Blog
/
Network
/
May 23, 2023

Darktrace’s Detection of a Hive Ransomware-as-Service

This blog investigates a new strain of ransomware, Hive, a ransomware-as-a-service. Darktrace was able to provide full visibility over the attacks.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Emily Megan Lim
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
23
May 2023

Update: On January 26, 2023, the Hive ransomware group was dismantled and servers associated with the sale of the ransomware were taken offline following an investigation by the FBI, German law enforcement and the National Crime Agency (NCA). The activity detailed in this blog took place in 2022, whilst the group was still active.

RaaS in Cyber Security

The threat of ransomware continues to be a constant concern for security teams across the cyber threat landscape. With the growing popularity of Ransomware-as-a-Service (RaaS), it is becoming more and more accessible for even inexperienced would-be attackers. As a result of this low barrier to entry, the volume of ransomware attacks is expected to increase significantly.

What’s more, RaaS is a highly tailorable market in which buyers can choose from varied kits and features to use in their ransomware deployments meaning attacks will rarely behave the same. To effectively detect and safeguard against these differentiations, it is crucial to implement security measures that put the emphasis on detecting anomalies and focusing on deviations in expected behavior, rather than relying on depreciated indicators of compromise (IoC) lists or playbooks that focus on attack chains unable to keep pace with the increasing speed of ransomware evolution.

In early 2022, Darktrace DETECT/Network™ identified several instances of Hive ransomware on the networks of multiple customers. Using its anomaly-based detection, Darktrace was able to successfully detect the attacks and multiple stages of the kill chain, including command and control (C2) activity, lateral movement, data exfiltration, and ultimately data encryption and the writing of ransom notes.

Hive Ransomware 

Hive ransomware is a relatively new strain that was first observed in the wild in June 2021. It is known to target a variety of industries including healthcare, energy providers, and retailers, and has reportedly attacked over 1,500 organizations, collecting more than USD 100m in ransom payments [1].

Hive is distributed via a RaaS model where its developers update and maintain the code, in return for a percentage of the eventual ransom payment, while users (or affiliates) are given the tools to carry out attacks using a highly sophisticated and complex malware they would otherwise be unable to use. Hive uses typical tactics, techniques and procedures (TTPs) associated with ransomware, though they do vary depending on the Hive affiliate carrying out the attack.

In most cases a double extortion attack is carried out, whereby data is first exfiltrated and then encrypted before a ransom demand is made. This gives attackers extra leverage as victims are at risk of having their sensitive data leaked to the public on websites such as the ‘HiveLeaks’ TOR website.

Attack Timeline

Owing to the highly customizable nature of RaaS, the tactics and methods employed by Hive actors are expected to differ on a case-by-case basis. Nonetheless in the majority of Hive ransomware incidents identified on Darktrace customer environments, Darktrace DETECT observed the following general attack stages and features. This is possibly indicative of the attacks originating from the same threat actor(s) or from a widely sold batch with a particular configuration to a variety of actors.

Figure 1: A typical timeline of a Hive attack observed by Darktrace.

Initial Access 

Although Hive actors are known to gain initial access to networks through multiple different vectors, the two primary methods reported by security researchers are the exploitation of Microsoft Exchange vulnerabilities, or the distribution of phishing emails with malicious attachments [2][3].

In the early stages of one Hive ransomware attack observed on the network of a Darktrace customer, for example, Darktrace detected a device connecting to the rare external location 23.81.246[.]84, with a PowerShell user agent via HTTP. During this connection, the device attempted to download an executable file named “file.exe”. It is possible that the file was initially accessed and delivered via a phishing email; however, as Darktrace/Email was not enabled at the time of the attack, this was outside of Darktrace’s purview. Fortunately, the connection failed the proxy authentication was thus blocked as seen in the packet capture (PCAP) in Figure 2. 

Shortly after this attempted download, the same device started to receive a high volume of incoming SSL connections from a rare external endpoint, namely 146.70.87[.]132. Darktrace logged that this endpoint was using an SSL certificate signed by Go Daddy CA, an easily obtainable and accessible SSL certificate, and that the increase in incoming SSL connections from this endpoint was unusual behavior for this device. 

It is likely that this highly anomalous activity detected by Darktrace indicates when the ransomware attack began, likely initial payload download.  

Darktrace DETECT models:

  • Anomalous Connection / Powershell to Rare External
  • Anomalous Server Activity / New Internet Facing System
Figure 2: PCAP of the HTTP connection to the rare endpoint 23.81.246[.]84 showing the failed proxy authentication.

C2 Beaconing 

Following the successful initial access, Hive actors begin to establish their C2 infrastructure on infected networks through numerous connections to C2 servers, and the download of additional stagers. 

On customer networks infected by Hive ransomware, Darktrace identified devices initiating a high volume of connections to multiple rare endpoints. This very likely represented C2 beaconing to the attacker’s infrastructure. In one particular example, further open-source intelligence (OSINT) investigation revealed that these endpoints were associated with Cobalt Strike.

Darktrace DETECT models:

  • Anomalous Connection / Multiple Connections to New External TCP
  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Compromise / High Volume of Connections with Beacon Score
  • Compromise / Sustained SSL or HTTP Increase
  • Compromise / Suspicious HTTP Beacons to Dotted Quad 
  • Compromise / SSL or HTTP Beacon
  • Device / Lateral Movement and C2 Activity

Internal Reconnaissance, Lateral Movement and Privilege Escalation

After C2 infrastructure has been established, Hive actors typically begin to uninstall antivirus products in an attempt to remain undetected on the network [3]. They also perform internal reconnaissance to look for vulnerabilities and open channels and attempt to move laterally throughout the network.

Amid the C2 connections, Darktrace was able to detect network scanning activity associated with the attack when a device on one customer network was observed initiating an unusually high volume of connections to other internal devices. A critical network device was also seen writing an executable file “mimikatz.exe” via SMB which appears to be the Mimikatz attack tool commonly used for credential harvesting. 

There were also several detections of lateral movement attempts via RDP and DCE-RPC where the attackers successfully authenticated using an “Administrator” credential. In one instance, a device was also observed performing ITaskScheduler activity. This service is used to remotely control tasks running on machines and is commonly observed as part of malicious lateral movement activity. Darktrace DETECT understood that the above activity represented a deviation from the devices’ normal pattern of behavior and the following models were breached:

Darktrace DETECT models:

  • Anomalous Connection / Anomalous DRSGetNCChanges Operation
  • Anomalous Connection / New or Uncommon Service Control
  • Anomalous Connection / Unusual Admin RDP Session
  • Anomalous Connection / Unusual SMB Version 1 Connectivity
  • Compliance / SMB Drive Write
  • Device / Anomalous ITaskScheduler Activity
  • Device / Attack and Recon Tools
  • Device / Attack and Recon Tools In SMB
  • Device / EXE Files Distributed to Multiple Devices
  • Device / Suspicious Network Scan Activity
  • Device / Increase in New RPC Services
  • User / New Admin Credentials on Server

Data Exfiltration

At this stage of the attack, Hive actors have been known to carry out data exfiltration activity on infected networks using a variety of different methods. The Cybersecurity & Infrastructure Security Agency (CISA) reported that “Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega[.]nz” [4]. Darktrace DETECT identified an example of this when a device on one customer network was observed making HTTP connections to endpoints related to Mega, including “w.apa.mega.co[.]nz”, with the user agent “rclone/v1.57.0” with at least 3 GiB of data being transferred externally (Figure 3). The same device was also observed transferring at least 3.6 GiB of data via SSL to the rare external IP, 158.51.85[.]157.

Figure 3: A summary of a device’s external connections to multiple endpoints and the respective amounts of data exfiltrated to Mega storage endpoints.

In another case, a device was observed uploading over 16 GiB of data to a rare external endpoint 93.115.27[.]71 over SSH. The endpoint in question was seen in earlier beaconing activity suggesting that this was likely an exfiltration event. 

However, Hive ransomware, like any other RaaS kit, can differ greatly in its techniques and features, and it is important to note that data exfiltration may not always be present in a Hive ransomware attack. In one incident detected by Darktrace, there were no signs of any data leaving the customer environment, indicating data exfiltration was not part of the Hive actor’s objectives.

Darktrace DETECT models:

  • Anomalous Connection / Data Sent to Rare Domain
  • Anomalous Connection / Lots of New Connections
  • Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
  • Anomalous Connection / Suspicious Self-Signed SSL
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Device / New User Agent and New IP
  • Unusual Activity / Unusual External Data to New Endpoints
  • Unusual Activity / Unusual External Data Transfer
  • Unusual Activity / Enhanced Unusual External Data Transfer

Ransomware Deployment

In the final stage of a typical Hive ransomware attack, the ransomware payload is deployed and begins to encrypt files on infected devices. On one customer network, Darktrace detected several devices connecting to domain controllers (DC) to read a file named “xxx.exe”. Several sources have linked this file name with the Hive ransomware payload [5].

In another example, Darktrace DETECT observed multiple devices downloading the executable files “nua64.exe” and “nua64.dll” from a rare external location, 194.156.90[.]25. OSINT investigation revealed that the files are associated with Hive ransomware.

Figure 4: Security vendor analysis of the malicious file hash [6] associated with Hive ransomware. 

Shortly after the download of this executable, multiple devices were observed performing an unusual amount of file encryption, appending randomly generated strings of characters to file extensions. 

Although it has been reported that earlier versions of Hive ransomware encrypted files with a “.hive” extension [7], Darktrace observed across multiple customers that encrypted files had extensions that were partially-randomized, but consistently 20 characters long, matching the regular expression “[a-zA-Z0-9\-\_]{8}[\-\_]{1}[A-Za-z0-9\-\_]{11}”.

Figure 5: Device Event Log showing SMB reads and writes of encrypted files with a randomly generated extension of 20 characters. 

Following the successful encryption of files, Hive proceeds to drop a ransom note, named “HOW_TO_DECRYPT.txt”, into each affected directory. Typically, the ransom note will contain a link to Hive’s “sales department” and, in the event that exfiltration took place, a link to the “HiveLeaks” site, where attackers threaten to publish exfiltrated data if their demands are not met (Figure 6).  In cases of Hive ransomware detected by Darktrace, multiple devices were observed attempting to contact “HiveLeaks” TOR domains, suggesting that endpoint users had followed links provided to them in ransom notes.

Figure 6: Sample of a Hive ransom note [4].

Examples of file extensions:

  • 36C-AT9-_wm82GvBoCPC
  • 36C-AT9--y6Z1G-RFHDT
  • 36C-AT9-_x2x7FctFJ_q
  • 36C-AT9-_zK16HRC3QiL
  • 8KAIgoDP-wkQ5gnYGhrd
  • kPemi_iF_11GRoa9vb29
  • kPemi_iF_0RERIS1m7x8
  • kPemi_iF_7u7e5zp6enp
  • kPemi_iF_y4u7pB3d3f3
  • U-9Xb0-k__T0U9NJPz-_
  • U-9Xb0-k_6SkA8Njo5pa
  • zm4RoSR1_5HMd_r4a5a9 

Darktrace DETECT models:

  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Sustained MIME Type Conversion
  • Anomalous Connection / Unusual Admin SMB Session
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compliance / SMB Drive Write
  • Compromise / Ransomware / Suspicious SMB Activity
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Compromise / Ransomware / Possible Ransom Note Write
  • Compromise / High Priority Tor2Web
  • Compromise / Tor2Web
  • Device / EXE Files Distributed to Multiple Devices

Conclusion

As Hive ransomware attacks are carried out by different affiliates using varying deployment kits, the tactics employed tend to vary and new IoCs are regularly identified. Furthermore, in 2022 a new variant of Hive was written using the Rust programming language. This represented a major upgrade to Hive, improving its defense evasion techniques and making it even harder to detect [8]. 

Hive is just one of many RaaS offerings currently on the market, and this market is only expected to grow in usage and diversity of presentations.  As ransomware becomes more accessible and easier to deploy it is essential for organizations to adopt efficient security measures to identify ransomware at the earliest possible stage. 

Darktrace DETECT’s Self-Learning AI understands customer networks and learns the expected patterns of behavior across an organization’s digital estate. Using its anomaly-based detection Darktrace is able to identify emerging threats through the detection of unusual or unexpected behavior, without relying on rules and signatures, or known IoCs. 

Credit to: Emily Megan Lim, Cyber Analyst, Hyeongyung Yeom, Senior Cyber Analyst & Analyst Team Lead.

Appendices

MITRE AT&CK Mapping

Reconnaissance

T1595.001 – Scanning IP Blocks

T1595.002 – Vulnerability Scanning

Resource Development

T1583.006 – Web Services

Initial Access

T1078 – Valid Accounts

T1190 – Exploit Public-Facing Application

T1200 – Hardware Additions

Execution

T1053.005 – Scheduled Task

T1059.001 – PowerShell

Persistence/Privilege Escalation

T1053.005 – Scheduled Task

T1078 – Valid Accounts

Defense Evasion

T1078 – Valid Accounts

T1207 – Rogue Domain Controller

T1550.002 – Pass the Hash

Discovery

T1018 – Remote System Discovery

T1046 – Network Service Discovery

T1083 – File and Directory Discovery

T1135 – Network Share Discovery

Lateral Movement

T1021.001 – Remote Desktop Protocol

T1021.002 – SMB/Windows Admin Shares

T1021.003 – Distributed Component Object Model

T1080 – Taint Shared Content

T1210 – Exploitation of Remote Services

T1550.002 – Pass the Hash

T1570 – Lateral Tool Transfer

Collection

T1185 – Man in the Browser

Command and Control

T1001 – Data Obfuscation

T1071 – Application Layer Protocol

T1071.001 – Web Protocols

T1090.003 – Multi-hop proxy

T1095 – Non-Application Layer Protocol

T1102.003 – One-Way Communication

T1571 – Non-Standard Port

Exfiltration

T1041 – Exfiltration Over C2 Channel

T1567.002 – Exfiltration to Cloud Storage

Impact

T1486 – Data Encrypted for Impact

T1489 – Service Stop

List of IoCs 

23.81.246[.]84 - IP Address - Likely Malicious File Download Endpoint

146.70.87[.]132 - IP Address - Possible Ransomware Endpoint

5.199.162[.]220 - IP Address - C2 Endpoint

23.227.178[.]65 - IP Address - C2 Endpoint

46.166.161[.]68 - IP Address - C2 Endpoint

46.166.161[.]93 - IP Address - C2 Endpoint

93.115.25[.]139 - IP Address - C2 Endpoint

185.150.1117[.]189 - IP Address - C2 Endpoint

192.53.123[.]202 - IP Address - C2 Endpoint

209.133.223[.]164 - IP Address - Likely C2 Endpoint

cltrixworkspace1[.]com - Domain - C2 Endpoint

vpnupdaters[.]com - Domain - C2 Endpoint

93.115.27[.]71 - IP Address - Possible Exfiltration Endpoint

158.51.85[.]157 - IP Address - Possible Exfiltration Endpoint

w.api.mega.co[.]nz - Domain - Possible Exfiltration Endpoint

*.userstorage.mega.co[.]nz - Domain - Possible Exfiltration Endpoint

741cc67d2e75b6048e96db9d9e2e78bb9a327e87 - SHA1 Hash - Hive Ransomware File

2f9da37641b204ef2645661df9f075005e2295a5 - SHA1 Hash - Likely Hive Ransomware File

hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd[.]onion - TOR Domain - Likely Hive Endpoint

References

[1] https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant

[2] https://www.varonis.com/blog/hive-ransomware-analysis

[3] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive 

[4]https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a

[5] https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html

[6] https://www.virustotal.com/gui/file/60f6a63e366e6729e97949622abd9de6d7988bba66f85a4ac8a52f99d3cb4764/detection

[7] https://heimdalsecurity.com/blog/what-is-hive-ransomware/

[8] https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/ 

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Emily Megan Lim
Cyber Analyst

More in this series

No items found.

Blog

/

Compliance

/

June 9, 2025

Modernising UK Cyber Regulation: Implications of the Cyber Security and Resilience Bill

Two individuals sitting at a desk working on a documentDefault blog imageDefault blog image

The need for security and continued cyber resilience

The UK government has made national security a key priority, and the new Cyber Security and Resilience Bill (CSRB) is a direct reflection of that focus. In introducing the Bill, Secretary of State for Science, Innovation and Technology, Peter Kyle, recognised that the UK is “desperately exposed” to cyber threats—from criminal groups to hostile nation-states that are increasingly targeting the UK's digital systems and critical infrastructure[1].

Context and timeline for the new legislation

First announced during the King’s Speech of July 2024, and elaborated in a Department for Science, Innovation and Technology (DSIT) policy statement published in April 2025, the CSRB is expected to be introduced in Parliament during the 2025-26 legislative session.

For now, organisations in the UK remain subject to the 2018 Network and Information Systems (NIS) Regulations – an EU-derived law which was drafted before today’s increasing digitisation of critical services, rise in cloud adoption and emergence of AI-powered threats.

Why modernisation is critical

Without modernisation, the Government believes UK’s infrastructure and economy risks falling behind international peers. The EU, which revised its cybersecurity regulation under the NIS2 Directive, already imposes stricter requirements on a broader set of sectors.

The urgency of the Bill is also underscored by recent high-impact incidents, including the Synnovis attack which targeted the National Health Service (NHS) suppliers and disrupted thousands of patient appointments and procedures[2]. The Government has argued that such events highlight a systemic failure to keep pace with a rapidly evolving threat landscape[3].

What the Bill aims to achieve

This Bill represents a decisive shift. According to the Government, it will modernise and future‑proof the UK’s cyber laws, extending oversight to areas where risk has grown but regulation has not kept pace[4]. While the legislation builds on previous consultations and draws lessons from international frameworks like the EU’s NIS2 directive, it also aims to tailor solutions to the UK’s unique threat environment.

Importantly, the Government is framing cybersecurity not as a barrier to growth, but as a foundation for it. The policy statement emphasises that strong digital resilience will create the stability businesses need to thrive, innovate, and invest[5]. Therefore, the goals of the Bill will not only be to enhance security but also act as an enabler to innovation and economic growth.

Recognition that AI changes cyber threats

The CSRB policy statement recognises that AI is fundamentally reshaping the threat landscape, with adversaries now leveraging AI and commercial cyber tools to exploit vulnerabilities in critical infrastructure and supply chains. Indeed, the NCSC has recently assessed that AI will almost certainly lead to “an increase in the frequency and intensity of cyber threats”[6]. Accordingly, the policy statement insists that the UK’s regulatory framework “must keep pace and provide flexibility to respond to future threats as and when they emerge”[7].

To address the threat, the Bill signals new obligations for MSPs and data centres, timely incident reporting and dynamic guidance that can be refreshed without fresh primary legislation, making it essential for firms to follow best practices.

What might change in day-to-day practice?

New organisations in scope of regulation

Under the existing Network and Information Systems (NIS) Regulations[8], the UK already supervises operators in five critical sectors—energy, transport, drinking water, health (Operators of Essential Services, OES) and digital infrastructure (Relevant Digital Service Providers, RDSPs).

The Cyber Security and Resilience Bill retains this foundation and adds Managed Service Providers (MSPs) and data centres to the scope of regulation to “better recognise the increasing reliance on digital services and the vulnerabilities posed by supply chains”[9]. It also grants the Secretary of State for Science, Innovation and Technology the power to add new sectors or sub‑sectors via secondary legislation, following consultation with Parliament and industry.

Managed service providers (MSPs)

MSPs occupy a central position within the UK’s enterprise information‑technology infrastructure. Because they remotely run or monitor clients’ systems, networks and data, they hold privileged, often continuous access to multiple environments. This foothold makes them an attractive target for malicious actors.

The Bill aims to bring MSPs in scope of regulation by making them subject to the same duties as those placed on firms that provide digital services under the 2018 NIS Regulations. By doing so, the Bill seeks to raise baseline security across thousands of customer environments and to provide regulators with better visibility of supply‑chain risk.

The proposed definition for MSPs is a service which:

  1. Is provided to another organisation
  2. Relies on the use of network and information systems to deliver the service
  3. Relates to ongoing management support, active administration and/or monitoring of AI systems, IT infrastructure, applications, and/or IT networks, including for the purpose of activities relating to cyber security.
  4. Involves a network connection and/or access to the customer’s network and information systems.

Data centres

Building on the September 2024 designation of data centres as critical national infrastructure, the CSRB will fold data infrastructure into the NIS-style regime by naming it an “relevant sector" and data centres as “essential service”[10].

About 182 colocation facilities run by 64 operators will therefore come under statutory duties to notify the regulator, maintain proportionate CAF-aligned controls and report significant incidents, regardless of who owns them or what workloads they host.

New requirements for regulated organisations

Incident reporting processes

There could be stricter timelines or broader definitions of what counts as a reportable incident. This might nudge organisations to formalise detection, triage, and escalation procedures.

The Government is proposing to introduce a new two-stage incident reporting process. This would include an initial notification which would be submitted within 24 hours of becoming aware of a significant incident, followed by a full incident report which should be submitted within 72 hours of the same.

Supply chain assurance requirements

Supply chains for the UK's most critical services are becoming increasingly complex and present new and serious vulnerabilities for cyber-attacks. The recent Synnovis ransomware attacks on the NHS[11] exemplify the danger posed by attacks against the supply chains of important services and organisations. This is concerning when reflecting on the latest Cyber Security Breaches survey conducted by DSIT, which highlights that fewer than 25% of large businesses review their supply chain risks[12].

Despite these risks, the UK’s legacy cybersecurity regulatory regime does not explicitly cover supply chain risk management. The UK instead relies on supporting and non-statutory guidance to close this gap, such as the NCSC’s Cyber Assessment Framework (CAF)[13].

The CSRB policy statement acts on this regulatory shortcoming and recognises that “a single supplier’s disruption can have far-reaching impacts on the delivery of essential or digital services”[14].

To address this, the Bill would make in-scope organisations (OES and RDPS) directly accountable for the cybersecurity of their supply chains. Secondary legislation would spell out these duties in detail, ensuring that OES and RDSPs systematically assess and mitigate third-party cyber risks.

Updated and strengthened security requirements

By placing the CAF into a firmer footing and backing it with a statutory Code of Practice, the Government is setting clearer expectations about government expectations on technical standards and methods organisations will need to follow to prove their resilience.

How Darktrace can help support affected organizations

Demonstrate resilience

Darktrace’s Self-Learning AITM continuously monitors your digital estate across cloud, network, OT, email, and endpoint to detect, investigate, and autonomously respond to emerging threats in real time. This persistent visibility and defense posture helps organizations demonstrate cyber resilience to regulators with confidence.

Streamline incident reporting and compliance

Darktrace surfaces clear alerts and automated investigation reports, complete with timeline views and root cause analysis. These insights reduce the time and complexity of regulatory incident reporting and support internal compliance workflows with auditable, AI-generated evidence.

Improve supply chain visibility

With full visibility across connected systems and third-party activity, Darktrace detects early indicators of lateral movement, account compromise, and unusual behavior stemming from vendor or partner access, reducing the risk of supply chain-originated cyber-attacks.

Ensure MSPs can meet new standards

For managed service providers, Darktrace offers native multi-tenant support and autonomous threat response that can be embedded directly into customer environments. This ensures consistent, scalable security standards across clients—helping MSPs address increasing regulatory obligations.

[related-resource]

References

[1] https://www.theguardian.com/uk-news/article/2024/jul/29/uk-desperately-exposed-to-cyber-threats-and-pandemics-says-minister

[2] https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

[3] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[4] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[5] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[6] https://www.ncsc.gov.uk/report/impact-ai-cyber-threat-now-2027

[7] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[8] https://www.gov.uk/government/collections/nis-directive-and-nis-regulations-2018

[9] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[10] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

[11] https://www.england.nhs.uk/2024/06/synnovis-cyber-attack-statement-from-nhs-england/

[12] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025

[13] https://www.ncsc.gov.uk/collection/cyber-assessment-framework

[14] https://www.gov.uk/government/publications/cyber-security-and-resilience-bill-policy-statement/cyber-security-and-resilience-bill-policy-statement

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

June 5, 2025

Unpacking ClickFix: Darktrace’s detection of a prolific social engineering tactic

Woman on laptop in office buildingDefault blog imageDefault blog image

What is ClickFix and how does it work?

Amid heightened security awareness, threat actors continue to seek stealthy methods to infiltrate target networks, often finding the human end user to be the most vulnerable and easily exploited entry point.

ClickFix baiting is an exploitation of the end user, making use of social engineering techniques masquerading as error messages or routine verification processes, that can result in malicious code execution.

Since March 2024, the simplicity of this technique has drawn attention from a range of threat actors, from individual cybercriminals to Advanced Persistent Threat (APT) groups such as APT28 and MuddyWater, linked to Russia and Iran respectively, introducing security threats on a broader scale [1]. ClickFix campaigns have been observed affecting organizations in across multiple industries, including healthcare, hospitality, automotive and government [2][3].

Actors carrying out these targeted attacks typically utilize similar techniques, tools and procedures (TTPs) to gain initial access. These include spear phishing attacks, drive-by compromises, or exploiting trust in familiar online platforms, such as GitHub, to deliver malicious payloads [2][3]. Often, a hidden link within an email or malvertisements on compromised legitimate websites redirect the end user to a malicious URL [4]. These take the form of ‘Fix It’ or fake CAPTCHA prompts [4].

From there, users are misled into believing they are completing a human verification step, registering a device, or fixing a non-existent issue such as a webpage display error. As a result, they are guided through a three-step process that ultimately enables the execution of malicious PowerShell commands:

  1. Open a Windows Run dialog box [press Windows Key + R]
  2. Automatically or manually copy and paste a malicious PowerShell command into the terminal [press CTRL+V]
  3. And run the prompt [press ‘Enter’] [2]

Once the malicious PowerShell command is executed, threat actors then establish command and control (C2) communication within the targeted environment before moving laterally through the network with the intent of obtaining and stealing sensitive data [4]. Malicious payloads associated with various malware families, such as XWorm, Lumma, and AsyncRAT, are often deployed [2][3].

Attack timeline of ClickFix cyber attack

Based on investigations conducted by Darktrace’s Threat Research team in early 2025, this blog highlights Darktrace’s capability to detect ClickFix baiting activity following initial access.

Darktrace’s coverage of a ClickFix attack chain

Darktrace identified multiple ClickFix attacks across customer environments in both Europe, the Middle East, and Africa (EMEA) and the United States. The following incident details a specific attack on a customer network that occurred on April 9, 2025.

Although the initial access phase of this specific attack occurred outside Darktrace’s visibility, other affected networks showed compromise beginning with phishing emails or fake CAPTCHA prompts that led users to execute malicious PowerShell commands.

Darktrace’s visibility into the compromise began when the threat actor initiated external communication with their C2 infrastructure, with Darktrace / NETWORK detecting the use of a new PowerShell user agent, indicating an attempt at remote code execution.

Darktrace / NETWORK's detection of a device making an HTTP connection with new PowerShell user agent, indicating PowerShell abuse for C2 communications.
Figure 1: Darktrace / NETWORK's detection of a device making an HTTP connection with new PowerShell user agent, indicating PowerShell abuse for C2 communications.

Download of Malicious Files for Lateral Movement

A few minutes later, the compromised device was observed downloading a numerically named file. Numeric files like this are often intentionally nondescript and associated with malware. In this case, the file name adhered to a specific pattern, matching the regular expression: /174(\d){7}/. Further investigation into the file revealed that it contained additional malicious code designed to further exploit remote services and gather device information.

Darktrace / NETWORK's detection of a numeric file, one minute after the new PowerShell User Agent alert.
Figure 2: Darktrace / NETWORK's detection of a numeric file, one minute after the new PowerShell User Agent alert.

The file contained a script that sent system information to a specified IP address using an HTTP POST request, which also processed the response. This process was verified through packet capture (PCAP) analysis conducted by the Darktrace Threat Research team.

By analyzing the body content of the HTTP GET request, it was observed that the command converts the current time to Unix epoch time format (i.e., 9 April 2025 13:26:40 GMT), resulting in an additional numeric file observed in the URI: /1744205200.

PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.
Figure 3: PCAP highlighting the HTTP GET request that sends information to the specific IP, 193.36.38[.]237, which then generates another numeric file titled per the current time.

Across Darktrace’s investigations into other customers' affected by ClickFix campaigns, both internal information discovery events and further execution of malicious code were observed.

Data Exfiltration

By following the HTTP stream in the same PCAP, the Darktrace Threat Research Team assessed the activity as indicative of data exfiltration involving system and device information to the same command-and-control (C2) endpoint, , 193.36.38[.]237. This endpoint was flagged as malicious by multiple open-source intelligence (OSINT) vendors [5].

PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.
Figure 4: PCAP highlighting HTTP POST connection with the numeric file per the URI /1744205200 that indicates data exfiltration to 193.36.38[.]237.

Further analysis of Darktrace’s Advanced Search logs showed that the attacker’s malicious code scanned for internal system information, which was then sent to a C2 server via an HTTP POST request, indicating data exfiltration

Advanced Search further highlights Darktrace's observation of the HTTP POST request, with the second numeric file representing data exfiltration.
Figure 5: Advanced Search further highlights Darktrace's observation of the HTTP POST request, with the second numeric file representing data exfiltration.

Actions on objectives

Around ten minutes after the initial C2 communications, the compromised device was observed connecting to an additional rare endpoint, 188.34.195[.]44. Further analysis of this endpoint confirmed its association with ClickFix campaigns, with several OSINT vendors linking it to previously reported attacks [6].

In the final HTTP POST request made by the device, Darktrace detected a file at the URI /init1234 in the connection logs to the malicious endpoint 188.34.195[.]44, likely depicting the successful completion of the attack’s objective, automated data egress to a ClickFix C2 server.

Darktrace / NETWORK grouped together the observed indicators of compromise (IoCs) on the compromised device and triggered an Enhanced Monitoring model alert, a high-priority detection model designed to identify activity indicative of the early stages of an attack. These models are monitored and triaged 24/7 by Darktrace’s Security Operations Center (SOC) as part of the Managed Threat Detection service, ensuring customers are promptly notified of malicious activity as soon as it emerges.

Darktrace correlated the separate malicious connections that pertained to a single campaign.
Figure 6: Darktrace correlated the separate malicious connections that pertained to a single campaign.

Darktrace Autonomous Response

In the incident outlined above, Darktrace was not configured in Autonomous Response mode. As a result, while actions to block specific connections were suggested, they had to be manually implemented by the customer’s security team. Due to the speed of the attack, this need for manual intervention allowed the threat to escalate without interruption.

However, in a different example, Autonomous Response was fully enabled, allowing Darktrace to immediately block connections to the malicious endpoint (138.199.156[.]22) just one second after the initial connection in which a numerically named file was downloaded [7].

Darktrace Autonomous Response blocked connections to a suspicious endpoint following the observation of the numeric file download.
Figure 7: Darktrace Autonomous Response blocked connections to a suspicious endpoint following the observation of the numeric file download.

This customer was also subscribed to our Managed Detection and Response service, Darktrace’s SOC extended a ‘Quarantine Device’ action that had already been autonomously applied in order to buy their security team additional time for remediation.

Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.
Figure 8: Autonomous Response blocked connections to malicious endpoints, including 138.199.156[.]22, 185.250.151[.]155, and rkuagqnmnypetvf[.]top, and also quarantined the affected device. These actions were later manually reinforced by the Darktrace SOC.

Conclusion

ClickFix baiting is a widely used tactic in which threat actors exploit human error to bypass security defenses. By tricking end point users into performing seemingly harmless, everyday actions, attackers gain initial access to systems where they can access and exfiltrate sensitive data.

Darktrace’s anomaly-based approach to threat detection identifies early indicators of targeted attacks without relying on prior knowledge or IoCs. By continuously learning each device’s unique pattern of life, Darktrace detects subtle deviations that may signal a compromise. In this case, Darktrace's Autonomous Response, when operating in a fully autonomous mode, was able to swiftly contain the threat before it could progress further along the attack lifecycle.

Credit to Keanna Grelicha (Cyber Analyst) and Jennifer Beckett (Cyber Analyst)

Appendices

NETWORK Models

  • Device / New PowerShell User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Anomalous Connection / Powershell to Rare External
  • Device / Suspicious Domain
  • Device / New User Agent and New IP
  • Anomalous File / New User Agent Followed By Numeric File Download (Enhanced Monitoring Model)
  • Device / Initial Attack Chain Activity (Enhanced Monitoring Model)

Autonomous Response Models

  • Antigena / Network::Significant Anomaly::Antigena Significant Anomaly from Client Block
  • Antigena / Network::Significant Anomaly::Antigena Enhanced Monitoring from Client Block
  • Antigena / Network::External Threat::Antigena File then New Outbound Block
  • Antigena / Network::External Threat::Antigena Suspicious File Block
  • Antigena / Network::Significant Anomaly::Antigena Alerts Over Time Block
  • Antigena / Network::External Threat::Antigena Suspicious File Block

IoC - Type - Description + Confidence

·       141.193.213[.]11 – IP address – Possible C2 Infrastructure

·       141.193.213[.]10 – IP address – Possible C2 Infrastructure

·       64.94.84[.]217 – IP address – Possible C2 Infrastructure

·       138.199.156[.]22 – IP address – C2 server

·       94.181.229[.]250 – IP address – Possible C2 Infrastructure

·       216.245.184[.]181 – IP address – Possible C2 Infrastructure

·       212.237.217[.]182 – IP address – Possible C2 Infrastructure

·       168.119.96[.]41 – IP address – Possible C2 Infrastructure

·       193.36.38[.]237 – IP address – C2 server

·       188.34.195[.]44 – IP address – C2 server

·       205.196.186[.]70 – IP address – Possible C2 Infrastructure

·       rkuagqnmnypetvf[.]top – Hostname – C2 server

·       shorturl[.]at/UB6E6 – Hostname – Possible C2 Infrastructure

·       tlgrm-redirect[.]icu – Hostname – Possible C2 Infrastructure

·       diagnostics.medgenome[.]com – Hostname – Compromised Website

·       /1741714208 – URI – Possible malicious file

·       /1741718928 – URI – Possible malicious file

·       /1743871488 – URI – Possible malicious file

·       /1741200416 – URI – Possible malicious file

·       /1741356624 – URI – Possible malicious file

·       /ttt – URI – Possible malicious file

·       /1741965536 – URI – Possible malicious file

·       /1.txt – URI – Possible malicious file

·       /1744205184 – URI – Possible malicious file

·       /1744139920 – URI – Possible malicious file

·       /1744134352 – URI – Possible malicious file

·       /1744125600 – URI – Possible malicious file

·       /1[.]php?s=527 – URI – Possible malicious file

·       34ff2f72c191434ce5f20ebc1a7e823794ac69bba9df70721829d66e7196b044 – SHA-256 Hash – Possible malicious file

·       10a5eab3eef36e75bd3139fe3a3c760f54be33e3 – SHA-1 Hash – Possible malicious file

MITRE ATT&CK Mapping

Tactic – Technique – Sub-Technique  

Spearphishing Link - INITIAL ACCESS - T1566.002 - T1566

Drive-by Compromise - INITIAL ACCESS - T1189

PowerShell - EXECUTION - T1059.001 - T1059

Exploitation of Remote Services - LATERAL MOVEMENT - T1210

Web Protocols - COMMAND AND CONTROL - T1071.001 - T1071

Automated Exfiltration - EXFILTRATION - T1020 - T1020.001

References

[1] https://www.logpoint.com/en/blog/emerging-threats/clickfix-another-deceptive-social-engineering-technique/

[2] https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

[3] https://cyberresilience.com/threatonomics/understanding-the-clickfix-attack/

[4] https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/

[5] https://www.virustotal.com/gui/ip-address/193.36.38.237/detection

[6] https://www.virustotal.com/gui/ip-address/188.34.195.44/community

[7] https://www.virustotal.com/gui/ip-address/138.199.156.22/detection

Continue reading
About the author
Keanna Grelicha
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI