Blog
/
/
October 13, 2023

Protecting Brazilian Organizations from Malware

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
13
Oct 2023
Discover how Darktrace DETECT thwarted a banking trojan targeting Brazilian organizations, preventing data theft and informing the customer.

Nationally Targeted Cyber Attacks

As the digital world becomes more and more interconnected, the threat of cyber-attacks transcends borders and presents a significant concern to security teams worldwide. Yet despite this, some malicious actors have shown a tendency to focus their attacks on specific countries. By employing highly tailored tactics, techniques, and procedures (TTPs) to target users and organizations from one nation, rather than launching more widespread campaigns, threat actors are able to maximize the efficiency and efficacy of their attacks.

What is Guildma and how does it work?

One example can be seen in the remote access trojan (RAT) and information stealer, Guildma. Guildma, also known by the demonic moniker, Astaroth, first appeared in the wild in 2017 and is a Latin America-based banking trojan known to primarily target organizations in Brazil, although has more recently been observed in North America and Europe too [1].

By concentrating their efforts on Brazil, Guildma is able to launch attacks with a high degree of specificity, focussing their language on Brazilian norms, referencing Brazilian institutions, and tailoring their social engineering accordingly. Moreover, considering that Brazilian customers likely represent a relatively small portion of security vendors’ clientele, there may be a limited pool of available indicators of compromise (IoCs). This limitation could significantly impact the efficacy of traditional security measures that rely on signature-based detection methods in identifying emerging threats.

Darktrace vs. Guildma

In June 2023, Darktrace observed a Guildma compromise on the network of a Brazilian customer in the manufacturing sector. The anomaly-based detection capabilities of Darktrace DETECT™ allowed it to identify suspicious activity surrounding the compromise, agnostic of any IoCs or specific signatures of a threat actor. Following the successful detection of the malware, the Darktrace Security Operations Center (SOC) carried out a thorough investigation into the compromise and brought it to the attention of the customer’s security team, allowing them to quickly react and prevent any further escalation.

This early detection by Darktrace effectively shut down Guildma operations on the network before any sensitive data could be gathered and stolen by malicious actors.

Attack Overview

In the case of the Guildma RAT detected by Darktrace, the affected system was a desktop device, ostensibly used by one employee. The desktop was first observed on the customer’s network in April 2023; however, it is possible that the initial compromise took place before Darktrace had visibility over the network. Guildma compromises typically start with phishing campaigns, indicating that the initial intrusion in this case likely occurred beyond the scope of Darktrace’s monitoring [2].

Early indicators

On June 23, 2023, Darktrace DETECT observed the first instance of unusual activity being performed by the affected desktop device, namely regular HTTP POST requests to a suspicious domain, indicative of command-and-control (C2) beaconing activity. The domain used an unusual Top-Level Domain (TLD), with a plausibly meaningful (in Portuguese) second-level domain and a seemingly random 11-character third-level domain, “dn00x1o0f0h.puxaofolesanfoneiro[.]quest”.

Throughout the course of this attack, Darktrace observed additional connections like this, representing something of a signature of the attack. The suspicious domains were typically registered within six months of observation, featured an uncommon TLD, and included a seemingly randomized third-level domain of 6-11 characters, followed by a plausibly legitimate second-level domain with a minimum of 15 characters. The connections to these unusual endpoints all followed a similar two-hour beaconing period, suggesting that Guildma may rotate its C2 infrastructure, using the Multi-Stage Channels TTP (MITRE ID T1104) to evade restrictions by firewalls or other signature-based security tools that rely on static lists of IoCs and “known bads”.

Figure 1: Model Breach Event Log for the “Compromise / Agent Beacon (Long Period)”. The connections at two-hour intervals, including at unreasonably late hours, is consistent with beaconing for C2.

Living-off-the-land with BITS abuse

A week later, on June 30, 2023, the affected device was observed making an unusual Microsoft BITS connection. BitsAdmin is a deprecated administrative tool available on most Windows devices and can be leveraged by attackers to transfer malicious obfuscated payloads into and around an organization’s network. The domain observed during this connection, "cwiufv.pratkabelhaemelentmarta[.]shop”, follows the previously outlined domain naming convention. Multiple open-source intelligence (OSINT) sources indicated that the endpoint had links to malware and, when visited, redirected users to the Brazilian versions of WhatsApp and Zoom. This is likely a tactic employed by threat actors to ensure users are unaware of suspicious domains, and subsequent malware downloads, by redirected them to a trusted source.

Figure 2: A screenshot of the Model Breach log summary of the “Unusual BITS Activity” model breach. The breach log contains key details such as the ASN, hostname, and user agent used in the breaching connection.

Obfuscated Tooling Downloads

Within one minute of the suspicious BITS activity, Darktrace detected the device downloading a suspicious file from the aforementioned endpoint, (cwiufv.pratkabelhaemelentmarta[.]shop). The file in question appeared to be a ZIP file with the 17-digit numeric name query, namely “?37627343830628786”, with the filename “zodzXLWwaV.zip”.

However, Darktrace DETECT recognized that the file extension did not match its true file type and identified that it was, in fact, an executable (.exe) file masquerading as a ZIP file. By masquerading files downloads, threat actors are able to make their malicious files seem legitimate and benign to security teams and traditional security tools, thereby evading detection. In this case, the suspicious file in question was indeed identified as malicious by multiple OSINT sources.

Following the initial download of this masqueraded file, Darktrace also detected subsequent downloads of additional executable files from the same endpoint.  It is possible that these downloads represented Guildma actors attempting to download additional tooling, including the information-stealer widely known as Astaroth, in order to begin its data collection and exfiltration operations.

Figure 3: A screenshot of a graph produced by the Threat Visualizer of the affected device's external connections. The visual aid marks breaches with red and orange dots, creating a more intuitive explanation of observed behavior.

Darktrace SOC

The successful detection of the masqueraded file transfer triggered an Enhanced Monitoring model breach, a high-fidelity model designed to detect activity that is more likely indicative of an ongoing compromise.  

This breach was immediately escalated to the Darktrace SOC for analysis by Darktrace’s team of expert analysts who were able to complete a thorough investigation and notify the customer’s security team of the compromise in just over half an hour. The investigation carried out by Darktrace’s analysts confirmed that the activity was, indeed, malicious, and provided the customer’s security team with details around the extent of the compromise, the specific IoCs, and risks this compromise posed to their digital environment. This information empowered the customer’s security team to promptly address the issue, having a significant portion of the investigative burden reduced and resolved by the round-the-clock Darktrace analyst team.

In addition to this, Cyber AI Analyst™ launched an investigation into the ongoing compromise and was able to connect the anomalous HTTP connections to the subsequent suspicious file downloads, viewing them as one incident rather than two isolated events. AI Analyst completed its investigation in just three minutes, upon which it provided a detailed summary of events of the activity, further aiding the customer’s remediation process.

Figure 4: CyberAI Analyst summary of the suspicious activity. A prose summary of the breach activity and the meaning of the technical details is included to maintain an easily digestible stream of information.

Conclusion

While the combination of TTPs observed in this Guildma RAT compromise is not uncommon globally, the specificity to targeting organizations in Brazil allows it to be incredibly effective. By focussing on just one country, malicious actors are able to launch highly specialized attacks, adapting the language used and tailoring the social engineering effectively to achieve maximum success. Moreover, as Brazil likely represents a smaller segment of security vendors’ customers, therefore leading to a limited pool of IoCs, attackers are often able to evade traditional signature-based detections.

Darktrace DETECT’s anomaly-based approach to threat detection allows for effective detection, mitigation, and response to emerging threats, regardless of the specifics of the attack and without relying on threat intelligence or previous IoCs. Ultimately in this case, Darktrace was able to identify the suspicious activity surrounding the Guildma compromise and swiftly bring it to the attention of the customer’s security team, before any data gathering, or exfiltration activity took place.

Darktrace’s threat detection capabilities coupled with its expert analyst team and round-the-clock SOC response is a highly effective addition to an organization’s defense-in-depth, whether in Brazil or anywhere else around the world.

Credit to Roberto Romeu, Senior SOC Analyst, Taylor Breland, Analyst Team Lead, San Francisco

References

https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth

https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/  

Appendices

Darktrace DETECT Model Breaches

  • Compromise / Agent Beacon (Long Period)
  • Device / Unusual BITS Activity
  • Anomalous File / Anomalous Octet Stream (No User Agent)
  • Anomalous File / Masqueraded File Transfer (Enhanced Monitoring Model)
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Multiple EXE from Rare External Locations

List of IoCs

IoC Type - Description + Confidence

5q710e1srxk.broilhasoruikaliventiladorrta[.]shop - Domain - Likely C2 server

m2pkdlse8md.roilhasohlcortinartai[.]hair - Domain - Likely C2 server

cwiufv.pratkabelhaemelentmarta[.]shop - Domain - C2 server

482w5pct234.jaroilcasacorkalilc[.]ru[.]com - Domain - C2 server

dn00x1o0f0h.puxaofolesanfoneiro[.]quest - Domain - Likely C2 server

10v7mybga55.futurefrontier[.]cyou - Domain - Likely C2 server

f788gbgdclp.growthgenerator[.]cyou - Domain - Likely C2 server

6nieek.satqabelhaeiloumelsmarta[.]shop - Domain - Likely C2 server

zodzXLWwaV.zip (SHA1 Hash: 2a4062e10a5de813f5688221dbeb3f3ff33eb417 ) - File hash - Malware

IZJQCAOXQb.zip (SHA1 Hash: eaec1754a69c50eac99e774b07ef156a1ca6de06 ) - File hash - Likely malware

MITRE ATT&CK Mapping

ATT&CK Technique - Technique ID

Multi-Stage Channels - T1104

BITS Jobs - T1197

Application Layer Protocol: Web Protocols - T1071.001

Acquire Infrastructure: Web Services - T1583.006

Obtain Capabilities: Malware - T1588.001

Masquerading - T1036

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Roberto Romeu
Senior SOC Analyst
Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.

Blog

/

Cloud

/

April 2, 2025

Fusing Vulnerability and Threat Data: Enhancing the Depth of Attack Analysis

Default blog imageDefault blog image

Cado Security, recently acquired by Darktrace, is excited to announce a significant enhancement to its data collection capabilities, with the addition of a vulnerability discovery feature for Linux-based cloud resources. According to Darktrace’s Annual Threat Report 2024, the most significant campaigns observed in 2024 involved the ongoing exploitation of significant vulnerabilities in internet-facing systems. Cado’s new vulnerability discovery capability further deepens its ability to provide extensive context to security teams, enabling them to make informed decisions about threats, faster than ever.

Deep context to accelerate understanding and remediation

Context is critical when understanding the circumstances surrounding a threat. It can also take many forms – alert data, telemetry, file content, business context (for example asset criticality, core function of the resource), and risk context, such as open vulnerabilities.

When performing an investigation, it is common practice to understand the risk profile of the resource impacted, specifically determining open vulnerabilities and how they may relate to the threat. For example, if an analyst is triaging an alert related to an internet-facing Webserver running Apache, it would greatly benefit the analyst to understand open vulnerabilities in the Apache version that is running, if any of them are exploitable, whether a fix is available, etc. This dataset also serves as an invaluable source when developing a remediation plan, identifying specific vulnerabilities to be prioritised for patching.

Data acquisition in Cado

Cado is the only platform with the ability to perform full forensic captures as well as utilize instant triage collection methods, which is why fusing host-based artifact data with vulnerability data is such an exciting and compelling development.

The vulnerability discovery feature can be run as part of an acquisition – full or triage – as well as independently using a fast ‘Scan only’ mode.

Figure 1: A fast vulnerability scan being performed on the acquired evidence

Once the acquisition has completed, the user will have access to a ‘Vulnerabilities’ table within their investigation, where they are able to view and filter open vulnerabilities (by Severity, CVE ID, Resource, and other properties), as well as pivot to the full Event Timeline. In the Event Timeline, the user will be able to identify whether there is any malicious, suspicious or other interesting activity surrounding the vulnerable package, given the unified timeline presents a complete chronological dataset of all evidence and context collected.

Figure 2: Vulnerabilities discovered on the acquired evidence
Figure 3: Pivot from the Vulnerabilities table to the Event Timeline provides an in-depth view of file and process data associated with the vulnerable package selected. In this example, Apache2.

Future work

In the coming months, we’ll be releasing initial versions of highly anticipated integrations between Cado and Darktrace, including the ability to ingest Darktrace / CLOUD alerts which will automatically trigger a forensic capture (as well as a vulnerability discovery) of the impacted assets.

To learn more about how Cado and Darktrace will combine forces, request a demo today.

Continue reading
About the author
Paul Bottomley
Director of Product Management, Cado

Blog

/

OT

/

March 28, 2025

Darktrace Recognized as the Only Visionary in the 2025 Gartner® Magic Quadrant™ for CPS Protection Platforms

Default blog imageDefault blog image

We are thrilled to announce that Darktrace has been named the only Visionary in the inaugural Gartner® Magic Quadrant™ for Cyber-Physical Systems (CPS) Protection Platforms. We feel This recognition highlights Darktrace’s AI-driven approach to securing industrial environments, where conventional security solutions struggle to keep pace with increasing cyber threats.

A milestone for CPS security

It's our opinion that the first-ever Gartner Magic Quadrant for CPS Protection Platforms reflects a growing industry shift toward purpose-built security solutions for critical infrastructure. As organizations integrate IT, OT, and cloud-connected systems, the cyber risk landscape continues to expand. Gartner evaluated 17 vendors based on their Ability to Execute and Completeness of Vision, establishing a benchmark for security leaders looking to enhance cyber resilience in industrial environments.

We believe the Gartner recognition of Darktrace as the only Visionary reaffirms the platform’s ability to proactively defend against cyber risks through AI-driven anomaly detection, autonomous response, and risk-based security strategies. With increasingly sophisticated attacks targeting industrial control systems, organizations need a solution that continuously evolves to defend against both known and unknown threats.

AI-driven security for CPS environments

Securing CPS environments requires an approach that adapts to the dynamic nature of industrial operations. Traditional security tools rely on static signatures and predefined rules, leaving gaps in protection against novel and sophisticated threats. Darktrace / OT takes a different approach, leveraging Self-Learning AI to detect and neutralize threats in real time, even in air-gapped or highly regulated environments.

Darktrace / OT continuously analyzes network behaviors to establish a deep understanding of what is “normal” for each industrial environment. This enables it to autonomously identify deviations that signal potential cyber threats, providing early warning and proactive defense before attacks can disrupt operations. Unlike rule-based security models that require constant manual updates, Darktrace / OT improves with the environment, ensuring long-term resilience against emerging cyber risks.

Bridging the IT-OT security gap

A major challenge for organizations protecting CPS environments is the disconnect between IT and OT security. While IT security has traditionally focused on data

protection and compliance, OT security is driven by operational uptime and safety, leading to siloed security programs that leave critical gaps in visibility and response.

Darktrace / OT eliminates these silos by providing unified visibility across IT, OT, and IoT assets, ensuring that security teams have a complete picture of their attack surface. Its AI-driven approach enables cross-domain threat detection, recognizing risks that move laterally between IT and OT environments. By seamlessly integrating with existing security architectures, Darktrace / OT helps organizations close security gaps without disrupting industrial processes.

Proactive OT risk management and resilience

Beyond detection and response, Darktrace / OT strengthens organizations’ ability to manage cyber risk proactively. By mapping vulnerabilities to real-world attack paths, it prioritizes remediation actions based on actual exploitability and business impact, rather than relying on isolated CVE scores. This risk-based approach enables security teams to focus resources where they matter most, reducing overall exposure to cyber threats.

With autonomous threat response capabilities, Darktrace / OT not only identifies risks but also contains them in real time, preventing attackers from escalating intrusions. Whether mitigating ransomware, insider threats, or sophisticated nation-state attacks, Darktrace / OT ensures that industrial environments remain secure, operational, and resilient, no matter how threats evolve.

AI-powered incident response and SOC automation

Security teams are facing an overwhelming volume of alerts, making it difficult to prioritize threats and respond effectively. Darktrace / OT’s Cyber AI Analyst acts as a force multiplier for security teams by automating threat investigation, alert triage, and response actions. By mimicking the workflow of a human SOC analyst, Cyber AI Analyst provides contextual insights that accelerate incident response and reduce the manual workload on security teams.

With 24/7 autonomous monitoring, Darktrace / OT ensures that threats are continuously detected and investigated in real time. Whether facing ransomware, insider threats, or sophisticated nation-state attacks, organizations can rely on AI-driven security to contain threats before they disrupt operations.

Trusted by customers: Darktrace / OT recognized in Gartner Peer Insights

Source: Gartner Peer Insights (Oct 28th)

Beyond our recognition in the Gartner Magic Quadrant, we feel Darktrace / OT is one of the highest-rated CPS security solutions on Gartner Peer Insights, reflecting strong customer trust and validation. With a 4.9/5 overall rating and the highest "Willingness to Recommend" score among CPS vendors, organizations across critical infrastructure and industrial sectors recognize the impact of our AI-driven security approach. Source: Gartner Peer Insights (Oct 28th)

This strong customer endorsement underscores why leading enterprises trust Darktrace / OT to secure their CPS environments today and in the future.

Redefining the future of CPS security

It's our view that Darktrace’s recognition as the only Visionary in the Gartner Magic Quadrant for CPS Protection Platforms validates its leadership in next-generation industrial security. As cyber threats targeting critical infrastructure continue to rise, organizations must adopt AI-driven security solutions that can adapt, respond, and mitigate risks in real time.

We believe this recognition reinforces our commitment to innovation and our mission to secure the world’s most essential systems. This recognition reinforces our commitment to innovation and our mission to secure the world’s most essential systems.

® Download the full Gartner Magic Quadrant for CPS Protection Platforms

® Request a demo to see Darktrace OT in action.

Gartner, Magic Quadrant for CPS Protection Platforms , Katell Thielemann, Wam Voster, Ruggero Contu 12 February 2025

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner and Magic Quadrant and Peer Insights are a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI