Lost in Translation: Darktrace Blocks Non-English Phishing Campaign Concealing Hidden Payloads
15
May 2024
This blog explores how Darktrace/Email was able to successfully identify a wave of phishing emails sent from addresses belonging to a major fast-food chain which were leveraged in a coordinated attack. Despite the use of non-English language emails and payloads hidden behind QR codes, Darktrace was able to detect the attack and block the phishing emails in the first instance.
Email – the vector of choice for threat actors
In times of unprecedented globalization and internationalization, the enormous number of emails sent and received by organizations every day has opened the door for threat actors looking to gain unauthorized access to target networks.
Now, increasingly global organizations not only need to safeguard their email environments against phishing campaigns targeting their employees in their own language, but they also need to be able to detect malicious emails sent in foreign languages too [1].
Why are non-English language phishing emails more popular?
Many traditional email security vendors rely on pre-trained English language models which, while function adequately against malicious emails composed in English, would struggle in the face of emails composed in other languages. It should, therefore, come as no surprise that this limitation is becoming increasingly taken advantage of by attackers.
Darktrace/Email™, on the other hand, focuses on behavioral analysis and its Self-Learning AI understands what is considered ‘normal’ for every user within an organization’s email environment, bypassing any limitations that would come from relying on language-trained models [1].
In March 2024, Darktrace observed anomalous emails on a customer’s network that were sent from email addresses belonging to an international fast-food chain. Despite this seeming legitimacy, Darktrace promptly identified them as phishing emails that contained malicious payloads, preventing a potentially disruptive network compromise.
Attack Overview and Darktrace Coverage
On March 3, 2024, Darktrace observed one of the customer’s employees receiving an email which would turn out to be the first of more than 50 malicious emails sent by attackers over the course of three days.
The Sender
Darktrace/Email immediately understood that the sender never had any previous correspondence with the organization or its employees, and therefore treated the emails with caution from the onset. Not only was Darktrace able to detect this new sender, but it also identified that the emails had been sent from a domain located in China and contained an attachment with a Chinese file name.
Figure 1: The phishing emails detected by Darktrace sent from a domain in China and containing an attachment with a Chinese file name.
Darktrace further detected that the phishing emails had been sent in a synchronized fashion between March 3 and March 5. Eight unique senders were observed sending a total of 55 emails to 55 separate recipients within the customer’s email environment. The format of the addresses used to send these suspicious emails was “12345@fastflavor-shack[.]cn”*. The domain “fastflavor-shack[.]cn” is the legitimate domain of the Chinese division of an international fast-food company, and the numerical username contained five numbers, with the final three digits changing which likely represented different stores.
*(To maintain anonymity, the pseudonym “Fast Flavor Shack” and its fictitious domain, “fastflavor-shack[.]cn”, have been used in this blog to represent the actual fast-food company and the domains identified by Darktrace throughout this incident.)
As these emails were sent from a legitimate domain associated with a trusted organization and seemed to be coming from the correct connection source, they were verified by Sender Policy Framework (SPF) and were able to evade the customer’s native email security measures. Darktrace/Email; however, recognized that these emails were actually sent from a user located in Singapore, not China.
Figure 2: Darktrace/Email identified that the email had been sent by a user who had logged in from Singapore, despite the connection source being in China.
The Emails
Darktrace/Email autonomously analyzed the suspicious emails and identified that they were likely phishing emails containing a malicious multistage payload.
Figure 3: Darktrace/Email identifying the presence of a malicious phishing link and a multistage payload.
There has been a significant increase in multistage payload attacks in recent years, whereby a malicious email attempts to elicit recipients to follow a series of steps, such as clicking a link or scanning a QR code, before delivering a malicious payload or attempting to harvest credentials [2].
In this case, the malicious actor had embedded a suspicious link into a QR code inside a Microsoft Word document which was then attached to the email in order to direct targets to a malicious domain. While this attempt to utilize a malicious QR code may have bypassed traditional email security tools that do not scan for QR codes, Darktrace was able to identify the presence of the QR code and scan its destination, revealing it to be a suspicious domain that had never previously been seen on the network, “sssafjeuihiolsw[.]bond”.
