Blog
/
/
May 19, 2023

Darktrace Stops Large-Scale Account Hijack

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
19
May 2023
Learn how Darktrace detected and stopped a large-scale account hijack that led to a phishing attack. Protect your business with these insights.

Introduction 

As malicious actors across the threat landscape continue to take advantage of the widespread adoption of Software-as-a-Service (SaaS) platforms and multi-factor authentication (MFA) services to gain unauthorized access to organizations’ networks, it is crucial to have appropriate security tools in place to defend against account compromise at the earliest stage.

One method frequently employed by attackers is account takeover. Account takeovers occur when a threat actor exploits credentials to login to a SaaS account, often from an unusual location where the genuine actor does not usually login from. 

Access to these accounts can be caused by harvesting credentials through phishing emails and password spray attacks, or by exploiting insecure cloud safety practices such as not having MFA enabled on user accounts, requiring only user credentials for authentication. Once the integrity of the account is compromised, the threat actor can conduct further activity, such as delivering malware, reading and exfiltrating sensitive data, and sending out phishing emails to harvest further internal and external user credentials, repeating the attack cycle [1,2]. 

In early 2023, Darktrace detected a large-scale account takeover and phishing attack on the network of a customer in the education sector that affected hundreds of accounts and resulted in thousands of emails being forwarded outside of the network. The exceptional degree of visibility provided by Darktrace DETECT™ allowed for the detection of adversarial activity at every stage of the kill chain, and direct support from the Darktrace Analyst team via the Ask the Expert (ATE) service ensured the customer was fully informed and equipped to implement remedial action. 

Details of Attack Chain

Darktrace observed the same pattern of activity on all hijacked accounts on the customer’s network; login from unfamiliar locations, enablement of a mail forwarding rule that forwards all incoming emails to malicious email addresses, and the sending of phishing emails followed by their deletion. 

Figure 1: Timeline of attack on hijacked SaaS accounts.

Initial Access

Darktrace DETECT first detected anomalous SaaS activity on the customer environment on January 14, 2023, and then again on February 3, when multiple SaaS accounts were observed logging in from atypical locations with rare IP addresses and geographically impossible travel timings, or logging in whilst the account owner was active elsewhere. Subsequent investigation using open-source intelligence (OSINT) sources revealed one of the IP addressed had recently been associated with brute-force or password spray attempt.

This pattern of unusual login behavior persisted throughout the timeframe of the attack, with more unique accounts generating model breaches each day for similarly anomalous logins. As MFA authentication was not enforced for these user logins, the initial intrusion process was enabled by requiring only credentials for authentication.

Sending Emails 

The compromised accounts were also seen sending out emails with the subject ‘Email HELP DESK’ to external and internal recipients. This was likely represented a threat actor employing social engineering tactics to gain the trust of the recipient by posing as an internal help desk.

Mail Forwarding

Following the successful logins, compromised accounts began creating email rules to forward mail to external email addresses, some of which were associated with domains that had hits for malicious activity according to OSINT sources [3].

  • chotunai[.]com
  • bymercy[.]com
  • breazeim[.]com
  • brandoza[.]com

Forwarding mail is a commonly observed tactic during SaaS compromises to control lines of communication. Malicious actors often attempt to insert themselves into ongoing correspondence for illicit purposes, such as exfiltrating sensitive information, gaining persistent access to the compromised email or redirecting invoice payments. 

Email Deletions

Shortly after the mail forwarding activity, compromised accounts were detected performing anomalous email deletions en masse. Further investigation revealed that these accounts had previously sent a large volume of phishing emails and this mass deletion likely represented an attempt to conceal these activities by deleting them from their outboxes.

On February 10, the customer applied a mass password reset on all accounts that Darktrace had identified as compromised and provisioned, privileged accounts with MFA. They have indicated that those measures successfully halted the compromise, addressing the initial point of entry.  

Darktrace Coverage

Using its Self-Learning AI, Darktrace effectively demonstrated its ability to detect unusual SaaS activity that could indicate that an account has been hijacked by malicious actors. Rather than relying on a traditional rules and signature-based approach, Darktrace models develop an understanding of the network itself and can instantly recognize when a compromised deviates from its expected pattern of life.

