Qatar World Cup 2022 Protected by Darktrace AI Cybersecurity
Discover how Darktrace's AI technology safeguarded the Qatar World Cup 2022 from cyber threats. Learn more about cutting-edge cybersecurity measures today!
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Karim Benslimane
VP, Field CISO
Share
15
Jan 2023
Qatar World Cup 2022 was the fifth world cup (football and rugby) I have been closely involved in from the operation and cyber security standpoint. Over the last two decades, I have witnessed a dramatic shift in the cyber landscape.
A few years back, the main challenge was to mitigate technical issues due to failures or human error by increasing the resilience with high-availability and failover design. Today, with the increased complexity of the digital infrastructure underpinning global tournaments, and the sophistication and ferocity of the threat actors (ransomware gangs, hacktivists, APT groups) seeking to disrupt them, it is no surprise that cyber security has been pushed to the top of organizers’ agendas.
This football World Cup represented a challenge like no other. The tournament introduced the world’s first ‘connected stadium’ concept whereby all eight stadiums were managed by a single unified technology from the state-of-the-art Aspire Command Centre in Doha.
Figure 1: The connected stadium concept visualized
The centre – described as the most sophisticated setup ever seen at a sporting event – managed everything, from the lighting and access gates through to communications and IT. This unified integrated technology ecosystem offers the potential to drastically increase efficiency and gave the ability to seamlessly manage multiple matches at once. Each of the eight stadiums has a ‘digital twin’, allowing the cyber security experts to detect and mitigate issues as and when they arise.
Figure 2: The Aspire Command Centre
The organizer realized the importance of protecting a digital infrastructure of this scale and complexity from attempted cyber-attacks. A football World Cup draws in a global audience – an estimated 3.75 billion were said to have tuned in for the previous final. It is difficult to overstate the financial and reputational impacts of disruption to any game – whether that be to the turnstiles within the stadium or the broadcast of the game – due to a cyber incident. Hacktivists and other cyber-criminals are acutely aware of the global stage a tournament like this provides and so these events become an obvious target for threats such as Distributed-Denial-of-Service (DDoS) and ransomware attacks.
Furthermore, the interconnectivity between IT and OT systems means that the line between cyber security and physical safety is significantly blurred. For example, having your access control and CCTV malfunctioning may lead to overcrowding within parts of stadium and leave fans vulnerable to crushes and physical injuries.
Initially, the World Cup organizer was looking to improve OT visibility. They quickly recognized that Darktrace’s technology could take them a step further than any other solutions on the market. Darktrace AI is uniquely able to monitor and protect their OT and their IT, detect unusual behaviors, and mitigate cyber-threats, and present its findings in a single pane of glass.
The host country recognized that a best-in-class event needed best-in-class technology. The nature of international events means that timing is critical and puts enormous pressure on the organizers and operators. ‘D-Day’ cannot be replayed or postponed, and so if cyber disruption occurs during the event, every minute is crucial. Darktrace was selected not only because of its unified IT and OT coverage, but because of its ability to detect, investigate, and respond at machine speed.
In the end, Darktrace played a crucial role in protecting the tournament across all eight stadiums throughout the World Cup. Supplementing the value of the AI, our team was on the ground, working alongside the cyber security team to assist with investigations. The teamwork and collaboration were second-to-none and the energy in the Command Centre was palpable when Darktrace was able to spot events of interest that would have otherwise gone under the radar.
On game day, every second counts, so pairing people with the right technology is critical. Explainable AI really came into its own during the World Cup, rapidly synthesizing information about disparate events, and generating alerts in seconds about emerging threats. That meant the team had the information they needed at their fingertips in an easily-understand format.
Our AI technology, created in 2013 in our Cambridge AI Research Centre, has disrupted the cyber security industry, and is making a big impact in the real world: from financial services and education through to critical national infrastructure like utilities, energy suppliers, and healthcare. The Qatar World Cup 2022 provided a unique and high-profile challenge. Darktrace didn’t just successfully protect the World Cup against cyber-attackers; it protected the more than 1.4 million people entering the stadiums from physical risk arising from OT attacks.
In all likelihood, you probably watched this year’s World Cup engrossed in the games, without giving much of a thought to cyber security. That’s the funny thing about success in the cyber security world: if all goes well, the average person wouldn’t even know it.
We are incredibly proud to have helped defend the Qatar World Cup 2022. I would like to congratulate the organizer and all security team members involved for delivering a World Cup free from cyber disruption, allowing fans both on site and the billions watching at home to simply enjoy the action on the pitch.
Learn more about how Darktrace helped protect the World Cup: Watch the video.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Adapting to new USCG cybersecurity mandates: Darktrace for ports and maritime systems
Darktrace uses AI-led OT, IoT, and IT Network Security to help secure maritime transportation systems. This blog describes some of the new mandated requirements by the USCG and demonstrates Darktrace’s security capabilities.
Revolutionizing OT Risk Prioritization with Darktrace 6.3
Darktrace / OT introduces IEC-62443 compliance reporting, expanded protocol visibility, and dynamic risk modeling, redefining how OT teams prioritize risks with contextual insights now additionally powered by firewall rule analysis and KEV scoring, all purpose-built to protect industrial operations and safety.
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Darktrace researchers have identified a custom Go-based Linux botnet named “PumaBot” targeting embedded Linux Internet of Things (IoT) devices. Rather than scanning the Internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute-force SSH credentials. Upon gaining access, it receives remote commands and establishes persistence using system service files. This blog post provides a breakdown of its key functionalities, and explores binaries related to the campaign.
Technical Analysis
Filename: jierui
md5: cab6f908f4dedcdaedcdd07fdc0a8e38
The Go-based botnet gains initial access through brute-forcing SSH credentials across a list of harvested IP addresses. Once it identifies a valid credential pair, it logs in, deploys itself, and begins its replication process.
Figure 1: Overview of Jierui functions.
The domain associated with the C2 server did not resolve to an IP address at the time of analysis. The following details are a result of static analysis of the malware.
The malware begins by retrieving a list of IP addresses of likely devices with open SSH ports from the C2 server (ssh.ddos-cc[.]org) via the getIPs() function. It then performs brute-force login attempts on port 22 using credential pairs also obtained from the C2 through the readLinesFromURL(), brute(), and trySSHLogin() functions.
Within trySSHLogin(), the malware performs several environment fingerprinting checks. These are used to avoid honeypots and unsuitable execution environments, such as restricted shells. Notably, the malware checks for the presence of the string “Pumatronix”, a manufacturer of surveillance and traffic camera systems, suggesting potential IoT targeting or an effort to evade specific devices [1].
Figure 2: Fingerprinting of “Pumatronix”.
If the environment passes these checks, the malware executes uname -a to collect basic system information, including the OS name, kernel version, and architecture. This data, along with the victim's IP address, port, username, and password, is then reported back to the C2 in a JSON payload.
Of note, the bot uses X-API-KEY: jieruidashabi, within a custom header when it communicates with the C2 server over HTTP.
The malware writes itself to /lib/redis, attempting to disguise itself as a legitimate Redis system file. It then creates a persistent systemd service in /etc/systemd/system, named either redis.service or mysqI.service (note the spelling of mysql with a capital I) depending on what has been hardcoded into the malware. This allows the malware to persist across reboots while appearing benign.
[Unit] Description=redis Server Service
[Service] Type=simple Restart=always RestartSec=1 User=root ExecStart=/lib/redis e
[Install] WantedBy=multi-user.target
In addition to gaining persistence with a systemd service, the malware also adds its own SSH keys into the users’ authorized_keys file. This ensures that access can be maintained, even if the service is removed.
A function named cleankill() contains an infinite loop that repeatedly attempts to execute the commands “xmrig” and “networkxm”. These are launched without full paths, relying on the system's PATH variable suggesting that the binaries may be downloaded or unpacked elsewhere on the system. The use of “time.Sleep” between attempts indicates this loop is designed to ensure persistence and possibly restart mining components if they are killed or missing.
During analysis of the botnet, Darktrace discovered related binaries that appear to be part of a wider campaign targeting Linux systems.
Ddaemon is a Go-based backdoor. The malware begins by parsing command line arguments and if conditions are met, enters a loop where it periodically verifies the MD5 hash of the binary. If the check fails or an update is available, it downloads a new version from a C2 server (db.17kp[.]xyz/getDdaemonMd5), verifies it and replaces the existing binary with a file of the same name and similar functionality (8b37d3a479d1921580981f325f13780c).
The malware uses main_downloadNetwork() to retrieve the binary “networkxm” into /usr/src/bao/networkxm. Additionally, the bash script “installx.sh” is also retrieved from the C2 and executed. The binary ensures persistence by writing a custom systemd service unit that auto starts on boot and executes ddaemon.
The networkxm binary functions as an SSH brute-force tool, similar to the botnet. First it checks its own integrity using MD5 hashes and contacts the C2 server (db.17kp[.]xyz) to compare its hash with the latest version. If an update is found, it downloads and replaces itself.
Figure 3: Part of networkxm checking MD5 hash.
Figure 4: MD5 hash
After verifying its validity, it enters an infinite loop where it fetches a password list from the C2 (/getPassword), then attempts SSH connections across a list of target IPs from the /getIP endpoint. As with the other observed binaries, a systemd service is created if it doesn’t already exist for persistence in /etc/systemd/system/networkxm.service.
Figure 5: Bash script installx.sh.
Installx.sh is a simple bash script used to retrieve the script “jc.sh” from 1.lusyn[.]xyz, set permissions, execute and clear bash history.
Figure 6: Snippet of bash script jc.sh.
The script jc.sh starts by detecting the operating system type Debian-based or Red Hat-based and determines the location of the pam_unix.so file. Linux Pluggable Authentication Modules (PAM) is a framework that allows for flexible and centralized user authentication on Linux systems. PAM allows system administrators to configure how users are authenticated for services like login, SSH, or sudo by plugging in various authentication modules.
Jc.sh then attempts to fetch the current version of PAM installed on the system and formats that version to construct a URL. Using either curl or wget, the script downloads a replacement pam_unix.so file from a remote server and replaces the existing one, after disabling file immutability and backing up the original.
The script also downloads and executes an additional binary named “1” from the same remote server. Security settings are modified including enabling PAM in the SSH configuration and disabling SELinux enforcement, before restarting the SSH service. Finally, the script removes itself from the system.
Based on the PAM version that is retrieved from the bash query, the new malicious PAM replaces the existing PAM file. In this instance, pam_unix.so_v131 was retrieved from the server based on version 1.3.1. The purpose of this binary is to act as a rootkit that steals credentials by intercepting successful logins. Login data can include all accounts authenticated by PAM, local and remote (SSH). The malware retrieves the logged in user, the password and verifies that the password is valid. The details are stored in a file “con.txt” in /usr/bin/.
Figure 7: Function storing logins to con.txt
Filename: 1
md5: cb4011921894195bcffcdf4edce97135
In addition to the malicious PAM file, a binary named “1” is also retrieved from the server http://dasfsdfsdfsdfasfgbczxxc[.]lusyn[.]xyz/jc/1. The binary “1” is used as a watcher for the malicious PAM file using inotify to monitor for “con.txt” being written or moved to /usr/bin/.
Following the daemonize() function, the binary is run daemonized ensuring it runs silently in the background. The function read_and_send_files() is called which reads the contents of “/usr/bin/con.txt”, queries the system IP with ifconfig.me, queries SSH ports and sends the data to the remote C2 (http://dasfsdfsdfsdfasfgbczxxc[.]lusyn[.]xyz/api/).
Figure 8: Command querying SSH ports.
For persistence, a systemd service (my_daemon.service) is created to autostart the binary and ensure it restarts if the service has been terminated. Finally, con.txt is deleted, presumably to remove traces of the malware.
Conclusion
The botnet represents a persistent Go-based SSH threat that leverages automation, credential brute-forcing, and native Linux tools to gain and maintain control over compromised systems. By mimicking legitimate binaries (e.g., Redis), abusing systemd for persistence, and embedding fingerprinting logic to avoid detection in honeypots or restricted environments, it demonstrates an intent to evade defenses.
While it does not appear to propagate automatically like a traditional worm, it does maintain worm-like behavior by brute-forcing targets, suggesting a semi-automated botnet campaign focused on device compromise and long-term access.
Recommendations
Monitor for anomalous SSH login activity, especially failed login attempts across a wide IP range, which may indicate brute-force attempts.
Audit systemd services regularly. Look for suspicious entries in /etc/systemd/system/ (e.g., misspelled or duplicate services like mysqI.service) and binaries placed in non-standard locations such as /lib/redis.
Inspect authorized_keys files across user accounts for unknown SSH keys that may enable unauthorized access.
Filter or alert on outbound HTTP requests with non-standard headers, such as X-API-KEY: jieruidashabi, which may indicate botnet C2 communication.
Apply strict firewall rules to limit SSH exposure rather than exposing port 22 to the internet.
From Rockstar2FA to FlowerStorm: Investigating a Blooming Phishing-as-a-Service Platform
What is FlowerStorm?
FlowerStorm is a Phishing-as-a-Service (PhaaS) platform believed to have gained traction following the decline of the former PhaaS platform Rockstar2FA. It employs Adversary-in-the-Middle (AitM) attacks to target Microsoft 365 credentials. After Rockstar2FA appeared to go dormant, similar PhaaS portals began to emerge under the name FlowerStorm. This naming is likely linked to the plant-themed terminology found in the HTML titles of its phishing pages, such as 'Sprout' and 'Blossom'. Given the abrupt disappearance of Rockstar2FA and the near-immediate rise of FlowerStorm, it is possible that the operators rebranded to reduce exposure [1].
External researchers identified several similarities between Rockstar2FA and FlowerStorm, suggesting a shared operational overlap. Both use fake login pages, typically spoofing Microsoft, to steal credentials and multi-factor authentication (MFA) tokens, with backend infrastructure hosted on .ru and .com domains. Their phishing kits use very similar HTML structures, including randomized comments, Cloudflare turnstile elements, and fake security prompts. Despite Rockstar2FA typically being known for using automotive themes in their HTML titles, while FlowerStorm shifted to a more botanical theme, the overall design remained consistent [1].
Despite these stylistic differences, both platforms use similar credential capture methods and support MFA bypass. Their domain registration patterns and synchronized activity spikes through late 2024 suggest shared tooling or coordination [1].
FlowerStorm, like Rockstar2FA, also uses their phishing portal to mimic legitimate login pages such as Microsoft 365 for the purpose of stealing credentials and MFA tokens while the portals are relying heavily on backend servers using top-level domains (TLDs) such as .ru, .moscow, and .com. Starting in June 2024, some of the phishing pages began utilizing Cloudflare services with domains such as pages[.]dev. Additionally, usage of the file “next.php” is used to communicate with their backend servers for exfiltration and data communication. FlowerStorm’s platform focuses on credential harvesting using fields such as email, pass, and session tracking tokens in addition to supporting email validation and MFA authentications via their backend systems [1].
Darktrace’s coverage of FlowerStorm Microsoft phishing
While multiple suspected instances of the FlowerStorm PhaaS platform were identified during Darktrace’s investigation, this blog will focus on a specific case from March 2025. Darktrace’s Threat Research team analyzed the affected customer environment and discovered that threat actors were accessing a Software-as-a-Service (SaaS) account from several rare external IP addresses and ASNs.
Around a week before the first indicators of FlowerStorm were observed, Darktrace detected anomalous logins via Microsoft Office 365 products, including Office365 Shell WCSS-Client and Microsoft PowerApps. Although not confirmed in this instance, Microsoft PowerApps could potentially be leveraged by attackers to create phishing applications or exploit vulnerabilities in data connections [2].
Figure 1: Darktrace’s detection of the unusual SaaS credential use.
Following this initial login, Darktrace observed subsequent login activity from the rare source IP, 69.49.230[.]198. Multiple open-source intelligence (OSINT) sources have since associated this IP with the FlowerStorm PhaaS operation [3][4]. Darktrace then observed the SaaS user resetting the password on the Core Directory of the Azure Active Directory using the user agent, O365AdminPortal.
Given FlowerStorm’s known use of AitM attacks targeting Microsoft 365 credentials, it seems highly likely that this activity represents an attacker who previously harvested credentials and is now attempting to escalate their privileges within the target network.
Figure 2: Darktrace / IDENTITY’s detection of privilege escalation on a compromised SaaS account, highlighting unusual login activity and a password reset event.
Notably, Darktrace’s Cyber AI Analyst also detected anomalies during a number of these login attempts, which is significant given FlowerStorm’s known capability to bypass MFA and steal session tokens.
Figure 3: Cyber AI Analyst’s detection of new login behavior for the SaaS user, including abnormal MFA usage.
Figure 4: Multiple login and failed login events were observed from the anomalous source IP over the month prior, as seen in Darktrace’s Advanced Search.
In response to the suspicious SaaS activity, Darktrace recommended several Autonomous Response actions to contain the threat. These included blocking the user from making further connections to the unusual IP address 69.49.230[.]198 and disabling the user account to prevent any additional malicious activity. In this instance, Darktrace’s Autonomous Response was configured in Human Confirmation mode, requiring manual approval from the customer’s security team before any mitigative actions could be applied. Had the system been configured for full autonomous response, it would have immediately blocked the suspicious connections and disabled any users deviating from their expected behavior—significantly reducing the window of opportunity for attackers.
Figure 5: Autonomous Response Actions recommended on this account behavior; This would result in disabling the user and blocking further sign-in activity from the source IP.
Conclusion
The FlowerStorm platform, along with its predecessor, RockStar2FA is a PhaaS platform known to leverage AitM attacks to steal user credentials and bypass MFA, with threat actors adopting increasingly sophisticated toolkits and techniques to carry out their attacks.
In this incident observed within a Darktrace customer's SaaS environment, Darktrace detected suspicious login activity involving abnormal VPN usage from a previously unseen IP address, which was subsequently linked to the FlowerStorm PhaaS platform. The subsequent activity, specifically a password reset, was deemed highly suspicious and likely indicative of an attacker having obtained SaaS credentials through a prior credential harvesting attack.
Darktrace’s prompt detection of these SaaS anomalies and timely notifications from its Security Operations Centre (SOC) enabled the customer to mitigate and remediate the threat before attackers could escalate privileges and advance the attack, effectively shutting it down in its early stages.
Credit to Justin Torres (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst), Ryan Traill (Analyst Content Lead)
Appendices
Darktrace Model Alert Detections
· SaaS / Access / M365 High Risk Level Login
· SaaS / Access / Unusual External Source for SaaS Credential Use
· SaaS / Compromise / Login from Rare High-Risk Endpoint
· SaaS / Compromise / SaaS Anomaly Following Anomalous Login
· SaaS / Compromise / Unusual Login and Account Update