights™ Customers’ Choice for Network Detection and Response

Darktrace has been named the only Customers’ Choice in the 2025 Gartner® Peer Insights™ Voice of the Customer for Network Detection and Response, earning a 4.8/5 rating from 242 reviews and being named both Gartner Customers’ Choice and a Magic Quadrant Leader recognition.
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Read more

Blog

/

Compliance

/

November 25, 2025

UK Cyber Security & Resilience Bill: What Organizations Need to Know

Default blog imageDefault blog image

Why the Bill has been introduced

The UK’s cyber threat landscape has evolved dramatically since the 2018 NIS regime was introduced. Incidents such as the Synnovis attack against hospitals and the British Library ransomware attack show how quickly operational risk can become public harm. In this context, the UK Department for Science, Innovation and Technology estimates that cyber-attacks cost UK businesses around £14.7 billion each year.

At the same time, the widespread adoption of AI has expanded organisations’ attack surfaces and empowered threat actors to launch more effective and sophisticated activities, including crafting convincing phishing campaigns, exploiting vulnerabilities and initiating ransomware attacks at unprecedented speed and scale.  

The CSRB responds to these challenges by widening who is regulated, accelerating incident reporting and tightening supply chain accountability, while enabling rapid updates that keep pace with technology and emerging risks.

Key provisions of the Cyber Security and Resilience Bill

A wider set of organisations in scope

The Bill significantly broadens the range of organisations regulated under the NIS framework.

  • Managed service providers (MSPs) - medium and large MSPs, including MSSPs, managed SOCs, SIEM providers and similar services,will now fall under NIS obligations due to their systemic importance and privileged access to client systems. The Information Commissioner’s Office (ICO) will act as the regulator. Government analysis anticipates that a further 900 to 1,100 MSPs will be in scope.
  • Data infrastructure is now recognised as essential to the functioning of the economy and public services. Medium and large data centres, as well as enterprise facilities meeting specified thresholds, will be required to implement appropriate and proportionate measures to manage cyber risk. Oversight will be shared between DSIT and Ofcom, with Ofcom serving as the operational regulator.
  • Organisations that manage electrical loads for smart appliances, such as those supporting EV charging during peak times, are now within scope.

These additions sit alongside existing NIS-regulated sectors such as transport, energy, water, health, digital infrastructure, and certain digital services (including online marketplaces, search engines, and cloud computing).

Stronger supply chain requirements

Under the CSRB, regulators can now designate third-party suppliers as ‘designated critical suppliers’ (DCS) when certain threshold criteria are met and where disruption could have significant knock-on effects. Designated suppliers will be subject to the same security and incident-reporting obligations as Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs).

Government will scope the supply chain duties for OES and RDSPs via secondary legislation, following consultation. infrastructure incidents where a single supplier’s compromise caused widespread disruption.

Faster incident reporting

Sector-specific regulators, 12 in total, will be responsible for implementing the CSRB, allowing for more effective and consistent reporting. In addition, the CSRB introduces a two-stage reporting process and expands incident reporting criteria. Regulated entities must submit an initial notification within 24 hours of becoming aware of a significant incident, followed by an incident report within 72 hours. Incident reporting criteria are also broadened to capture incidents beyond those which actually resulted in an interruption, ensuring earlier visibility for regulators and the National Cyber Security Centre (NCSC). The importance of information sharing across agencies, law enforcement and regulators is also facilitated by the CSRB.

The reforms also require data centres and managed service providers to notify affected customers where they are likely to have been impacted by a cyber incident.

An agile regulatory framework

To keep pace with technological change, the CSRB will enable the Secretary of State to update elements of the framework via secondary legislation. Supporting materials such as the NCSC Cyber Assessment Framework (CAF) are to be "put on a stronger footing” allowing for requirements to be more easily followed, managed and updated. Regulators will also now be able to recover full costs associated with NIS duties meaning they are better resourced to carry out their associated responsibilities.

Relevant Managed Service Providers must identify and take appropriate and proportionate measures to manage risks to the systems they rely on for providing services within the UK. Importantly, these measures must, having regard to the state of the art, ensure a level of security appropriate to the risk posed, and prevent or minimise the impact of incidents.