Figure 4: Suspicious link embedded in QR Code, which was detected and extracted by Darktrace.
At the time of the attack, there was no open-source intelligence (OSINT) on the domain in question as it had only been registered earlier the same day. This is significant as newly registered domains are typically much more likely to bypass gateways until traditional security tools have enough intelligence to determine that these domains are malicious, by which point a malicious actor may likely have already gained access to internal systems [4]. Despite this, Darktrace’s Self-Learning AI enabled it to recognize the activity surrounding these unusual emails as suspicious and indicative of a malicious phishing campaign, without needing to rely on existing threat intelligence.
The most commonly used sender name line for the observed phishing emails was “财务部”, meaning “finance department”, and Darktrace observed subject lines including “The document has been delivered”, “Income Tax Return Notice” and “The file has been released”, all written in Chinese. The emails also contained an attachment named “通知文件.docx” (“Notification document”), further indicating that they had been crafted to pass for emails related to financial transaction documents.
Figure 5: Darktrace/Email took autonomous mitigative action against the suspicious emails by holding the message from recipient inboxes.
Conclusion
Although this phishing attack was ultimately thwarted by Darktrace/Email, it serves to demonstrate the potential risks of relying on solely language-trained models to detect suspicious email activity. Darktrace’s behavioral and contextual learning-based detection ensures that any deviations in expected email activity, be that a new sender, unusual locations or unexpected attachments or link, are promptly identified and actioned to disrupt the attacks at the earliest opportunity.
In this example, attackers attempted to use non-English language phishing emails containing a multistage payload hidden behind a QR code. As traditional email security measures typically rely on pre-trained language models or the signature-based detection of blacklisted senders or known malicious endpoints, this multistage approach would likely bypass native protection.
Darktrace/Email, meanwhile, is able to autonomously scan attachments and detect QR codes within them, whilst also identifying the embedded links. This ensured that the customer’s email environment was protected against this phishing threat, preventing potential financial and reputation damage.
Credit to: Rajendra Rushanth, Cyber Analyst, Steven Haworth, Head of Threat Modelling, Email
Appendices
List of Indicators of Compromise (IoCs)
IoC – Type – Description
sssafjeuihiolsw[.]bond – Domain Name – Suspicious Link Domain
Oops! Something went wrong while submitting the form.
Newsletter
Enjoying the blog?
Sign up to receive the latest news and insights from the Darktrace newsletter – delivered directly to your inbox
Thanks for signing up!
Look out for your first newsletter, coming soon.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
There’s no question that AI is already impacting the SOC – augmenting, assisting, and filling the gaps left by staff and skills shortages. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes to AI cybersecurity in 2025. Our findings revealed striking trends in how AI is changing the way security leaders think about hiring and SOC transformation. Download the full report for the big picture, available now.
Let’s start with some context. As the cybersecurity sector has rapidly evolved to integrate AI into all elements of cyber defense, the pace of technological advancement is outstripping the development of necessary skills. Given the ongoing challenges in security operations, such as employee burnout, high turnover rates, and talent shortages, recruiting personnel to bridge these skills gaps remains an immense challenge in today’s landscape.
But here, our main findings on this topic seem to contradict each other.
There’s no question over the impact of AI-powered threats – nearly three-quarters (74%) agree that AI-powered threats now pose a significant challenge for their organization.
When we look at how security leaders are defending against AI-powered threats, over 3 out of 5 (62%) see insufficient personnel to manage tools and alerts as the biggest barrier.
Yet at the same time, increasing cyber security staff is at the bottom of the priority list for survey participants, with only 11% planning to increase cybersecurity staff in 2025 – less than in 2024. What 64% of stakeholders are committed to, however, is adding new AI-powered tools onto their existing security stacks.
The conclusion? Due to pressures around hiring, defensive AI is becoming integral to the SOC as a means of augmenting understaffed teams.
How is AI plugging skills shortages in the SOC?
As explored in our recent white paper, the CISO’s Guide to Navigating the Cybersecurity Skills Shortage, 71% of organizations report unfilled cybersecurity positions, leading to the estimation that less than 10% of alerts are thoroughly vetted. In this scenario, AI has become an essential multiplier to relieve the burden on security teams.
