Summary: Addressing common vulnerabilities & exposures (CVEs) is crucial for cybersecurity, but it has some limitations. Darktrace explains why in this guide.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
While increased public focus and funding are urgently needed, they are only the first steps in achieving stronger security for critical infrastructure. For these efforts to be successful, the Biden administration needs to turn its focus to cutting-edge capabilities and direct its funding toward sophisticated technologies that can achieve these ends.
Focusing on achieving the right security capabilities
For years, the security community for operational technology (OT) and Industrial Control Systems (ICS) has put a strong emphasis on mapping and patching common vulnerabilities and exposures (CVEs). While this vulnerability tracking is often necessary, mapping and patching vulnerabilities alone is not a sufficient strategy to arm organizations against attacks.
First, known vulnerabilities simply do not represent all risks, as attackers frequently leverage unknown vulnerabilities called zero-days and misuse legitimate operations in ways that cannot be trivially recognized as malicious. This is particularly true for control system environments, with one-third of ICS flaws designated as zero-days when disclosed.
Devices with zero or few known vulnerabilities may also simply lack specific research into them, rather than being more secure. For example, millions of devices are put at risk by a recently discovered vulnerability in control systems used in building systems — including heating and air conditioning — and this also affects PLCs widely used in manufacturing and energy utilities.
Rather than merely tracking and patching CVEs, Biden’s recent National Security Memorandum realigns OT security to place focus onto the right security goals. The memorandum candidly addresses the problem with vulnerability tracking and other legacy security approaches, as this document affirms that “we cannot address threats we cannot see.”
Investing in the right security technologies
The memorandum specifically focuses on “facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities” for ICS and OT. The next step in achieving these aims is to identify the technologies that can provide these capabilities.
By learning a sense of ‘self’ from scratch for every human, device, and the whole ecosystem of an organization, Self-Learning AI autonomously implements machine-speed detection, investigations, and response. This solution is particularly effective at stopping ransomware before operation disruption, which would have allowed Colonial Pipeline to avoid manual shutdowns.
AI is also uniquely capable of thwarting insider threats. It could have immediately identified the threat in the Florida water facility incident, as its understanding of the ‘pattern of life’ for every user, device, and all the connections between them would have illuminated the insider’s subtle unusual behavior.
The sensitivity and essential nature of critical infrastructure demand the most sophisticated technologies for robust cyber defense. Fortunately, Self-Learning AI technology is already available and currently used by all 16 critical infrastructure sectors designated by CISA. As the threat continues to grow, and the Biden administration’s efforts are pursued more aggressively, Self-Learning AI stands ready to safeguard the systems that our society relies on.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2
The rise of supply chain attacks
In recent years, the abuse of trusted software has become increasingly common, with supply chain compromises emerging as one of the fastest growing vectors for cyber intrusions. As highlighted in Darktrace’s Annual Threat Report 2026, attackers and state-actors continue to find significant value in gaining access to networks through compromised trusted links, third-party tools, or legitimate software. In January 2026, a supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product was reported, with malicious updates distributed to customers through the legitimate update infrastructure. This, in turn, resulted in a multi‑stage loader malware being deployed on compromised devices [1][2].
An overview of eScan exploitation
According to eScan’s official threat advisory, unauthorized access to a regional update server resulted in an “incorrect file placed in the update distribution path” [3]. Customers associated with the affected update servers who downloaded the update during a two-hour window on January 20 were impacted, with affected Windows devices subsequently have experiencing various errors related to update functions and notifications [3].
While eScan did not specify which regional update servers were affected by the malicious update, all impacted Darktrace customer environments were located in the Europe, Middle East, and Africa (EMEA) region.
External research reported that a malicious 32-bit executable file , “Reload.exe”, was first installed on affected devices, which then dropped the 64-bit downloader, “CONSCTLX.exe”. This downloader establishes persistence by creating scheduled tasks such as “CorelDefrag”, which are responsible for executing PowerShell scripts. Subsequently, it evades detection by tampering with the Windows HOSTS file and eScan registry to prevent future remote updates intended for remediation. Additional payloads are then downloaded from its command-and-control (C2) server [1].
Darktrace’s coverage of eScan exploitation
Initial Access and Blockchain as multi-distributed C2 Infrastructure
On January 20, the same day as the aforementioned two‑hour exploit window, Darktrace observed multiple devices across affected networks downloading .dlz package files from eScan update servers, followed by connections to an anomalous endpoint, vhs.delrosal[.]net, which belongs to the attackers’ C2 infrastructure.
The endpoint contained a self‑signed SSL certificate with the string “O=Internet Widgits Pty Ltd, ST=SomeState, C=AU”, a default placeholder commonly used in SSL/TLS certificates for testing and development environments, as well as in malicious C2 infrastructure [4].
Utilizing a multi‑distributed C2 infrastructure, the attackers also leveraged domains linked with the Solana open‑source blockchain for C2 purposes, namely “.sol”. These domains were human‑readable names that act as aliases for cryptocurrency wallet addresses. As browsers do not natively resolve .sol domains, the Solana Naming System (formerly known as Bonfida, an independent contributor within the Solana ecosystem) provides a proxy service, through endpoints such as sol-domain[.]org, to enable browser access.
Darktrace observed devices connecting to blackice.sol-domain[.]org, indicating that attackers were likely using this proxy to reach a .sol domain for C2 activity. Given this behavior, it is likely that the attackers leveraged .sol domains as a dead drop resolver, a C2 technique in which threat actors host information on a public and legitimate service, such as a blockchain. Additional proxy resolver endpoints, such as sns-resolver.bonfida.workers[.]dev, were also observed.
Solana transactions are transparent, allowing all activity to be viewed publicly. When Darktrace analysts examined the transactions associated with blackice[.]sol, they observed that the earliest records dated November 7, 2025, which coincides with the creation date of the known C2 endpoint vhs[.]delrosal[.]net as shown in WHOIS Lookup information [4][5].
Figure 1: WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.
Figure 2: Earliest observed transaction record for blackice[.]sol on public ledgers.
Subsequent instructions found within the transactions contained strings such as “CNAME= vhs[.]delrosal[.]net”, indicating attempts to direct the device toward the malicious endpoint. A more recent transaction recorded on January 28 included strings such as “hxxps://96.9.125[.]243/i;code=302”, suggesting an effort to change C2 endpoints. Darktrace observed multiple alerts triggered for these endpoints across affected devices.
Similar blockchain‑related endpoints, such as “tumama.hns[.]to”, were also observed in C2 activities. The hns[.]to service allows web browsers to access websites registered on Handshake, a decentralized blockchain‑based framework designed to replace centralized authorities and domain registries for top‑level domains. This shift toward decentralized, blockchain‑based infrastructure likely reflects increased efforts by attackers to evade detection.
In outgoing connections to these malicious endpoints across affected networks, Darktrace / NETWORK recognized that the activity was 100% rare and anomalous for both the devices and the wider networks, likely indicative of malicious beaconing, regardless of the underlying trusted infrastructure. In addition to generating multiple model alerts to capture this malicious activity across affected networks, Darktrace’s Cyber AI Analyst was able to compile these separate events into broader incidents that summarized the entire attack chain, allowing customers’ security teams to investigate and remediate more efficiently. Moreover, in customer environments where Darktrace’s Autonomous Response capability was enabled, Darktrace took swift action to contain the attack by blocking beaconing connections to the malicious endpoints, even when those endpoints were associated with seemingly trustworthy services.
Conclusion
Attacks targeting trusted relationships continue to be a popular strategy among threat actors. Activities linked to trusted or widely deployed software are often unintentionally whitelisted by existing security solutions and gateways. Darktrace observed multiple devices becoming impacted within a very short period, likely because tools such as antivirus software are typically mass‑deployed across numerous endpoints. As a result, a single compromised delivery mechanism can greatly expand the attack surface.
Attackers are also becoming increasingly creative in developing resilient C2 infrastructure and exploiting legitimate services to evade detection. Defenders are therefore encouraged to closely monitor anomalous connections and file downloads. Darktrace’s ability to detect unusual activity amidst ever‑changing tactics and indicators of compromise (IoCs) helps organizations maintain a proactive and resilient defense posture against emerging threats.
Credit to Joanna Ng (Associate Principal Cybersecurity Analyst) and Min Kim (Associate Principal Cybersecurity Analyst) and Tara Gould (Malware Researcher Lead)
Edited by Ryan Traill (Content Manager)
Appendices
Darktrace Model Detections
Anomalous File::Zip or Gzip from Rare External Location
How AI is breaking the patch-and-prevent security model
The business world was upended last week by the news that Anthropic has developed a powerful new AI model, Claude Mythos, which poses unprecedented risk because of its ability to expose flaws in IT systems.
Whether it’s Mythos or OpenAI’s GPT-5.4-Cyber, which was just announced on Tuesday, supercharged AI models in the hands of hackers will allow them to carry out attacks at machine speed, much faster than most businesses can stop them.
This news underscores a stark reality for all leaders: Patching holes alone is not a sufficient control against modern cyberattacks. You must assume that your software is already vulnerable right now. And while LLMs are very good at spotting vulnerabilities, they’re pretty bad at reliably patching them.
Project Glasswing members say it could take months or years for patches to be applied. While that work is done, enterprises must be protected against Zero-Day attacks, or security holes that are still undiscovered.
Most cybersecurity strategies today are built like a daily multivitamin: broad, preventative, and designed to keep the system generally healthy over time. Patch regularly. Update software. Reduce known vulnerabilities. It’s necessary, disciplined, and foundational. But it’s also built for a world where the risks are well known and defined, cycles are predictable, and exposure unfolds at a manageable pace.
What happens when that model no longer holds?
The AI cyber advantage: Behavioral AI
The vulnerabilities exposed by AI systems like Mythos aren’t the well-understood risks your “multivitamin” was designed to address. They are transient, fast-emerging entry points that exist just long enough to be exploited.
In that environment, prevention alone isn’t enough. You don’t need more vitamins—you need a painkiller. The future of cybersecurity won’t be defined by how well you maintain baseline health. It will be defined by how quickly you respond when something breaks and every second counts.
That’s why behavioral AI gives businesses a durable cyber advantage. Rather than trying to figure out what the attacker looks like, it learns what “normal” looks like across the digital ecosystem of each individual business.
That’s exactly how behavioral AI works. It understands the self, or what's normal for the organization, and then it can spot deviations in from normal that are actually early-stage attacks.
The Darktrace approach to cybersecurity
At Darktrace, we’ve been defending our 10,000 customers using behavioral AI cybersecurity developed in our AI Research Centre in Cambridge, U.K.
Darktrace was built on the understanding that attacks do not arrive neatly labeled, and that the most damaging threats often emerge before signatures, indicators, or public disclosures can catch up.
Our AI algorithms learn in real time from your personalized business data to learn what’s normal for every person and every asset, and the flows of data within your organization. By continuously understanding “normal” across your entire digital ecosystem, Darktrace identifies and contains threats emerging from unknown vulnerabilities and compromised supply chain dependencies, autonomously curtailing attacks at machine speed.
As AI reshapes how vulnerabilities are found and exploited, cybersecurity must be anchored in something more durable than a list of known flaws. It requires a real-time understanding of the business itself: what belongs, what does not, and what must be stopped immediately.
What leaders should do right now
The leadership priority must shift accordingly.
First, stop treating unknown vulnerabilities as an edge case. AI‑driven discovery makes them the norm. Security programs built primarily around known flaws, signatures, and threat intelligence will always lag behind an attacker that is operating in real time.
Second, insist on an understanding of what is actually normal across the business. When threats are novel, labels are useless. The earliest and most reliable signal of danger is abnormal behavior—systems, users, or data flows that suddenly depart from what is expected. If you cannot see that deviation as it happens, you are effectively blind during the most critical window.
Finally, assume that the next serious incident will occur before remediation guidance is available. Ask what happens in those first minutes and hours. The organizations that maintain resilience are not the ones waiting for disclosure cycles to catch up—they are the ones that can autonomously identify and contain emerging threats as they unfold.
This is the reality of cybersecurity in an AI‑shaped world. Patching and prevention remain important foundations, but the advantage now belongs to those who can respond instantly when the unpredictable occurs.
Behavioral AI is security designed not just for known threats, but for the ones that AI will discover next.
![WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69e6bd15391fbfb9bc810102_Screenshot%202026-04-20%20at%204.56.01%E2%80%AFPM.png)
![Earliest observed transaction record for blackice[.]sol on public ledgers.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69e6bd3a9035e7b16c8df83c_Screenshot%202026-04-20%20at%204.56.40%E2%80%AFPM.png)
