ブログ
/
Network
/
August 2, 2023

Darktrace's Detection of Ransomware & Syssphinx

Read how Darktrace identified an attack technique by the threat group, Syssphinx. Learn how Darktrace's quick identification process can spot a threat.
Written by
Adam Potter
Senior Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Potter
Senior Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Aug 2023

Introduction

As the threat of costly cyber-attacks continues represent a real concern to security teams across the threat landscape, more and more organizations are strengthening their defenses with additional security tools to identify attacks and protect their networks. As a result, malicious actors are being forced to adapt their tactics, modify existing variants of malicious software, or utilize entirely new variants.  

Symantec recently released an article about Syssphinx, the financially motivated cyber threat group previously known for their point-of-sale attacks. Syssphinx attempts to deploy ransomware on customer networks via a modified version of their ‘Sardonic’ backdoor. Such activity highlights the ability of threat actors to alter the composition and presentation of payloads, tools, and tactics.

Darktrace recently detected some of the same indicators suggesting a likely Syssphinx compromise within the network of a customer trialing the Darktrace DETECT™ and RESPOND™ products. Despite the potential for variations in the construction of backdoors and payloads used by the group, Darktrace’s anomaly-based approach to threat detection allowed it to stitch together a detailed account of compromise activity and identify the malicious activity prior to disruptive events on the customer’s network.

What is Syssphinx?

Syssphinx is a notorious cyber threat entity known for its financially motivated compromises.  Also referred to as FIN8, Syssphinx has been observed as early as 2016 and is largely known to target private sector entities in the retail, hospitality, insurance, IT, and financial sectors.[1]

Although Syssphinx primarily began focusing on point-of-sale style attacks, the activity associated with the group has more recently incorporated ransomware variants into their intrusions in a potential bid to further extract funds from target organizations.[2]

Syssphinx Sardonic Backdoor

Given this gradual opportunistic incorporation of ransomware, it should not be surprising that Syssphinx has slowly expanded its repertoire of tools.  When primarily performing point-of-sale compromises, the group was known for its use of point-of-sale specific malwares including BadHatch, PoSlurp/PunchTrack, and PowerSniff/PunchBuggy/ShellTea.[3]

However, in a seeming response to updates in detection systems while using previous indicators of compromise (IoCs), Syssphinx began to modify its BadHatch malware.  This resulted in the use of a C++ derived backdoor known as “Sardonic”, which has the ability to aggregate host credentials, spawn additional command sessions, and deliver payloads to compromised devices via dynamic-link library (DLL).[4],[5]

Analysis of the latest version of Sardonic reveals further changes to the malware to elude detection. These shifts include the implementation of the backdoor in the C programming language, and additional over-the-network communication obfuscation techniques. [6]

During the post-exploitation phase, the group tends to rely on “living-off-the-land” tactics, whereby an attacker utilizes tools already present within the organization’s digital environment to avoid detection. Syssphinx seems to utilize system-native tools such as PowerShell and the Windows Management Instrumentation (WMI) interface.[7] It is also not uncommon to see Windows-based vulnerability exploits employed on compromised devices. This has been observed by researchers who have examined previous iterations of Syssphinx backdoors.[8] Syssphinx also appears to exhibit elements of strategic patience and discipline in its operations, with significant time gaps in operations noted by researchers. During this time, it appears likely that updates and tweaks were applied to Syssphinx payloads.

Compromise Details

In late April 2023, Darktrace identified an active compromise on the network of a prospective customer who was trialing Darktrace DETECT+RESPOND. The customer, a retailer in EMEA with hundreds of tracked devices, reached out to the Darktrace Analyst team via the Ask the Expert (ATE) service for support and further investigation, following the encryption of their server and backup data storage in an apparent ransomware attack. Although the encryption events fell outside Darktrace’s purview due to a limited set up of trial appliances, Darktrace was able to directly track early stages of the compromise before exfiltration and encryption events began. If a full deployment had been set up and RESPOND functionality had been configured in autonomous response mode, Darktrace may have helped mitigate such encryption events and would have aided in the early identification of this ransomware attack.

Initial Intrusion and Establishment of Command and Control (C2) Infrastructure

As noted by security researchers, Syssphinx largely relies on social engineering and phishing emails to deliver its backdoor payloads. As there were no Darktrace/Email™ products deployed for this customer, it would be difficult to directly observe the exact time and manner of initial payload delivery related to this compromise. This is compounded by the fact that the customer had only recently began using Darktrace’s products during their trial period. Given the penchant for patience and delay by Syssphinx, it is possible that the intrusion began well before Darktrace had visibility of the organization’s network.

However, beginning on April 30, 2023, at 07:17:31 UTC, Darktrace observed the domain controller dc01.corp.XXXX  making repeated SSL connections to the endpoint 173-44-141-47[.]nip[.]io. In addition to the multiple open-source intelligence (OSINT) flags for this endpoint, the construction of the domain parallels that of the initial domain used to deliver a backdoor, as noted by Symantec in their analysis (37-10-71-215[.]nip[.]io). This activity likely represented the initial beaconing being performed by the compromised device. Additionally, an elevated level of incoming external data over port 443 was observed during this time, which may be associated with the delivery of the Sardonic backdoor payload. Given the unusual use of port 443 to perform SSH connections later seen in the kill chain of this attack, this activity could also parallel the employment of embedded backdoor payloads seen in the latest iteration of the Sardonic backdoor noted by Symantec.

Figure 1: Graph of the incoming external data surrounding the time of the initial establishment of command and control communication for the domain controller. As seen in the graph, the spike in incoming external data during this time may parallel the delivery of Syssphinx Sardonic backdoor.

Regardless, the domain controller proceeded to make repeated connections over port 443 to the noted domain.

Figure 2: Breach event log for the domain controller making repeated connections over port 443 to the rare external destination endpoint in constitute the establishment of C2 communication.

Internal Reconnaissance/Privilege Escalation

Following the establishment of C2 communication, Darktrace detected numerous elements of internal reconnaissance. On Apr 30, 2023, at 22:06:26 UTC, the desktop device desktop_02.corp.XXXX proceeded to perform more than 100 DRSGetNCChanges requests to the aforementioned domain controller. These commands, which are typically implemented over the RPC protocol on the DRSUAPI interface, are frequently utilized in Active Directory sync attacks to copy Active Directory information from domain controllers. Such activity, when not performed by new domain controllers to sync Active Directory contents, can indicate malicious domain or user enumeration, credential compromise or Active Directory enumeration.

Although the affected device made these requests to the previously noted domain controller, which was already compromised, such activity may have further enabled the compromise by allowing the threat actor to transfer these details to a more easily manageable device.

The device performing these DRSGetNCChanges requests would later be seen performing lateral movement activity and making connections to malicious endpoints.

Figure 3: Breach log highlighting the DRS operations performed by the corporate device to the destination domain controller. Such activity is rarely authorized for devices not tagged as administrative or as domain controllers.

Execution and Lateral Movement

At 23:09:53 UTC on April 30, 2023, the original domain server proceeded to make multiple uncommon WMI calls to a destination server on the same subnet (server01.corp.XXXX). Specifically, the device was observed making multiple RPC calls to IWbem endpoints on the server, which included login and ExecMethod (method execution) commands on the destination device. This destination device later proceeded to conduct additional beaconing activity to C2 endpoints and exfiltrate data.

Figure 4: Breach log for the domain controller performing WMI commands to the destination server during the lateral movement phase of the breach.

Similarly, beginning on May 1, 2023, at 00:11:09 UTC, the device desktop_02.corp.XXXX made multiple WMI requests to two additional devices, one server and one desktop, within the same subnet as the original domain controller. During this time, desktop_02.corp.XXXX  also utilized SMBv1, an outdated and typically non-compliant version communication protocol, to write the file rclone.exe to the same two destination devices. Rclone.exe, and its accompanying bat file, is a command-line tool developed by IT provider Rclone, to perform file management tasks. During this time, Darktrace also observed the device reading and deleting an unexpected numeric file on the ADMIN$ of the destination server, which may represent additional defense evasion techniques and tool staging.

Figure 5: Event log highlighting the writing of rclone.exe using the outdated SMBv1 communication protocol.
Figure 6: SMB logs indicating the reading and deletion of numeric string files on ADMIN$ shares of the destination devices during the time of the rclone.exe SMB writes. Such activity may be associated with tool staging and could indicate potential defense evasion techniques.

Given that the net loader sample analyzed by Symantec injects the backdoor into a WmiPrvSE.exe process, the use of WMI operations is not unexpected. Employment of WMI also correlates with the previously mentioned “living-off-the-land” tactics, as WMI services are commonly used for regular network and system administration purposes. Moreover, the staging of rclone.exe, a legitimate file management tool, for data exfiltration underscores attempts to blend into existing and expected network traffic and remain undetected on the customer’s network.

Data Exfiltration and Impact

Initial stages of data exfiltration actually began prior to some of the lateral movement events described above. On April 30, 2023, 23:09:47 the device server01.corp.XXXX, transferred nearly 11 GB of data to 173.44[.]141[.]47, as well as to the rare external IP address 170.130[.]55[.]77, which appears to have served as the main exfiltration destination during this compromise. Furthermore, the host made repeated connections to the same external IP associated with the initial suspicious beaconing activity (173.44[.]141[.]47) over SSL.

While the data exfiltration event unfolded, the device, server01.corp.XXXX, made multiple HTTP requests to 37.10[.]71[.]215, which featured URIs requesting the rclone.exe and rclone.bat files. This IP address was directly involved in the sample analyzed by Symantec. Furthermore, one of the devices that received the SMB file writes of rclone.exe and the WMI commands from desktop_02.corp.XXXX also performed SSL beaconing to endpoints associated with the compromise.

Between 01:20:45 - 03:31:41 UTC on May 1, 2023, a Darktrace detected a series of devices on the network performing a repeated pattern of activity, namely external connectivity followed by suspicious file downloads and external data transfer operations. Specifically, each affected device made multiple HTTP requests to 37.10[.]71[.]215 for rclone files. The devices proceeded to download the executable and/or binary files, and then transfer large amounts of data to the aforementioned endpoints, 170.130[.]55[.]77 and or 173-44-141-47[.]nip[.]io. Although the devices involved in data exfiltration utilized port 443 as a destination port, the connections actually used the SSH protocol. Darktrace recognized this behavior as unusual as port 443 is typically associated with the SSL protocol, while port 22 is reserved for SSH. Therefore, this activity may represent the threat actor’s attempts to remain undetected by security tools.

This unexpected use of SSH over port 443 also correlates with the descriptions of the new Sardonic backdoor according to threat researchers. Further beaconing and exfiltration activity was performed by an additional host one day later whereby the device made suspicious repeated connections to the aforementioned external hosts.

Figure 7: Connection details highlighting the use of port 443 for SSH connections during the exfiltration events.

In total, nine separate devices were involved in this pattern of activity. Five of these devices were labeled as ‘administrative’ devices according to their hostnames. Over the course of the entire exfiltration event, the attackers exfiltrated almost 61 GB of data from the organization’s environment.

Figure 8: Graph showing the levels of external data transfer from a breach device for one day on either side of the breach time. There is a large spike in such activity during the time of the breach that underscores the exfiltration events.

In addition to the individual anomaly detections by DETECT, Darktrace’s Cyber AI Analyst™ launched an autonomous investigation into the unusual behavior carried out by affected devices, connecting and collating multiple security events into one AI Analyst Incident. AI Analyst ensures that Darktrace can recognize and link the individual steps of a wider attack, rather than just identifying isolated incidents. While traditional security tools may mistake individual breaches as standalone activity, Darktrace’s AI allows it to provide unparalleled visibility over emerging attacks and their kill chains. Furthermore, Cyber AI Analyst’s instant autonomous investigations help to save customer security teams invaluable time in triaging incidents in comparison with human teams who would have to commit precious time and resources to conduct similar pattern analysis.

In this specific case, AI Analyst identified 44 separate security events from 18 different devices and was able to tie them together into one incident. The events that made up this AI Analyst Incident included:

  • Possible SSL Command and Control
  • Possible HTTP Command and Control
  • Unusual Repeated Connections
  • Suspicious Directory Replication ServiceActivity
  • Device / New or Uncommon WMI Activity
  • SMB Write of Suspicious File
  • Suspicious File Download
  • Unusual External Data Transfer
  • Unusual External Data Transfer to MultipleRelated Endpoints
Figure 9: Cyber AI Incident log highlighting multiple unusual anomalies and connecting them into one incident.

Had Darktrace RESPOND been enabled in autonomous response mode on the network of this prospective customer, it would have been able to take rapid mitigative action to block the malicious external connections used for C2 communication and subsequent data exfiltration, ideally halting the attack at this stage. As previously discussed, the limited network configuration of this trial customer meant that the encryption events unfortunately took place outside of Darktrace’s scope. When fully configured on a customer environment, Darktrace DETECT can identify such encryption attempts as soon as they occur. Darktrace RESPOND, in turn, would be able to immediately intervene by applying preventative actions like blocking internal connections that may represent file encryption, or limiting potentially compromised devices to a previously established pattern of life, ensuring they cannot carry out any suspicious activity.

Conclusion

Despite the limitations posed by the customer’s trial configuration, Darktrace demonstrated its ability to detect malicious activity associated with Syssphinx and track it across multiple stages of the kill chain.

Darktrace’s ability to identify the early stages of a compromise and various steps of the kill chain, highlights the necessity for machine learning-enabled, anomaly-based detection. In the face of threats such as Syssphinx, that exhibit the propensity to recast backdoor payloads and incorporate on “living-off-the-land” tactics, signatures and rules-based detection may not prove as effective. While Syssphinx and other threat groups will continue to adopt new tools, methods, and techniques, Darktrace’s Self-Learning AI is uniquely positioned to meet the challenge of such threats.

Appendix

DETECT Model Breaches Observed

•      Anomalous Server Activity / Anomalous External Activity from Critical Network Device

•      Anomalous Connection / Anomalous DRSGetNCChanges Operation

•      Device / New or Uncommon WMI Activity

•      Compliance / SMB Drive Write

•      Anomalous Connection / Data Sent to Rare Domain

•      Anomalous Connection / Uncommon 1 GiB Outbound

•      Unusual Activity / Unusual External Data Transfer

•      Unusual Activity / Unusual External Data to New Endpoints

•      Compliance / SSH to Rare External Destination

•      Anomalous Connection / Unusual SMB Version 1 Connectivity

•      Anomalous File / EXE from Rare External Location

•      Anomalous File / Script from Rare External Location

•      Compromise / Suspicious File and C2

•      Device / Initial Breach Chain Compromise

AI Analyst Incidents Observed

•      Possible SSL Command and Control

•      Possible HTTP Command and Control

•      Unusual Repeated Connections

•      Suspicious Directory Replication Service Activity

•      Device / New or Uncommon WMI Activity

•      SMB Write of Suspicious File

•      Suspicious File Download

•      Unusual External Data Transfer

•      Unusual External Data Transfer to Multiple Related Endpoints

IoCs

IoC - Type - Description

37.10[.]71[.]215 – IP – C2 + payload endpoint

173-44-141-47[.]nip[.]io – Hostname – C2 – payload

173.44[.]141[.]47 – IP – C2 + potential payload

170.130[.]55[.]77 – IP – Data exfiltration endpoint

Rclone.exe – Exe File – Common data tool

Rclone.bat – Script file – Common data tool

MITRE ATT&CK Mapping

Command and Control

T1071 - Application Layer Protocol

T1071.001 – Web protocols

T1573 – Encrypted channels

T1573.001 – Symmetric encryption

T1573.002 – Asymmetric encryption

T1571 – Non-standard port

T1105 – Ingress tool transfer

Execution

T1047 – Windows Management Instrumentation

Credential Access

T1003 – OS Credential Dumping

T1003.006 – DCSync

Lateral Movement

T1570 – Lateral Tool Transfer

T1021 - Remote Services

T1021.002 - SMB/Windows Admin Shares

T1021.006 – Windows Remote Management

Exfiltration

T1048 - Exfiltration Over Alternative Protocol

T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol

T1048.002 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol

T1041 - Exfiltration Over C2 Channel

References

[1] https://cyberscoop.com/syssphinx-cybercrime-ransomware/

[2] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor

[3] https://www.bleepingcomputer.com/news/security/fin8-deploys-alphv-ransomware-using-sardonic-malware-variant/

[4] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor

[5] https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html

[6] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor

[7] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/Syssphinx-FIN8-backdoor

[8] https://www.mandiant.com/resources/blog/windows-zero-day-payment-cards

執筆者
Adam Potter
Senior Cyber Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Adam Potter
Senior Cyber Analyst

When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack

Network
March 17, 2026
Tiana Kelly
Senior Cyber Analyst & Team Lead
Watch the NIS2 Webinar
よく読まれているブログ
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
Network
March 17, 2026

When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack

World Leaks, a rebrand of Hunters International, are known for their extortion-only attack model, abandoning the tactic of file encryption. However, contrary to these claims, Darktrace detected a World Leaks compromise where a ransomware payload was deployed, and customer data was encrypted.
Tiana Kelly
Senior Cyber Analyst & Team Lead
Read more
Network
March 10, 2026

NetSupport RAT: How Legitimate Tools Can Be as Damaging as Malware

NetSupport RAT is the malicious abuse of the legitimate NetSupport Manager remote administration tool. Originally designed for IT support, threat actors exploit it to gain unauthorized system access, exfiltrate data, and deploy malware or info‑stealers, turning trusted functionality into a dangerous attack vector.
George Kim
Analyst Consulting Lead – AMS
Read more
Network
February 13, 2026

CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding

A new exploitation wave targeting BeyondTrust products has emerged following disclosure of CVE‑2026‑1731. Darktrace is observing early malicious activity across customer environments and highlights the importance of proactive defenses.
Emma Foulger
Global Threat Research Operations Lead
Read more

Blog

/

Network

/

March 18, 2026

When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack

Default blog imageDefault blog image

As-a-Service Cybercrime Models

As-a-Service cybercrime models reduce the barrier to entry for cyber criminals as they no longer need expertise in every domain. Threat actors can increasingly outsource or supplement missing skills through the broader cybercrime-as-a-service ecosystem, and thus these models continue to grow in popularity within the cybercriminal underground. This has led to multiple templates in this sphere, such as Phishing-as-a-Service, Botnet-as-a-Service, DDoS-as-a-Service, and notably Ransomware-as-a-Service (RaaS) [1].

What is Extortion-as-a-Service?

Extortion-as-a-Service (EaaS) businesses function as a formalized way for cyber threat actors to offer extortion services to others for a fee or profit share and represents an evolution of extortion operations from the double-extortion ransomware model. Advancing from the RaaS model, extortion has become a distinct profit stream, separate from the encryption payload. This separation of functions, data theft, negotiation, and publicity, sets the stage for EaaS [1].

The EaaS model reflects a broader trend in cybercriminal activity, in which threat actors increasingly prioritize data theft and public exposure over traditional ransomware encryption. This shift reduces operational complexity while increasing pressure on victims through reputational damage. This approach has become increasingly popular among threat actors as, unlike encryption-based attacks, these operations are more difficult to detect and remediate [2]. It reflects a trend of ‘hack-and-leak’ operations that prioritize stealth, speed, and reputational damage over traditional encryption-based ransomware attacks [3].

World Leaks Overview

World Leaks emerged in early 2024 as a direct rebrand of the Hunters International ransomware group, which was notorious for encrypting victims’ data and demanding payment for decryption keys. In mid-2025, Hunters International shifted to an extortion-only model due to law enforcement scrutiny and reduced profitability, rebranding itself as World Leaks.

World Leaks functions as an affiliate-based EaaS operation which provides proprietary Storage Software exfiltration tooling to affiliates while maintaining a four-platform infrastructure consisting of a main data leak site hosted on the Dark Web where victim data is published, a victim negotiation portal with live chat, an affiliate management panel, and an insider journalist platform granting media outlets 24-hour advance access to stolen data before public release [4]. Since its emergence, World Leaks has published data stolen from dozens of organizations globally on its data leak site, serving both as a pressure tactic and a means for building reputation among cyber criminals.

World Leaks (known associations include Hive Ransomware, Secp0 Ransomware, and UNC6148) have been known to target the industrial (manufacturing) sector, along with healthcare organizations, technology firms and more generally, industries with valuable intellectual property [4]. Victims targeted have spanned multiple countries, with most located in the US, as well as Canada and several countries across Europe [5].

World Leaks’ Tactics, Techniques, and Procedures (TTPs) [3][4]

World Leaks’ typical attack pattern involves the exploitation of credentials with inadequate access controls, e.g. lacking multi-factor authentication (MFA), moving through reconnaissance, lateral movement and data exfiltration, notably without an encryption element.

Initial Access:

Initial access is typically gained through the exploitation of compromised virtual private network (VPN) credentials lacking MFA through valid accounts, as well as phishing campaigns. The targeting of internet-facing VPN infrastructure, RDP, and public-facing applications also represent common attack vectors in World Leaks incidents.

Lateral Movement:

SMB, RDP, and SSH are used for lateral movement via remote services. Notably, the group is also known to use PsExec and Rclone as part of their lateral movement activities.

Persistence:

Registry key modifications, scheduled tasks creation, account manipulation.

Exfiltration:

Data exfiltration is carried out through custom storage software tooling via TOR connections. Cloud storage services used for exfiltration particularly include MEGA. World Leaks also carry out direct data transfer through established command-and-control (C2) infrastructure.

Unlike Hunters International, which combined encryption with extortion, World Leaks claims to have abandoned the use of encryption. Some reports note that operations since January 2025 represent a pivot toward eliminating encryption entirely, instead relying on custom exfiltration tooling with SOCKSv5 proxy and TOR-based communications [4]. However, in early 2026, Darktrace detected an incident that directly contradicted this claim: World Leaks carried out an attack that involved both the exfiltration and encryption of customer data.

Darktrace’s Coverage of World Leaks Ransomware

Organizations today face a growing challenge: keeping pace with increasingly fast-moving threats. This incident highlights a common problem, when time-limited mitigations expire or human security teams cannot respond quickly enough, attackers are often able to regain the upper hand. A recent Darktrace detection of World Leaks ransomware provides a clear example of this challenge in practice.

In January 2026, Darktrace identified the presence of ransomware and data encryption linked to World Leaks within the network of an organization within the healthcare sector. Although Darktrace’s Autonomous Response capability was active in the customer’s environment and initially blocking suspicious connectivity, buying time for the customer to remediate, the attack continued once these mitigative actions expired. Darktrace continued to apply Autonomous Response actions as the attack progressed, working to inhibit the attackers at each stage of the intrusion.

Investigations carried out by Darktrace revealed that threat actors likely gained initial access via a Fortigate appliance in mid-October, indicating a three-month dwell time, before employing living-off-the-land (LOTL) techniques for lateral movement. C2 communications were established using Cloudflare Tunnel (formerly Argo Tunnel). As part of the Actions on Objectives attack phase, a significant volume of data was exfiltrated to the MEGA cloud storage platform, followed by the encryption of customer data.

Initial access/ Lateral movement

Darktrace analysts identified the likely patient-zero device within the network as a Fortigate appliance. In October 2025, this device was seen conducting brute-force activity using the compromised ‘administrator’ credential to gain a foothold deeper within the customer’s environment. Masquerading as a privileged user, the threat actor then went on to launch activity on remote devices via PsExec, a common administrative tool that allows users to execute processes on remote systems without manually installing client software, providing significant power to attackers when abused. Around the time, Darktrace detected an unknown device on the network attempting to authenticate via NTLM. As this device had not previously been seen on the network, it likely belonged to the attacker.

Reconnaissance

As part of the reconnaissance phase of the attack, port and network scanning was carried out in an attempt to identify open UDP and TCP ports within the network.

Lateral movement & C2

Around one month after entering the customer’s network, the World Leaks threat actors began tunnelling activity using Cloudflare Tunnel. Darktrace detected connections to several hostnames including: region2.v2.argotunnel[.]com; h2.cftunnel[.]com; region1.v2.argotunnel[.]com. This tunnelling activity continued until January of 2026, when encryption occurred. Cloudflare tunnels are known to be abused by attackers as they enable the use of temporary infrastructure to scale operations, allowing rapid deployment and teardown. Furthermore, leveraging of Cloudflare’s infrastructure to create these rate-limited tunnels (used to relay traffic from an attacker-controlled server to a local machine) makes such malicious activity harder to detect by both defenders and traditional security measures, particularly those that rely on static blocklists [6].

Further lateral movement was carried out using common remote management tools such as Windows Remote Management (WinRM) RDP, allowing the World Leaks threat actors to access local devices within the victim organization’s network.

As this attack progressed, Darktrace detected multiple files being written over SMB. These files included Windows\Temp\chromeremotedesktophost.msi, which was written from the patient-zero device to another internal device as part of lateral movement efforts. Following this transfer, and prior to subsequent data exfiltration activity, a network server was observed connecting to the hostname remotedesktop-pa[.]googleapis[.]com, an API endpoint required for Chrome Remote Desktop, indicating that Chrome RDP was used by the threat actor in this stage of the attack.

Other files written over SMB included the script programdata\syc\OpenSSHUtils.psm1 (which can be used legitimately to configure OpenSSH) and the executable programdata\syc\ssh‑sk‑helper.exe (a legitimate OpenSSH component used to support security keys). These files were written from the suspected patient‑zero device to an internal domain controller using the ‘administrator’ credential.

Thereafter, SSH connections to external IP address 51.15.109[.]222 were observed, providing another channel between the malicious actors and victim machines. Darktrace recognized that the use of SSH by the devices seen connecting to this IP address was highly anomalous, indicating that this suspicious activity formed part of the attack.

Writes of the script programdata\syc\OpenSSHUtils.psm1 were also observed into January, highlighting the continuation of the attack that had begun three months earlier.

On December 19 and 20, Darktrace detected a DNS server within the customer’s network making anomalous outgoing connections to an external IP address not previously seen in the environment: 193.161.193[.]99. This IP address has been reported by open-source-intelligence (OSINT) as being associated with C2 infrastructure, having been linked to several remote access trojans (RATs) and botnets in the past.

This activity a shift towards the infrastructure-as-a-service (IaaS) model, underscoring the growing trend around As-a-Service Cybercrime models and the increasing the industrialization of botnets. The presence of extensive digital botnets, often leased to other criminal organizations, means the group gaining initial access is not necessarily the same group conducting ransomware deployment or data theft; botnets now act as shared underlying infrastructure enabling multiple forms of cybercriminal activity [7].

Furthermore, connections to this IP address (193.161.193[.]99) were made over port 1194, which is associated with OpenVPN, suggesting that World Leaks may have leveraged it to obfuscate C2 communication with attacker-controlled infrastructure.

Darktrace’s detection of the IP address 193.161.193[.]99, noting that it was first seen within the customer’s network on December 19, 2025.
Figure 1: Darktrace’s detection of the IP address 193.161.193[.]99, noting that it was first seen within the customer’s network on December 19, 2025.

Data exfiltration

In November, Darktrace detected the threat actors carrying out one of their Attack on Objective tactics: data exfiltration. Multiple local devices within the compromised network began transferring data to Backblaze and MEGA domains, both of which provide cloud storage services; 80+GB of data was transferred to MEGA in late December 2025. Endpoints associated with this activity included: backblazeb2[.]com and gfs302n520[.]userstorage[.]mega[.]co[.]nz, as well as related user agents such as AS40401 BACKBLAZE) and MegaClient/10.3.0/64.

Notably, Darktrace researchers identified two known World Leaks TTPs in this attack: the use of MEGA, a known tool abused by the group, and Rclone, a command-line tool used to manage files on cloud storage, which was observed in the user agent of the MEGA data-transfer connections: rclone/v1.69.0 [4].

Cyber AI Analyst Incident highlighting data upload activity to backblaze[.]com endpoints.
Figure 2: Cyber AI Analyst Incident highlighting data upload activity to backblaze[.]com endpoints.\

Ransomware deployment & encryption

The encryption stage of this attack was confirmed by the presence of a ransom note found on the network in a file with a seemingly randomized nine-character string preceding README.txt, attributing the incident to World Leaks, along with an extension with the same nine characters appended to encrypted files. Darktrace also observed SMB writes of files named world.exe and task.bat, with the compromised ‘localadmin’ credential used during the SMB logins. It is likely that these files served as the vector for the ransomware payload.

Packet Capture (PCAP) of the ransom note claiming that the attack was carried out by World Leaks.
Figure 3: Packet Capture (PCAP) of the ransom note claiming that the attack was carried out by World Leaks.

Conclusion

Though traditional ransomware relies on encryption, recent trends show that cyber threat actors no longer need to rely on noisy encryption tools and can eliminate much of the risk and technical complexity associated with encrypting systems. This is the model reportedly preferred by World Leaks after their rebrand from Hunters International.

In addition to reducing noise around these attacks, extortion‑only operations may be favored by threat actors over encryption‑focused ones for several reasons, including the fact that traditional security tools may struggle to detect data theft compared to encryption, that attackers leave less evidence behind when encryption is avoided, and that the long‑term impacts of stolen data on organizations can be greater than the loss of systems caused by encryption processes, which can be restored [8]. This is supported by analysis of data leak sites suggesting that almost 1,500 incidents in 2025 relied on data theft alone. Attackers can simply steal victim data and attempt to extort a ransom by threatening to publish it, without needing to deploy ransomware at all [9]. Furthermore, although World Leaks aims to function as an affiliate‑based EaaS operation, security teams should remain aware that their affiliates may have different criminal objectives.

Contrary to reports that World Leaks’ typical attack style has an extortion‑only objective, Darktrace detected an incident in which a World Leaks attack did end with the encryption of customer data. This highlights the need for adaptive defenses and reinforces the importance of network defenders staying proactive in the face of attacks, particularly as they may progress in ways that are unexpected compared to previous trends associated with a given threat actor.

Credit to Tiana Kelly (Senior Cyber Analyst and Analyst Manager) and Emily Megan Lim (Senior Cyber Analyst)

Edited by Ryan Traill (Content Manager)

Appendices

IoCs

  • world.exe – Executable File – Possible Ransomware Payload
  • task.bat – Script File – Possible Ransomware Payload
  • ‘^[A-Z][a-z]{3}[A-Z][a-z][A-Z]{3}[.]README[.]txt' – Ransom Note
  • [.]^[A-Z][a-z]{3}[A-Z][a-z][A-Z]{3} – Ransomware file extension

·       51.15.109[.]222 – IP Address - Possible C2 Infrastructure

·       193.161.193[.]99 – IP Address – Probable C2 Infrastructure

Darktrace Model Detections (Enhanced Monitoring models denoted with an asterisk)

·      Device / Attack and Recon Tools

·      Device / Suspicious SMB Scanning Activity

·      Device / Anomalous NTLM Brute Force

·      Compliance / Connection to Tunnelling Service

·      Device / Suspicious New User Agents

·      Device / New or Unusual Remote Command Execution

·      Compliance / SMB Drive Write

·      Anomalous Connection / Uncommon 1 GiB Outbound

·      Compromise / Ransomware / Ransom or Offensive Words Written to SMB

·      Device / Multiple Lateral Movement Model Alerts*

·      Device / SMB Lateral Movement

·      Unusual Activity / Sustained Anomalous SMB Activity

·      Device / Large Number of Model Alerts

·      Compromise / Ransomware / SMB Reads then Writes with Additional Extensions

·      Compromise / Ransomware / Suspicious SMB Activity*

·      Anomalous File / Internal / Additional Extension Appended to SMB File

·      Unusual Activity / SMB Access Failures

·      Unusual Activity / Enhanced Unusual External Data Transfer*

·      Device / Suspicious File Writes to Multiple Hidden SMB Shares

·      Anomalous Server Activity / Rare External from Server

·      Unusual Activity / Unusual Mega Data Transfer*

·      Device / Possible SMB/NTLM Brute Force

·      Anomalous Connection / Unusual Admin RDP Session

·      Anomalous Connection / Active Remote Desktop Tunnel

·      Anomalous Connection / Data Sent to Rare Domain

·      Anomalous Connection / New or Uncommon Service Control

·      Anomalous Connection / New or Uncommon Service Enumeration

·      Anomalous Connection / Rare WinRM Outgoing

·      Anomalous Connection / SMB Enumeration

·      Anomalous Connection / Unusual Admin RDP Session

·      Anomalous Connection / Unusual Incoming Long Remote Desktop Session

·      Anomalous Connection / Upload via Remote Desktop

·      Anomalous File / Internal / Executable Uploaded to DC

·      Anomalous File / Internal / Unusual SMB Script Write

·      Compliance / SSH to Rare External Destination

·      Device / Anomalous Github Download

·      Device / Anonymous NTLM Logins

·      Device / Network Scan

·      Device / New or Uncommon WMI Activity

·      Device / New User Agent To Internal Server

·      Device / Possible Brute-Force Activity

·      Device / RDP Scan

·      Device / SMB Session Brute Force (Admin)

·      Device / SMB Session Brute Force (Non-Admin)

·      Device / Suspicious Network Scan Activity

·      Unusual Activity / Successful Admin Brute-Force Activity

·      Unusual Activity / Unusual External Data to New Endpoint

·      Unusual Activity / Unusual External Data Transfer

·      Unusual Activity / Unusual File Storage Data Transfer

·      User / New Admin Credentials on Server

Cyber AI Analyst Incidents

·      Scanning of Multiple Devices

·      Large Volume of SMB Login Failures to Multiple Devices

·      Suspicious Chain of Administrative Connections

·      SMB Write of Suspicious File

·      Suspicious DCE-RPC Activity

·      Unusual External Data Transfer

·      Unusual External Data Transfer to Multiple Related Endpoints

·      Unusual External Data Transfer to Endpoints

MITRE ATT&CK Mapping

·      Initial Access – T1190 – Exploit Public-Facing Application

·      Defense Evasion, Initial Access, Persistence, Privilege Escalation – T1078 – Valid Accounts

·      Resource Development – T1588.001 – Obtain Capabilities: Malware

·      Reconnaissance – T1590.005 – Gather Victim Network Information: IP Addresses

·      Reconnaissance – T1592.004 – Gather Victim Host Information: Client Configurations

·      Reconnaissance – T1595.001 – Active Scanning: Scanning IP Blocks

·      Reconnaissance – T1595.002 – Active Scanning: Vulnerability Scanning

·      Reconnaissance – T1595.003 – Active Scanning: Wordlist Scanning

·      Discovery – T1018 – Remote System Discovery

·      Discovery – T1046 – Network Service Discovery

·      Discovery – T1083 – File and Directory Discovery

·      Discovery – T1135 – Network Share Discovery

·      Command and Control – T1219 – Remote Access Tools

·      Command and Control – T1219.002 – Remote Access Tools: Remote Desktop Software

·      Command and Control – T1571 – Non-Standard Port

·      Command and Control – T1572 – Protocol Tunneling

·      Command and Control – T1573.001 – Encrypted Channel: Symmetric Cryptography

·      Credential Access – T1110 – Brute Force

·      Credential Access – T1110.001 – Brute Force: Password Guessing

·      Defense Evasion – T1006 – Direct Volume Access

·      Defense Evasion – T1564.005 – Hide Artifacts: Hidden File System

·      Defense Evasion – T1564.012 – Hide Artifacts: File/Path Exclusions

·      Execution – T1047 – Windows Management Instrumentation

·      Execution – T1569.002 – System Services: Service Execution

·      Lateral Movement – T1021 – Remote Services

·      Lateral Movement – T1021.001 – Remote Services: Remote Desktop Protocol

·      Lateral Movement – T1021.002 – Remote Services: SMB/Windows Admin Shares

·      Lateral Movement – T1021.006 – Remote Services: Windows Remote Management

·      Lateral Movement – T1080 – Taint Shared Content

·      Lateral Movement – T1210 – Exploitation of Remote Services

·      Lateral Movement – T1570 – Lateral Tool Transfer

·      Collection – T1039 – Data from Network Shared Drive

·      Collection – T1074 – Data Staged

·      Exfiltration – T1041 – Exfiltration Over C2 Channel

·      Exfiltration – T1048 – Exfiltration Over Alternative Protocol

·      Exfiltration – T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage

References

[1] https://www.levelblue.com/blogs/levelblue-blog/extortion-as-a-service-the-latest-threat-actor-criminal-ecosystem/

[2] https://blackpointcyber.com/wp-content/uploads/2025/12/World-Leaks.pdf

[3] https://blackpointcyber.com/threat-profile/world-leaks-ransomware/

[4] https://www.halcyon.ai/threat-group/worldleaks

[5] https://www.moxfive.com/resources/moxfive-threat-actor-spotlight-world-leaks

[6] https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html

[7] https://www.trendmicro.com/vinfo/tw/security/news/threat-landscape/the-industrialization-of-botnets-automation-and-scale-as-a-new-threat-infrastructure

[8] https://www.morphisec.com/blog/ransomware-without-encryption-why-pure-exfiltration-attacks-are-surging-and-why-theyre-so-hard-to-catch/

[9] https://sed-cms.broadcom.com/sites/default/files/2026-01/RWN-2026-WP100_1.pdf

Continue reading
About the author
Tiana Kelly
Senior Cyber Analyst & Team Lead

Blog

/

Network

/

March 11, 2026

NetSupport RAT: How Legitimate Tools Can Be as Damaging as Malware

Default blog imageDefault blog image

What is NetSupport Manager?

NetSupport Manager is a legitimate IT tool used by system administrators for remote support, monitoring, and management. In use since 1989, NetSupport Manager enables users to remotely access and navigate systems across different platforms and operating systems [1].

What is NetSupport RAT?

Although NetSupport Manager is a legitimate tool that can be used by IT and security professionals, there has been a rising number of cases in which it is abused to gain unauthorized access to victim systems. This misuse has become so prevalent that, in recent years, security researchers have begun referring to NetSupport as a Remote Access Trojan (RAT), a term typically used for malware that enables a threat actor to remotely access or control an infected device [2][3][4].

NetSupport RAT activity summary

The initial stages of NetSupport RAT infection may vary depending on the source of the initial compromise. Using tactics such as the social engineering tactic ClickFix, threat actors attempt to trick users into inadvertently executing malicious PowerShell commands under the guise of resolving a non-existent issue or completing a fake CAPTCHA verification [5]. Other attack vectors such as phishing emails, fake browser updates, malicious websites, search engine optimization (SEO) poisoning, malvertising and drive-by downloads are also employed to direct users to fraudulent pages and fake reCAPTCHA verification checks, ultimately inducing them to execute malicious PowerShell commands [5][6][7]. This leads to the successful installation of NetSupport Manager on the compromised device, which is often placed in non-standard directories such as AppData, ProgramData, or Downloads [3][8].

Once installed, the adversary is able to gain remote access to the affected machine, monitor user activity, exfiltrate data, communicate with the command-and-control (C2) server, and maintain persistence [5]. External research has also highlighted that post-exploitation of NetSupport RAT has involved the additional download of malicious payloads [2][5].

Attack flow diagram highlighting key events across each phase of the attack phase
Figure 1: Attack flow diagram highlighting key events across each phase of the attack phase [2][5].

Darktrace coverage

In November of 2025, suspicious behavior indicative of the malicious abuse of NetSupport Manager was observed on multiple customers across Europe, the Middle East, and Africa (EMEA) and the Americas (AMS).

While open-source intelligence (OSINT) has reported that, in a recent campaign, a threat actor impersonated government entities to trick users in organizations in the Information Technology, Government and Financial Services sectors in Central Asia into downloading NetSupport Manager [8], approximately a third of Darktrace’s affected customers in November were based in the US while the rest were based in EMEA. This contrast underscores how widely NetSupport Manager is leveraged by threat actors and highlights its accessibility as an initial access tool.  

The Darktrace customers affected were in sectors including Information and Communication, Manufacturing and Arts, entertainment and recreation.

The ClickFix social engineering tactic typically used to distribute the NetSupport RAT is known to target multiple industries, including Technology, Manufacturing and Energy sectors [9]. It also reflects activity observed in the campaign targeting Central Asia, where the Information Technology sector was among those affected [8].

The prevalence of affected Education customers highlights NetSupport’s marketing focus on the Education sector [10]. This suggests that threat actors are also aware of this marketing strategy and have exploited the trust it creates to deploy NetSupport Manager and gain access to their targets’ systems. While the execution of the PowerShell commands that led to the installation of NetSupport Manager falls outside of Darktrace's purview in cases identified, Darktrace was still able to identify a pattern of devices making connections to multiple rare external domains and IP addresses associated with the NetSupport RAT, using a wide range of ports over the HTTP protocol. A full list of associated domains and IP addresses is provided in the Appendices of this blog.

Although OSINT identifies multiple malicious domains and IP addresses as used as C2 servers, signature-based detections of NetSupport RAT indicators of compromise (IoCs) may miss broader activity, as new malicious websites linked to the RAT continue to appear.

Darktrace’s anomaly‑based approach allows it to establish a normal ‘pattern of life’ for each device on a network and identify when behavior deviates from this baseline, enabling the detection of unusual activity even when it does not match known IoCs or tactics, techniques and procedures (TTPs).

In one customer environment in late 2025, Darktrace / NETWORK detected a device initiating new connections to the rare external endpoint, thetavaluemetrics[.]com (74.91.125[.]57), along with the use of a previously unseen user agent, which it recognized as highly unusual for the network.

Darktrace’s detection of HTTP POST requests to a suspicious URI and new user agent usage.
Figure 2: Darktrace’s detection of HTTP POST requests to a suspicious URI and new user agent usage.

Darktrace identified that user agent present in connections to this endpoint was the ‘NetSupport Manager/1.3’, initially suggesting legitimate NetSupport Manager activity. Subsequent investigation, however, revealed that the endpoint was in fact a malicious NetSupportRAT C2 endpoint [12]. Shortly after, Darktrace detected the same device performing HTTP POST requests to the URI fakeurl[.]htm. This pattern of activity is consistent with OSINT reporting that details communication between compromised devices and NetSupport Connectivity Gateways functioning as C2 servers [11].

Conclusion

As seen not only with NetSupport Manager but with any legitimate or open‑source software used by IT and security professionals, the legitimacy of a tool does not prevent it from being abused by threat actors. Open‑source software, especially tools with free or trial versions such as NetSupport Manager, remains readily accessible for malicious use, including network compromise. In an age where remote work is still prevalent, validating any anomalous use of software and remote management tools is essential to reducing opportunities for unauthorized access.

Darktrace’s anomaly‑based detection enables security teams to identify malicious use of legitimate tools, even when clear signatures or indicators of compromise are absent, helping to prevent further impact on a network.


Credit to George Kim (Analyst Consulting Lead – AMS), Anna Gilbertson (Senior Cyber Analyst)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Alerts

·       Compromise / Suspicious HTTP and Anomalous Activity

·       Compromise / New User Agent and POST

·       Device / New User Agent

·       Anomalous Connection / New User Agent to IP Without Hostname

·       Anomalous Connection / Posting HTTP to IP Without Hostname

·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint

·       Anomalous Connection / Application Protocol on Uncommon Port

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

·       Compromise / Beaconing Activity To External Rare

·       Compromise / HTTP Beaconing to Rare Destination

·       Compromise / Agent Beacon (Medium Period)

·       Compromise / Agent Beacon (Long Period)

·       Compromise / Quick and Regular Windows HTTP Beaconing

·       Compromise / Sustained TCP Beaconing Activity To Rare Endpoint

·       Compromise / POST and Beacon to Rare External

Indicators of Compromise (IoCs)

Indicator           Type     Description

/fakeurl.htm URI            NetSupportRAT C2 URI

thetavaluemetrics[.]com        Connection hostname              NetSupportRAT C2 Endpoint

westford-systems[.]icu            Connection hostname              NetSupportRAT C2 Endpoint

holonisz[.]com                Connection hostname              NetSupportRAT C2 Endpoint

heaveydutyl[.]com      Connection hostname              NetSupportRAT C2 Endpoint

nsgatetest1[.]digital   Connection hostname              NetSupportRAT C2 Endpoint

finalnovel[.]com            Connection hostname              NetSupportRAT C2 Endpoint

217.91.235[.]17              IP             NetSupportRAT C2 Endpoint

45.94.47[.]224                 IP             NetSupportRAT C2 Endpoint

74.91.125[.]57                 IP             NetSupportRAT C2 Endpoint

88.214.27[.]48                 IP             NetSupportRAT C2 Endpoint

104.21.40[.]75                 IP             NetSupportRAT C2 Endpoint

38.146.28[.]242              IP             NetSupportRAT C2 Endpoint

185.39.19[.]233              IP             NetSupportRAT C2 Endpoint

45.88.79[.]237                 IP             NetSupportRAT C2 Endpoint

141.98.11[.]224              IP             NetSupportRAT C2 Endpoint

88.214.27[.]166              IP             NetSupportRAT C2 Endpoint

107.158.128[.]84          IP             NetSupportRAT C2 Endpoint

87.120.93[.]98                 IP             Rhadamanthys C2 Endpoint

References

  1. https://mspalliance.com/netsupport-debuts-netsupport-24-7/
  2. https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html
  3. https://redcanary.com/threat-detection-report/threats/netsupport-manager/
  4. https://www.elastic.co/guide/en/security/8.19/netsupport-manager-execution-from-an-unusual-path.html
  5. https://rewterz.com/threat-advisory/netsupport-rat-delivered-through-spoofed-verification-pages-active-iocs
  6. https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
  7. https://corelight.com/blog/detecting-netsupport-manager-abuse
  8. https://thehackernews.com/2025/11/bloody-wolf-expands-java-based.html
  9. https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector
  10. https://www.netsupportsoftware.com/education-solutions
  11. https://www.esentire.com/blog/unpacking-netsupport-rat-loaders-delivered-via-clickfix
  12. https://threatfox.abuse.ch/browse/malware/win.netsupportmanager_rat/
  13. https://www.virustotal.com/gui/url/5fe6936a69c786c9ded9f31ed1242c601cd64e1d90cecd8a7bb03182c47906c2

Continue reading
About the author
George Kim
Analyst Consulting Lead – AMS
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