95% of respondents agree that AI-powered solutions can significantly improve the speed and efficiency of their defenses. But how?
The area security leaders expect defensive AI to have the biggest impact is on improving threat detection, followed by autonomous response to threats and identifying exploitable vulnerabilities.
Interestingly, the areas that participants ranked less highly (reducing alert fatigue and running phishing simulation), are the tasks that AI already does well and can therefore be used already to relieve the burden of manual, repetitive work on the SOC.
Different perspectives from different sides of the SOC
CISOs and SecOps teams aren’t necessarily aligned on the AI defense question – while CISOs tend to see it as a strategic game-changer, SecOps teams on the front lines may be more sceptical, wary of its real-world reliability and integration into workflows.
From the data, we see that while less than a quarter of execs doubt that AI-powered solutions will block and automatically respond to AI threats, about half of SecOps aren’t convinced. And only 17% of CISOs lack confidence in the ability of their teams to implement and use AI-powered solutions, whereas over 40% those in the team doubt their own ability to do so.
This gap feeds into the enthusiasm that executives share about adding AI-driven tools into the stack, while day-to-day users of the tools are more interested in improving security awareness training and improving cybersecurity tool integration.
Levels of AI understanding in the SOC
AI is only as powerful as the people who use it, and levels of AI expertise in the SOC can make or break its real-world impact. If security leaders want to unlock AI’s full potential, they must bridge the knowledge gap—ensuring teams understand not just the different types of AI, but where it can be applied for maximum value.
Only 42% of security professionals are confident that they fully understand all the types of AI in their organization’s security stack.
This data varies between job roles – executives report higher levels of understanding (60% say they know exactly which types of AI are being used) than participants in other roles. Despite having a working knowledge of using the tools day-to-day, SecOps practitioners were more likely to report having a “reasonable understanding” of the types of AI in use in their organization (42%).
Whether this reflects a general confidence in executives rather than technical proficiency it’s hard to say, but it speaks to the importance of AI-human collaboration – introducing AI tools for cybersecurity to plug the gaps in human teams will only be effective if security professionals are supported with the correct education and training.
The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.
Darktrace's Detection of State-Linked ShadowPad Malware
An integral part of cybersecurity is anomaly detection, which involves identifying unusual patterns or behaviors in network traffic that could indicate malicious activity, such as a cyber-based intrusion. However, attribution remains one of the ever present challenges in cybersecurity. Attribution involves the process of accurately identifying and tracing the source to a specific threat actor(s).
Given the complexity of digital networks and the sophistication of attackers who often use proxies or other methods to disguise their origin, pinpointing the exact source of a cyberattack is an arduous task. Threat actors can use proxy servers, botnets, sophisticated techniques, false flags, etc. Darktrace’s strategy is rooted in the belief that identifying behavioral anomalies is crucial for identifying both known and novel threat actor campaigns.
The ShadowPad cluster
Between July 2024 and November 2024, Darktrace observed a cluster of activity threads sharing notable similarities. The threads began with a malicious actor using compromised user credentials to log in to the target organization's Check Point Remote Access virtual private network (VPN) from an attacker-controlled, remote device named 'DESKTOP-O82ILGG'. In one case, the IP from which the initial login was carried out was observed to be the ExpressVPN IP address, 194.5.83[.]25. After logging in, the actor gained access to service account credentials, likely via exploitation of an information disclosure vulnerability affecting Check Point Security Gateway devices. Recent reporting suggests this could represent exploitation of CVE-2024-24919 [27,28]. The actor then used these compromised service account credentials to move laterally over RDP and SMB, with files related to the modular backdoor, ShadowPad, being delivered to the ‘C:\PerfLogs\’ directory of targeted internal systems. ShadowPad was seen communicating with its command-and-control (C2) infrastructure, 158.247.199[.]185 (dscriy.chtq[.]net), via both HTTPS traffic and DNS tunneling, with subdomains of the domain ‘cybaq.chtq[.]net’ being used in the compromised devices’ TXT DNS queries.
Figure 1: Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Figure 2: Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.
Additional cases of ShadowPad were observed across Darktrace’s customer base in 2024. In some cases, common C2 infrastructure with the cluster discussed above was observed, with dscriy.chtq[.]net and cybaq.chtq[.]net both involved; however, no other common features were identified. These ShadowPad infections were observed between April and November 2024, with customers across multiple regions and sectors affected. Darktrace’s observations align with multiple other public reports that fit the timeframe of this campaign.
Darktrace has also observed other cases of ShadowPad without common infrastructure since September 2024, suggesting the use of this tool by additional threat actors.
The data theft thread
One of the Darktrace customers impacted by the ShadowPad cluster highlighted above was a European manufacturer. A distinct thread of activity occurred within this organization’s network several months after the ShadowPad intrusion, in October 2024.
The thread involved the internal distribution of highly masqueraded executable files via Sever Message Block (SMB) and WMI (Windows Management Instrumentation), the targeted collection of sensitive information from an internal server, and the exfiltration of collected information to a web of likely compromised sites. This observed thread of activity, therefore, consisted of three phrases: lateral movement, collection, and exfiltration.
The lateral movement phase began when an internal user device used an administrative credential to distribute files named ‘ProgramData\Oracle\java.log’ and 'ProgramData\Oracle\duxwfnfo' to the c$ share on another internal system.
Figure 3: Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.
Over the next few days, Darktrace detected several other internal systems using administrative credentials to upload files with the following names to the c$ share on internal systems:
ProgramData\Adobe\ARM\webservices.dll
ProgramData\Adobe\ARM\wksprt.exe
ProgramData\Oracle\Java\wksprt.exe
ProgramData\Oracle\Java\webservices.dll
ProgramData\Microsoft\DRM\wksprt.exe
ProgramData\Microsoft\DRM\webservices.dll
ProgramData\Abletech\Client\webservices.dll
ProgramData\Abletech\Client\client.exe
ProgramData\Adobe\ARM\rzrmxrwfvp
ProgramData\3Dconnexion\3DxWare\3DxWare.exe
ProgramData\3Dconnexion\3DxWare\webservices.dll
ProgramData\IDMComp\UltraCompare\updater.exe
ProgramData\IDMComp\UltraCompare\webservices.dll
ProgramData\IDMComp\UltraCompare\imtrqjsaqmm
Figure 4: Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.
The threat actor appears to have abused the Microsoft RPC (MS-RPC) service, WMI, to execute distributed payloads, as evidenced by the ExecMethod requests to the IWbemServices RPC interface which immediately followed devices’ SMB uploads.
Figure 5: Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.
Several of the devices involved in these lateral movement activities, both on the source and destination side, were subsequently seen using administrative credentials to download tens of GBs of sensitive data over SMB from a specially selected server. The data gathering stage of the threat sequence indicates that the threat actor had a comprehensive understanding of the organization’s system architecture and had precise objectives for the information they sought to extract.
Immediately after collecting data from the targeted server, devices went on to exfiltrate stolen data to multiple sites. Several other likely compromised sites appear to have been used as general C2 infrastructure for this intrusion activity. The sites used by the threat actor for C2 and data exfiltration purport to be sites for companies offering a variety of service, ranging from consultancy to web design.
Figure 6: Screenshotof one of the likely compromised sites used in the intrusion.
At least 16 sites were identified as being likely data exfiltration or C2 sites used by this threat actor in their operation against this organization. The fact that the actor had such a wide web of compromised sites at their disposal suggests that they were well-resourced and highly prepared.
Figure 7: Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Figure 8: Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com
Cyber AI Analyst spotlight
Figure 9: Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.
Figure 10: Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.
As shown in the above figures, Cyber AI Analyst’s ability to thread together the different steps of these attack chains are worth highlighting.
In the ShadowPad attack chains, Cyber AI Analyst was able to identify SMB writes from the VPN subnet to the DC, and the C2 connections from the DC. It was also able to weave together this activity into a single thread representing the attacker’s progression.
Similarly, in the data exfiltration attack chain, Cyber AI Analyst identified and connected multiple types of lateral movement over SMB and WMI and external C2 communication to various external endpoints, linking them in a single, connected incident.
These Cyber AI Analyst actions enabled a quicker understanding of the threat actor sequence of events and, in some cases, faster containment.
Attribution puzzle
Publicly shared research into ShadowPad indicates that it is predominantly used as a backdoor in People’s Republic of China (PRC)-sponsored espionage operations [5][6][7][8][9][10]. Most publicly reported intrusions involving ShadowPad are attributed to the China-based threat actor, APT41 [11][12]. Furthermore, Google Threat Intelligence Group (GTIG) recently shared their assessment that ShadowPad usage is restricted to clusters associated with APT41 [13]. Interestingly, however, there have also been public reports of ShadowPad usage in unattributed intrusions [5].
The data theft activity that later occurred in the same Darktrace customer network as one of these ShadowPad compromises appeared to be the targeted collection and exfiltration of sensitive data. Such an objective indicates the activity may have been part of a state-sponsored operation. The tactics, techniques, and procedures (TTPs), artifacts, and C2 infrastructure observed in the data theft thread appear to resemble activity seen in previous Democratic People’s Republic of Korea (DPRK)-linked intrusion activities [15] [16] [17] [18] [19].
The distribution of payloads to the following directory locations appears to be a relatively common behavior in DPRK-sponsored intrusions.
Observed examples:
C:\ProgramData\Oracle\Java\
C:\ProgramData\Adobe\ARM\
C:\ProgramData\Microsoft\DRM\
C:\ProgramData\Abletech\Client\
C:\ProgramData\IDMComp\UltraCompare\
C:\ProgramData\3Dconnexion\3DxWare\
Additionally, the likely compromised websites observed in the data theft thread, along with some of the target URI patterns seen in the C2 communications to these sites, resemble those seen in previously reported DPRK-linked intrusion activities.
No clear evidence was found to link the ShadowPad compromise to the subsequent data theft activity that was observed on the network of the manufacturing customer. It should be noted, however, that no clear signs of initial access were found for the data theft thread – this could suggest the ShadowPad intrusion itself represents the initial point of entry that ultimately led to data exfiltration.
Motivation-wise, it seems plausible for the data theft thread to have been part of a DPRK-sponsored operation. DPRK is known to pursue targets that could potentially fulfil its national security goals and had been publicly reported as being active in months prior to this intrusion [21]. Furthermore, the timing of the data theft aligns with the ratification of the mutual defense treaty between DPRK and Russia and the subsequent accused activities [20].
Darktrace assesses with medium confidence that a nation-state, likely DPRK, was responsible, based on our investigation, the threat actor applied resources, patience, obfuscation, and evasiveness combined with external reporting, collaboration with the cyber community, assessing the attacker’s motivation and world geopolitical timeline, and undisclosed intelligence.
Conclusion
When state-linked cyber activity occurs within an organization’s environment, previously unseen C2 infrastructure and advanced evasion techniques will likely be used. State-linked cyber actors, through their resources and patience, are able to bypass most detection methods, leaving anomaly-based methods as a last line of defense.
Two threads of activity were observed within Darktrace’s customer base over the last year: The first operation involved the abuse of Check Point VPN credentials to log in remotely to organizations’ networks, followed by the distribution of ShadowPad to an internal domain controller. The second operation involved highly targeted data exfiltration from the network of one of the customers impacted by the previously mentioned ShadowPad activity.
Despite definitive attribution remaining unresolved, both the ShadowPad and data exfiltration activities were detected by Darktrace’s Self-Learning AI, with Cyber AI Analyst playing a significant role in identifying and piecing together the various steps of the intrusion activities.
Credit to Sam Lister (R&D Detection Analyst), Emma Foulger (Principal Cyber Analyst), Nathaniel Jones (VP), and the Darktrace Threat Research team.
Appendices
Darktrace / NETWORK model alerts
User / New Admin Credentials on Client
Anomalous Connection / Unusual Admin SMB Session
Compliance / SMB Drive Write
Device / Anomalous SMB Followed By Multiple Model Breaches