Blog
/
Network
/
May 23, 2023

Darktrace’s Detection of a Hive Ransomware-as-Service

This blog investigates a new strain of ransomware, Hive, a ransomware-as-a-service. Darktrace was able to provide full visibility over the attacks.
Written by
Emily Megan Lim
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Emily Megan Lim
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
23
May 2023

Update: On January 26, 2023, the Hive ransomware group was dismantled and servers associated with the sale of the ransomware were taken offline following an investigation by the FBI, German law enforcement and the National Crime Agency (NCA). The activity detailed in this blog took place in 2022, whilst the group was still active.

RaaS in Cyber Security

The threat of ransomware continues to be a constant concern for security teams across the cyber threat landscape. With the growing popularity of Ransomware-as-a-Service (RaaS), it is becoming more and more accessible for even inexperienced would-be attackers. As a result of this low barrier to entry, the volume of ransomware attacks is expected to increase significantly.

What’s more, RaaS is a highly tailorable market in which buyers can choose from varied kits and features to use in their ransomware deployments meaning attacks will rarely behave the same. To effectively detect and safeguard against these differentiations, it is crucial to implement security measures that put the emphasis on detecting anomalies and focusing on deviations in expected behavior, rather than relying on depreciated indicators of compromise (IoC) lists or playbooks that focus on attack chains unable to keep pace with the increasing speed of ransomware evolution.

In early 2022, Darktrace DETECT/Network™ identified several instances of Hive ransomware on the networks of multiple customers. Using its anomaly-based detection, Darktrace was able to successfully detect the attacks and multiple stages of the kill chain, including command and control (C2) activity, lateral movement, data exfiltration, and ultimately data encryption and the writing of ransom notes.

Hive Ransomware 

Hive ransomware is a relatively new strain that was first observed in the wild in June 2021. It is known to target a variety of industries including healthcare, energy providers, and retailers, and has reportedly attacked over 1,500 organizations, collecting more than USD 100m in ransom payments [1].

Hive is distributed via a RaaS model where its developers update and maintain the code, in return for a percentage of the eventual ransom payment, while users (or affiliates) are given the tools to carry out attacks using a highly sophisticated and complex malware they would otherwise be unable to use. Hive uses typical tactics, techniques and procedures (TTPs) associated with ransomware, though they do vary depending on the Hive affiliate carrying out the attack.

In most cases a double extortion attack is carried out, whereby data is first exfiltrated and then encrypted before a ransom demand is made. This gives attackers extra leverage as victims are at risk of having their sensitive data leaked to the public on websites such as the ‘HiveLeaks’ TOR website.

Attack Timeline

Owing to the highly customizable nature of RaaS, the tactics and methods employed by Hive actors are expected to differ on a case-by-case basis. Nonetheless in the majority of Hive ransomware incidents identified on Darktrace customer environments, Darktrace DETECT observed the following general attack stages and features. This is possibly indicative of the attacks originating from the same threat actor(s) or from a widely sold batch with a particular configuration to a variety of actors.

Figure 1: A typical timeline of a Hive attack observed by Darktrace.

Initial Access 

Although Hive actors are known to gain initial access to networks through multiple different vectors, the two primary methods reported by security researchers are the exploitation of Microsoft Exchange vulnerabilities, or the distribution of phishing emails with malicious attachments [2][3].

In the early stages of one Hive ransomware attack observed on the network of a Darktrace customer, for example, Darktrace detected a device connecting to the rare external location 23.81.246[.]84, with a PowerShell user agent via HTTP. During this connection, the device attempted to download an executable file named “file.exe”. It is possible that the file was initially accessed and delivered via a phishing email; however, as Darktrace/Email was not enabled at the time of the attack, this was outside of Darktrace’s purview. Fortunately, the connection failed the proxy authentication was thus blocked as seen in the packet capture (PCAP) in Figure 2. 

Shortly after this attempted download, the same device started to receive a high volume of incoming SSL connections from a rare external endpoint, namely 146.70.87[.]132. Darktrace logged that this endpoint was using an SSL certificate signed by Go Daddy CA, an easily obtainable and accessible SSL certificate, and that the increase in incoming SSL connections from this endpoint was unusual behavior for this device. 

It is likely that this highly anomalous activity detected by Darktrace indicates when the ransomware attack began, likely initial payload download.  

Darktrace DETECT models:

  • Anomalous Connection / Powershell to Rare External
  • Anomalous Server Activity / New Internet Facing System
Figure 2: PCAP of the HTTP connection to the rare endpoint 23.81.246[.]84 showing the failed proxy authentication.

C2 Beaconing 

Following the successful initial access, Hive actors begin to establish their C2 infrastructure on infected networks through numerous connections to C2 servers, and the download of additional stagers. 

On customer networks infected by Hive ransomware, Darktrace identified devices initiating a high volume of connections to multiple rare endpoints. This very likely represented C2 beaconing to the attacker’s infrastructure. In one particular example, further open-source intelligence (OSINT) investigation revealed that these endpoints were associated with Cobalt Strike.

Darktrace DETECT models:

  • Anomalous Connection / Multiple Connections to New External TCP
  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Compromise / High Volume of Connections with Beacon Score
  • Compromise / Sustained SSL or HTTP Increase
  • Compromise / Suspicious HTTP Beacons to Dotted Quad 
  • Compromise / SSL or HTTP Beacon
  • Device / Lateral Movement and C2 Activity

Internal Reconnaissance, Lateral Movement and Privilege Escalation

After C2 infrastructure has been established, Hive actors typically begin to uninstall antivirus products in an attempt to remain undetected on the network [3]. They also perform internal reconnaissance to look for vulnerabilities and open channels and attempt to move laterally throughout the network.

Amid the C2 connections, Darktrace was able to detect network scanning activity associated with the attack when a device on one customer network was observed initiating an unusually high volume of connections to other internal devices. A critical network device was also seen writing an executable file “mimikatz.exe” via SMB which appears to be the Mimikatz attack tool commonly used for credential harvesting. 

There were also several detections of lateral movement attempts via RDP and DCE-RPC where the attackers successfully authenticated using an “Administrator” credential. In one instance, a device was also observed performing ITaskScheduler activity. This service is used to remotely control tasks running on machines and is commonly observed as part of malicious lateral movement activity. Darktrace DETECT understood that the above activity represented a deviation from the devices’ normal pattern of behavior and the following models were breached:

Darktrace DETECT models:

  • Anomalous Connection / Anomalous DRSGetNCChanges Operation
  • Anomalous Connection / New or Uncommon Service Control
  • Anomalous Connection / Unusual Admin RDP Session
  • Anomalous Connection / Unusual SMB Version 1 Connectivity
  • Compliance / SMB Drive Write
  • Device / Anomalous ITaskScheduler Activity
  • Device / Attack and Recon Tools
  • Device / Attack and Recon Tools In SMB
  • Device / EXE Files Distributed to Multiple Devices
  • Device / Suspicious Network Scan Activity
  • Device / Increase in New RPC Services
  • User / New Admin Credentials on Server

Data Exfiltration

At this stage of the attack, Hive actors have been known to carry out data exfiltration activity on infected networks using a variety of different methods. The Cybersecurity & Infrastructure Security Agency (CISA) reported that “Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega[.]nz” [4]. Darktrace DETECT identified an example of this when a device on one customer network was observed making HTTP connections to endpoints related to Mega, including “w.apa.mega.co[.]nz”, with the user agent “rclone/v1.57.0” with at least 3 GiB of data being transferred externally (Figure 3). The same device was also observed transferring at least 3.6 GiB of data via SSL to the rare external IP, 158.51.85[.]157.

Figure 3: A summary of a device’s external connections to multiple endpoints and the respective amounts of data exfiltrated to Mega storage endpoints.

In another case, a device was observed uploading over 16 GiB of data to a rare external endpoint 93.115.27[.]71 over SSH. The endpoint in question was seen in earlier beaconing activity suggesting that this was likely an exfiltration event. 

However, Hive ransomware, like any other RaaS kit, can differ greatly in its techniques and features, and it is important to note that data exfiltration may not always be present in a Hive ransomware attack. In one incident detected by Darktrace, there were no signs of any data leaving the customer environment, indicating data exfiltration was not part of the Hive actor’s objectives.

Darktrace DETECT models:

  • Anomalous Connection / Data Sent to Rare Domain
  • Anomalous Connection / Lots of New Connections
  • Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
  • Anomalous Connection / Suspicious Self-Signed SSL
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Device / New User Agent and New IP
  • Unusual Activity / Unusual External Data to New Endpoints
  • Unusual Activity / Unusual External Data Transfer
  • Unusual Activity / Enhanced Unusual External Data Transfer

Ransomware Deployment

In the final stage of a typical Hive ransomware attack, the ransomware payload is deployed and begins to encrypt files on infected devices. On one customer network, Darktrace detected several devices connecting to domain controllers (DC) to read a file named “xxx.exe”. Several sources have linked this file name with the Hive ransomware payload [5].

In another example, Darktrace DETECT observed multiple devices downloading the executable files “nua64.exe” and “nua64.dll” from a rare external location, 194.156.90[.]25. OSINT investigation revealed that the files are associated with Hive ransomware.

Figure 4: Security vendor analysis of the malicious file hash [6] associated with Hive ransomware. 

Shortly after the download of this executable, multiple devices were observed performing an unusual amount of file encryption, appending randomly generated strings of characters to file extensions. 

Although it has been reported that earlier versions of Hive ransomware encrypted files with a “.hive” extension [7], Darktrace observed across multiple customers that encrypted files had extensions that were partially-randomized, but consistently 20 characters long, matching the regular expression “[a-zA-Z0-9\-\_]{8}[\-\_]{1}[A-Za-z0-9\-\_]{11}”.

Figure 5: Device Event Log showing SMB reads and writes of encrypted files with a randomly generated extension of 20 characters. 

Following the successful encryption of files, Hive proceeds to drop a ransom note, named “HOW_TO_DECRYPT.txt”, into each affected directory. Typically, the ransom note will contain a link to Hive’s “sales department” and, in the event that exfiltration took place, a link to the “HiveLeaks” site, where attackers threaten to publish exfiltrated data if their demands are not met (Figure 6).  In cases of Hive ransomware detected by Darktrace, multiple devices were observed attempting to contact “HiveLeaks” TOR domains, suggesting that endpoint users had followed links provided to them in ransom notes.

Figure 6: Sample of a Hive ransom note [4].

Examples of file extensions:

  • 36C-AT9-_wm82GvBoCPC
  • 36C-AT9--y6Z1G-RFHDT
  • 36C-AT9-_x2x7FctFJ_q
  • 36C-AT9-_zK16HRC3QiL
  • 8KAIgoDP-wkQ5gnYGhrd
  • kPemi_iF_11GRoa9vb29
  • kPemi_iF_0RERIS1m7x8
  • kPemi_iF_7u7e5zp6enp
  • kPemi_iF_y4u7pB3d3f3
  • U-9Xb0-k__T0U9NJPz-_
  • U-9Xb0-k_6SkA8Njo5pa
  • zm4RoSR1_5HMd_r4a5a9 

Darktrace DETECT models:

  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Sustained MIME Type Conversion
  • Anomalous Connection / Unusual Admin SMB Session
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compliance / SMB Drive Write
  • Compromise / Ransomware / Suspicious SMB Activity
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Compromise / Ransomware / Possible Ransom Note Write
  • Compromise / High Priority Tor2Web
  • Compromise / Tor2Web
  • Device / EXE Files Distributed to Multiple Devices

Conclusion

As Hive ransomware attacks are carried out by different affiliates using varying deployment kits, the tactics employed tend to vary and new IoCs are regularly identified. Furthermore, in 2022 a new variant of Hive was written using the Rust programming language. This represented a major upgrade to Hive, improving its defense evasion techniques and making it even harder to detect [8]. 

Hive is just one of many RaaS offerings currently on the market, and this market is only expected to grow in usage and diversity of presentations.  As ransomware becomes more accessible and easier to deploy it is essential for organizations to adopt efficient security measures to identify ransomware at the earliest possible stage. 

Darktrace DETECT’s Self-Learning AI understands customer networks and learns the expected patterns of behavior across an organization’s digital estate. Using its anomaly-based detection Darktrace is able to identify emerging threats through the detection of unusual or unexpected behavior, without relying on rules and signatures, or known IoCs. 

Credit to: Emily Megan Lim, Cyber Analyst, Hyeongyung Yeom, Senior Cyber Analyst & Analyst Team Lead.

Appendices

MITRE AT&CK Mapping

Reconnaissance

T1595.001 – Scanning IP Blocks

T1595.002 – Vulnerability Scanning

Resource Development

T1583.006 – Web Services

Initial Access

T1078 – Valid Accounts

T1190 – Exploit Public-Facing Application

T1200 – Hardware Additions

Execution

T1053.005 – Scheduled Task

T1059.001 – PowerShell

Persistence/Privilege Escalation

T1053.005 – Scheduled Task

T1078 – Valid Accounts

Defense Evasion

T1078 – Valid Accounts

T1207 – Rogue Domain Controller

T1550.002 – Pass the Hash

Discovery

T1018 – Remote System Discovery

T1046 – Network Service Discovery

T1083 – File and Directory Discovery

T1135 – Network Share Discovery

Lateral Movement

T1021.001 – Remote Desktop Protocol

T1021.002 – SMB/Windows Admin Shares

T1021.003 – Distributed Component Object Model

T1080 – Taint Shared Content

T1210 – Exploitation of Remote Services

T1550.002 – Pass the Hash

T1570 – Lateral Tool Transfer

Collection

T1185 – Man in the Browser

Command and Control

T1001 – Data Obfuscation

T1071 – Application Layer Protocol

T1071.001 – Web Protocols

T1090.003 – Multi-hop proxy

T1095 – Non-Application Layer Protocol

T1102.003 – One-Way Communication

T1571 – Non-Standard Port

Exfiltration

T1041 – Exfiltration Over C2 Channel

T1567.002 – Exfiltration to Cloud Storage

Impact

T1486 – Data Encrypted for Impact

T1489 – Service Stop

List of IoCs 

23.81.246[.]84 - IP Address - Likely Malicious File Download Endpoint

146.70.87[.]132 - IP Address - Possible Ransomware Endpoint

5.199.162[.]220 - IP Address - C2 Endpoint

23.227.178[.]65 - IP Address - C2 Endpoint

46.166.161[.]68 - IP Address - C2 Endpoint

46.166.161[.]93 - IP Address - C2 Endpoint

93.115.25[.]139 - IP Address - C2 Endpoint

185.150.1117[.]189 - IP Address - C2 Endpoint

192.53.123[.]202 - IP Address - C2 Endpoint

209.133.223[.]164 - IP Address - Likely C2 Endpoint

cltrixworkspace1[.]com - Domain - C2 Endpoint

vpnupdaters[.]com - Domain - C2 Endpoint

93.115.27[.]71 - IP Address - Possible Exfiltration Endpoint

158.51.85[.]157 - IP Address - Possible Exfiltration Endpoint

w.api.mega.co[.]nz - Domain - Possible Exfiltration Endpoint

*.userstorage.mega.co[.]nz - Domain - Possible Exfiltration Endpoint

741cc67d2e75b6048e96db9d9e2e78bb9a327e87 - SHA1 Hash - Hive Ransomware File

2f9da37641b204ef2645661df9f075005e2295a5 - SHA1 Hash - Likely Hive Ransomware File

hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd[.]onion - TOR Domain - Likely Hive Endpoint

References

[1] https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant

[2] https://www.varonis.com/blog/hive-ransomware-analysis

[3] https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive 

[4]https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a

[5] https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html

[6] https://www.virustotal.com/gui/file/60f6a63e366e6729e97949622abd9de6d7988bba66f85a4ac8a52f99d3cb4764/detection

[7] https://heimdalsecurity.com/blog/what-is-hive-ransomware/

[8] https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/ 

Written by
Emily Megan Lim
Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Emily Megan Lim
Cyber Analyst

WSUS Exploited: Darktrace’s Analysis of Post-Exploitation Activities Related to CVE-2025-59287

Network
October 29, 2025
Emma Foulger
Global Threat Research Operations Lead
Watch the NIS2 Webinar
Trending blogs
1
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
Network
October 29, 2025

WSUS Exploited: Darktrace’s Analysis of Post-Exploitation Activities Related to CVE-2025-59287

In October 2025, Microsoft disclosed a critical vulnerability in its Windows Server Update Service (WSUS). This blog details Darktrace’s analysis of the vulnerability, focusing on two US customers where active exploitation was detected.
Emma Foulger
Global Threat Research Operations Lead
Read more
Network
October 23, 2025

Darktrace Redefines NDR: Industry-First Autonomous Threat Investigation from Network to Endpoint with Agentic AI

Darktrace delivers the next evolution of NDR, extending an industry-first bridge across the network and endpoint gap with Self-Learning AI.
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Read more
Network
October 9, 2025

Inside Akira’s SonicWall Campaign: Darktrace’s Detection and Response

Starting in July 2025, Akira ransomware attacks surged globally, targeting SonicWall SSL VPN devices. In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration. A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities.
Emily Megan Lim
Cyber Analyst
Read more

Blog

/

Network

/

October 30, 2025

WSUS Exploited: Darktrace’s Analysis of Post-Exploitation Activities Related to CVE-2025-59287

WSUS Exploited: Darktrace’s Analysis of Post-Exploitation Activities Related to CVE-2025-59287Default blog imageDefault blog image

Introduction

On October 14, 2025, Microsoft disclosed a new critical vulnerability affecting the Windows Server Update Service (WSUS), CVE-2025-59287.  Exploitation of the vulnerability could allow an unauthenticated attacker to remotely execute code [1][6].

WSUS allows for centralized distribution of Microsoft product updates [3]; a server running WSUS is likely to have significant privileges within a network making it a valuable target for threat actors. While WSUS servers are not necessarily expected to be open to the internet, open-source intelligence (OSINT) has reported  thousands of publicly exposed instances that may be vulnerable to exploitation [2].

Microsoft’s initial ‘Patch Tuesday’ update for this vulnerability did not fully mitigate the risk, and so an out-of-band update followed on October 23 [4][5] . Widespread exploitation of this vulnerability started to be observed shortly after the security update [6], prompting CISA to add CVE-2025-59287 to its Known Exploited Vulnerability Catalog (KEV) on October 24 [7].

Attack Overview

The Darktrace Threat Research team have recently identified multiple potential cases of CVE-2025-59287 exploitation, with two detailed here. While the likely initial access method is consistent across the cases, the follow-up activities differed, demonstrating the variety in which such a CVE can be exploited to fulfil each attacker’s specific goals.

The first signs of suspicious activity across both customers were detected by Darktrace on October 24, the same day this vulnerability was added to CISA’s KEV. Both cases discussed here involve customers based in the United States.

Case Study 1

The first case, involving a customer in the Information and Communication sector, began with an internet-facing device making an outbound connection to the hostname webhook[.]site. Observed network traffic indicates the device was a WSUS server.

OSINT has reported abuse of the workers[.]dev service in exploitation of CVE-2025-59287, where enumerated network information gathered through running a script on the compromised device was exfiltrated using this service [8].

In this case, the majority of connectivity seen to webhook[.]site involved a PowerShell user agent; however, cURL user agents were also seen with some connections taking the form of HTTP POSTs. This connectivity appears to align closely with OSINT reports of CVE-2025-59287 post-exploitation behaviour [8][9].

Connections to webhook[.]site continued until October 26. A single URI was seen consistently until October 25, after which the connections used a second URI with a similar format.

Later on October 26, an escalation in command-and-control (C2) communication appears to have occurred, with the device starting to make repeated connections to two rare workers[.]dev subdomains (royal-boat-bf05.qgtxtebl.workers[.]dev & chat.hcqhajfv.workers[.]dev), consistent with C2 beaconing. While workers[.]dev is associated with the legitimate Cloudflare Workers service, the service is commonly abused by malicious actors for C2 infrastructure. The anomalous nature of the connections to both webhook[.]site and workers[.]dev led to Darktrace generating multiple alerts including high-fidelity Enhanced Monitoring alerts and alerts for Darktrace’s Autonomous Response.

Infrastructure insight

Hosted on royal-boat-bf05.qgtxtebl.workers[.]dev is a Microsoft Installer file (MSI) named v3.msi.

Screenshot of v3.msi content.
Figure 1: Screenshot of v3.msi content.

Contained in the MSI file is two Cabinet files named “Sample.cab” and “part2.cab”. After extracting the contents of the cab files, a file named “Config” and a binary named “ServiceEXE”. ServiceEXE is the legitimate DFIR tool Velociraptor, and “Config” contains the configuration details, which include chat.hcqhajfv.workers[.]dev as the server_url, suggesting that Velociraptor is being used as a tunnel to the C2. Additionally, the configuration points to version 0.73.4, a version of Velociraptor that is vulnerable to CVE-2025-6264, a privilege escalation vulnerability.

Screenshot of Config file.
Figure 2: Screenshot of Config file.

Velociraptor, a legitimate security tool maintained by Rapid7, has been used recently in malicious campaigns. A vulnerable version of tool has been used by threat actors for command execution and endpoint takeover, while other campaigns have used Velociraptor to create a tunnel to the C2, similar to what was observed in this case [10] .

The workers[.]dev communication continued into the early hours of October 27. The most recent suspicious behavior observed on the device involved an outbound connection to a new IP for the network - 185.69.24[.]18/singapure - potentially indicating payload retrieval.

The payload retrieved from “/singapure” is a UPX packed Windows binary. After unpacking the binary, it is an open-source Golang stealer named “Skuld Stealer”. Skuld Stealer has the capabilities to steal crypto wallets, files, system information, browser data and tokens. Additionally, it contains anti-debugging and anti-VM logic, along with a UAC bypass [11].

A timeline outlining suspicious activity on the device alerted by Darktrace.
Figure 3: A timeline outlining suspicious activity on the device alerted by Darktrace.

Case Study 2

The second case involved a customer within the Education sector. The affected device was also internet-facing, with network traffic indicating it was a WSUS server

Suspicious activity in this case once again began on October 24, notably only a few seconds after initial signs of compromise were observed in the first case. Initial anomalous behaviour also closely aligned, with outbound PowerShell connections to webhook[.]site, and then later connections, including HTTP POSTs, to the same endpoint with a cURL user agent.

While Darktrace did not observe any anomalous network activity on the device after October 24, the customer’s security integration resulted in an additional alert on October 27 for malicious activity, suggesting that the compromise may have continued locally.

By leveraging Darktrace’s security integrations, customers can investigate activity across different sources in a seamless manner, gaining additional insight and context to an attack.

A timeline outlining suspicious activity on the device alerted by Darktrace.
Figure 4: A timeline outlining suspicious activity on the device alerted by Darktrace.

Conclusion

Exploitation of a CVE can lead to a wide range of outcomes. In some cases, it may be limited to just a single device with a focused objective, such as exfiltration of sensitive data. In others, it could lead to lateral movement and a full network compromise, including ransomware deployment. As the threat of internet-facing exploitation continues to grow, security teams must be prepared to defend against such a possibility, regardless of the attack type or scale.

By focussing on detection of anomalous behaviour rather than relying on signatures associated with a specific CVE exploit, Darktrace is able to alert on post-exploitation activity regardless of the kind of behaviour seen. In addition, leveraging security integrations provides further context on activities beyond the visibility of Darktrace / NETWORKTM, enabling defenders to investigate and respond to attacks more effectively.

With adversaries weaponizing even trusted incident response tools, maintaining broad visibility and rapid response capabilities becomes critical to mitigating post-exploitation risk.

Credit to Emma Foulger (Global Threat Research Operations Lead), Tara Gould (Threat Research Lead), Eugene Chua (Principal Cyber Analyst & Analyst Team Lead), Nathaniel Jones (VP, Security & AI Strategy, Field CISO),

Edited by Ryan Traill (Analyst Content Lead)

Appendices

References

1.        https://nvd.nist.gov/vuln/detail/CVE-2025-59287

2.    https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-windows-server-wsus-flaw-in-attacks/

3.    https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus

4.    https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve

5.    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

6.    https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html

7.    https://www.cisa.gov/known-exploited-vulnerabilities-catalog

8.    https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability

9.    https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/

10. https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/

11. https://github.com/hackirby/skuld

Darktrace Model Detections

·       Device / New PowerShell User Agent

·       Anomalous Connection / Powershell to Rare External

·       Compromise / Possible Tunnelling to Bin Services

·       Compromise / High Priority Tunnelling to Bin Services

·       Anomalous Server Activity / New User Agent from Internet Facing System

·       Device / New User Agent

·       Device / Internet Facing Device with High Priority Alert

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

·       Anomalous Server Activity / Rare External from Server

·       Compromise / Agent Beacon (Long Period)

·       Device / Large Number of Model Alerts

·       Compromise / Agent Beacon (Medium Period)

·       Device / Long Agent Connection to New Endpoint

·       Compromise / Slow Beaconing Activity To External Rare

·       Security Integration / Low Severity Integration Detection

·       Antigena / Network / Significant Anomaly / Antigena Alerts Over Time Block

·       Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

·       Antigena / Network / External Threat / Antigena Suspicious Activity Block

·       Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

List of Indicators of Compromise (IoCs)

IoC - Type - Description + Confidence

o   royal-boat-bf05.qgtxtebl.workers[.]dev – Hostname – Likely C2 Infrastructure

o   royal-boat-bf05.qgtxtebl.workers[.]dev/v3.msi - URI – Likely payload

o   chat.hcqhajfv.workers[.]dev – Hostname – Possible C2 Infrastructure

o   185.69.24[.]18 – IP address – Possible C2 Infrastructure

o   185.69.24[.]18/bin.msi - URI – Likely payload

o   185.69.24[.]18/singapure - URI – Likely payload

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead

Blog

/

/

October 24, 2025

Patch Smarter, Not Harder: Now Empowering Security Teams with Business-Aligned Threat Context Agents

Patch Smarter, Not Harder: Now Empowering Security Teams with Business-Aligned Threat Context Agents Default blog imageDefault blog image

Most risk management programs remain anchored in enumeration: scanning every asset, cataloging every CVE, and drowning in lists that rarely translate into action. Despite expensive scanners, annual pen tests, and countless spreadsheets, prioritization still falters at two critical points.

Context gaps at the device level: It’s hard to know which vulnerabilities actually matter to your business given existing privileges, what software it runs, and what controls already reduce risk.

Business translation: Even when the technical priority is clear, justifying effort and spend in financial terms—especially across many affected devices—can delay action. Especially if it means halting other areas of the business that directly generate revenue.

The result is familiar: alert fatigue, “too many highs,” and remediation that trails behind the threat landscape. Darktrace / Proactive Exposure Management addresses this by pairing precise, endpoint‑level context with clear, financial insight so teams can prioritize confidently and mobilize faster.

A powerful combination: No-Telemetry Endpoint Agent + Cost-Benefit Analysis

Darktrace / Proactive Exposure Management now uniquely combines technical precision with business clarity in a single workflow.  With this release, Darktrace / Proactive Exposure Management delivers a more holistic approach, uniting technical context and financial insight to drive proactive risk reduction. The result is a single solution that helps security teams stay ahead of threats while reducing noise, delays, and complexity.

  • No-Telemetry Endpoint: Collects installed software data and maps it to known CVEs—without network traffic—providing device-level vulnerability context and operational relevance.
  • Cost-Benefit Analysis for Patching: Calculates ROI by comparing patching effort with potential exploit impact, factoring in headcount time, device count, patch difficulty, and automation availability.

Introducing the No-Telemetry Endpoint Agent

Darktrace’s new endpoint agent inventories installed software on devices and maps it to known CVEs without collecting network data so you can prioritize using real device context and available security controls.

By grounding vulnerability findings in the reality of each endpoint, including its software footprint and existing controls, teams can cut through generic severity scores and focus on what matters most. The agent is ideal for remote devices, BYOD-adjacent fleets, or environments standardizing on Darktrace, and is available without additional licensing cost.

Darktrace / Proactive Exposure Management user interface
Figure 1: Darktrace / Proactive Exposure Management user interface

Built-In Cost-Benefit Analysis for Patching

Security teams often know what needs fixing but stakeholders need to understand why now. Darktrace’s new cost-benefit calculator compares the total cost to patch against the potential cost of exploit, producing an ROI for the patch action that expresses security action in clear financial terms.

Inputs like engineer time, number of affected devices, patch difficulty, and automation availability are factored in automatically. The result is a business-aligned justification for every patching decision—helping teams secure buy-in, accelerate approvals, and move work forward with one-click ticketing, CSV export, or risk acceptance.

Darktrace / Proactive Exposure Management Cost Benefit Analysis
Figure 2: Darktrace / Proactive Exposure Management Cost Benefit Analysis

A Smarter, Faster Approach to Exposure Management

Together, the no-telemetry endpoint and Cost–Benefit Analysis advance the CTEM motion from theory to practice. You gain higher‑fidelity discovery and validation signals at the device level, paired with business‑ready justification that accelerates mobilization. The result is fewer distractions, clearer priorities, and faster measurable risk reduction. This is not from chasing every alert, but by focusing on what moves the needle now.

  • Smarter Prioritization: Device‑level context trims noise and spotlights the exposures that matter for your business.
  • Faster Decisions: Built‑in ROI turns technical urgency into executive clarity—speeding approvals and action.
  • Practical Execution: Privacy‑conscious endpoint collection and ticketing/export options fit neatly into existing workflows.
  • Better Outcomes: Close the loop faster—discover, prioritize, validate, and mobilize—on the same operating surface.

Committed to innovation

These updates are part of the broader Darktrace release, which also included:

1. Major innovations in cloud security with the launch of the industry’s first fully automated cloud forensics solution, reinforcing Darktrace’s leadership in AI-native security.

2. Darktrace Network Endpoint eXtended Telemetry (NEXT) is revolutionizing NDR with the industry’s first mixed-telemetry agent using Self-Learning AI.

3. Improvements to our OT product, purpose built for industrial infrastructure, Darktrace / OT now brings dedicated OT dashboard, segmentation-aware risk modeling, and expanded visibility into edge assets and automation protocols.

Join our Live Launch Event

When? 

December 9, 2025

What will be covered?

Join our live broadcast to experience how Darktrace is eliminating blind spots for detection and response across your complete enterprise with new innovations in Agentic AI across our ActiveAI Security platform. Industry leaders from IDC will join Darktrace customers to discuss challenges in cross-domain security, with a live walkthrough reshaping the future of Network Detection & Response, Endpoint Detection & Response, Email Security, and SecOps in novel threat detection and autonomous investigations.

Continue reading
About the author
Kelland Goodin
Product Marketing Specialist
Your data. Our AI.
Elevate your network security with Darktrace AI