Defending Against Cyber Attacks on San Diego & Barcelona Ports
Discover how Darktrace AI safeguards ports globally against cyber-attacks, including those in San Diego and Barcelona, enhancing maritime cyber security!
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
No items found.
Share
03
Oct 2018
Last summer’s wave of ransomware attacks compromised port terminals and disrupted global shipping. Since then, cyber security has quickly risen to the top of the agenda for the maritime sector. Earlier this year, another port was hit with ransomware, and then, last week, the ports of Barcelona and San Diego revealed that they had been the victims of further ransomware attacks.
Whilst the 2017 attacks were globally devastating, there was no evidence that they deliberately targeted particular sectors; port terminals were merely caught in the indiscriminate wave of attacks. However, the widespread disruption these attacks caused across industry – from shipping to manufacturing – drew attention to the risk of IT cyber-attacks propagating into the industrial sector’s critical control systems. Operational Technology within industrial environments had previously been kept relatively separate from IT systems, and, consequently, relatively immune from cyber-attack. These attacks showed that the recent trend in integrating and unifying IT and OT systems had now exposed these systems to such indiscriminate attacks.
The increasing convergence of IT and OT systems shows no signs of slowing, however. Hyper-connected ‘smart’ ports are bringing efficiency and precision while cutting costs. Yet, the intertwining of the physical and digital across ports remains a significant challenge for the cyber security teams tasked with their defense. Without rushing to conclusions, it is perhaps no surprise that the Port of Barcelona is in the process of a “Digital Port project,” launched last year to promote the digitization of the port environment.
Although specifics have not yet been revealed, the recent attacks in Barcelona and San Diego appear to be targeted. Perhaps the inadvertent success of last year’s ransomware campaign inspired attackers to pursue the maritime sector specifically. Disruptions to Operational Technology can be highly detrimental to the maritime sector – these systems oversee critical port and ship systems. Any compromise could inflict reputational harm, significant financial losses, and physical damage. That we would see ransomware attacks specifically targeting ports was foreseeable. Many in the industry have been expecting and preparing for such an eventuality over the last 12 months. Now that attackers are actively targeting them, the protection of OT systems has become critical.
Darktrace has deployed AI to a number of companies in the maritime sector to specifically mitigate and defend Operational Technology. These systems are highly customized and bespoke, and therefore unsuitable for the use of off-the-shelf IT solutions. Darktrace’s cyber AI is able to automatically tailor to OT environments and learn a unique sense of ‘self’, regardless of vendor or technology platform.
Our AI is actively defending ports across the world – such as Harwich Haven Authority and Belfast Harbour – and protecting them against both targeted and indiscriminate attacks on their OT and IT systems. Defending these environments requires the ability to protect all technology systems, from the oldest PLCs and SCADA systems, to the newest IoT devices. Whether in the cloud, on a vessel, or on the mainland, Darktrace is able to passively defend your systems and identify cyber-threats in real time, without any impact or disruption.
No items found.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
How a Compromised eScan Update Enabled Multi‑Stage Malware and Blockchain C2
The rise of supply chain attacks
In recent years, the abuse of trusted software has become increasingly common, with supply chain compromises emerging as one of the fastest growing vectors for cyber intrusions. As highlighted in Darktrace’s Annual Threat Report 2026, attackers and state-actors continue to find significant value in gaining access to networks through compromised trusted links, third-party tools, or legitimate software. In January 2026, a supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product was reported, with malicious updates distributed to customers through the legitimate update infrastructure. This, in turn, resulted in a multi‑stage loader malware being deployed on compromised devices [1][2].
An overview of eScan exploitation
According to eScan’s official threat advisory, unauthorized access to a regional update server resulted in an “incorrect file placed in the update distribution path” [3]. Customers associated with the affected update servers who downloaded the update during a two-hour window on January 20 were impacted, with affected Windows devices subsequently have experiencing various errors related to update functions and notifications [3].
While eScan did not specify which regional update servers were affected by the malicious update, all impacted Darktrace customer environments were located in the Europe, Middle East, and Africa (EMEA) region.
External research reported that a malicious 32-bit executable file , “Reload.exe”, was first installed on affected devices, which then dropped the 64-bit downloader, “CONSCTLX.exe”. This downloader establishes persistence by creating scheduled tasks such as “CorelDefrag”, which are responsible for executing PowerShell scripts. Subsequently, it evades detection by tampering with the Windows HOSTS file and eScan registry to prevent future remote updates intended for remediation. Additional payloads are then downloaded from its command-and-control (C2) server [1].
Darktrace’s coverage of eScan exploitation
Initial Access and Blockchain as multi-distributed C2 Infrastructure
On January 20, the same day as the aforementioned two‑hour exploit window, Darktrace observed multiple devices across affected networks downloading .dlz package files from eScan update servers, followed by connections to an anomalous endpoint, vhs.delrosal[.]net, which belongs to the attackers’ C2 infrastructure.
The endpoint contained a self‑signed SSL certificate with the string “O=Internet Widgits Pty Ltd, ST=SomeState, C=AU”, a default placeholder commonly used in SSL/TLS certificates for testing and development environments, as well as in malicious C2 infrastructure [4].
Utilizing a multi‑distributed C2 infrastructure, the attackers also leveraged domains linked with the Solana open‑source blockchain for C2 purposes, namely “.sol”. These domains were human‑readable names that act as aliases for cryptocurrency wallet addresses. As browsers do not natively resolve .sol domains, the Solana Naming System (formerly known as Bonfida, an independent contributor within the Solana ecosystem) provides a proxy service, through endpoints such as sol-domain[.]org, to enable browser access.
Darktrace observed devices connecting to blackice.sol-domain[.]org, indicating that attackers were likely using this proxy to reach a .sol domain for C2 activity. Given this behavior, it is likely that the attackers leveraged .sol domains as a dead drop resolver, a C2 technique in which threat actors host information on a public and legitimate service, such as a blockchain. Additional proxy resolver endpoints, such as sns-resolver.bonfida.workers[.]dev, were also observed.
Solana transactions are transparent, allowing all activity to be viewed publicly. When Darktrace analysts examined the transactions associated with blackice[.]sol, they observed that the earliest records dated November 7, 2025, which coincides with the creation date of the known C2 endpoint vhs[.]delrosal[.]net as shown in WHOIS Lookup information [4][5].
Figure 1: WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.
Figure 2: Earliest observed transaction record for blackice[.]sol on public ledgers.
Subsequent instructions found within the transactions contained strings such as “CNAME= vhs[.]delrosal[.]net”, indicating attempts to direct the device toward the malicious endpoint. A more recent transaction recorded on January 28 included strings such as “hxxps://96.9.125[.]243/i;code=302”, suggesting an effort to change C2 endpoints. Darktrace observed multiple alerts triggered for these endpoints across affected devices.
Similar blockchain‑related endpoints, such as “tumama.hns[.]to”, were also observed in C2 activities. The hns[.]to service allows web browsers to access websites registered on Handshake, a decentralized blockchain‑based framework designed to replace centralized authorities and domain registries for top‑level domains. This shift toward decentralized, blockchain‑based infrastructure likely reflects increased efforts by attackers to evade detection.
In outgoing connections to these malicious endpoints across affected networks, Darktrace / NETWORK recognized that the activity was 100% rare and anomalous for both the devices and the wider networks, likely indicative of malicious beaconing, regardless of the underlying trusted infrastructure. In addition to generating multiple model alerts to capture this malicious activity across affected networks, Darktrace’s Cyber AI Analyst was able to compile these separate events into broader incidents that summarized the entire attack chain, allowing customers’ security teams to investigate and remediate more efficiently. Moreover, in customer environments where Darktrace’s Autonomous Response capability was enabled, Darktrace took swift action to contain the attack by blocking beaconing connections to the malicious endpoints, even when those endpoints were associated with seemingly trustworthy services.
Conclusion
Attacks targeting trusted relationships continue to be a popular strategy among threat actors. Activities linked to trusted or widely deployed software are often unintentionally whitelisted by existing security solutions and gateways. Darktrace observed multiple devices becoming impacted within a very short period, likely because tools such as antivirus software are typically mass‑deployed across numerous endpoints. As a result, a single compromised delivery mechanism can greatly expand the attack surface.
Attackers are also becoming increasingly creative in developing resilient C2 infrastructure and exploiting legitimate services to evade detection. Defenders are therefore encouraged to closely monitor anomalous connections and file downloads. Darktrace’s ability to detect unusual activity amidst ever‑changing tactics and indicators of compromise (IoCs) helps organizations maintain a proactive and resilient defense posture against emerging threats.
Credit to Joanna Ng (Associate Principal Cybersecurity Analyst) and Min Kim (Associate Principal Cybersecurity Analyst) and Tara Gould (Malware Researcher Lead)
Edited by Ryan Traill (Content Manager)
Appendices
Darktrace Model Detections
Anomalous File::Zip or Gzip from Rare External Location
![WHOIS Look records of the C2 endpoint vhs[.]delrosal[.]net.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69e6bd15391fbfb9bc810102_Screenshot%202026-04-20%20at%204.56.01%E2%80%AFPM.png)
![Earliest observed transaction record for blackice[.]sol on public ledgers.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/69e6bd3a9035e7b16c8df83c_Screenshot%202026-04-20%20at%204.56.40%E2%80%AFPM.png)
