APTs are sophisticated threat actors with the resources to coordinate and achieve long-term objectives. Amidst the skyrocketing numbers of BEC attacks, every organization should be worried about the ability of intruders to infiltrate and exploit. This blog will look at several recent examples of complex email attacks and how Darktrace / EMAIL successfully disarmed and prevented intrusion.
What are APTs?
An Advanced Persistent Threat (APT) describes an adversary with sophisticated levels of expertise and significant resources, with the ability to carry out targeted cyber campaigns. These campaigns may penetrate an organization and remain undetected for long periods, allowing attackers to gather intelligence or cause damage over time.
Over the last few decades, the term APT has evolved from being almost exclusively associated with nation-state actors to a broader definition that includes highly skilled, well-resourced threat groups. While still distinct from mass, opportunistic cybercrime or "spray and pray" attacks, APT now refers to the elite tier of adversaries, whether state-sponsored or not, who demonstrate advanced capabilities, persistence, and a clear strategic focus. This shift reflects the growing sophistication of cyber threats, where non-state actors can now rival nation-states in executing covert, methodical intrusions to achieve long-term objectives.
These attacks are resource-intensive for threat actors to execute, but the potential rewards—ranging from financial gain to sensitive data theft—can be significant. In 2020, Business Email Compromise (BEC) attacks netted cybercriminals over $1.8 billion.1
And recently, the advent of AI has helped to automate launching these attacks, lowering the barriers to entry and making it more efficient to orchestrate the kind of attack that might previously have taken weeks to create. Research shows that AI can do 90% of a threat actor’s work2 – reducing time-to-target by automating tasks rapidly and avoiding errors in phishing communications. Email remains the most popular vector for initiating these sophisticated attacks, making it a critical battleground for cyber defense.
What makes APTs so successful?
The success of Advanced Persistent Threats (APTs) lies in their precision, persistence, and ability to exploit human and technical vulnerabilities. These attacks are carefully tailored to specific targets, using techniques like social engineering and spear phishing to gain initial access.
Once inside, attackers move laterally through networks, often remaining undetected for months or even years, silently gathering intelligence or preparing for a decisive strike. Alternatively, they might linger inside an account within the M365 environment, which could be even more valuable in terms of gathering information – in 2023 the average time to identify a breach in 2023 was 204 days.3
The subtle and long-term outlook nature of APTs makes them highly effective, as traditional security measures often fail to identify the subtle signs of compromise.
How Darktrace’s approach is designed to catch the most advanced threats
Luckily for our customers, Darktrace’s AI approach is uniquely equipped to detect and neutralize APTs. Unlike the majority of email security solutions that rely on static rules and signatures, or that train their AI on previous known-bad attack patterns, Darktrace leverages Self-Learning AI that baselines normal patterns of behavior within an organization, to immediately detect unusual activity that may signal an APT in progress.
But in the modern era of email threats, no email security solution can guarantee 100% effectiveness. Because attackers operate with great sophistication, carefully adapting their tactics to evade detection – whether by altering attachments, leveraging compromised accounts, or moving laterally across an organization – a siloed security approach risks missing these subtle, multi-domain threats. That’s why a robust defense-in-depth strategy is essential to mitigate APTs.
Real-world threat finds: Darktrace / EMAIL in action
Let’s take a look at some real-world scenarios where Darktrace / EMAIL stopped tactics associated with APT campaigns in their tracks – from adversary-in-the-middle attacks to suspicious lateral movement.
1: How Darktrace disrupted an adversary-in-the-middle attack by identifying abnormal login redirects and blocking credential exfiltration
In October 2024, Darktrace detected an adversary-in-the-middle (AiTM) attack targeting a Darktrace customer. The attack began with a phishing email from a seemingly legitimate Dropbox address, which contained multiple link payloads inviting the recipient to access a file. Other solutions would have struggled to catch this attack, as the initial AitM attack was launched through delivering a malicious URL through a trusted vendor or service. Once compromised, the threat actor could have laid low on the target account, gathering reconnaissance, without detection from the email security solution.
Darktrace / EMAIL identified the abnormal login redirects and flagged the suspicious activity. Darktrace / IDENTITY then detected unusual login patterns and blocked credential exfiltration attempts, effectively disrupting the attack and preventing the adversary from gaining unauthorized access. Read more.
Figure 1: Overview of the malicious email in the Darktrace / EMAIL console, highlighting Dropbox associated content/link payloads
2: How Darktrace stopped lateral movement to block NTLM hash theft
In early 2024, Darktrace detected an attack by the TA577 threat group, which aimed to steal NTLM hashes to gain unauthorized access to systems. The attack began with phishing emails containing ZIP files that connected to malicious infrastructure.
A traditional email security solution would have likely missed this attack by focusing too heavily on analyzing the zip file payloads or relying on reputation analysis to understand whether the infrastructure was registered as bad before this activity was a recognized IoC.
Because it correlates activity across domains, Darktrace identified unusual lateral movement within the network and promptly blocked the attempts to steal NTLM hashes, effectively preventing the attackers from accessing sensitive credentials and securing the network. Read more.
Figure 2: A summary of anomaly indicators seen for a campaign email sent by TA577, as detected by Darktrace / EMAIL
3: How Darktrace prevented the WarmCookie backdoor deployment embedded in phishing emails
In mid-2024, Darktrace identified a phishing campaign targeting organizations with emails impersonating recruitment firms. These emails contained malicious links that, when clicked, deployed the WarmCookie backdoor.
These emails are difficult to detect, as they use social engineering tactics to manipulate users into engaging with emails and following the embedded malicious links – but if a security solution is not analysing content and context, these could be allowed through.
In several observed cases across customer environments, Darktrace detected and blocked the suspicious behavior associated with WarmCookie that had already managed to evade customers’ native email security. By using behavioral analysis to correlate anomalous activity across the digital estate, Darktrace was able to identify the backdoor malware strain and notify customers. Read more.
Conclusion
These threat examples highlight a key principle of the Darktrace approach – that a backwards-facing approach grounded in threat intelligence will always be one step behind.
Most threat actors operate in campaigns, carefully crafting attacks and testing them across multiple targets. Once a campaign is identified, good defenders and traditional security solutions quickly update their defenses with new threat intelligence, rules, and signatures. However, APTs have the resources to rapidly adapt – spinning up new infrastructure, modifying payloads and altering their attack footprint to evade detection.
This is where Darktrace / EMAIL excels. Only by analyzing each user, message and interaction can an email security solution hope to catch the types of highly-sophisticated attacks that have the potential to cause major reputational and financial damage. Darktrace / EMAIL ensures that even the most subtle threats are detected and blocked with autonomous response, before causing impact – helping organizations remain one step ahead of increasingly adaptive threat actors.
Discover the most advanced cloud-native AI email security solution to protect your domain and brand while preventing phishing, novel social engineering, business email compromise, account takeover, and data loss.
Gain up to 13 days of earlier threat detection and maximize ROI on your current email security
Experience 20-25% more threat blocking power with Darktrace / EMAIL
Stop the 58% of threats bypassing traditional email security
Oops! Something went wrong while submitting the form.
Newsletter
Enjoying the blog?
Sign up to receive the latest news and insights from the Darktrace newsletter – delivered directly to your inbox
Thanks for signing up!
Look out for your first newsletter, coming soon.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Carlos Gray
Product Manager
Carlos Gonzalez Gray is a Product Marketing Manager at Darktrace, based in the Madrid Office. As an email security Subject Matter Expert he collaborates with the global product team to align each product with the company’s ethos and ensures Darktrace are continuously pushing the boundaries of innovation. His prior role at Darktrace was in Sales Engineering, leading the Iberian team and specializing in both the email and OT sectors. Additionally, his prior experience as a consultant to IBEX 35 companies in Spain has made him well-versed in compliance, auditing, and data privacy. Carlos holds an Honors BA in Political Science and a Masters in Cybersecurity from IE University.
Darktrace's Detection of State-Linked ShadowPad Malware
An integral part of cybersecurity is anomaly detection, which involves identifying unusual patterns or behaviors in network traffic that could indicate malicious activity, such as a cyber-based intrusion. However, attribution remains one of the ever present challenges in cybersecurity. Attribution involves the process of accurately identifying and tracing the source to a specific threat actor(s).
Given the complexity of digital networks and the sophistication of attackers who often use proxies or other methods to disguise their origin, pinpointing the exact source of a cyberattack is an arduous task. Threat actors can use proxy servers, botnets, sophisticated techniques, false flags, etc. Darktrace’s strategy is rooted in the belief that identifying behavioral anomalies is crucial for identifying both known and novel threat actor campaigns.
The ShadowPad cluster
Between July 2024 and November 2024, Darktrace observed a cluster of activity threads sharing notable similarities. The threads began with a malicious actor using compromised user credentials to log in to the target organization's Check Point Remote Access virtual private network (VPN) from an attacker-controlled, remote device named 'DESKTOP-O82ILGG'. In one case, the IP from which the initial login was carried out was observed to be the ExpressVPN IP address, 194.5.83[.]25. After logging in, the actor gained access to service account credentials, likely via exploitation of an information disclosure vulnerability affecting Check Point Security Gateway devices. Recent reporting suggests this could represent exploitation of CVE-2024-24919 [27,28]. The actor then used these compromised service account credentials to move laterally over RDP and SMB, with files related to the modular backdoor, ShadowPad, being delivered to the ‘C:\PerfLogs\’ directory of targeted internal systems. ShadowPad was seen communicating with its command-and-control (C2) infrastructure, 158.247.199[.]185 (dscriy.chtq[.]net), via both HTTPS traffic and DNS tunneling, with subdomains of the domain ‘cybaq.chtq[.]net’ being used in the compromised devices’ TXT DNS queries.
Figure 1: Darktrace’s Advanced Search data showing the VPN-connected device initiating RDP connections to a domain controller (DC). The device subsequently distributes likely ShadowPad-related payloads and makes DRSGetNCChanges requests to a second DC.
Figure 2: Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.
Additional cases of ShadowPad were observed across Darktrace’s customer base in 2024. In some cases, common C2 infrastructure with the cluster discussed above was observed, with dscriy.chtq[.]net and cybaq.chtq[.]net both involved; however, no other common features were identified. These ShadowPad infections were observed between April and November 2024, with customers across multiple regions and sectors affected. Darktrace’s observations align with multiple other public reports that fit the timeframe of this campaign.
Darktrace has also observed other cases of ShadowPad without common infrastructure since September 2024, suggesting the use of this tool by additional threat actors.
The data theft thread
One of the Darktrace customers impacted by the ShadowPad cluster highlighted above was a European manufacturer. A distinct thread of activity occurred within this organization’s network several months after the ShadowPad intrusion, in October 2024.
The thread involved the internal distribution of highly masqueraded executable files via Sever Message Block (SMB) and WMI (Windows Management Instrumentation), the targeted collection of sensitive information from an internal server, and the exfiltration of collected information to a web of likely compromised sites. This observed thread of activity, therefore, consisted of three phrases: lateral movement, collection, and exfiltration.
The lateral movement phase began when an internal user device used an administrative credential to distribute files named ‘ProgramData\Oracle\java.log’ and 'ProgramData\Oracle\duxwfnfo' to the c$ share on another internal system.
Figure 3: Darktrace model alert highlighting an SMB write of a file named ‘ProgramData\Oracle\java.log’ to the c$ share on another device.
Over the next few days, Darktrace detected several other internal systems using administrative credentials to upload files with the following names to the c$ share on internal systems:
ProgramData\Adobe\ARM\webservices.dll
ProgramData\Adobe\ARM\wksprt.exe
ProgramData\Oracle\Java\wksprt.exe
ProgramData\Oracle\Java\webservices.dll
ProgramData\Microsoft\DRM\wksprt.exe
ProgramData\Microsoft\DRM\webservices.dll
ProgramData\Abletech\Client\webservices.dll
ProgramData\Abletech\Client\client.exe
ProgramData\Adobe\ARM\rzrmxrwfvp
ProgramData\3Dconnexion\3DxWare\3DxWare.exe
ProgramData\3Dconnexion\3DxWare\webservices.dll
ProgramData\IDMComp\UltraCompare\updater.exe
ProgramData\IDMComp\UltraCompare\webservices.dll
ProgramData\IDMComp\UltraCompare\imtrqjsaqmm
Figure 4: Cyber AI Analyst highlighting an SMB write of a file named ‘ProgramData\Adobe\ARM\webservices.dll’ to the c$ share on an internal system.
The threat actor appears to have abused the Microsoft RPC (MS-RPC) service, WMI, to execute distributed payloads, as evidenced by the ExecMethod requests to the IWbemServices RPC interface which immediately followed devices’ SMB uploads.
Figure 5: Cyber AI Analyst data highlighting a thread of activity starting with an SMB data upload followed by ExecMethod requests.
Several of the devices involved in these lateral movement activities, both on the source and destination side, were subsequently seen using administrative credentials to download tens of GBs of sensitive data over SMB from a specially selected server. The data gathering stage of the threat sequence indicates that the threat actor had a comprehensive understanding of the organization’s system architecture and had precise objectives for the information they sought to extract.
Immediately after collecting data from the targeted server, devices went on to exfiltrate stolen data to multiple sites. Several other likely compromised sites appear to have been used as general C2 infrastructure for this intrusion activity. The sites used by the threat actor for C2 and data exfiltration purport to be sites for companies offering a variety of service, ranging from consultancy to web design.
Figure 6: Screenshotof one of the likely compromised sites used in the intrusion.
At least 16 sites were identified as being likely data exfiltration or C2 sites used by this threat actor in their operation against this organization. The fact that the actor had such a wide web of compromised sites at their disposal suggests that they were well-resourced and highly prepared.
Figure 7: Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.
Figure 8: Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com
Cyber AI Analyst spotlight
Figure 9: Cyber AI Analyst identifying and piecing together the various steps of a ShadowPad intrusion.
Figure 10: Cyber AI Analyst Incident identifying and piecing together the various steps of the data theft activity.
As shown in the above figures, Cyber AI Analyst’s ability to thread together the different steps of these attack chains are worth highlighting.
In the ShadowPad attack chains, Cyber AI Analyst was able to identify SMB writes from the VPN subnet to the DC, and the C2 connections from the DC. It was also able to weave together this activity into a single thread representing the attacker’s progression.
Similarly, in the data exfiltration attack chain, Cyber AI Analyst identified and connected multiple types of lateral movement over SMB and WMI and external C2 communication to various external endpoints, linking them in a single, connected incident.
These Cyber AI Analyst actions enabled a quicker understanding of the threat actor sequence of events and, in some cases, faster containment.
Attribution puzzle
Publicly shared research into ShadowPad indicates that it is predominantly used as a backdoor in People’s Republic of China (PRC)-sponsored espionage operations [5][6][7][8][9][10]. Most publicly reported intrusions involving ShadowPad are attributed to the China-based threat actor, APT41 [11][12]. Furthermore, Google Threat Intelligence Group (GTIG) recently shared their assessment that ShadowPad usage is restricted to clusters associated with APT41 [13]. Interestingly, however, there have also been public reports of ShadowPad usage in unattributed intrusions [5].
The data theft activity that later occurred in the same Darktrace customer network as one of these ShadowPad compromises appeared to be the targeted collection and exfiltration of sensitive data. Such an objective indicates the activity may have been part of a state-sponsored operation. The tactics, techniques, and procedures (TTPs), artifacts, and C2 infrastructure observed in the data theft thread appear to resemble activity seen in previous Democratic People’s Republic of Korea (DPRK)-linked intrusion activities [15] [16] [17] [18] [19].
The distribution of payloads to the following directory locations appears to be a relatively common behavior in DPRK-sponsored intrusions.
Observed examples:
C:\ProgramData\Oracle\Java\
C:\ProgramData\Adobe\ARM\
C:\ProgramData\Microsoft\DRM\
C:\ProgramData\Abletech\Client\
C:\ProgramData\IDMComp\UltraCompare\
C:\ProgramData\3Dconnexion\3DxWare\
Additionally, the likely compromised websites observed in the data theft thread, along with some of the target URI patterns seen in the C2 communications to these sites, resemble those seen in previously reported DPRK-linked intrusion activities.
No clear evidence was found to link the ShadowPad compromise to the subsequent data theft activity that was observed on the network of the manufacturing customer. It should be noted, however, that no clear signs of initial access were found for the data theft thread – this could suggest the ShadowPad intrusion itself represents the initial point of entry that ultimately led to data exfiltration.
Motivation-wise, it seems plausible for the data theft thread to have been part of a DPRK-sponsored operation. DPRK is known to pursue targets that could potentially fulfil its national security goals and had been publicly reported as being active in months prior to this intrusion [21]. Furthermore, the timing of the data theft aligns with the ratification of the mutual defense treaty between DPRK and Russia and the subsequent accused activities [20].
Darktrace assesses with medium confidence that a nation-state, likely DPRK, was responsible, based on our investigation, the threat actor applied resources, patience, obfuscation, and evasiveness combined with external reporting, collaboration with the cyber community, assessing the attacker’s motivation and world geopolitical timeline, and undisclosed intelligence.
Conclusion
When state-linked cyber activity occurs within an organization’s environment, previously unseen C2 infrastructure and advanced evasion techniques will likely be used. State-linked cyber actors, through their resources and patience, are able to bypass most detection methods, leaving anomaly-based methods as a last line of defense.
Two threads of activity were observed within Darktrace’s customer base over the last year: The first operation involved the abuse of Check Point VPN credentials to log in remotely to organizations’ networks, followed by the distribution of ShadowPad to an internal domain controller. The second operation involved highly targeted data exfiltration from the network of one of the customers impacted by the previously mentioned ShadowPad activity.
Despite definitive attribution remaining unresolved, both the ShadowPad and data exfiltration activities were detected by Darktrace’s Self-Learning AI, with Cyber AI Analyst playing a significant role in identifying and piecing together the various steps of the intrusion activities.
Credit to Sam Lister (R&D Detection Analyst), Emma Foulger (Principal Cyber Analyst), Nathaniel Jones (VP), and the Darktrace Threat Research team.
Appendices
Darktrace / NETWORK model alerts
User / New Admin Credentials on Client
Anomalous Connection / Unusual Admin SMB Session
Compliance / SMB Drive Write
Device / Anomalous SMB Followed By Multiple Model Breaches
Survey findings: AI Cyber Threats are a Reality, the People are Acting Now
Artificial intelligence is changing the cybersecurity field as fast as any other, both on the offensive and defensive side. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes, understanding, and priorities when it comes to AI cybersecurity in 2025. Our full report, unearthing some telling trends, is out now.
Nearly 74% of participants say AI-powered threats are a major challenge for their organization and 90% expect these threats to have a significant impact over the next one to two years, a slight increase from last year. These statistics highlight that AI is not just an emerging risk but a present and evolving one.
As attackers harness AI to automate and scale their operations, security teams must adapt just as quickly. Organizations that fail to prioritize AI-specific security measures risk falling behind, making proactive defense strategies more critical than ever.
Some of the most pressing AI-driven cyber threats include:
AI-powered social engineering: Attackers are leveraging AI to craft highly personalized and convincing phishing emails, making them harder to detect and more likely to bypass traditional defenses.
More advanced attacks at speed and scale: AI lowers the barrier for less skilled threat actors, allowing them to launch sophisticated attacks with minimal effort.
Attacks targeting AI systems: Cybercriminals are increasingly going after AI itself, compromising machine learning models, tampering with training data, and exploiting vulnerabilities in AI-driven applications and APIs.
Safe and secure use of AI
AI is having an effect on the cyber-threat landscape, but it also is starting to impact every aspect of a business – from marketing to HR to operations. The accessibility of AI tools for employees improves workflows, but also poses risks like data privacy violations, shadow AI, and violation of industry regulations.
How are security practitioners accommodating for this uptick in AI use across business?
Among survey participants 45% of security practitioners say they had already established a policy on the safe and secure use of AI and around 50% are in discussions to do so.
While almost all participants acknowledge that this is a topic that needs to be addressed, the gap between discussion and execution could underscore a need for greater insight, stronger leadership commitment, and adaptable security frameworks to keep pace with AI advancements in the workplace. The most popular actions taken are:
Implemented security controls to prevent unwanted exposure of corporate data when using AI technology (67%)
Implemented security controls to protect against other threats/risks associated with using AI technology (62%)
This year specifically, we see further action being taken with the implementation of security controls, training, and oversight.
For a more detailed breakdown that includes results based on industry and organizational size, download the full report here.
AI threats are rising, but security teams still face major challenges
78% of CISOs say AI-powered cyber-threats are already having a significant impact on their organization, a 5% increase from last year.
While cyber professionals feel more prepared for AI powered threats than they did 12 months ago, 45% still say their organization is not adequately prepared—down from 60% last year.
Despite this optimism, key challenges remain, including:
A shortage of personnel to manage tools and alerts
Gaps in knowledge and skills related to AI-driven countermeasures
Confidence in traditional security tools vs. new AI based tools
This year, 73% of survey participants expressed confidence in their security team’s proficiency in using AI within their tool stack, marking an increase from the previous year.
However, only 50% of participants have confidence in traditional cybersecurity tools to detect and block AI-powered threats. In contrast, 75% of participants are confident in AI-powered security solutions for detecting and blocking such threats and attacks.
As leading organizations continue to implement and optimize their use of AI, they are incorporating it into an increasing number of workflows. This growing familiarity with AI is likely to boost the confidence levels of practitioners even further.
The data indicates a clear trend towards greater reliance on AI-powered security solutions over traditional tools. As organizations become more adept at integrating AI into their operations, their confidence in these advanced technologies grows.
This shift underscores the importance of staying current with AI advancements and ensuring that security teams are well-trained in utilizing these tools effectively. The increasing confidence in AI-driven solutions reflects their potential to enhance cybersecurity measures and better protect against sophisticated threats.
The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.
.jpg)
![Event Log data showing a DC making DNS queries for subdomains of ‘cbaq.chtq[.]net’ to 158.247.199[.]185 after receiving SMB and RDP connections from the VPN-connected device, DESKTOP-O82ILGG.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/67d1dbda2020b168dc1d83c2_Screenshot%202025-03-12%20at%2012.07.41%E2%80%AFPM.png)
![Darktrace model alert highlighting an internal device slowly exfiltrating data to the external endpoint, yasuconsulting[.]com.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/67d1dd09fe9cf54a67c48f13_Screenshot%202025-03-12%20at%2012.14.04%E2%80%AFPM.png)
![Darktrace model alert highlighting an internal device downloading nearly 1 GB of data from an internal system just before uploading a similar volume of data to another suspicious endpoint, www.tunemmuhendislik[.]com](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/67d1dd45f3743ebe06d81d89_Screenshot%202025-03-12%20at%2012.14.46%E2%80%AFPM.png)
