The latest release of Darktrace / OT brings powerful new innovations to security teams defending industrial infrastructure. With a dedicated OT dashboard, segmentation-aware risk modeling, and expanded visibility into edge assets and automation protocols, Darktrace / OT empowers engineers and defenders with the context and control they need to protect today’s converged environments, from IT to the industrial edge.

Phishing emails from compromised vendors are increasingly difficult to distinguish from genuine correspondence. They challenge workers, security teams and traditional email SEGs alike. Anomaly detection can be a game-changer in spotting the subtle signs of these meticulous attacks.

Following the announcement of Darktrace / Forensic Acquisition & Investigation, we’re excited to share how Darktrace / CLOUD is evolving to deliver a truly unified approach to cloud security. For the first time, security teams can detect novel cloud threats in real time, automatically investigate them with forensic depth, and respond decisively — all within a single solution built for hybrid and multi-cloud environments.

The launch of Darktrace / Forensic Acquisition & Investigation marks a breakthrough moment for cloud security, bringing automated forensic investigations — once reserved for the largest organizations and specialized DFIR teams — to security teams of every size.

Darktrace exposed a cybercrime-as-a-service campaign using Python and Go-based malware, Docker containerization, and a full operator UI. With DDoS-as-a-service features, modular APIs, and advanced evasion, this platform highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.

The Canadian federal Government introduced Bill C-8 which would enact the Critical Cyber Systems Protection Act (CCSPA). The CCSPA will formalize baseline cybersecurity duties for operators in federally regulated critical sectors.

Cado Security (now part of Darktrace) analyzed "Cthulhu Stealer," a macOS malware-as-a-service written in Go. It impersonates legitimate software, prompts for user and MetaMask passwords, and steals credentials, cryptocurrency wallets, and game accounts. Functionally similar to Atomic Stealer, Cthulhu was rented via an underground marketplace, but its operators faced complaints and a ban for alleged exit scamming.

Cloud has changed everything, but investigations haven’t kept up. With breaches hitting cloud data and attackers moving faster than ever, legacy forensics are too slow, too manual, and too fragmented. It’s time for a cloud-first approach: automated, unified, and built for today’s speed of attack.

Cado researchers (now part of Darktrace) identified a campaign by the threat actor Diicot, focusing on SSH brute-forcing and cryptojacking. Diicot utilizes custom tools, modified packers, and Discord for C2, and has expanded its capabilities to include doxxing and DDoS attacks via a Mirai-based botnet.

Cado Security Labs researchers (now part of Darktrace) encountered Legion, an emerging Python-based credential harvester and hacktool. Legion exploits various services for the purpose of email abuse.

Cado Labs (now part of Darktrace) discovered an updated version of the Legion hacktool. This new iteration has enhanced capabilities, including SSH abuse and exploiting additional AWS services like DynamoDB, CloudWatch, and AWS Owl, by harvesting credentials from misconfigured web servers.

SEO poisoning is a malicious tactic where threat actors manipulate search engine rankings to promote deceptive websites. These sites often mimic legitimate software downloads, delivering malware like the Oyster backdoor. Learn about Darktrace’s investigation into the tactics used to deliver Oyster via fake PuTTY sites and manipulate search visibility.

Cado Security Labs (now part of Darktrace) identified two new campaigns exploiting misconfigured Selenium Grid instances for cryptomining and proxyjacking. Attackers injected scripts to deploy reverse shells, IPRoyal Pawn, EarnFM, TraffMonetizer, and WatchTower for proxyjacking, and a Golang binary to install a cryptominer. These attacks highlight the critical need for Selenium Grid users to enable authentication.

Unifying network and email security closes critical gaps in your defenses, enabling faster detection, investigation, and response. Discover how an integrated, AI-driven approach strengthens protection across the entire attack lifecycle.

This blog details a simulation of a ransomware attack that bypassed EDR, simulated via a ClickFix social engineering technique. The attack used an obfuscated HTML and custom C++ binary to encrypt files and establish a reverse shell. Cado's forensic platform then demonstrated how to trace the attack chain, highlighting the need for robust DFIR beyond EDR.

Darktrace identified anomalous activity within its customer base linked to a supply chain attack exploiting Salesloft integrations in August 2025. Learn about the campaign and how Darktrace detects and responds to such threats using AI-driven threat detection and Autonomous Response capabilities.

Cado Security Labs (now part of Darktrace) identified a "Meeten" campaign deploying a cross-platform (macOS/Windows) infostealer called Realst. Threat actors create fake Web3 companies with AI-generated content and social media to trick targets into downloading malicious meeting applications.

"Commando Cat" is a novel cryptojacking campaign exploiting exposed Docker API endpoints. This campaign demonstrates the continued determination attackers have to exploit the service and achieve a variety of objectives.

Migo is a cryptojacking campaign targeting Redis servers, that uses novel system-weakening techniques for initial access. It deploys a Golang ELF binary for cryptocurrency mining, which employs compile-time obfuscation and achieves persistence on Linux hosts. Migo also utilizes a modified user-mode rootkit to hide its processes and on-disk artifacts, complicating analysis and forensics.

Signature-based detection has been a mainstay of IT security for decades, but the unique realities of operational technology (OT) environments make it a poor return on investment for power utilities. While signatures can still provide value for commodity IT malware, they fail against insider misuse, zero-day exploits, and custom-built malware designed for grid operations. Historical evidence shows signatures rarely generalize across different utilities, and overreliance creates strategic blind spots. To effectively defend critical energy infrastructure, utilities should prioritize behavioral analytics, anomaly detection, and intelligence sharing across the community.

A practical guide to the key detection and response updates in CAF v4.0, including anomaly-based detection, machine-led threat hunting, and proactive security posture requirements.

Cado Security Labs identified a GuLoader campaign targeting European industrial companies via spearphishing emails with compressed batch files. This malware uses obfuscated PowerShell scripts and shellcode with anti-debugging techniques to establish persistence and inject into legitimate processes, to deliver Remote Access Trojans. GuLoader's ongoing evolution highlights the need for robust security.

Cado Security Labs (now part of Darktrace) identified a Docusign spearphishing campaign targeting tech executives. Attackers use compromised Japanese business emails and malicious links redirecting to credential-stealing sites. The campaign leverages obfuscated JavaScript to mimic legitimate login pages, aiming to steal credentials for further attacks like BEC scams.

Cado Security Labs (now part of Darktrace) identified Triton RAT, a Python-based open-source tool controlled via Telegram.

Cado Security Labs (now part of Darktrace) identified a malware campaign targeting the Royal Thai Police, attributed to Chinese APT group Mustang Panda. The campaign uses a disguised LNK file and PDF decoy to deliver the Yokai backdoor.