Figure 2: Detection of unusual SaaS activity on hijacked SaaS account.

Initial Access

Initial access was detected by the following models:

  • Security Integration / High Severity Integration Detection  
  • SaaS / Unusual Activity / Activity from Multiple Unusual IPs 
  • SaaS / Access / Unusual External Source for SaaS Credential Use 
  • SaaS / Compromise / Login From Rare Endpoint While User Is Active 

Initial access was also detected by the following Cyber AI Analyst Incidents:

  • Possible Hijack of Office365 Account 

The model breaches and AI Analyst incidents detected logins from 100% rare external IP addresses in conjunction with a lack of MFA usage, as depicted in Figure 3.

Figure 3: Breach log showing initial detection of a SaaS login from a 100% rare IP where MFA was not used.
Figure 4: Initial detection of unusual SaaS activity visualized in Darktrace's SaaS console.

Mail Forwarding

Mail forwarding was detected by the following models:

  • SaaS / Admin / Mail Forwarding Enabled 

Compromised accounts were largely detected configuring mail forwarding rules to external email addresses, ostensibly to establish persistence on the network and exfiltrate sensitive correspondence.

Figure 5: The enablement of mail forwarding was detected as 100% new or uncommon for the account in question.

Mass Email Deletion

Mass email deletion was detected by the following models:

  • SaaS / Compromise / Suspicious Login and Mass Email Deletes 
  • SaaS / Resource / Mass Email Deletes from Rare Location 
Figure 6: Compromised account deleting phishing emails it had previously sent from the outbox.

Darktrace detected accounts performing highly anomalous mass email deletions from rare locations. The actors deleted the email “Email HELP DESK” which was later confirmed as being the primary phishing email used in the attack. Deletions were observed on compromised accounts’ outboxes, presumably to conceal the malicious activity.

Darktrace also detected this linked pattern of activity in sequential models such as: 

  • SaaS / Compromise / Unusual Login, Sent Mail, Deleted Sent
  • SaaS / Compromise / Suspicious Login and Mass Email Deletes 

Ask the Expert

The customer used the ATE service to request more technical information and support concerning the attack. Darktrace’s 24/7 team of analysts were able to offer expert assistance and further details to assist in the subsequent investigations and remediation steps. 

Further Detection and Response  

Unfortunately, the customer did not have Darktrace/Email™ enabled at the time of the attack. Darktrace/Email has visibility over inbound and outbound mail-flow which provides an oversight on potential data loss incidents. In this case, Darktrace DETECT/Email would have been able to provide full visibility over the phishing emails sent by the compromised accounts, as well as the attackers attempts to spoof an internal helpdesk. Further to this, the new Analysis Outlook integration helps employees understand why an email is suspicious and enables them report emails directly to the security team, which helps to continuously build user awareness of phishing attacks. 

Darktrace/Email also enhances Darktrace/Network™ detections by triggering ‘Email Nexus’ models within Darktrace/Network, where malicious activity is detected across the digital estate, correlating moving from SaaS compromised logins to mass email spam being sent out by compromised users

Figure 7: Email Nexus models within the Darktrace/Network enhanced by Darktrace/Email

Darktrace RESPOND™ was not enabled on the customer environment at the time of the attack; if it were, Darktrace would have been able to autonomously take action against the SaaS model breaches detecting across multiple of the kill chain. RESPOND would have disabled the hijacked accounts or force them to log out for a period of time, whilst also disabling the inbox rules that had been established by malicious actors. This would have given the customer’s security team valuable time to analyze the incident and mitigate the situation, preventing the attack from escalating any further. 

Conclusion

Ultimately, Darktrace demonstrated its unparalleled visibility over customer networks which allowed for the detection of this large-scale targeted SaaS account takeover, and the subsequent phishing attack. It underscores the importance of defense in depth; critically, MFA was not enforced for this environment which likely made the targeted organization far more susceptible to compromise via credential theft. The phishing activity detected by Darktrace following this account compromise also highlights the need for email protection in any security stack. 

Darktrace’s visibility meant allowed it to detect the attack at a high degree of granularity, including the account logins, email forwarding rule creations, outbound mail, and the mass deletions of phishing emails. Darktrace’s anomaly-based detection means it does not have to rely on signatures, rules or known indicators of compromise (IoCs) when identifying an emerging threat, instead placing the emphasis on recognizing a user’s deviation from its normal behavior.

However, without the presence of an autonomous response technology able to instantly intervene and stop ongoing attacks, organizations will always be reacting to attacks once the damage is done. Darktrace RESPOND is uniquely placed to take action against suspicious activity as soon as it is detected, preventing attacks from escalating and saving customers from significant disruption to their business.

Credit to: Zoe Tilsiter, Cyber Analyst, Gernice Lee, Cyber Analyst.

Appendices

Models Breached

SaaS / Access / Unusual External Source for SaaS Credential Use

SaaS / Admin / Mail Forwarding Enabled

SaaS / Compliance / Microsoft Cloud App Security Alert Detected

SaaS / Compromise / SaaS Anomaly Following Anomalous Login 

SaaS / Compromise / Unusual Login, Sent Mail, Deleted Sent

SaaS / Compromise / Suspicious Login and Mass Email Deletes 

SaaS / Resource / Mass Email Deletes from Rare Location

SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

SaaS / Unusual Activity / Activity from Multiple Unusual IPs

SaaS / Unusual Activity / Multiple Unusual SaaS Activities 

Security Integration / Low Severity Integration Detection

Security Integration / High Severity Integration Detection

List of IoCs

brandoza[.]com - domain - probable domain of forwarded email address

breazeim[.]com - domain - probable domain of forwarded email address

bymercy[.]com - domain - probable domain of forwarded email address

chotunai[.]com - domain - probable domain of forwarded email address

MITRE ATT&CK Mapping

Tactic: INITIAL ACCESS, PERSISTENCE, PRIVILEGE ESCILATION, DEFENSE EVASION

Technique: T1078.004 – Cloud Accounts

Tactic: COLLECTION

Technique: T1114- Email Collection

Tactic:COLLECTION

Technique: T1114.003- Email Forwarding Rule

Tactic: IMPACT

Technique: T1485- Data Destruction

Tactic: DEFENSE EVASION

Technique: T1578.003 – Delete Cloud Instance

References

[1] Darktrace, 2022, Cloud Application Security_ Protect your SaaS with Self-Learning AI.pdf

[2] https://www.cloudflare.com/en-gb/learning/access-management/account-takeover/ 

[3] https://www.virustotal.com/gui/domain/chotunai.com 

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Zoe Tilsiter
Cyber Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

AI

/

March 18, 2025

Survey findings: How is AI Impacting the SOC?

Default blog imageDefault blog image

There’s no question that AI is already impacting the SOC – augmenting, assisting, and filling the gaps left by staff and skills shortages. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes to AI cybersecurity in 2025. Our findings revealed striking trends in how AI is changing the way security leaders think about hiring and SOC transformation. Download the full report for the big picture, available now.

Download the full report to explore these findings in depth

The AI-human conundrum

Let’s start with some context. As the cybersecurity sector has rapidly evolved to integrate AI into all elements of cyber defense, the pace of technological advancement is outstripping the development of necessary skills. Given the ongoing challenges in security operations, such as employee burnout, high turnover rates, and talent shortages, recruiting personnel to bridge these skills gaps remains an immense challenge in today’s landscape.

But here, our main findings on this topic seem to contradict each other.

There’s no question over the impact of AI-powered threats – nearly three-quarters (74%) agree that AI-powered threats now pose a significant challenge for their organization.  

When we look at how security leaders are defending against AI-powered threats, over 3 out of 5 (62%) see insufficient personnel to manage tools and alerts as the biggest barrier.  

Yet at the same time, increasing cyber security staff is at the bottom of the priority list for survey participants, with only 11% planning to increase cybersecurity staff in 2025 – less than in 2024. What 64% of stakeholders are committed to, however, is adding new AI-powered tools onto their existing security stacks.

The conclusion? Due to pressures around hiring, defensive AI is becoming integral to the SOC as a means of augmenting understaffed teams.

How is AI plugging skills shortages in the SOC?

As explored in our recent white paper, the CISO’s Guide to Navigating the Cybersecurity Skills Shortage, 71% of organizations report unfilled cybersecurity positions, leading to the estimation that less than 10% of alerts are thoroughly vetted. In this scenario, AI has become an essential multiplier to relieve the burden on security teams.

95% of respondents agree that AI-powered solutions can significantly improve the speed and efficiency of their defenses. But how?

The area security leaders expect defensive AI to have the biggest impact is on improving threat detection, followed by autonomous response to threats and identifying exploitable vulnerabilities.

Interestingly, the areas that participants ranked less highly (reducing alert fatigue and running phishing simulation), are the tasks that AI already does well and can therefore be used already to relieve the burden of manual, repetitive work on the SOC.

Different perspectives from different sides of the SOC

CISOs and SecOps teams aren’t necessarily aligned on the AI defense question – while CISOs tend to see it as a strategic game-changer, SecOps teams on the front lines may be more sceptical, wary of its real-world reliability and integration into workflows.  

From the data, we see that while less than a quarter of execs doubt that AI-powered solutions will block and automatically respond to AI threats, about half of SecOps aren’t convinced. And only 17% of CISOs lack confidence in the ability of their teams to implement and use AI-powered solutions, whereas over 40% those in the team doubt their own ability to do so.

This gap feeds into the enthusiasm that executives share about adding AI-driven tools into the stack, while day-to-day users of the tools are more interested in improving security awareness training and improving cybersecurity tool integration.

Levels of AI understanding in the SOC

AI is only as powerful as the people who use it, and levels of AI expertise in the SOC can make or break its real-world impact. If security leaders want to unlock AI’s full potential, they must bridge the knowledge gap—ensuring teams understand not just the different types of AI, but where it can be applied for maximum value.

Only 42% of security professionals are confident that they fully understand all the types of AI in their organization’s security stack.

This data varies between job roles – executives report higher levels of understanding (60% say they know exactly which types of AI are being used) than participants in other roles. Despite having a working knowledge of using the tools day-to-day, SecOps practitioners were more likely to report having a “reasonable understanding” of the types of AI in use in their organization (42%).  

Whether this reflects a general confidence in executives rather than technical proficiency it’s hard to say, but it speaks to the importance of AI-human collaboration – introducing AI tools for cybersecurity to plug the gaps in human teams will only be effective if security professionals are supported with the correct education and training.  

Download the full report to explore these findings in depth

The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.  

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

March 18, 2025

Darktrace's Detection of State-Linked ShadowPad Malware

Default blog imageDefault blog image

An integral part of cybersecurity is anomaly detection, which involves identifying unusual patterns or behaviors in network traffic that could indicate malicious activity, such as a cyber-based intrusion. However, attribution remains one of the ever present challenges in cybersecurity. Attribution involves the process of accurately identifying and tracing the source to a specific threat actor(s).

Given the complexity of digital networks and the sophistication of attackers who often use proxies or other methods to disguise their origin, pinpointing the exact source of a cyberattack is an arduous task. Threat actors can use proxy servers, botnets, sophisticated techniques, false flags, etc. Darktrace’s strategy is rooted in the belief that identifying behavioral anomalies is crucial for identifying both known and novel threat actor campaigns.

The ShadowPad cluster

Between July 2024 and November 2024, Darktrace observed a cluster of activity threads sharing notable similarities. The threads began with a malicious actor using compromised user credentials to log in to the target organization's Check Point Remote Access virtual private network (VPN) from an attacker-controlled, remote device named 'DESKTOP-O82ILGG'.  In one case, the IP from which the initial login was carried out was observed to be the ExpressVPN IP address, 194.5.83[.]25. After logging in, the actor gained access to service account credentials, likely via exploitation of an information disclosure vulnerability affecting Check Point Security Gateway devices. Recent reporting suggests this could represent exploitation of CVE-2024-24919 [27,28]. The actor then used these compromised service account credentials to move laterally over RDP and SMB, with files related to the modular backdoor, ShadowPad, being delivered to the  ‘C:\PerfLogs\’ directory of targeted internal systems. ShadowPad was seen communicating with its command-and-control (C2) infrastructure, 158.247.199[.]185 (dscriy.chtq[.]net), via both HTTPS traffic and DNS tunneling, with subdomains of the domain ‘cybaq.chtq[.]net’ being used in the compromised devices’ TXT DNS queries.

Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Figure 1: Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.
Figure 2: Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.

Darktrace observed these ShadowPad activity threads within the networks of European-based customers in the manufacturing and financial sectors.  One of these intrusions was followed a few months later by likely state-sponsored espionage activity, as detailed in the investigation of the year in Darktrace’s Annual Threat Report 2024.

Related ShadowPad activity

Additional cases of ShadowPad were observed across Darktrace’s customer base in 2024. In some cases, common C2 infrastructure with the cluster discussed above was observed, with dscriy.chtq[.]net and cybaq.chtq[.]net both involved; however, no other common features were identified. These ShadowPad infections were observed between April and November 2024, with customers across multiple regions and sectors affected.  Darktrace’s observations align with multiple other public reports that fit the timeframe of this campaign.

Darktrace has also observed other cases of ShadowPad without common infrastructure since September 2024, suggesting the use of this tool by additional threat actors.

The data theft thread

One of the Darktrace customers impacted by the ShadowPad cluster highlighted above was a European manufacturer. A distinct thread of activity occurred within this organization’s network several months after the ShadowPad intrusion, in October 2024.

The thread involved the internal distribution of highly masqueraded executable files via Sever Message Block (SMB) and WMI (Windows Management Instrumentation), the targeted collection of sensitive information from an internal server, and the exfiltration of collected information to a web of likely compromised sites. This observed thread of activity, therefore, consisted of three phrases: lateral movement, collection, and exfiltration.

The lateral movement phase began when an internal user device used an administrative credential to distribute files named ‘ProgramData\Oracle\java.log’ and 'ProgramData\Oracle\duxwfnfo' to the c$ share on another internal system.  

Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.
Figure 3: Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.

Over the next few days, Darktrace detected several other internal systems using administrative credentials to upload files with the following names to the c$ share on internal systems:

ProgramData\Adobe\ARM\webservices.dll

ProgramData\Adobe\ARM\wksprt.exe

ProgramData\Oracle\Java\wksprt.exe

ProgramData\Oracle\Java\webservices.dll

ProgramData\Microsoft\DRM\wksprt.exe

ProgramData\Microsoft\DRM\webservices.dll

ProgramData\Abletech\Client\webservices.dll

ProgramData\Abletech\Client\client.exe

ProgramData\Adobe\ARM\rzrmxrwfvp

ProgramData\3Dconnexion\3DxWare\3DxWare.exe

ProgramData\3Dconnexion\3DxWare\webservices.dll

ProgramData\IDMComp\UltraCompare\updater.exe

ProgramData\IDMComp\UltraCompare\webservices.dll

ProgramData\IDMComp\UltraCompare\imtrqjsaqmm

Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.
Figure 4: Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.

The threat actor appears to have abused the Microsoft RPC (MS-RPC) service, WMI, to execute distributed payloads, as evidenced by the ExecMethod requests to the IWbemServices RPC interface which immediately followed devices’ SMB uploads.  

Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.
Figure 5: Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.

Several of the devices involved in these lateral movement activities, both on the source and destination side, were subsequently seen using administrative credentials to download tens of GBs of sensitive data over SMB from a specially selected server.  The data gathering stage of the threat sequence indicates that the threat actor had a comprehensive understanding of the organization’s system architecture and had precise objectives for the information they sought to extract.

Immediately after collecting data from the targeted server, devices went on to exfiltrate stolen data to multiple sites. Several other likely compromised sites appear to have been used as general C2 infrastructure for this intrusion activity. The sites used by the threat actor for C2 and data exfiltration purport to be sites for companies offering a variety of service, ranging from consultancy to web design.

Screenshot of one of the likely compromised sites used in the intrusion. 
Figure 6: Screenshot of one of the likely compromised sites used in the intrusion.

At least 16 sites were identified as being likely data exfiltration or C2 sites used by this threat actor in their operation against this organization. The fact that the actor had such a wide web of compromised sites at their disposal suggests that they were well-resourced and highly prepared.  

Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Figure 7: Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com    
Figure 8: Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com  

Cyber AI Analyst spotlight

Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.
Figure 9: Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.  
Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.
Figure 10: Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.

As shown in the above figures, Cyber AI Analyst’s ability to thread together the different steps of these attack chains are worth highlighting.

In the ShadowPad attack chains, Cyber AI Analyst was able to identify SMB writes from the VPN subnet to the DC, and the C2 connections from the DC. It was also able to weave together this activity into a single thread representing the attacker’s progression.

Similarly, in the data exfiltration attack chain, Cyber AI Analyst identified and connected multiple types of lateral movement over SMB and WMI and external C2 communication to various external endpoints, linking them in a single, connected incident.

These Cyber AI Analyst actions enabled a quicker understanding of the threat actor sequence of events and, in some cases, faster containment.

Attribution puzzle

Publicly shared research into ShadowPad indicates that it is predominantly used as a backdoor in People’s Republic of China (PRC)-sponsored espionage operations [5][6][7][8][9][10]. Most publicly reported intrusions involving ShadowPad  are attributed to the China-based threat actor, APT41 [11][12]. Furthermore, Google Threat Intelligence Group (GTIG) recently shared their assessment that ShadowPad usage is restricted to clusters associated with APT41 [13]. Interestingly, however, there have also been public reports of ShadowPad usage in unattributed intrusions [5].

The data theft activity that later occurred in the same Darktrace customer network as one of these ShadowPad compromises appeared to be the targeted collection and exfiltration of sensitive data. Such an objective indicates the activity may have been part of a state-sponsored operation. The tactics, techniques, and procedures (TTPs), artifacts, and C2 infrastructure observed in the data theft thread appear to resemble activity seen in previous Democratic People’s Republic of Korea (DPRK)-linked intrusion activities [15] [16] [17] [18] [19].

The distribution of payloads to the following directory locations appears to be a relatively common behavior in DPRK-sponsored intrusions.

Observed examples:

C:\ProgramData\Oracle\Java\  

C:\ProgramData\Adobe\ARM\  

C:\ProgramData\Microsoft\DRM\  

C:\ProgramData\Abletech\Client\  

C:\ProgramData\IDMComp\UltraCompare\  

C:\ProgramData\3Dconnexion\3DxWare\

Additionally, the likely compromised websites observed in the data theft thread, along with some of the target URI patterns seen in the C2 communications to these sites, resemble those seen in previously reported DPRK-linked intrusion activities.

No clear evidence was found to link the ShadowPad compromise to the subsequent data theft activity that was observed on the network of the manufacturing customer. It should be noted, however, that no clear signs of initial access were found for the data theft thread – this could suggest the ShadowPad intrusion itself represents the initial point of entry that ultimately led to data exfiltration.

Motivation-wise, it seems plausible for the data theft thread to have been part of a DPRK-sponsored operation. DPRK is known to pursue targets that could potentially fulfil its national security goals and had been publicly reported as being active in months prior to this intrusion [21]. Furthermore, the timing of the data theft aligns with the ratification of the mutual defense treaty between DPRK and Russia and the subsequent accused activities [20].

Darktrace assesses with medium confidence that a nation-state, likely DPRK, was responsible, based on our investigation, the threat actor applied resources, patience, obfuscation, and evasiveness combined with external reporting, collaboration with the cyber community, assessing the attacker’s motivation and world geopolitical timeline, and undisclosed intelligence.

Conclusion

When state-linked cyber activity occurs within an organization’s environment, previously unseen C2 infrastructure and advanced evasion techniques will likely be used. State-linked cyber actors, through their resources and patience, are able to bypass most detection methods, leaving anomaly-based methods as a last line of defense.

Two threads of activity were observed within Darktrace’s customer base over the last year: The first operation involved the abuse of Check Point VPN credentials to log in remotely to organizations’ networks, followed by the distribution of ShadowPad to an internal domain controller. The second operation involved highly targeted data exfiltration from the network of one of the customers impacted by the previously mentioned ShadowPad activity.

Despite definitive attribution remaining unresolved, both the ShadowPad and data exfiltration activities were detected by Darktrace’s Self-Learning AI, with Cyber AI Analyst playing a significant role in identifying and piecing together the various steps of the intrusion activities.  

Credit to Sam Lister (R&D Detection Analyst), Emma Foulger (Principal Cyber Analyst), Nathaniel Jones (VP), and the Darktrace Threat Research team.

Appendices

Darktrace / NETWORK model alerts

User / New Admin Credentials on Client

Anomalous Connection / Unusual Admin SMB Session

Compliance / SMB Drive Write  

Device / Anomalous SMB Followed By Multiple Model Breaches

Anomalous File / Internal / Unusual SMB Script Write

User / New Admin Credentials on Client  

Anomalous Connection / Unusual Admin SMB Session

Compliance / SMB Drive Write

Device / Anomalous SMB Followed By Multiple Model Breaches

Anomalous File / Internal / Unusual SMB Script Write

Device / New or Uncommon WMI Activity

Unusual Activity / Internal Data Transfer

Anomalous Connection / Download and Upload

Anomalous Server Activity / Rare External from Server

Compromise / Beacon to Young Endpoint

Compromise / Agent Beacon (Short Period)

Anomalous Server Activity / Anomalous External Activity from Critical Network Device

Anomalous Connection / POST to PHP on New External Host

Compromise / Sustained SSL or HTTP Increase

Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Device / Multiple C2 Model Alerts

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Download and Upload

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Low and Slow Exfiltration

Anomalous Connection / Uncommon 1 GiB Outbound  

MITRE ATT&CK mapping

(Technique name – Tactic ID)

ShadowPad malware threads

Initial Access - Valid Accounts: Domain Accounts (T1078.002)

Initial Access - External Remote Services (T1133)

Privilege Escalation - Exploitation for Privilege Escalation (T1068)

Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)

Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)

Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)

Lateral Movement - Remote Services: SMB/Windows Admin Shares (T1021.002)

Command and Control - Proxy: Internal Proxy (T1090.001)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Encrypted Channel: Asymmetric Cryptography (T1573.002)

Command and Control - Application Layer Protocol: DNS (T1071.004)

Data theft thread

Resource Development - Compromise Infrastructure: Domains (T1584.001)

Privilege Escalation - Valid Accounts: Default Accounts (T1078.001)

Privilege Escalation - Valid Accounts: Domain Accounts (T1078.002)

Execution - Windows Management Instrumentation (T1047)

Defense Evasion - Masquerading: Match Legitimate Name or Location (T1036.005)

Defense Evasion - Obfuscated Files or Information (T1027)

Lateral Movement - Remote Services: SMB/Windows Admin Shares (T1021.002)

Collection - Data from Network Shared Drive (T1039)

Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

Command and Control - Encrypted Channel: Asymmetric Cryptography (T1573.002)

Command and Control - Proxy: External Proxy (T1090.002)

Exfiltration - Exfiltration Over C2 Channel (T1041)

Exfiltration - Data Transfer Size Limits (T1030)

List of indicators of compromise (IoCs)

IP addresses and/or domain names (Mid-high confidence):

ShadowPad thread

- dscriy.chtq[.]net • 158.247.199[.]185 (endpoint of C2 comms)

- cybaq.chtq[.]net (domain name used for DNS tunneling)  

Data theft thread

- yasuconsulting[.]com (45.158.12[.]7)

- hobivan[.]net (94.73.151[.]72)

- mediostresbarbas.com[.]ar (75.102.23[.]3)

- mnmathleague[.]org (185.148.129[.]24)

- goldenborek[.]com (94.138.200[.]40)

- tunemmuhendislik[.]com (94.199.206[.]45)

- anvil.org[.]ph (67.209.121[.]137)

- partnerls[.]pl (5.187.53[.]50)

- angoramedikal[.]com (89.19.29[.]128)

- awork-designs[.]dk (78.46.20[.]225)

- digitweco[.]com (38.54.95[.]190)

- duepunti-studio[.]it (89.46.106[.]61)

- scgestor.com[.]br (108.181.92[.]71)

- lacapannadelsilenzio[.]it (86.107.36[.]15)

- lovetamagotchith[.]com (203.170.190[.]137)

- lieta[.]it (78.46.146[.]147)

File names (Mid-high confidence):

ShadowPad thread:

- perflogs\1.txt

- perflogs\AppLaunch.exe

- perflogs\F4A3E8BE.tmp

- perflogs\mscoree.dll

Data theft thread

- ProgramData\Oracle\java.log

- ProgramData\Oracle\duxwfnfo

- ProgramData\Adobe\ARM\webservices.dll

- ProgramData\Adobe\ARM\wksprt.exe

- ProgramData\Oracle\Java\wksprt.exe

- ProgramData\Oracle\Java\webservices.dll

- ProgramData\Microsoft\DRM\wksprt.exe

- ProgramData\Microsoft\DRM\webservices.dll

- ProgramData\Abletech\Client\webservices.dll

- ProgramData\Abletech\Client\client.exe

- ProgramData\Adobe\ARM\rzrmxrwfvp

- ProgramData\3Dconnexion\3DxWare\3DxWare.exe

- ProgramData\3Dconnexion\3DxWare\webservices.dll

- ProgramData\IDMComp\UltraCompare\updater.exe

- ProgramData\IDMComp\UltraCompare\webservices.dll

- ProgramData\IDMComp\UltraCompare\imtrqjsaqmm

- temp\HousecallLauncher64.exe

Attacker-controlled device hostname (Mid-high confidence)

- DESKTOP-O82ILGG

References  

[1] https://www.kaspersky.com/about/press-releases/shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world  

[2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf

[3] https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities

[4] https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

[5] https://assets.sentinelone.com/c/Shadowpad?x=P42eqA

[6] https://www.cyfirma.com/research/the-origins-of-apt-41-and-shadowpad-lineage/

[7] https://www.csoonline.com/article/572061/shadowpad-has-become-the-rat-of-choice-for-several-state-sponsored-chinese-apts.html

[8] https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/shadowpad-new-activity-from-the-winnti-group

[9] https://cymulate.com/threats/shadowpad-privately-sold-malware-espionage-tool/

[10] https://www.secureworks.com/research/shadowpad-malware-analysis

[11] https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/

[12] https://hackerseye.net/all-blog-items/tails-from-the-shadow-apt-41-injecting-shadowpad-with-sideloading/

[13] https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator

[14] https://www.domaintools.com/wp-content/uploads/conceptualizing-a-continuum-of-cyber-threat-attribution.pdf

[15] https://www.nccgroup.com/es/research-blog/north-korea-s-lazarus-their-initial-access-trade-craft-using-social-media-and-social-engineering/  

[16] https://www.microsoft.com/en-us/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

[17] https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/  

[18] https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/  

[19] https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html  

[20] https://usun.usmission.gov/joint-statement-on-the-unlawful-arms-transfer-by-the-democratic-peoples-republic-of-korea-to-russia/

[21] https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/1/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF  

[22] https://kyivindependent.com/first-north-korean-troops-deployed-to-front-line-in-kursk-oblast-ukraines-military-intelligence-says/

[23] https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/  

[24] https://www.microsoft.com/en-us/security/blog/2024/12/11/frequent-freeloader-part-ii-russian-actor-secret-blizzard-using-tools-of-other-groups-to-attack-ukraine/  

[25] https://www.sentinelone.com/labs/chamelgang-attacking-critical-infrastructure-with-ransomware/    

[26] https://thehackernews.com/2022/06/state-backed-hackers-using-ransomware.html/  

[27] https://blog.checkpoint.com/security/check-point-research-explains-shadow-pad-nailaolocker-and-its-protection/

[28] https://www.orangecyberdefense.com/global/blog/cert-news/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors

Continue reading
About the author
Sam Lister
SOC Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI