Blog
/
Network
/
October 3, 2023

Unveiling ViperSoftX: A Darktrace Investigation

Read about the ViperSoftX threat and how Darktrace's innovative detection methods exposed this cyber intrusion and its potential impacts.
Written by
Zoe Tilsiter
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Zoe Tilsiter
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Oct 2023

Fighting Info-Stealing Malware

The escalating threat posed by information-stealing malware designed to harvest and steal the sensitive data of individuals and organizations alike has become a paramount concern for security teams across the threat landscape. In direct response to security teams improving their threat detection and prevention capabilities, threat actors are forced to continually adapt and advance their techniques, striving for greater sophistication to ensure they can achieve the malicious goals.

What is ViperSoftX?

ViperSoftX is an information stealer and Remote Access Trojan (RAT) malware known to steal privileged information such as cryptocurrency wallet addresses and password information stored in browsers and password managers. It is commonly distributed via the download of cracked software from multiple sources such as suspicious domains, torrent downloads, and key generators (keygens) from third-party sites.

ViperSoftX was first observed in the wild in 2020 [1] but more recently, new strains were identified in 2022 and 2023 utilizing more sophisticated detection evasion techniques, making it more difficult for security teams to identify and analyze. This includes using more advanced encryption methods alongside monthly changes to command-and-control servers (C2) [2], using dynamic-link library (DLL) sideloading for execution techiques, and subsequently loading a malicious browser extension upon infection which works as an independent info-stealer named VenomSoftX [3].

Between February and June 2023, Darktrace detected activity related to the VipersoftX and VenomSoftX information stealers on the networks of more than 100 customers across its fleet. Darktrace DETECT™ was able to successfully identify the anomalous network activity surrounding these emerging information stealer infections and bring them to the attention of the customers, while Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and shut down malicious downloads and data exfiltration attempts.

ViperSoftX Attack & Darktrace Coverage

In cases of ViperSoftX information stealer activity observed by Darktrace, the initial infection was caused through the download of malicious files from multimedia sites, endpoints of cracked software like Adobe Illustrator, and torrent sites. Endpoint users typically unknowingly download the malware from these endpoints with a sideloaded DLL, posing as legitimate software executables.

Darktrace detected multiple downloads from such multimedia sites and endpoints related to cracked software and BitTorrent, which were likely representative of the initial source of ViperSoftX infection. Darktrace DETECT models such as ‘Anomalous File / Anomalous Octet Stream (No User Agent)’ breached in response to this activity and were brought to the immediate attention of customer security teams. In instances where Darktrace RESPOND was configured in autonomous response mode, Darktrace was able to enforce a pattern of life on offending devices, preventing them from downloading malicious files.  This ensures that devices are limited to conducting only their pre-established expected activit, minimizing disruption to the business whilst targetedly mitigating suspicious file downloads.

The downloads are then extracted, decrypted and begin to run on the device. The now compromised device will then proceed to make external connections to C2 servers to retrieve secondary PowerShell executable. Darktrace identified that infected devices using PowerShell user agents whilst making HTTP GET requests to domain generation algorithm (DGA) ViperSoftX domains represented new, and therefore unusual, activity in a large number of cases.

For example, Darktrace detected one customer device making an HTTP GET request to the endpoint ‘chatgigi2[.]com’, using the PowerShell user agent ‘Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364’. This new activity triggered a number of DETECT models, including ‘Anomalous Connection / PowerShell to Rare External’ and ‘Device / New PowerShell User Agent’. Repeated connections to these endpoints also triggered C2 beaconing models including:  

  • Compromise / Agent Beacon (Short Period)
  • Compromise / Agent Beacon (Medium Period)
  • Compromise / Agent Beacon (Long Period)
  • Compromise / Quick and Regular Windows HTTP Beaconing
  • Compromise / SSL or HTTP Beacon

Although a large number of different DGA domains were detected, commonalities in URI formats were seen across affected customers which matched formats previously identified as ViperSoftX C2 communication by open-source intelligence (OSINT), and in other Darktrace investigations.  

URI paths for example, were always of the format /api/, /api/v1/, /v2/, or /v3/, appearing to detail version number, as can be seen in Figure 1.

Figure 1: A Packet Capture (PCAP) taken from Darktrace showing a connection made to a ViperSoftX C2 endpoint containing versioning information, consistent with ViperSoftX pattern of communication.  

Before the secondary PowerShell executables are loaded, ViperSoftX takes a digital fingerprint of the infected machine to gather its configuration details, and exfiltrates them to the C2 server. These include the computer name, username, Operating System (OS), and ensures there are no anti-virus or montoring tools on the device. If no security tool are detected, ViperSoftX then downloads, decrypts and executes the PowerShell file.

Following the GET requests Darktrace observed numerous devices performing HTTP POST requests and beaconing connections to ViperSoftX endpoints with varying globally unique identifiers (GUIDs) within the URIs. These connections represented the exfiltration of device configuration details, such as “anti-virus detected”, “app used”, and “device name”. As seen on another customer’s deployment, this caused the model ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ to breach, which was also detected by Cyber AI Analyst as seen in Figure 2.

Figure 2: Cyber AI Analyst’s detection of HTTP POSTs being made to apibiling[.]com, a ViperSoftX C2 endpoint.

The malicious PowerShell download then crawls the infected device’s systems and directories looking for any cryptocurrency wallet information and password managers, and exfiltrates harvest data to the C2 infrastructure. The C2 server then provides further browser extensions to Chromium browsers to be downloaded and act as a separate stand-alone information stealer, also known as VenomSoftX.

Similar to the initial download of ViperSoftX, these malicious extensions are disguised as legitimate browser extensions to evade the detection of security teams. VenomSoft X, in turn, searches through and attempts to gather sensitive data from password managers and crypto wallets stored in user browsers. Using this information, VenomSoftX is able to redirect crypocurrency transactions by intercepting and manipulating API requests between the sender and the intended recipient, directing the cryptocurrency to the attacker instead [3].

Following investigation into VipersoftX activity across the customer base, Darktrace notified all affected customers and opened Ask the Expert (ATE) tickets through which customer’s could directly contact the analyst team for support and guidance in the face on the information stealer infection.

How did the attack bypass the rest of the security stack?

As previously mentioned, both the initial download of ViperSoftX and the subsequent download of the VenomX browser extension are disguised as legitimate software or browser downloads. This is a common technique employed by threat actors to infect target devices with malicious software, while going unnoticed by security teams traditional security measures. Furthermore, by masquerading as a legitimate piece of software endpoint users are more likely to trust and therefore download the malware, increasing the likelihood of threat actor’s successfully carrying out their objectives. Additionally, post-infection analysis of shellcode, the executable code used as the payload, is made significantly more difficult by VenomSoftX’s use of bytemapping. Bytemapping prevents the encryption of shellcodes without its corresponding byte map, meaning that the payloads cannot easily be decrypted and analysed by security researchers. [3]

ViperSoftX also takes numerous attempts to prevent their C2 infrastructure from being identified by blocking access to it on browsers, and using multiple DGA domains, thus renderring defunct traditional security measures that rely on threat intelligence and static lists of indicators of compromise (IoCs).

Fortunately for Darktrace customers, Darktrace’s anomaly-based approach to threat detection means that it was able to detect and alert customers to this suspicious activity that may have gone unnoticed by other security tools.

Insights/Conclusion

Faced with the challenge of increasingly competent and capable security teams, malicious actors are having to adopt more sophisticated techniques to successfully compromise target systems and achieve their nefarious goals.

ViperSoftX information stealer makes use of numerous tactics, techniques and procedures (TTPs) designed to fly under the radar and carry out their objectives without being detected. ViperSoftX does not rely on just one information stealing malware, but two with the subsequent injection of the VenomSoftX browser extension, adding an additional layer of sophistication to the informational stealing operation and increasing the potential yield of sensitive data. Furthermore, the use of evasion techniques like disguising malicious file downloads as legitimate software and frequently changing DGA domains means that ViperSoftX is well equipped to infiltrate target systems and exfiltrate confidential information without being detected.

However, the anomaly-based detection capabilities of Darktrace DETECT allows it to identify subtle changes in a device’s behavior, that could be indicative of an emerging compromise, and bring it to the customer’s security team. Darktrace RESPOND is then autonomously able to take action against suspicious activity and shut it down without latency, minimizing disruption to the business and preventing potentially significant financial losses.

Credit to: Zoe Tilsiter, Senior Cyber Analyst, Nathan Lorenzo, Cyber Analyst.

Appendices

References

[1] https://www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat

[2] https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html

[3] https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/

Darktrace DETECT Model Detections

·       Anomalous File / Anomalous Octet Stream (No User Agent)

·       Anomalous Connection / PowerShell to Rare External

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

·       Anomalous Connection / Lots of New Connections

·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint

·       Anomalous Server Activity / Outgoing from Server

·       Compromise / Large DNS Volume for Suspicious Domain

·       Compromise / Quick and Regular Windows HTTP Beaconing

·       Compromise / Beacon for 4 Days

·       Compromise / Suspicious Beaconing Behaviour

·       Compromise / Large Number of Suspicious Failed Connections

·       Compromise / Large Number of Suspicious Successful Connections

·       Compromise / POST and Beacon to Rare External

·       Compromise / DGA Beacon

·       Compromise / Agent Beacon (Long Period)

·       Compromise / Agent Beacon (Medium Period)

·       Compromise / Agent Beacon (Short Period)

·       Compromise / Fast Beaconing to DGA

·       Compromise / SSL or HTTP Beacon

·       Compromise / Slow Beaconing Activity To External Rare

·       Compromise / Beaconing Activity To External Rare

·       Compromise / Excessive Posts to Root

·       Compromise / Connections with Suspicious DNS

·       Compromise / HTTP Beaconing to Rare Destination

·       Compromise / High Volume of Connections with Beacon Score

·       Compromise / Sustained SSL or HTTP Increase

·       Device / New PowerShell User Agent

·       Device / New User Agent and New IP

Darktrace RESPOND Model Detections

·       Antigena / Network / External Threat / Antigena Suspicious File Block

·       Antigena / Network / External Threat / Antigena File then New Outbound Block

·       Antigena / Network / External Threat / Antigena Watched Domain Block

·       Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

·       Antigena / Network / External Threat / Antigena Suspicious Activity Block

·       Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

·       Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

·       Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

·       Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

List of IoCs

Indicator - Type - Description

ahoravideo-blog[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-chat[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

apibilng[.]com - Hostname - ViperSoftX C2 endpoint

arrowlchat[.]com - Hostname - ViperSoftX C2 endpoint

bideo-blog[.]com - Hostname - ViperSoftX C2 endpoint

bideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint

bideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-chat[.]com - Hostname - ViperSoftX C2 endpoint

bideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-endpoint[.]com - Hostname - ViperSoftX C2 endpoint

bideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

chatgigi2[.]com - Hostname - ViperSoftX C2 endpoint

counter[.]wmail-service[.]com - Hostname - ViperSoftX C2 endpoint

fairu-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

fairu-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

fairu-endpoint[.]com - Hostname - ViperSoftX C2 endpoint

fairu-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

fairu-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-blog[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-cdn[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

static-cdn-349[.]net - Hostname - ViperSoftX C2 endpoint

wmail-blog[.]com - Hostname - ViperSoftX C2 endpoint

wmail-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

wmail-chat[.]com - Hostname - ViperSoftX C2 endpoint

wmail-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

wmail-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364 - User Agent -PowerShell User Agent

MITRE ATT&CK Mapping

Tactic - Technique - Notes

Command and Control - T1568.002 Dynamic Resolution: Domain Generation Algorithms

Command and Control - T1321 Data Encoding

Credential Access - T1555.005 Credentials from Password Stores: Password Managers

Defense Evasion - T1027 Obfuscated Files or Information

Execution - T1059.001 Command and Scripting Interpreter: PowerShell

Execution - T1204 User Execution T1204.002 Malicious File

Persistence - T1176 Browser Extensions - VenomSoftX specific

Persistence, Privilege Escalation, Defense Evasion - T1574.002 Hijack Execution Flow: DLL Side-Loading

Written by
Zoe Tilsiter
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Zoe Tilsiter
Cyber Analyst

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

Network
November 26, 2025
Tyler Rhea
Senior Cyber Analyst
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
Darktrace Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
Jun 2, 2025
3
Evaluating Email Security: How to Select the Best Solution for Your Organization
May 21, 2025
4
2025 Cyber Threat Landscape: Darktrace’s Mid-Year Review
Aug 5, 2025
5
Introducing the AI Maturity Model for Cybersecurity
Jul 16, 2025

More in this series

No items found.
Continue reading
Network
November 26, 2025

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.
Tyler Rhea
Senior Cyber Analyst
Read more
Network
November 20, 2025

Xillen Stealer Updates to Version 5 to Evade AI Detection

Xillen Stealer v4/v5 introduces advanced features to evade AI detection, steal credentials, cryptocurrency, and sensitive data across browsers, password managers, and cloud environments. With polymorphic engines, container persistence, and behavioral mimicking, this Python-based malware highlights evolving threats and future AI integration in cybercrime campaigns.
Tara Gould
Threat Researcher
Read more
Network
November 12, 2025

Unmasking Vo1d: Inside Darktrace’s Botnet Detection

Earlier this year, Darktrace investigated the Vo1d malware campaign, tracing its activity from DGA-based DNS beaconing to major cloud infrastructure and ultimately to its C2 server communications. This blog explores how Darktrace detected Vo1d and presents a detailed timeline of Cyber AI Analyst’s investigation.
Christina Kreza
Cyber Analyst
Read more

Blog

/

Network

/

November 26, 2025

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery SystemDefault blog imageDefault blog image

What is TAG-150?

TAG-150, a relatively new Malware-as-a-Service (MaaS) operator, has been active since March 2025, demonstrating rapid development and an expansive, evolving infrastructure designed to support its malicious operations. The group employs two custom malware families, CastleLoader and CastleRAT, to compromise target systems, with a primary focus on the United States [1]. TAG-150’s infrastructure included numerous victim-facing components, such as IP addresses and domains functioning as command-and-control (C2) servers associated with malware families like SecTopRAT and WarmCookie, in addition to CastleLoader and CastleRAT [2].

As of May 2025, CastleLoader alone had infected a reported 469 devices, underscoring the scale and sophistication of TAG-150’s campaign [1].

What are CastleLoader and CastleRAT?

CastleLoader is a loader malware, primarily designed to download and install additional malware, enabling chain infections across compromised systems [3]. TAG-150 employs a technique known as ClickFix, which uses deceptive domains that mimic document verification systems or browser update notifications to trick victims into executing malicious scripts. Furthermore, CastleLoader leverages fake GitHub repositories that impersonate legitimate tools as a distribution method, luring unsuspecting users into downloading and installing malware on their devices [4].

CastleRAT, meanwhile, is a remote access trojan (RAT) that serves as one of the primary payloads delivered by CastleLoader. Once deployed, CastleRAT grants attackers extensive control over the compromised system, enabling capabilities such as keylogging, screen capturing, and remote shell access.

TAG-150 leverages CastleLoader as its initial delivery mechanism, with CastleRAT acting as the main payload. This two-stage attack strategy enhances the resilience and effectiveness of their operations by separating the initial infection vector from the final payload deployment.

How are they deployed?

Castleloader uses code-obfuscation methods such as dead-code insertion and packing to hinder both static and dynamic analysis. After the payload is unpacked, it connects to its command-and-control server to retrieve and running additional, targeted components.

Its modular architecture enables it to function both as a delivery mechanism and a staging utility, allowing threat actors to decouple the initial infection from payload deployment. CastleLoader typically delivers its payloads as Portable Executables (PEs) containing embedded shellcode. This shellcode activates the loader’s core module, which then connects to the C2 server to retrieve and execute the next-stage malware.[6]

Following this, attackers deploy the ClickFix technique, impersonating legitimate software distribution platforms like Google Meet or browser update notifications. These deceptive sites trick victims into copying and executing PowerShell commands, thereby initiating the infection kill chain. [1]

When a user clicks on a spoofed Cloudflare “Verification Stepprompt, a background request is sent to a PHP script on the distribution domain (e.g., /s.php?an=0). The server’s response is then automatically copied to the user’s clipboard using the ‘unsecuredCopyToClipboard()’ function. [7].

The Python-based variant of CastleRAT, known as “PyNightShade,” has been engineered with stealth in mind, showing minimal detection across antivirus platforms [2]. As illustrated in Figure 1, PyNightShade communicates with the geolocation API service ip-api[.]com, demonstrating both request and response behavior

Packet Capture (PCAP) of PyNightShade, the Python-based variant of CastleRAT, communicating with the geolocation API service ip-api[.]com.
Figure 1: Packet Capture (PCAP) of PyNightShade, the Python-based variant of CastleRAT, communicating with the geolocation API service ip-api[.]com.

Darktrace Coverage

In mid-2025, Darktrace observed a range of anomalous activities across its customer base that appeared linked to CastleLoader, including the example below from a US based organization.

The activity began on June 26, when a device on the customer’s network was observed connecting to the IP address 173.44.141[.]89, a previously unseen IP for this network along with the use of multiple user agents, which was also rare for the user.  It was later determined that the IP address was a known indicator of compromise (IoC) associated with TAG-150’s CastleRAT and CastleLoader operations [2][5].

Figure 2: Darktrace’s detection of a device making unusual connections to the malicious endpoint 173.44.141[.]89.

The device was observed downloading two scripts from this endpoint, namely ‘/service/download/data_5x.bin’ and ‘/service/download/data_6x.bin’, which have both been linked to CastleLoader infections by open-source intelligence (OSINT) [8]. The archives contains embedded shellcode, which enables attackers to execute arbitrary code directly in memory, bypassing disk writes and making detection by endpoint detection and response (EDR) tools significantly more difficult [2].

Darktrace’s detection of two scripts from the malicious endpoint.
Figure 3: Darktrace’s detection of two scripts from the malicious endpoint.

In addition to this, the affected device exhibited a high volume of internal connections to a broad range of endpoints, indicating potential scanning activity. Such behavior is often associated with reconnaissance efforts aimed at mapping internal infrastructure.

Darktrace / NETWORK correlated these behaviors and generated an Enhanced Monitoring model, a high-fidelity security model designed to detect activity consistent with the early stages of an attack. These high-priority models are continuously monitored and triaged by Darktrace’s Security Operations Center (SOC) as part of the Managed Threat Detection and Managed Detection & Response services, ensuring that subscribed customers are promptly alerted to emerging threats.

Darktrace detected an unusual ZIP file download alongside the anomalous script, followed by internal connectivity. This activity was correlated under an Enhanced Monitoring model.
Figure 4: Darktrace detected an unusual ZIP file download alongside the anomalous script, followed by internal connectivity. This activity was correlated under an Enhanced Monitoring model.

Darktrace Autonomous Response

Fortunately, Darktrace’s Autonomous Response capability was fully configured, enabling it to take immediate action against the offending device by blocking any further connections external to the malicious endpoint, 173.44.141[.]89. Additionally, Darktrace enforced a ‘group pattern of life’ on the device, restricting its behavior to match other devices in its peer group, ensuring it could not deviate from expected activity, while also blocking connections over 443, shutting down any unwanted internal scanning.

Figure 5: Actions performed by Darktrace’s Autonomous Response to contain the ongoing attack.

Conclusion

The rise of the MaaS ecosystem, coupled with attackers’ growing ability to customize tools and techniques for specific targets, is making intrusion prevention increasingly challenging for security teams. Many threat actors now leverage modular toolkits, dynamic infrastructure, and tailored payloads to evade static defenses and exploit even minor visibility gaps. In this instance, Darktrace demonstrated its capability to counter these evolving tactics by identifying early-stage attack chain behaviors such as network scanning and the initial infection attempt. Autonomous Response then blocked the CastleLoader IP delivering the malicious ZIP payload, halting the attack before escalation and protecting the organization from a potentially damaging multi-stage compromise

Credit to Ahmed Gardezi (Cyber Analyst) Tyler Rhea (Senior Cyber Analyst)
Edited by Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

  • Anomalous Connection / Unusual Internal Connections
  • Anomalous File / Zip or Gzip from Rare External Location
  • Anomalous File / Script from Rare External Location
  • Initial Attack Chain Activity (Enhanced Monitoring Model)

MITRE ATT&CK Mapping

  • T15588.001 - Resource Development – Malware
  • TG1599 – Defence Evasion – Network Boundary Bridging
  • T1046 – Discovery – Network Service Scanning
  • T1189 – Initial Access

List of IoCs
IoC - Type - Description + Confidence

  • 173.44.141[.]89 – IP – CastleLoader C2 Infrastructure
  • 173.44.141[.]89/service/download/data_5x.bin – URI – CastleLoader Script
  • 173.44.141[.]89/service/download/data_6x.bin – URI  - CastleLoader Script
  • wsc.zip – ZIP file – Possible Payload

References

[1] - https://blog.polyswarm.io/castleloader

[2] - https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations

[3] - https://www.pcrisk.com/removal-guides/34160-castleloader-malware

[4] - https://www.scworld.com/brief/malware-loader-castleloader-targets-devices-via-fake-github-clickfix-phishing

[5] https://www.virustotal.com/gui/ip-address/173.44.141.89/community

[6] https://thehackernews.com/2025/07/castleloader-malware-infects-469.html

[7] https://www.cryptika.com/new-castleloader-attack-using-cloudflare-themed-clickfix-technique-to-infect-windows-computers/

[8] https://www.cryptika.com/castlebot-malware-as-a-service-deploys-range-of-payloads-linked-to-ransomware-attacks/

Continue reading
About the author
Tyler Rhea
Senior Cyber Analyst

Blog

/

Compliance

/

November 26, 2025

UK Cyber Security & Resilience Bill: What Organizations Need to Know

Default blog imageDefault blog image

Why the Bill has been introduced

The UK’s cyber threat landscape has evolved dramatically since the 2018 NIS regime was introduced. Incidents such as the Synnovis attack against hospitals and the British Library ransomware attack show how quickly operational risk can become public harm. In this context, the UK Department for Science, Innovation and Technology estimates that cyber-attacks cost UK businesses around £14.7 billion each year.

At the same time, the widespread adoption of AI has expanded organisations’ attack surfaces and empowered threat actors to launch more effective and sophisticated activities, including crafting convincing phishing campaigns, exploiting vulnerabilities and initiating ransomware attacks at unprecedented speed and scale.  

The CSRB responds to these challenges by widening who is regulated, accelerating incident reporting and tightening supply chain accountability, while enabling rapid updates that keep pace with technology and emerging risks.

Key provisions of the Cyber Security and Resilience Bill

A wider set of organisations in scope

The Bill significantly broadens the range of organisations regulated under the NIS framework.

  • Managed service providers (MSPs) - medium and large MSPs, including MSSPs, managed SOCs, SIEM providers and similar services,will now fall under NIS obligations due to their systemic importance and privileged access to client systems. The Information Commissioner’s Office (ICO) will act as the regulator. Government analysis anticipates that a further 900 to 1,100 MSPs will be in scope.
  • Data infrastructure is now recognised as essential to the functioning of the economy and public services. Medium and large data centres, as well as enterprise facilities meeting specified thresholds, will be required to implement appropriate and proportionate measures to manage cyber risk. Oversight will be shared between DSIT and Ofcom, with Ofcom serving as the operational regulator.
  • Organisations that manage electrical loads for smart appliances, such as those supporting EV charging during peak times, are now within scope.

These additions sit alongside existing NIS-regulated sectors such as transport, energy, water, health, digital infrastructure, and certain digital services (including online marketplaces, search engines, and cloud computing).

Stronger supply chain requirements

Under the CSRB, regulators can now designate third-party suppliers as ‘designated critical suppliers’ (DCS) when certain threshold criteria are met and where disruption could have significant knock-on effects. Designated suppliers will be subject to the same security and incident-reporting obligations as Operators of Essential Services (OES) and Relevant Digital Service Providers (RDSPs).

Government will scope the supply chain duties for OES and RDSPs via secondary legislation, following consultation. infrastructure incidents where a single supplier’s compromise caused widespread disruption.

Faster incident reporting

Sector-specific regulators, 12 in total, will be responsible for implementing the CSRB, allowing for more effective and consistent reporting. In addition, the CSRB introduces a two-stage reporting process and expands incident reporting criteria. Regulated entities must submit an initial notification within 24 hours of becoming aware of a significant incident, followed by an incident report within 72 hours. Incident reporting criteria are also broadened to capture incidents beyond those which actually resulted in an interruption, ensuring earlier visibility for regulators and the National Cyber Security Centre (NCSC). The importance of information sharing across agencies, law enforcement and regulators is also facilitated by the CSRB.

The reforms also require data centres and managed service providers to notify affected customers where they are likely to have been impacted by a cyber incident.

An agile regulatory framework

To keep pace with technological change, the CSRB will enable the Secretary of State to update elements of the framework via secondary legislation. Supporting materials such as the NCSC Cyber Assessment Framework (CAF) are to be "put on a stronger footing” allowing for requirements to be more easily followed, managed and updated. Regulators will also now be able to recover full costs associated with NIS duties meaning they are better resourced to carry out their associated responsibilities.

Relevant Managed Service Providers must identify and take appropriate and proportionate measures to manage risks to the systems they rely on for providing services within the UK. Importantly, these measures must, having regard to the state of the art, ensure a level of security appropriate to the risk posed, and prevent or minimise the impact of incidents.

The Secretary of State will also be empowered to issue a Statement of Strategic Priorities, setting cross-regime outcomes to drive consistency across the 12 competent authorities responsible for implementation.

Penalties

The enforcement framework will be strengthened, with maximum fines aligned with comparable regimes such as the GDPR, which incorporate maximums tied to turnover. Under the CSRB, maximum penalties for more serious breaches could be up to £17 million or 4% of global turnover, whichever is higher.

Next steps

The Bill is expected to progress through Parliament over the course of 2025 and early 2026, with Royal Assent anticipated in 2026. Once enacted, most operational measures will not take immediate effect. Instead, Government will bring key components into force through secondary legislation following further consultation, providing regulators and industry with time to adjust practices and prepare for compliance.

Anticipated timeline

  • 2025-2026: Parliamentary scrutiny and passage;
  • 2026: Royal Assent;  
  • 2026 consultation: DSIT intends to consult on detailed implementation;
  • From 2026 onwards: Phased implementation via secondary legislation, following further consultation led by DSIT.

How Darktrace can help

The CSRB represents a step change in how the UK approaches digital risk, shifting the focus from compliance to resilience.

Darktrace can help organisations operationalise this shift by using AI to detect, investigate and respond to emerging threats at machine speed, before they escalate into incidents requiring regulatory notification. Proactive tools which can be included in the Darktrace platform allow security teams to stress-test defences, map supply chain exposure and rehearse recovery scenarios, directly supporting the CSRB’s focus on resilience, transparency and rapid response. If an incident does occur, Darktrace’s autonomous agent, Cyber AI Analyst, can accelerate investigations and provide a view of every stage of the attack chain, supporting timely reporting.  

Darktrace’s AI can provide organisations with a vital lens into both internal and external cyber risk. By continuously learning patterns of behaviour across interconnected systems, Darktrace can flag potential compromise or disruption to detect supply chain risk before it impacts your organisation.

In a landscape where compliance and resilience go hand in hand, Darktrace can equip organisations to stay ahead of both evolving threats and evolving regulatory requirements.

[related-resource]

Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI