Blog
/
Network
/
April 2, 2024

Darktrace's Investigation of Raspberry Robin Worm

Discover how Darktrace is leading the hunt for Raspberry Robin. Explore early insights and strategies in the battle against cyber threats.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Apr 2024

Introduction

In the face of increasingly hardened digital infrastructures and skilled security teams, malicious actors are forced to constantly adapt their attack methods, resulting in sophisticated attacks that are designed to evade human detection and bypass traditional network security measures.  

One such example that was recently investigated by Darktrace is Raspberry Robin, a highly evasive worm malware renowned for merging existing and novel techniques, as well as leveraging both physical hardware and software, to establish a foothold within organization’s networks and propagate additional malicious payloads.

What is Raspberry Robin?

Raspberry Robin, also known as ‘QNAP worm’, is a worm malware that was initially discovered at the end of 2023 [1], however, its debut in the threat landscape may have predated this, with Microsoft uncovering malicious artifacts linked to this threat (which it tracks under the name Storm-0856) dating back to 2019 [4]. At the time, little was known regarding Raspberry Robin’s objectives or operators, despite the large number of successful infections worldwide. While the identity of the actors behind Raspberry Robin still remains a mystery, more intelligence has been gathered about the malware and its end goals as it was observed delivering payloads from different malware families.

Who does Raspberry Robin target?

While it was initially reported that Raspberry Robin primarily targeted the technology and manufacturing industries, researchers discovered that the malware had actually targeted multiple sectors [3] [4]. Darktrace’s own investigations echoed this, with Raspberry Robin infections observed across various industries, including public administration, finance, manufacturing, retail education and transportation.

How does Raspberry Robin work?

Initially, it appeared that Raspberry Robin's access to compromised networks had not been utilized to deliver final-stage malware payloads, nor to steal corporate data. This uncertainty led researchers to question whether the actors involved were merely “cybercriminals playing around” or more serious threats [3]. This lack of additional exploitation was indeed peculiar, considering that attackers could easily escalate their attacks, given Raspberry Robin’s ability to bypass User Account Control using legitimate Windows tools [4].

However, at the end of July 2022, some clarity emerged regarding the operators' end goals. Microsoft researchers revealed that the access provided by Raspberry Robin was being utilized by an access broker tracked as DEV-0206 to distribute the FakeUpdates malware downloader [2]. Researchers further discovered malicious activity associated with Evil Corp TTPs (i.e., DEV-0243) [5] and payloads from the Fauppod malware family leveraging Raspberry Robin’s access [8]. This indicates that Raspberry Robin may, in fact, be an initial access broker, utilizing its presence on hundreds of infected networks to distribute additional payloads for paying malware operators. Thus far, Raspberry Robin has been observed distributing payloads linked to FIN11, Clop Gang, BumbleBee, IcedID, and TrueBot on compromised networks [12].

Raspberry Robin’s Continued Evolution

Since it first appeared in the wild, Raspberry Robin has evolved from "being a widely distributed worm with no observed post-infection actions [...] to one of the largest malware distribution platforms currently active" [8]. The fact that Raspberry Robin has become such a prevalent threat is likely due to the continual addition of new features and evasion capabilities to their malware [6] [7].  

Since its emergence, the malware has “changed its communication method and lateral movement” [6] in order to evade signature detections based on threat intelligence and previous versions. Endpoint security vendors commonly describe it as heavily obfuscated malware, employing multiple layers of evasion techniques to hinder detection and analysis. These include for example dropping a fake payload when analyzed in a sandboxed environment and using mixed-case executing commands, likely to avoid case-sensitive string-based detections.  

In more recent campaigns, Raspberry Robin further appears to have added a new distribution method as it was observed being downloaded from archive files sent as attachments using the messaging service Discord [11]. These attachments contained a legitimate and signed Windows executable, often abused by attackers for side-loading, alongside a malicious dynamic-link library (DLL) containing a Raspberry Robin sample.

Another reason for the recent success of the malware may be found in its use of one-day exploits. According to researchers, Raspberry Robin now utilizes several local privilege escalation exploits that had been recently disclosed, even before a proof of concept had been made available [9] [10]. This led cyber security professionals to believe that operators of the malware may have access to an exploit seller [6]. The use of these exploits enhances Raspberry Robin's detection evasion and persistence capabilities, enabling it to propagate on networks undetected.

Darktrace’s Coverage of Raspberry Robin

Through two separate investigations carried out by Darktrace’s Threat Research team, first in late 2022 and then in November 2023, it became evident that Raspberry Robin was capable of integrating new functionalities and tactics, techniques and procedures (TTPs) into its attacks. Darktrace DETECT™ provided full visibility over the evolving campaign activity, allowing for a comparison of the threat across both investigations. Additionally, if Darktrace RESPOND™ was enabled on affected networks, it was able to quickly mitigate and contain emerging activity during the initial stages, thwarting the further escalation of attacks.

Raspberry Robin Initial Infection

The most prevalent initial infection vector appears to be the introduction of an infected external drive, such as a USB stick, containing a malicious .LNK file (i.e., a Windows shortcut file) disguised as a thumb drive or network share. When clicked, the LNK file automatically launches cmd.exe to execute the malicious file stored on the external drive, and msiexec.exe to connect to a Raspberry Robin command-and-control (C2) endpoint and download the main malware component. The whole process leverages legitimate Windows processes and is therefore less likely to raise any alarms from more traditional security solutions. However, Darktrace DETECT was able to identify the use of Msiexec to connect to a rare endpoint as anomalous in every case investigated.

Little is currently known regarding how the external drives are infected and distributed, but it has been reported that affected USB drives had previously been used for printing at printing and copying shops, suggesting that the infection may have originated from such stores [13].

A method as simple as leaving an infected USB on a desk in a public location can be a highly effective social engineering tactic for attackers. Exploiting both curiosity and goodwill, unsuspecting individuals may innocently plug in a found USB, hoping to identify its owner, unaware that they have unwittingly compromised their device.

As Darktrace primarily operates on the network layer, the insertion of a USB endpoint device would not be within its visibility. Nevertheless, Darktrace did observe several instances wherein multiple Microsoft endpoints were contacted by compromised devices prior to the first connection to a Raspberry Robin domain. For example, connections to the URI '/fwlink/?LinkID=252669&clcid=0x409' were observed in multiple customer environments prior to the first Raspberry Robin external connection. This connectivity seems to be related to Windows attempting to retrieve information about installed hardware, such as a printer, and could also be related to the inserting of an external USB drive.

Figure 1: Device Event Log showing an affected device making connections to Microsoft endpoints, prior to contacting the Raspberry Robin C2 endpoint ‘vqdn[.]net’.
Figure 1: Device Event Log showing an affected device making connections to Microsoft endpoints, prior to contacting the Raspberry Robin C2 endpoint ‘vqdn[.]net’.

Raspberry Robin Command-and-Control Activity

In all cases investigated by Darktrace, compromised devices were detected making HTTP GET connections via the unusual port 8080 to Raspberry Robin C2 endpoints using the new user agent 'Windows Installer'.

The C2 hostnames observed were typically short and matched the regex /[a-zA-Z0-9]{2,4}.[a-zA-Z0-9]{2,6}/, and were hosted on various top-level domains (TLD) such as ‘.rocks’, ‘.pm’, and ‘.wf’. On one customer network, Darktrace observed the download of an MSI file from the Raspberry Robin domain ‘wak[.]rocks’. This package contained a heavily protected malicious DLL file whose purpose was unknown at the time.  

However, in September 2022, external researchers revealed that the main purpose of this DLL was to download further payloads and enable lateral movement, persistence and privilege escalation on compromised devices, as well as exfiltrating sensitive information about the device. As worm infections spread through networks automatically, exfiltrating device data is an essential process for threat actor to keep track of which systems have been infected.

On affected networks investigated by Darktrace, compromised devices were observed making C2 connections that contained sensitive device information, including hostnames and credentials, with additional host information likely found within the data packets [12].

Figure 2: Model Breach Event Log displaying the events that triggered the the ‘New User Agent and Suspicious Request Data’ DETECT model breach.
Figure 2: Model Breach Event Log displaying the events that triggered the the ‘New User Agent and Suspicious Request Data’ DETECT model breach.

As for C2 infrastructure, Raspberry Robin leverages compromised Internet of Things (IoT) devices such as QNAP network attached storage (NAS) systems with hijacked DNS settings [13]. NAS devices are data storage servers that provide access to the files they store from anywhere in the world. These features have been abused by Raspberry Robin operators to distribute their malicious payloads, as any uploaded file could be stored and shared easily using NAS features.

However, Darktrace found that QNAP servers are not the only devices being exploited by Raspberry Robin, with DETECT identifying other IoT devices being used as C2 infrastructure, including a Cerio wireless access point in one example. Darktrace recognized that this connection was new to the environment and deemed it as suspicious, especially as it also used new software and an unusual port for the HTTP protocol (i.e., 8080 rather than 80).

In several instances, Darktrace observed Raspberry Robin utilizing TOR exit notes as backup C2 infrastructure, with compromised devices detected connecting to TOR endpoints.

Figure 3: Raspberry Robin C2 endpoint when viewed in a sandbox environment.
Figure 3: Raspberry Robin C2 endpoint when viewed in a sandbox environment.
Figure 4: Raspberry Robin C2 endpoint when viewed in a sandbox environment.
Figure 4: Raspberry Robin C2 endpoint when viewed in a sandbox environment.

Raspberry Robin in 2022 vs 2023

Despite the numerous updates and advancements made to Raspberry Robin between the investigations carried out in 2022 and 2023, Darktrace’s detection of the malware was largely the same.

DETECT models breached during first investigation at the end of 2022:

  • Device / New User Agent
  • Anomalous Server Activity / New User Agent from Internet Facing System
  • Device / New User Agent and New IP
  • Compromise / Suspicious Request Data
  • Compromise / Uncommon Tor Usage
  • Possible Tor Usage

DETECT models breached during second investigation in late 2023:

  • Device / New User Agent and New IP
  • Device / New User Agent and Suspicious Request Data
  • Device / New User Agent
  • Device / Suspicious Domain
  • Possible Tor Usage

Darktrace’s anomaly-based approach to threat detection enabled it to consistently detect the TTPs and IoCs associated with Raspberry Robin across the two investigations, despite the operator’s efforts to make it stealthier and more difficult to analyze.

In the first investigation in late 2022, Darktrace detected affected devices downloading addition executable (.exe) files following connections to the Raspberry Robin C2 endpoint, including a numeric executable file that appeared to be associated with the Vidar information stealer. Considering the advanced evasion techniques and privilege escalation capabilities of Raspberry Robin, early detection is key to prevent the malware from downloading additional malicious payloads.

In one affected customer environment investigated in late 2023, a total of 12 devices were compromised between mid-September and the end of October. As this particular customer did not have Darktrace RESPOND, the Raspberry Robin infection was able to spread through the network unabated until the customer acted upon Darktrace DETECT’s alerts.

Had Darktrace RESPOND been enabled in autonomous response mode, it would have been able to take immediate action following the first observed connection to a Raspberry Robin C2 endpoint, by blocking connections to the suspicious endpoint and enforcing a device’s normal ‘pattern of life’.

By enforcing a pattern of life on an affected device, RESPOND would prevent it from carrying out any activity that deviates from this learned pattern, including connections to new endpoints using new software as was the case in Figure 5, effectively shutting down the attack in the first instance.

Model Breach Event Log showing RESPOND’s actions against connections to Raspberry Robin C2 endpoints.
Figure 5: Model Breach Event Log showing RESPOND’s actions against connections to Raspberry Robin C2 endpoints.

Conclusion

Raspberry Robin is a highly evasive and adaptable worm known to evolve and change its TTPs on a regular basis in order to remain undetected on target networks for as long as possible. Due to its ability to drop additional malware variants onto compromised devices, it is crucial for organizations and their security teams to detect Raspberry Robin infections at the earliest possible stage to prevent the deployment of potentially disruptive secondary attacks.

Despite its continued evolution, Darktrace's detection of Raspberry Robin remained largely unchanged across the two investigations. Rather than relying on previous IoCs or leveraging existing threat intelligence, Darktrace DETECT’s anomaly-based approach allows it to identify emerging compromises by detecting the subtle deviations in a device’s learned behavior that would typically come with a malware compromise.

By detecting the attacks at an early stage, Darktrace gave its customers full visibility over malicious activity occurring on their networks, empowering them to identify affected devices and remove them from their environments. In cases where Darktrace RESPOND was active, it would have been able to take autonomous follow-up action to halt any C2 communication and prevent the download of any additional malicious payloads.  

Credit to Alexandra Sentenac, Cyber Analyst, Trent Kessler, Senior Cyber Analyst, Victoria Baldie, Director of Incident Management

Appendices

Darktrace DETECT Model Coverage

Device / New User Agent and New IP

Device / New User Agent and Suspicious Request Data

Device / New User Agent

Compromise / Possible Tor Usage

Compromise / Uncommon Tor Usage

MITRE ATT&CK Mapping

Tactic - Technique

Command & Control - T1090.003 Multi-hop Proxy

Lateral Movement - T1210 Exploitation of remote services

Exfiltration over C2 Data - T1041 Exfiltration over C2 Channel

Data Obfuscation - T1001 Data Obfuscation

Vulnerability Scanning - T1595.002 Vulnerability Scanning

Non-Standard Port - T1571 Non-Standard Port

Persistence - T1176 Browser Extensions

Initial Access - T1189 Drive By Compromise / T1566.002  Spearphishing Link

Collection - T1185 Man in the browser

List of IoCs

IoC - Type - Description + Confidence

vqdn[.]net - Hostname - C2 Server

mwgq[.]net - Hostname - C2 Server

wak[.]rocks - Hostname - C2 Server

o7car[.]com - Hostname - C2 Server

6t[.]nz - Hostname - C2 Server

fcgz[.]net - Hostname - Possible C2 Server

d0[.]wf - Hostname - C2 Server

e0[.]wf - Hostname - C2 Server

c4z[.]pl - Hostname - C2 Server

5g7[.]at - Hostname - C2 Server

5ap[.]nl - Hostname - C2 Server

4aw[.]ro - Hostname - C2 Server

0j[.]wf - Hostname - C2 Server

f0[.]tel - Hostname - C2 Server

h0[.]pm - Hostname - C2 Server

y0[.]pm - Hostname - C2 Server

5qy[.]ro - Hostname - C2 Server

g3[.]rs - Hostname - C2 Server

5qe8[.]com - Hostname - C2 Server

4j[.]pm - Hostname - C2 Server

m0[.]yt - Hostname - C2 Server

zk4[.]me - Hostname - C2 Server

59.15.11[.]49 - IP address - Likely C2 Server

82.124.243[.]57 - IP address - C2 Server

114.32.120[.]11 - IP address - Likely C2 Server

203.186.28[.]189 - IP address - Likely C2 Server

70.124.238[.]72 - IP address - C2 Server

73.6.9[.]83 - IP address - Likely C2 Server

References

[1] https://redcanary.com/blog/raspberry-robin/  

[2] https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/

[3] https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf

[4] https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/

[5] https://therecord.media/microsoft-ties-novel-raspberry-robin-malware-to-evil-corp-cybercrime-syndicate

[6] https://securityaffairs.com/158969/malware/raspberry-robin-1-day-exploits.html

[7] https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/

[8] https://redmondmag.com/articles/2022/10/28/microsoft-details-threat-actors-leveraging-raspberry-robin-worm.aspx

[9] https://www.bleepingcomputer.com/news/security/raspberry-robin-malware-evolves-with-early-access-to-windows-exploits/

[10] https://www.bleepingcomputer.com/news/security/raspberry-robin-worm-drops-fake-malware-to-confuse-researchers/

[11] https://thehackernews.com/2024/02/raspberry-robin-malware-upgrades-with.html

[12] https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/

[13] https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Alexandra Sentenac
Cyber Analyst

More in this series

No items found.

Blog

/

Network

/

August 8, 2025

Ivanti Under Siege: Investigating the Ivanti Endpoint Manager Mobile Vulnerabilities (CVE-2025-4427 & CVE-2025-4428)

ivanti cve exploitation edge infrastructure Default blog imageDefault blog image

Ivanti & Edge infrastructure exploitation

Edge infrastructure exploitations continue to prevail in today’s cyber threat landscape; therefore, it was no surprise that recent Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2025-4427 and CVE-2025-4428 were exploited targeting organizations in critical sectors such as healthcare, telecommunications, and finance across the globe, including across the Darktrace customer base in May 2025.

Exploiting these types of vulnerabilities remains a popular choice for threat actors seeking to enter an organization’s network to perform malicious activity such as cyber espionage, data exfiltration and ransomware detonation.

Vulnerabilities in Ivanti EPMM

Ivanti EPMM allows organizations to manage and configure enterprise mobile devices. On May 13, 2025, Ivanti published a security advisory [1] for their Ivanti Endpoint Manager Mobile (EPMM) devices addressing a medium and high severity vulnerability:

  • CVE-2025-4427, CVSS: 5.6: An authentication bypass vulnerability
  • CVE-2025-4428, CVSS: 7.2: Remote code execution vulnerability

Successfully exploiting both vulnerabilities at the same time could lead to unauthenticated remote code execution from an unauthenticated threat actor, which could allow them to control, manipulate, and compromise managed devices on a network [2].

Shortly after the disclosure of these vulnerabilities, external researchers uncovered evidence that they were being actively exploited in the wild and identified multiple indicators of compromise (IoCs) related to post-exploitation activities for these vulnerabilities [2] [3]. Research drew particular attention to the infrastructure utilized in ongoing exploitation activity, such as leveraging the two vulnerabilities to eventually deliver malware contained within ELF files from Amazon Web Services (AWS) S3 bucket endpoints and to deliver KrustyLoader malware for persistence. KrustyLoader is a Rust based malware that was discovered being downloaded in compromised Ivanti Connect Secure systems back in January 2024 when the zero-day critical vulnerabilities; CVE-2024-21887 and CVE-2023-46805 [10].

This suggests the involvement of the threat actor UNC5221, a suspected China-nexus espionage actor [3].

In addition to exploring the post-exploit tactics, techniques, and procedures (TTPs) observed for these vulnerabilities across Darktrace’s customer base, this blog will also examine the subtle changes and similarities in the exploitation of earlier Ivanti vulnerabilities—specifically Ivanti Connect Secure (CS) and Policy Secure (PS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 in early 2024, as well as CVE-2025-0282 and CVE-2025-0283, which affected CS, PS, and Zero Trust Access (ZTA) in January 2025.

Darktrace Coverage

In May 2025, shortly after Ivanti disclosed vulnerabilities in their EPMM product, Darktrace’s Threat Research team identified attack patterns potentially linked to the exploitation of these vulnerabilities across multiple customer environments. The most noteworthy attack chain activity observed included exploit validation, payload delivery via AWS S3 bucket endpoints, subsequent delivery of script-based payloads, and connections to dpaste[.]com, possibly for dynamic payload retrieval. In a limited number of cases, connections were also made to an IP address associated with infrastructure linked to SAP NetWeaver vulnerability CVE-2025-31324, which has been investigated by Darktrace in an earlier case.

Exploit Validation

Darktrace observed devices within multiple customer environments making connections related to Out-of-Band Application Security Testing (OAST). These included a range of DNS requests and connections, most of which featured a user agent associated with the command-line tool cURL, directed toward associated endpoints. The hostnames of these endpoints consisted of a string of randomly generated characters followed by an OAST domain, such as 'oast[.]live', 'oast[.]pro', 'oast[.]fun', 'oast[.]site', 'oast[.]online', or 'oast[.]me'. OAST endpoints can be leveraged by malicious actors to trigger callbacks from targeted systems, such as for exploit validation. This activity, likely representing the initial phase of the attack chain observed across multiple environments, was also seen in the early stages of previous investigations into the exploitation of Ivanti vulnerabilities [4]. Darktrace also observed similar exploit validation activity during investigations conducted in January 2024 into the Ivanti CS vulnerabilities CVE-2023-46805 and CVE-2024-21887.

Payload Delivery via AWS

Devices across multiple customer environments were subsequently observed downloading malicious ELF files—often with randomly generated filenames such as 'NVGAoZDmEe'—from AWS S3 bucket endpoints like 's3[.]amazonaws[.]com'. These downloads occurred over HTTP connections, typically using wget or cURL user agents. Some of the ELF files were later identified to be KrustyLoader payloads using open-source intelligence (OSINT). External researchers have reported that the KrustyLoader malware is executed in cases of Ivanti EPMM exploitation to gain and maintain a foothold in target networks [2].

In one customer environment, after connections were made to the endpoint fconnect[.]s3[.]amazonaws[.]com, Darktrace observed the target system downloading the ELF file mnQDqysNrlg via the user agent Wget/1.14 (linux-gnu). Further investigation of the file’s SHA1 hash (1dec9191606f8fc86e4ae4fdf07f09822f8a94f2) linked it to the KrustyLoader malware [5]. In another customer environment, connections were instead made to tnegadge[.]s3[.]amazonaws[.]com using the same user agent, from which the ELF file “/dfuJ8t1uhG” was downloaded. This file was also linked to KrustyLoader through its SHA1 hash (c47abdb1651f9f6d96d34313872e68fb132f39f5) [6].

The pattern of activity observed so far closely mirrors previous exploits associated with the Ivanti vulnerabilities CVE-2023-46805 and CVE-2024-21887 [4]. As in those cases, Darktrace observed exploit validation using OAST domains and services, along with the use of AWS endpoints to deliver ELF file payloads. However, in this instance, the delivered payload was identified as KrustyLoader malware.

Later-stage script file payload delivery

In addition to the ELF file downloads, Darktrace also detected other file downloads across several customer environments, potentially representing the delivery of later-stage payloads.

The downloaded files included script files with the .sh extension, featuring randomly generated alphanumeric filenames. One such example is “4l4md4r.sh”, which was retrieved during a connection to the IP address 15.188.246[.]198 using a cURL-associated user agent. This IP address was also linked to infrastructure associated with the SAP NetWeaver remote code execution vulnerability CVE-2025-31324, which enables remote code execution on NetWeaver Visual Composer. External reporting has attributed this infrastructure to a China-nexus state actor [7][8][9].

In addition to the script file downloads, devices on some customer networks were also observed making connections to pastebin[.]com and dpaste[.]com, two sites commonly used to host or share malicious payloads or exploitation instructions [2]. Exploits, including those targeting Ivanti EPMM vulnerabilities, can dynamically fetch malicious commands from sites like dpaste[.]com, enabling threat actors to update payloads. Unlike the previously detailed activity, this behavior was not identified in any prior Darktrace investigations into Ivanti-related vulnerabilities, suggesting a potential shift in the tactics used in post-exploitation stages of Ivanti attacks.

Conclusion

Edge infrastructure vulnerabilities, such as those found in Ivanti EPMM and investigated across customer environments with Darktrace / NETWORK, have become a key tool in the arsenal of attackers in today’s threat landscape. As highlighted in this investigation, while many of the tactics employed by threat actors following successful exploitation of vulnerabilities remain the same, subtle shifts in their methods can also be seen.

These subtle and often overlooked changes enable threat actors to remain undetected within networks, highlighting the critical need for organizations to maintain continuous extended visibility, leverage anomaly based behavioral analysis, and deploy machine speed intervention across their environments.

Credit to Nahisha Nobregas (Senior Cyber Analyst) and Anna Gilbertson (Senior Cyber Analyst)

Appendices

Mid-High Confidence IoCs

(IoC – Type - Description)

-       trkbucket.s3.amazonaws[.]com – Hostname – C2 endpoint

-       trkbucket.s3.amazonaws[.]com/NVGAoZDmEe – URL – Payload

-       tnegadge.s3.amazonaws[.]com – Hostname – C2 endpoint

-       tnegadge.s3.amazonaws[.]com/dfuJ8t1uhG – URL – Payload

-       c47abdb1651f9f6d96d34313872e68fb132f39f5 - SHA1 File Hash – Payload

-       4abfaeadcd5ab5f2c3acfac6454d1176 - MD5 File Hash - Payload

-       fconnect.s3.amazonaws[.]com – Hostname – C2 endpoint

-       fconnect.s3.amazonaws[.]com/mnQDqysNrlg – URL - Payload

-       15.188.246[.]198 – IP address – C2 endpoint

-       15.188.246[.]198/4l4md4r.sh?grep – URL – Payload

-       185.193.125[.]65 – IP address – C2 endpoint

-       185.193.125[.]65/c4qDsztEW6/TIGHT_UNIVERSITY – URL – C2 endpoint

-       d8d6fe1a268374088fb6a5dc7e5cbb54 – MD5 File Hash – Payload

-       64.52.80[.]21 – IP address – C2 endpoint

-       0d8da2d1.digimg[.]store – Hostname – C2 endpoint

-       134.209.107[.]209 – IP address – C2 endpoint

Darktrace Model Detections

-       Compromise / High Priority Tunnelling to Bin Services (Enhanced Monitoring Model)

-       Compromise / Possible Tunnelling to Bin Services

-       Anomalous Server Activity / New User Agent from Internet Facing System

-       Compliance / Pastebin

-       Device / Internet Facing Device with High Priority Alert

-       Anomalous Connection / Callback on Web Facing Device

-       Anomalous File / Script from Rare External Location

-       Anomalous File / Incoming ELF File

-       Device / Suspicious Domain

-       Device / New User Agent

-       Anomalous Connection / Multiple Connections to New External TCP Port

-       Anomalous Connection / New User Agent to IP Without Hostname

-       Anomalous File / EXE from Rare External Location

-       Anomalous File / Internet Facing System File Download

-       Anomalous File / Multiple EXE from Rare External Locations

-       Compromise / Suspicious HTTP and Anomalous Activity

-       Device / Attack and Recon Tools

-       Device / Initial Attack Chain Activity

-       Device / Large Number of Model Alerts

-       Device / Large Number of Model Alerts from Critical Network Device

References

1.     https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

2.     https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability

3.     https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428

4.     https://www.darktrace.com/blog/the-unknown-unknowns-post-exploitation-activities-of-ivanti-cs-ps-appliances

5.     https://www.virustotal.com/gui/file/ac91c2c777c9e8638ec1628a199e396907fbb7dcf9c430ca712ec64a6f1fcbc9/community

6.     https://www.virustotal.com/gui/file/f3e0147d359f217e2aa0a3060d166f12e68314da84a4ecb5cb205bd711c71998/community

7.     https://www.virustotal.com/gui/ip-address/15.188.246.198

8.     https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures

9.     https://www.darktrace.com/blog/tracking-cve-2025-31324-darktraces-detection-of-sap-netweaver-exploitation-before-and-after-disclosure

10.  https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein.

Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

Continue reading
About the author
Nahisha Nobregas
SOC Analyst

Blog

/

Cloud

/

August 7, 2025

How CDR & Automated Forensics Transform Cloud Incident Response

cloud security investigation guy on computer doing workDefault blog imageDefault blog image

Introduction: Cloud investigations

In cloud security, speed, automation and clarity are everything. However, for many SOC teams, responding to incidents in the cloud is often very difficult especially when attackers move fast, infrastructure is ephemeral, and forensic skills are scarce.

In this blog we will walk through an example that shows exactly how Darktrace Cloud Detection and Response (CDR) and automated cloud forensics together, solve these challenges, automating cloud detection, and deep forensic investigation in a way that’s fast, scalable, and deeply insightful.

The Problem: Cloud incidents are hard to investigate

Security teams often face three major hurdles when investigating cloud detections:

Lack of forensic expertise: Most SOCs and security teams aren’t natively staffed with forensics specialists.

Ephemeral infrastructure: Cloud assets spin up and down quickly, leaving little time to capture evidence.

Lack of existing automation: Gathering forensic-level data often requires manual effort and leaves teams scrambling around during incidents — accessing logs, snapshots, and system states before they disappear. This process is slow and often blocked by permissions, tooling gaps, or lack of visibility.

How Darktrace augments cloud investigations

1. Darktrace’s CDR finds anomalous activity in the cloud

An alert is generated for a large outbound data transfer from an externally facing EC2 instance to a rare external endpoint. It’s anomalous, unexpected, and potentially serious.

2. AI-led investigation stitches together the incident for a SOC analyst to look into

When a security incident unfolds, Darktrace’s Cyber AI Analyst TM is the first to surface it, automatically correlating behaviors, surfacing anomalies, and presenting a cohesive incident summary. It’s fast, detailed, and invaluable.

Once the incident is created, more questions are raised.

  • How were the impacted resources compromised?
  • How did the attack unfold over time – what tools and malware were used?
  • What data was accessed and exfiltrated?

What you’ll see as a SOC analyst: The incident begins in Darktrace’s Threat Visualizer, where a Cyber AI Analyst incident has been generated automatically highlighting large anomalous data transfer to a suspicious external IP. This isn’t just another alert, it’s a high-fidelity signal backed by Darktrace’s Self-Learning AI.

Cyber AI Analyst incident created for anomalous outbound data transfer
Figure 1: Cyber AI Analyst incident created for anomalous outbound data transfer

The analyst can then immediately pivot to Darktrace / CLOUD’s architecture view (see below), gaining context on the asset’s environment, ingress/egress points, connected systems, potential attack paths and whether there are any current misconfigurations detected on the asset.

Darktrace / CLOUD architecture view providing critical cloud context
Figure 2: Darktrace / CLOUD architecture view providing critical cloud context

3. Automated forensic capture — No expertise required

Then comes the game-changer, Darktrace’s recent acquisition of Cado enhances its cloud forensics capabilities. From the first alert triggered, Darktrace has already kicked in and automatically processed and analyzed a full volume capture of the EC2. Everything, past and present, is preserved. No need for manual snapshots, CLI commands, or specialist intervention.

Darktrace then provides a clear timeline highlighting the evidence and preserving it. In our example we identify:

  • A brute-force attempt on a file management app, followed by a successful login
  • A reverse shell used to gain unauthorized remote access to the EC2
  • A reverse TCP connection to the same suspicious IP flagged by Darktrace
  • Attacker commands showing how the data was split and prepared for exfiltration
  • A file (a.tar) created from two sensitive archives: product_plans.zip and research_data.zip

All of this is surfaced through the timeline view, ranked by significance using machine learning. The analyst can pivot through time, correlate events, and build a complete picture of the attack — without needing cloud forensics expertise.

Darktrace even gives the ability to:

  • Download and inspect gathered files in full detail, enabling teams to verify exactly what data was accessed or exfiltrated.
  • Interact with the file system as if it were live, allowing investigators to explore directories, uncover hidden artifacts, and understand attacker movement with precision.
Figure 3 Cado critical forensic investigation automated insights
Figure 3: Cado critical forensic investigation automated insights
Figure 4: Cado forensic file analysis of reverse shell and download option
Figure 5: a.tar created from two sensitive archives: product_plans.zip and research_data.zip
Figure 6: Traverse the full file system of the asset

Why this matters?

This workflow solves the hardest parts of cloud investigation:

  1. Capturing evidence before it disappears
  2. Understanding attacker behavior in detail - automatically
  3. Linking detections to impact with full incident visibility

This kind of insight is invaluable for organizations especially regulated industries, where knowing exactly what data was affected is critical for compliance and reporting. It’s also a powerful tool for detecting insider threats, not just external attackers.

Darktrace / CLOUD and Cado together acts as a force multiplier helping with:

  • Reducing investigation time from hours to minutes
  • Preserving ephemeral evidence automatically
  • Empowering analysts with forensic-level visibility

Cloud threats aren’t slowing down. Your response shouldn’t either. Darktrace / CLOUD + Cado gives your SOC the tools to detect, contain, and investigate cloud incidents — automatically, accurately, and at scale.

[related-resource]

Continue reading
About the author
Adam Stevens
Director of Product, Cloud Security
Your data. Our AI.
Elevate your network security with Darktrace AI