Blog
/
Network
/
December 6, 2023

How Darktrace Triumphed Over MyKings Botnet

Darktrace has provided full visibility over the MyKings botnet kill chain from the beginning of its infections to the eventual cryptocurrency mining activity.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oluwatosin Aturaka
Analyst Team Lead, Cambridge
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
06
Dec 2023

Botnets: A persistent cyber threat

Since their appearance in the wild over three decades ago, botnets have consistently been the attack vector of choice for many threat actors. The most prevalent of these attack vectors are distributed denial of service (DDoS) and phishing campaigns. Their persistent nature means that even if a compromised device in identified, attackers can continue to operate by using the additional compromised devices they will likely have on the target network. Similarly, command and control (C2) infrastructure can easily be restructured between infected systems, making it increasingly difficult to remove the infection.  

MyKings Botnet

One of the most prevalent and sophisticated examples in recent years is the MyKings botnet, also known as Smominru or DarkCloud. Darktrace has observed numerous cases of MyKings botnet compromises across multiple customer environments in several different industries as far back as August 2022. The diverse tactics, techniques, and procedures (TTPs) and sophisticated kill chains employed by MyKings botnet may prove a challenge to traditional rule and signature-based detections.

However, Darktrace’s anomaly-centric approach enabled it to successfully detect a wide-range of indicators of compromise (IoCs) related to the MyKings botnet and bring immediate awareness to customer security teams, as it demonstrated on the network of multiple customers between March and August 2023.

Background on MyKings Botnet

MyKings has been active and spreading steadily since 2016 resulting in over 520,000 infections worldwide.[1] Although verified attribution of the botnet remains elusive, the variety of targets and prevalence of crypto-mining software on affected devices suggests the threat group behind the malware is financially motivated. The operators behind MyKings appear to be highly opportunistic, with attacks lacking an obvious specific target industry. Across Darktrace’s customer base, the organizations affected were representative of multiple industries such as entertainment, mining, education, information technology, health, and transportation.

Given its longevity, the MyKings botnet has unsurprisingly evolved since its first appearance years ago. Initial analyses of the botnet showed that the primary crypto-related activity on infected devices was the installation of Monero-mining software. However, in 2019 researchers discovered a new module within the MyKings malware that enabled clipboard-jacking, whereby the malware replaces a user's copied cryptowallet address with the operator's own wallet address in order to siphon funds.[2]

Similar to other botnets such as the Outlaw crypto-miner, the MyKings botnet can also kill running processes of unrelated malware on the compromised hosts that may have resulted from prior infection.[3] MyKings has also developed a comprehensive set of persistence techniques, including: the deployment of bootkits, initiating the botnet immediately after a system reboot, configuring Registry run keys, and generating multiple Scheduled Tasks and WMI listeners.[4] MyKings have also been observed rotating tools and payloads over time to propagate the botnet. For example, some operators have been observed utilizing PCShare, an open-source remote access trojan (RAT) customized to conduct C2 services, execute commands, and download mining software[5].

Darktrace Coverage

Across observed customer networks between March and August 2023, Darktrace identified the MyKings botnet primarily targeting Windows-based servers that supports services like MySQL, MS-SQL, Telnet, SSH, IPC, WMI, and Remote Desktop (RDP).  In the initial phase of the attack, the botnet would initiate a variety of attacks against a target including brute-forcing and exploitation of unpatched vulnerabilities on exposed servers. The botnet delivers a variety of payloads to the compromised systems including worm downloaders, trojans, executable files and scripts.

This pattern of activity was detected across the network of one particular Darktrace customer in the education sector in early March 2023. Unfortunately, this customer did not have Darktrace RESPOND™ deployed on their network at the time of the attack, meaning the MyKings botnet was able to move through the cyber kill chain ultimately achieving its goal, which in this case was mining cryptocurrency.

Initial Access

On March 6, Darktrace observed an internet-facing SQL server receiving an unusually large number of incoming MySQL connections from the rare external endpoint 171.91.76[.]31 via port 1433. While it is not possible to confirm whether these suspicious connections represented the exact starting point of the infection, such a sudden influx of SQL connection from a rare external endpoint could be indicative of a malicious attempt to exploit vulnerabilities in the server's SQL database or perform password brute-forcing to gain unauthorized access. Given that MyKings typically spreads primarily through such targeting of internet-exposed devices, the pattern of activity is consistent with potential initial access by MyKings.[6]

Initial Command and Control

The device then proceeded to initiate a series of repeated HTTP connections between March 6 and March 10, to the domain www[.]back0314[.]ru (107.148.239[.]111). These connections included HTTP GET requests featuring URIs such as ‘/back.txt',  suggesting potential beaconing and C2 communication. The device continued this connectivity to the external host over the course of four days, primarily utilizing destination ports 80, and 6666. While port 80 is commonly utilized for HTTP connections, port 6666 is a non-standard port for the protocol. Such connectivity over non-standard ports can indicate potential detection evasion and obfuscation tactics by the threat actors.  During this time, the device also initiated repeated connections to additional malicious external endpoints with seemingly algorithmically generated hostnames such as pc.pc0416[.]xyz.

Darktrace UI image
Figure 1: Model breach showing details of the malicious domain generation algorithm (DGA) connections.

Tool Transfer

While this beaconing activity was taking place, the affected device also began to receive potential payloads from unusual external endpoints. On April 29, the device made an HTTP GET request for “/power.txt” to the endpoint 192.236.160[.]237, which was later discovered to have multiple open-source intelligence (OSINT) links to malware. Power.txt is a shellcode written in PowerShell which is downloaded and executed with the purpose of disabling Windows Defenders related functions.[7] After the initial script was downloaded (and likely executed), Darktrace went on to detect the device making a series of additional GET requests for several varying compressed and executable files. For example, the device made HTTP requests for '/pld/cmd.txt' to the external endpoint 104.233.224[.]173. In response the external server provided numerous files, including ‘u.exe’, and ‘upsup4.exe’ for download, both of which share file names with previously identified MyKings payloads.

MyKings deploys a diverse array of payloads to expand the botnet and secure a firm position within a compromised system. This multi-faceted approach may render conventional security measures less effective due to the intricacies of and variety of payloads involved in compromises. Darktrace, however, does not rely on static or outdated lists of IoCs in order to detect malicious activity. Instead, DETECT’s Self-Learning AI allows it to identify emerging compromise activity by recognizing the subtle deviations in an affected device’s behavior that could indicate it has fallen into the hands of malicious actors.

Figure 2: External site summary of the endpoint 103.145.106[.]242 showing the rarity of connectivity to the external host.

Achieving Objectives – Crypto-Mining

Several weeks after the initial payloads were delivered and beaconing commenced, Darktrace finally detected the initiation of crypto-mining operations. On May 27, the originally compromised server connected to the rare domain other.xmrpool[.]ru over port 1081. As seen in the domain name, this endpoint appears to be affiliated with pool mining activity and the domain has various OSINT affiliations with the cryptocurrency Monero coin. During this connection, the host was observed passing Monero credentials, activity which parallels similar mining operations observed on other customer networks that had been compromised by the MyKings botnet.

Although mining activity may not pose an immediate or urgent concern for security unauthorized cryptomining on devices can result in detrimental consequences, such as compromised hardware integrity, elevated energy costs, and reduced productivity, and even potential involvement in money laundering.

Figure 3: Event breach log showing details of the connection to the other.xmrpool[.]ru endpoint associated with cryptocurrency mining activity.

Conclusion

Detecting future iterations of the MyKings botnet will likely demand a shift away from an overreliance on traditional rules and signatures and lists of “known bads”, instead requiring organizations to employ AI-driven technology that can identify suspicious activity that represents a deviation from previously established patterns of life.

Despite the diverse range of payloads, malicious endpoints, and intricate activities that constitute a typical MyKing botnet compromise, Darktrace was able successfully detect multiple critical phases within the MyKings kill chain. Given the evolving nature of the MyKings botnet, it is highly probable the botnet will continue to expand and adapt, leveraging new tactics and technologies. By adopting Darktrace’s product of suites, including Darktrace DETECT, organizations are well-positioned to identify these evolving threats as soon as they emerge and, when coupled with the autonomous response technology of Darktrace RESPOND, threats like the MyKings botnet can be stopped in their tracks before they can achieve their ultimate goals.

Credit to: Oluwatosin Aturaka, Analyst Team Lead, Cambridge, Adam Potter, Cyber Analyst

Appendix

IoC Table

IoC - Type - Description + Confidence

162.216.150[.]108- IP - C2 Infrastructure

103.145.106[.]242 - IP - C2 Infrastructure

137.175.56[.]104 - IP - C2 Infrastructure

138.197.152[.]201 - IP - C2 Infrastructure

139.59.74[.]135 - IP - C2 Infrastructure

pc.pc0416[.]xyz - Domain - C2 Infrastructure (DGA)

other.xmrpool[.]ru - Domain - Cryptomining Endpoint

xmrpool[.]ru - Domain - Cryptomining Endpoint

103.145.106[.]55 - IP - Cryptomining Endpoint

ntuser[.]rar - Zipped File - Payload

/xmr1025[.]rar - Zipped File - Payload

/20201117[.]rar - Zipped File - Payload

wmi[.]txt - File - Payload

u[.]exe - Executable File - Payload

back[.]txt - File - Payload

upsupx2[.]exe - Executable File - Payload

cmd[.]txt - File - Payload

power[.]txt - File - Payload

ups[.]html - File - Payload

xmr1025.rar - Zipped File - Payload

171.91.76[.]31- IP - Possible Initial Compromise Endpoint

www[.]back0314[.]ru - Domain - Probable C2 Infrastructure

107.148.239[.]111 - IP - Probable C2 Infrastructure

194.67.71[.]99 - IP- Probable C2 Infrastructure

Darktrace DETECT Model Breaches

  • Device / Initial Breach Chain Compromise
  • Anomalous File / Masqueraded File Transfer (x37)
  • Compromise / Large DNS Volume for Suspicious Domain
  • Compromise / Fast Beaconing to DGA
  • Device / Large Number of Model Breaches
  • Anomalous File / Multiple EXE from Rare External Locations (x30)
  • Compromise / Beacon for 4 Days (x2)
  • Anomalous Server Activity / New User Agent from Internet Facing System
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous Server Activity / New Internet Facing System
  • Anomalous File / EXE from Rare External Location (x37)
  • Device / Large Number of Connections to New Endpoints
  • Anomalous Server Activity / Server Activity on New Non-Standard Port (x3)
  • Device / Threat Indicator (x3)
  • Unusual Activity / Unusual External Activity
  • Compromise / Crypto Currency Mining Activity (x37)
  • Compliance / Internet Facing SQL Server
  • Device / Anomalous Scripts Download Followed By Additional Packages
  • Device / New User Agent

MITRE ATT&CK Mapping

ATT&CK Technique - Technique ID

Reconnaissance – T1595.002 Vulnerability Scanning

Resource Development – T1608 Stage Capabilities

Resource Development – T1588.001 Malware

Initial Access – T1190 Exploit Public-Facing Application

Command and Control – T15568.002 Domain Generated Algorithms

Command and Control – T1571 Non-Standard Port

Execution – T1047 Windows Management Instrumentation

Execution – T1059.001 Command and Scripting Interpreter

Persistence – T1542.003 Pre-OS Boot

Impact – T1496 Resource Hijacking

References

[1] https://www.binarydefense.com/resources/threat-watch/mykings-botnet-is-growing-and-remains-under-the-radar/

[2] https://therecord.media/a-malware-botnet-has-made-more-than-24-7-million-since-2019

[3] https://www.darktrace.com/blog/outlaw-returns-uncovering-returning-features-and-new-tactics

[4] https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-uncut-mykings-report.pdf

[5] https://www.antiy.com/response/20190822.html

[6] https://ethicaldebuggers.com/mykings-botnet/

[7] https://ethicaldebuggers.com/mykings-botnet/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oluwatosin Aturaka
Analyst Team Lead, Cambridge

More in this series

No items found.

Blog

/

Network

/

August 8, 2025

Ivanti Under Siege: Investigating the Ivanti Endpoint Manager Mobile Vulnerabilities (CVE-2025-4427 & CVE-2025-4428)

ivanti cve exploitation edge infrastructure Default blog imageDefault blog image

Ivanti & Edge infrastructure exploitation

Edge infrastructure exploitations continue to prevail in today’s cyber threat landscape; therefore, it was no surprise that recent Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2025-4427 and CVE-2025-4428 were exploited targeting organizations in critical sectors such as healthcare, telecommunications, and finance across the globe, including across the Darktrace customer base in May 2025.

Exploiting these types of vulnerabilities remains a popular choice for threat actors seeking to enter an organization’s network to perform malicious activity such as cyber espionage, data exfiltration and ransomware detonation.

Vulnerabilities in Ivanti EPMM

Ivanti EPMM allows organizations to manage and configure enterprise mobile devices. On May 13, 2025, Ivanti published a security advisory [1] for their Ivanti Endpoint Manager Mobile (EPMM) devices addressing a medium and high severity vulnerability:

  • CVE-2025-4427, CVSS: 5.6: An authentication bypass vulnerability
  • CVE-2025-4428, CVSS: 7.2: Remote code execution vulnerability

Successfully exploiting both vulnerabilities at the same time could lead to unauthenticated remote code execution from an unauthenticated threat actor, which could allow them to control, manipulate, and compromise managed devices on a network [2].

Shortly after the disclosure of these vulnerabilities, external researchers uncovered evidence that they were being actively exploited in the wild and identified multiple indicators of compromise (IoCs) related to post-exploitation activities for these vulnerabilities [2] [3]. Research drew particular attention to the infrastructure utilized in ongoing exploitation activity, such as leveraging the two vulnerabilities to eventually deliver malware contained within ELF files from Amazon Web Services (AWS) S3 bucket endpoints and to deliver KrustyLoader malware for persistence. KrustyLoader is a Rust based malware that was discovered being downloaded in compromised Ivanti Connect Secure systems back in January 2024 when the zero-day critical vulnerabilities; CVE-2024-21887 and CVE-2023-46805 [10].

This suggests the involvement of the threat actor UNC5221, a suspected China-nexus espionage actor [3].

In addition to exploring the post-exploit tactics, techniques, and procedures (TTPs) observed for these vulnerabilities across Darktrace’s customer base, this blog will also examine the subtle changes and similarities in the exploitation of earlier Ivanti vulnerabilities—specifically Ivanti Connect Secure (CS) and Policy Secure (PS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 in early 2024, as well as CVE-2025-0282 and CVE-2025-0283, which affected CS, PS, and Zero Trust Access (ZTA) in January 2025.

Darktrace Coverage

In May 2025, shortly after Ivanti disclosed vulnerabilities in their EPMM product, Darktrace’s Threat Research team identified attack patterns potentially linked to the exploitation of these vulnerabilities across multiple customer environments. The most noteworthy attack chain activity observed included exploit validation, payload delivery via AWS S3 bucket endpoints, subsequent delivery of script-based payloads, and connections to dpaste[.]com, possibly for dynamic payload retrieval. In a limited number of cases, connections were also made to an IP address associated with infrastructure linked to SAP NetWeaver vulnerability CVE-2025-31324, which has been investigated by Darktrace in an earlier case.

Exploit Validation

Darktrace observed devices within multiple customer environments making connections related to Out-of-Band Application Security Testing (OAST). These included a range of DNS requests and connections, most of which featured a user agent associated with the command-line tool cURL, directed toward associated endpoints. The hostnames of these endpoints consisted of a string of randomly generated characters followed by an OAST domain, such as 'oast[.]live', 'oast[.]pro', 'oast[.]fun', 'oast[.]site', 'oast[.]online', or 'oast[.]me'. OAST endpoints can be leveraged by malicious actors to trigger callbacks from targeted systems, such as for exploit validation. This activity, likely representing the initial phase of the attack chain observed across multiple environments, was also seen in the early stages of previous investigations into the exploitation of Ivanti vulnerabilities [4]. Darktrace also observed similar exploit validation activity during investigations conducted in January 2024 into the Ivanti CS vulnerabilities CVE-2023-46805 and CVE-2024-21887.

Payload Delivery via AWS

Devices across multiple customer environments were subsequently observed downloading malicious ELF files—often with randomly generated filenames such as 'NVGAoZDmEe'—from AWS S3 bucket endpoints like 's3[.]amazonaws[.]com'. These downloads occurred over HTTP connections, typically using wget or cURL user agents. Some of the ELF files were later identified to be KrustyLoader payloads using open-source intelligence (OSINT). External researchers have reported that the KrustyLoader malware is executed in cases of Ivanti EPMM exploitation to gain and maintain a foothold in target networks [2].

In one customer environment, after connections were made to the endpoint fconnect[.]s3[.]amazonaws[.]com, Darktrace observed the target system downloading the ELF file mnQDqysNrlg via the user agent Wget/1.14 (linux-gnu). Further investigation of the file’s SHA1 hash (1dec9191606f8fc86e4ae4fdf07f09822f8a94f2) linked it to the KrustyLoader malware [5]. In another customer environment, connections were instead made to tnegadge[.]s3[.]amazonaws[.]com using the same user agent, from which the ELF file “/dfuJ8t1uhG” was downloaded. This file was also linked to KrustyLoader through its SHA1 hash (c47abdb1651f9f6d96d34313872e68fb132f39f5) [6].

The pattern of activity observed so far closely mirrors previous exploits associated with the Ivanti vulnerabilities CVE-2023-46805 and CVE-2024-21887 [4]. As in those cases, Darktrace observed exploit validation using OAST domains and services, along with the use of AWS endpoints to deliver ELF file payloads. However, in this instance, the delivered payload was identified as KrustyLoader malware.

Later-stage script file payload delivery

In addition to the ELF file downloads, Darktrace also detected other file downloads across several customer environments, potentially representing the delivery of later-stage payloads.

The downloaded files included script files with the .sh extension, featuring randomly generated alphanumeric filenames. One such example is “4l4md4r.sh”, which was retrieved during a connection to the IP address 15.188.246[.]198 using a cURL-associated user agent. This IP address was also linked to infrastructure associated with the SAP NetWeaver remote code execution vulnerability CVE-2025-31324, which enables remote code execution on NetWeaver Visual Composer. External reporting has attributed this infrastructure to a China-nexus state actor [7][8][9].

In addition to the script file downloads, devices on some customer networks were also observed making connections to pastebin[.]com and dpaste[.]com, two sites commonly used to host or share malicious payloads or exploitation instructions [2]. Exploits, including those targeting Ivanti EPMM vulnerabilities, can dynamically fetch malicious commands from sites like dpaste[.]com, enabling threat actors to update payloads. Unlike the previously detailed activity, this behavior was not identified in any prior Darktrace investigations into Ivanti-related vulnerabilities, suggesting a potential shift in the tactics used in post-exploitation stages of Ivanti attacks.

Conclusion

Edge infrastructure vulnerabilities, such as those found in Ivanti EPMM and investigated across customer environments with Darktrace / NETWORK, have become a key tool in the arsenal of attackers in today’s threat landscape. As highlighted in this investigation, while many of the tactics employed by threat actors following successful exploitation of vulnerabilities remain the same, subtle shifts in their methods can also be seen.

These subtle and often overlooked changes enable threat actors to remain undetected within networks, highlighting the critical need for organizations to maintain continuous extended visibility, leverage anomaly based behavioral analysis, and deploy machine speed intervention across their environments.

Credit to Nahisha Nobregas (Senior Cyber Analyst) and Anna Gilbertson (Senior Cyber Analyst)

Appendices

Mid-High Confidence IoCs

(IoC – Type - Description)

-       trkbucket.s3.amazonaws[.]com – Hostname – C2 endpoint

-       trkbucket.s3.amazonaws[.]com/NVGAoZDmEe – URL – Payload

-       tnegadge.s3.amazonaws[.]com – Hostname – C2 endpoint

-       tnegadge.s3.amazonaws[.]com/dfuJ8t1uhG – URL – Payload

-       c47abdb1651f9f6d96d34313872e68fb132f39f5 - SHA1 File Hash – Payload

-       4abfaeadcd5ab5f2c3acfac6454d1176 - MD5 File Hash - Payload

-       fconnect.s3.amazonaws[.]com – Hostname – C2 endpoint

-       fconnect.s3.amazonaws[.]com/mnQDqysNrlg – URL - Payload

-       15.188.246[.]198 – IP address – C2 endpoint

-       15.188.246[.]198/4l4md4r.sh?grep – URL – Payload

-       185.193.125[.]65 – IP address – C2 endpoint

-       185.193.125[.]65/c4qDsztEW6/TIGHT_UNIVERSITY – URL – C2 endpoint

-       d8d6fe1a268374088fb6a5dc7e5cbb54 – MD5 File Hash – Payload

-       64.52.80[.]21 – IP address – C2 endpoint

-       0d8da2d1.digimg[.]store – Hostname – C2 endpoint

-       134.209.107[.]209 – IP address – C2 endpoint

Darktrace Model Detections

-       Compromise / High Priority Tunnelling to Bin Services (Enhanced Monitoring Model)

-       Compromise / Possible Tunnelling to Bin Services

-       Anomalous Server Activity / New User Agent from Internet Facing System

-       Compliance / Pastebin

-       Device / Internet Facing Device with High Priority Alert

-       Anomalous Connection / Callback on Web Facing Device

-       Anomalous File / Script from Rare External Location

-       Anomalous File / Incoming ELF File

-       Device / Suspicious Domain

-       Device / New User Agent

-       Anomalous Connection / Multiple Connections to New External TCP Port

-       Anomalous Connection / New User Agent to IP Without Hostname

-       Anomalous File / EXE from Rare External Location

-       Anomalous File / Internet Facing System File Download

-       Anomalous File / Multiple EXE from Rare External Locations

-       Compromise / Suspicious HTTP and Anomalous Activity

-       Device / Attack and Recon Tools

-       Device / Initial Attack Chain Activity

-       Device / Large Number of Model Alerts

-       Device / Large Number of Model Alerts from Critical Network Device

References

1.     https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

2.     https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

3.     https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428

4.     https://www.darktrace.com/blog/the-unknown-unknowns-post-exploitation-activities-of-ivanti-cs-ps-appliances

5.     https://www.virustotal.com/gui/file/ac91c2c777c9e8638ec1628a199e396907fbb7dcf9c430ca712ec64a6f1fcbc9/community

6.     https://www.virustotal.com/gui/file/f3e0147d359f217e2aa0a3060d166f12e68314da84a4ecb5cb205bd711c71998/community

7.     https://www.virustotal.com/gui/ip-address/15.188.246.198

8.     https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures

9.     https://www.darktrace.com/blog/tracking-cve-2025-31324-darktraces-detection-of-sap-netweaver-exploitation-before-and-after-disclosure

10.  https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein.

Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

Continue reading
About the author
Nahisha Nobregas
SOC Analyst

Blog

/

Cloud

/

August 7, 2025

How CDR & Automated Forensics Transform Cloud Incident Response

cloud security investigation guy on computer doing workDefault blog imageDefault blog image

Introduction: Cloud investigations

In cloud security, speed, automation and clarity are everything. However, for many SOC teams, responding to incidents in the cloud is often very difficult especially when attackers move fast, infrastructure is ephemeral, and forensic skills are scarce.

In this blog we will walk through an example that shows exactly how Darktrace Cloud Detection and Response (CDR) and automated cloud forensics together, solve these challenges, automating cloud detection, and deep forensic investigation in a way that’s fast, scalable, and deeply insightful.

The Problem: Cloud incidents are hard to investigate

Security teams often face three major hurdles when investigating cloud detections:

Lack of forensic expertise: Most SOCs and security teams aren’t natively staffed with forensics specialists.

Ephemeral infrastructure: Cloud assets spin up and down quickly, leaving little time to capture evidence.

Lack of existing automation: Gathering forensic-level data often requires manual effort and leaves teams scrambling around during incidents — accessing logs, snapshots, and system states before they disappear. This process is slow and often blocked by permissions, tooling gaps, or lack of visibility.

How Darktrace augments cloud investigations

1. Darktrace’s CDR finds anomalous activity in the cloud

An alert is generated for a large outbound data transfer from an externally facing EC2 instance to a rare external endpoint. It’s anomalous, unexpected, and potentially serious.

2. AI-led investigation stitches together the incident for a SOC analyst to look into

When a security incident unfolds, Darktrace’s Cyber AI Analyst TM is the first to surface it, automatically correlating behaviors, surfacing anomalies, and presenting a cohesive incident summary. It’s fast, detailed, and invaluable.

Once the incident is created, more questions are raised.

  • How were the impacted resources compromised?
  • How did the attack unfold over time – what tools and malware were used?
  • What data was accessed and exfiltrated?

What you’ll see as a SOC analyst: The incident begins in Darktrace’s Threat Visualizer, where a Cyber AI Analyst incident has been generated automatically highlighting large anomalous data transfer to a suspicious external IP. This isn’t just another alert, it’s a high-fidelity signal backed by Darktrace’s Self-Learning AI.

Cyber AI Analyst incident created for anomalous outbound data transfer
Figure 1: Cyber AI Analyst incident created for anomalous outbound data transfer

The analyst can then immediately pivot to Darktrace / CLOUD’s architecture view (see below), gaining context on the asset’s environment, ingress/egress points, connected systems, potential attack paths and whether there are any current misconfigurations detected on the asset.

Darktrace / CLOUD architecture view providing critical cloud context
Figure 2: Darktrace / CLOUD architecture view providing critical cloud context

3. Automated forensic capture — No expertise required

Then comes the game-changer, Darktrace’s recent acquisition of Cado enhances its cloud forensics capabilities. From the first alert triggered, Darktrace has already kicked in and automatically processed and analyzed a full volume capture of the EC2. Everything, past and present, is preserved. No need for manual snapshots, CLI commands, or specialist intervention.

Darktrace then provides a clear timeline highlighting the evidence and preserving it. In our example we identify:

  • A brute-force attempt on a file management app, followed by a successful login
  • A reverse shell used to gain unauthorized remote access to the EC2
  • A reverse TCP connection to the same suspicious IP flagged by Darktrace
  • Attacker commands showing how the data was split and prepared for exfiltration
  • A file (a.tar) created from two sensitive archives: product_plans.zip and research_data.zip

All of this is surfaced through the timeline view, ranked by significance using machine learning. The analyst can pivot through time, correlate events, and build a complete picture of the attack — without needing cloud forensics expertise.

Darktrace even gives the ability to:

  • Download and inspect gathered files in full detail, enabling teams to verify exactly what data was accessed or exfiltrated.
  • Interact with the file system as if it were live, allowing investigators to explore directories, uncover hidden artifacts, and understand attacker movement with precision.
Figure 3 Cado critical forensic investigation automated insights
Figure 3: Cado critical forensic investigation automated insights
Figure 4: Cado forensic file analysis of reverse shell and download option
Figure 5: a.tar created from two sensitive archives: product_plans.zip and research_data.zip
Figure 6: Traverse the full file system of the asset

Why this matters?

This workflow solves the hardest parts of cloud investigation:

  1. Capturing evidence before it disappears
  2. Understanding attacker behavior in detail - automatically
  3. Linking detections to impact with full incident visibility

This kind of insight is invaluable for organizations especially regulated industries, where knowing exactly what data was affected is critical for compliance and reporting. It’s also a powerful tool for detecting insider threats, not just external attackers.

Darktrace / CLOUD and Cado together acts as a force multiplier helping with:

  • Reducing investigation time from hours to minutes
  • Preserving ephemeral evidence automatically
  • Empowering analysts with forensic-level visibility

Cloud threats aren’t slowing down. Your response shouldn’t either. Darktrace / CLOUD + Cado gives your SOC the tools to detect, contain, and investigate cloud incidents — automatically, accurately, and at scale.

[related-resource]

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security
Your data. Our AI.
Elevate your network security with Darktrace AI