The Secretary of State will also be empowered to issue a Statement of Strategic Priorities, setting cross-regime outcomes to drive consistency across the 12 competent authorities responsible for implementation.

Penalties

The enforcement framework will be strengthened, with maximum fines aligned with comparable regimes such as the GDPR, which incorporate maximums tied to turnover. Under the CSRB, maximum penalties for more serious breaches could be up to £17 million or 4% of global turnover, whichever is higher.

Next steps

The Bill is expected to progress through Parliament over the course of 2025 and early 2026, with Royal Assent anticipated in 2026. Once enacted, most operational measures will not take immediate effect. Instead, Government will bring key components into force through secondary legislation following further consultation, providing regulators and industry with time to adjust practices and prepare for compliance.

Anticipated timeline

  • 2025-2026: Parliamentary scrutiny and passage;
  • 2026: Royal Assent;  
  • 2026 consultation: DSIT intends to consult on detailed implementation;
  • From 2026 onwards: Phased implementation via secondary legislation, following further consultation led by DSIT.

How Darktrace can help

The CSRB represents a step change in how the UK approaches digital risk, shifting the focus from compliance to resilience.

Darktrace can help organisations operationalise this shift by using AI to detect, investigate and respond to emerging threats at machine speed, before they escalate into incidents requiring regulatory notification. Proactive tools which can be included in the Darktrace platform allow security teams to stress-test defences, map supply chain exposure and rehearse recovery scenarios, directly supporting the CSRB’s focus on resilience, transparency and rapid response. If an incident does occur, Darktrace’s autonomous agent, Cyber AI Analyst, can accelerate investigations and provide a view of every stage of the attack chain, supporting timely reporting.  

Darktrace’s AI can provide organisations with a vital lens into both internal and external cyber risk. By continuously learning patterns of behaviour across interconnected systems, Darktrace can flag potential compromise or disruption to detect supply chain risk before it impacts your organisation.

In a landscape where compliance and resilience go hand in hand, Darktrace can equip organisations to stay ahead of both evolving threats and evolving regulatory requirements.

[related-resource]

Continue reading
About the author
The Darktrace Community

Blog

/

OT

/

November 20, 2025

Managing OT Remote Access with Zero Trust Control & AI Driven Detection

managing OT remote access with zero trust control and ai driven detectionDefault blog imageDefault blog image

The shift toward IT-OT convergence

Recently, industrial environments have become more connected and dependent on external collaboration. As a result, truly air-gapped OT systems have become less of a reality, especially when working with OEM-managed assets, legacy equipment requiring remote diagnostics, or third-party integrators who routinely connect in.

This convergence, whether it’s driven by digital transformation mandates or operational efficiency goals, are making OT environments more connected, more automated, and more intertwined with IT systems. While this convergence opens new possibilities, it also exposes the environment to risks that traditional OT architectures were never designed to withstand.

The modernization gap and why visibility alone isn’t enough

The push toward modernization has introduced new technology into industrial environments, creating convergence between IT and OT environments, and resulting in a lack of visibility. However, regaining that visibility is just a starting point. Visibility only tells you what is connected, not how access should be governed. And this is where the divide between IT and OT becomes unavoidable.

Security strategies that work well in IT often fall short in OT, where even small missteps can lead to environmental risk, safety incidents, or costly disruptions. Add in mounting regulatory pressure to enforce secure access, enforce segmentation, and demonstrate accountability, and it becomes clear: visibility alone is no longer sufficient. What industrial environments need now is precision. They need control. And they need to implement both without interrupting operations. All this requires identity-based access controls, real-time session oversight, and continuous behavioral detection.

The risk of unmonitored remote access

This risk becomes most evident during critical moments, such as when an OEM needs urgent access to troubleshoot a malfunctioning asset.

Under that time pressure, access is often provisioned quickly with minimal verification, bypassing established processes. Once inside, there’s little to no real-time oversight of user actions whether they’re executing commands, changing configurations, or moving laterally across the network. These actions typically go unlogged or unnoticed until something breaks. At that point, teams are stuck piecing together fragmented logs or post-incident forensics, with no clear line of accountability.  

In environments where uptime is critical and safety is non-negotiable, this level of uncertainty simply isn’t sustainable.

The visibility gap: Who’s doing what, and when?

The fundamental issue we encounter is the disconnect between who has access and what they are doing with it.  

Traditional access management tools may validate credentials and restrict entry points, but they rarely provide real-time visibility into in-session activity. Even fewer can distinguish between expected vendor behavior and subtle signs of compromise, misuse or misconfiguration.  

As a result, OT and security teams are often left blind to the most critical part of the puzzle, intent and behavior.

Closing the gaps with zero trust controls and AI‑driven detection

Managing remote access in OT is no longer just about granting a connection, it’s about enforcing strict access parameters while continuously monitoring for abnormal behavior. This requires a two-pronged approach: precision access control, and intelligent, real-time detection.

Zero Trust access controls provide the foundation. By enforcing identity-based, just-in-time permissions, OT environments can ensure that vendors and remote users only access the systems they’re explicitly authorized to interact with, and only for the time they need. These controls should be granular enough to limit access down to specific devices, commands, or functions. By applying these principles consistently across the Purdue Model, organizations can eliminate reliance on catch-all VPN tunnels, jump servers, and brittle firewall exceptions that expose the environment to excess risk.

Access control is only one part of the equation

Darktrace / OT complements zero trust controls with continuous, AI-driven behavioral detection. Rather than relying on static rules or pre-defined signatures, Darktrace uses Self-Learning AI to build a live, evolving understanding of what’s “normal” in the environment, across every device, protocol, and user. This enables real-time detection of subtle misconfigurations, credential misuse, or lateral movement as they happen, not after the fact.

By correlating user identity and session activity with behavioral analytics, Darktrace gives organizations the full picture: who accessed which system, what actions they performed, how those actions compared to historical norms, and whether any deviations occurred. It eliminates guesswork around remote access sessions and replaces it with clear, contextual insight.

Importantly, Darktrace distinguishes between operational noise and true cyber-relevant anomalies. Unlike other tools that lump everything, from CVE alerts to routine activity, into a single stream, Darktrace separates legitimate remote access behavior from potential misuse or abuse. This means organizations can both audit access from a compliance standpoint and be confident that if a session is ever exploited, the misuse will be surfaced as a high-fidelity, cyber-relevant alert. This approach serves as a compensating control, ensuring that even if access is overextended or misused, the behavior is still visible and actionable.

If a session deviates from learned baselines, such as an unusual command sequence, new lateral movement path, or activity outside of scheduled hours, Darktrace can flag it immediately. These insights can be used to trigger manual investigation or automated enforcement actions, such as access revocation or session isolation, depending on policy.

This layered approach enables real-time decision-making, supports uninterrupted operations, and delivers complete accountability for all remote activity, without slowing down critical work or disrupting industrial workflows.

Where Zero Trust Access Meets AI‑Driven Oversight:

  • Granular Access Enforcement: Role-based, just-in-time access that aligns with Zero Trust principles and meets compliance expectations.
  • Context-Enriched Threat Detection: Self-Learning AI detects anomalous OT behavior in real time and ties threats to access events and user activity.
  • Automated Session Oversight: Behavioral anomalies can trigger alerting or automated controls, reducing time-to-contain while preserving uptime.
  • Full Visibility Across Purdue Layers: Correlated data connects remote access events with device-level behavior, spanning IT and OT layers.
  • Scalable, Passive Monitoring: Passive behavioral learning enables coverage across legacy systems and air-gapped environments, no signatures, agents, or intrusive scans required.

Complete security without compromise

We no longer have to choose between operational agility and security control, or between visibility and simplicity. A Zero Trust approach, reinforced by real-time AI detection, enables secure remote access that is both permission-aware and behavior-aware, tailored to the realities of industrial operations and scalable across diverse environments.

Because when it comes to protecting critical infrastructure, access without detection is a risk and detection without access control is incomplete.

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI