This blog introduces new innovations in Darktrace / Proactive Exposure Management that bring precision and clarity to vulnerability prioritization. Learn how No-Telemetry Endpoints provide real device context without network data and how new Cost-Benefit Analysis capabilities quantify patching ROI—helping teams cut noise, act faster, and strengthen proactive risk management.

This blog explores how Continuous Threat Exposure Management (CTEM) is reshaping defense strategies and how new Darktrace / Attack Surface Management capabilities, including Exploit Prediction Assessment and Deep & Dark Web Monitoring, help organizations turn CTEM from strategy into action.

Darktrace delivers the next evolution of NDR, extending an industry-first bridge across the network and endpoint gap with Self-Learning AI.

Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Darktrace recently identified early-stage intrusion activity consistent with Salt Typhoon’s tactics, reinforcing the importance of anomaly-based detection over traditional signature-based methods when defending against persistent, state-sponsored threat.

This civil engineering company maintains much of the highway infrastructure across the UK. After legacy tools failed to stop advanced email threats, the company adopted Darktrace’s AI, which autonomously detected and neutralized attacks—proving its value and driving broader deployment.

Starting in July 2025, Akira ransomware attacks surged globally, targeting SonicWall SSL VPN devices. In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration. A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities.

The latest release of Darktrace / OT brings powerful new innovations to security teams defending industrial infrastructure. With a dedicated OT dashboard, segmentation-aware risk modeling, and expanded visibility into edge assets and automation protocols, Darktrace / OT empowers engineers and defenders with the context and control they need to protect today’s converged environments, from IT to the industrial edge.

Phishing emails from compromised vendors are increasingly difficult to distinguish from genuine correspondence. They challenge workers, security teams and traditional email SEGs alike. Anomaly detection can be a game-changer in spotting the subtle signs of these meticulous attacks.

Following the announcement of Darktrace / Forensic Acquisition & Investigation, we’re excited to share how Darktrace / CLOUD is evolving to deliver a truly unified approach to cloud security. For the first time, security teams can detect novel cloud threats in real time, automatically investigate them with forensic depth, and respond decisively — all within a single solution built for hybrid and multi-cloud environments.

The launch of Darktrace / Forensic Acquisition & Investigation marks a breakthrough moment for cloud security, bringing automated forensic investigations — once reserved for the largest organizations and specialized DFIR teams — to security teams of every size.

Darktrace exposed a cybercrime-as-a-service campaign using Python and Go-based malware, Docker containerization, and a full operator UI. With DDoS-as-a-service features, modular APIs, and advanced evasion, this platform highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.

The Canadian federal Government introduced Bill C-8 which would enact the Critical Cyber Systems Protection Act (CCSPA). The CCSPA will formalize baseline cybersecurity duties for operators in federally regulated critical sectors.

Cado Security (now part of Darktrace) analyzed "Cthulhu Stealer," a macOS malware-as-a-service written in Go. It impersonates legitimate software, prompts for user and MetaMask passwords, and steals credentials, cryptocurrency wallets, and game accounts. Functionally similar to Atomic Stealer, Cthulhu was rented via an underground marketplace, but its operators faced complaints and a ban for alleged exit scamming.

Cloud has changed everything, but investigations haven’t kept up. With breaches hitting cloud data and attackers moving faster than ever, legacy forensics are too slow, too manual, and too fragmented. It’s time for a cloud-first approach: automated, unified, and built for today’s speed of attack.

Cado researchers (now part of Darktrace) identified a campaign by the threat actor Diicot, focusing on SSH brute-forcing and cryptojacking. Diicot utilizes custom tools, modified packers, and Discord for C2, and has expanded its capabilities to include doxxing and DDoS attacks via a Mirai-based botnet.

Cado Security Labs researchers (now part of Darktrace) encountered Legion, an emerging Python-based credential harvester and hacktool. Legion exploits various services for the purpose of email abuse.

Cado Labs (now part of Darktrace) discovered an updated version of the Legion hacktool. This new iteration has enhanced capabilities, including SSH abuse and exploiting additional AWS services like DynamoDB, CloudWatch, and AWS Owl, by harvesting credentials from misconfigured web servers.

SEO poisoning is a malicious tactic where threat actors manipulate search engine rankings to promote deceptive websites. These sites often mimic legitimate software downloads, delivering malware like the Oyster backdoor. Learn about Darktrace’s investigation into the tactics used to deliver Oyster via fake PuTTY sites and manipulate search visibility.

Cado Security Labs (now part of Darktrace) identified two new campaigns exploiting misconfigured Selenium Grid instances for cryptomining and proxyjacking. Attackers injected scripts to deploy reverse shells, IPRoyal Pawn, EarnFM, TraffMonetizer, and WatchTower for proxyjacking, and a Golang binary to install a cryptominer. These attacks highlight the critical need for Selenium Grid users to enable authentication.

Unifying network and email security closes critical gaps in your defenses, enabling faster detection, investigation, and response. Discover how an integrated, AI-driven approach strengthens protection across the entire attack lifecycle.

This blog details a simulation of a ransomware attack that bypassed EDR, simulated via a ClickFix social engineering technique. The attack used an obfuscated HTML and custom C++ binary to encrypt files and establish a reverse shell. Cado's forensic platform then demonstrated how to trace the attack chain, highlighting the need for robust DFIR beyond EDR.

Darktrace identified anomalous activity within its customer base linked to a supply chain attack exploiting Salesloft integrations in August 2025. Learn about the campaign and how Darktrace detects and responds to such threats using AI-driven threat detection and Autonomous Response capabilities.

Cado Security Labs (now part of Darktrace) identified a "Meeten" campaign deploying a cross-platform (macOS/Windows) infostealer called Realst. Threat actors create fake Web3 companies with AI-generated content and social media to trick targets into downloading malicious meeting applications.

"Commando Cat" is a novel cryptojacking campaign exploiting exposed Docker API endpoints. This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives.

Migo is a cryptojacking campaign targeting Redis servers, that uses novel system-weakening techniques for initial access. It deploys a Golang ELF binary for cryptocurrency mining, which employs compile-time obfuscation and achieves persistence on Linux hosts. Migo also utilizes a modified user-mode rootkit to hide its processes and on-disk artifacts, complicating analysis and forensics.