Starting in July 2025, Akira ransomware attacks surged globally, targeting SonicWall SSL VPN devices. In August, Darktrace detected suspicious activity in a US network, including scanning, lateral movement, and data exfiltration. A compromised SonicWall VPN server linked the incident to the broader Akira campaign exploiting known vulnerabilities.

Darktrace exposed a cybercrime-as-a-service campaign using Python and Go-based malware, Docker containerization, and a full operator UI. With DDoS-as-a-service features, modular APIs, and advanced evasion, this platform highlights the need for defenders to monitor cloud workloads, container orchestration, and API activity to counter evolving threats.

SEO poisoning is a malicious tactic where threat actors manipulate search engine rankings to promote deceptive websites. These sites often mimic legitimate software downloads, delivering malware like the Oyster backdoor. Learn about Darktrace’s investigation into the tactics used to deliver Oyster via fake PuTTY sites and manipulate search visibility.

Unifying network and email security closes critical gaps in your defenses, enabling faster detection, investigation, and response. Discover how an integrated, AI-driven approach strengthens protection across the entire attack lifecycle.

Cryptojacking attacks are rising as threat actors exploit hard-to-detect cryptomining malware. Learn how Darktrace detected and contained a cryptojacking attempt in its early stages using Autonomous Response, with expert analysis of the malware itself revealing insights into a novel cryptomining strain.

This blog outlines a real-world attack where threat actors exploited Fortinet SSL-VPN vulnerabilities to infiltrate a network. It highlights how Darktrace identified threat and took immediate actions to contain it, demonstrating the importance of proactive detection and rapid intervention in minimizing risk and disruption.

Darktrace investigates active exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428. Threat actors can leverage these CVEs for unauthenticated remote code execution, delivering malware like KrustyLoader. This blog explores evolving post-exploitation tactics and emphasizes the need for continuous visibility and machine-speed response across enterprise network environments.

Explore key cyber threat trends observed across Darktrace’s customer base in the first half of 2025. As threat actors increasingly adopt AI and diversify their techniques and tooling, anomaly-based detection continues to prove vital in defending against evolving attacks.

This blog examines a real-world Auto-Color malware attack that originated from the exploitation of CVE-2025-31324. Learn how Darktrace identified and contained the threat using AI-driven detection and response, with additional support from its expert analyst team.

Learn about a recent Scattered Spider attack observed by Darktrace, comparing tactics with those seen in previous attacks. Widespread use of LOTL techniques alongside continued changes in TTPs such as their recent use of Ransomware-as-a-Service (RaaS) platforms can make it challenging for security teams to harden defenses.

Since 2018, Blind Eagle has targeted Latin American organizations using phishing and RATs. Darktrace detected Blind Eagle activity on a customer network involving C2 connectivity, malicious payload downloads and data exfiltration. Without Autonomous Response, the attack escalated, highlighting the need for proactive detection and response defense to counter fast-evolving threats.

An industry leading petrochemical manufacturer uses the Darktrace ActiveAI Security Platform to improve visibility, protect against supply chain attacks, and save the security team hundreds of hours of incident investigation.

A critical SAP vulnerability, CVE-2025-31324, allows unauthenticated remote code execution via NetWeaver Visual Composer. Despite early mitigation guidance, many systems remain exposed. Darktrace detected exploitation attempts six days before public disclosure, highlighting the importance of proactive, threat-agnostic detection.

ClickFix is a social engineering technique that exploits human error through fake prompts, leading users to unknowingly run malicious commands. Learn how Darktrace detects and responds to such threats!

Darktrace announces its Leader position in the inaugural Gartner® Magic Quadrant™ for Network Detection and Response (NDR).

Darktrace investigated “PumaBot,” a Go-based Linux botnet targeting IoT devices. It avoids internet-wide scanning, instead using a C2 server to get targets and brute-force SSH credentials. Once inside, it executes remote commands and ensures persistence.

To quickly identify and respond to threats before damage occurs, this local government relies on Darktrace to improve network visibility, stop insider threats, protect its email systems, and accelerate incident investigations.

Darktrace's AI-driven tools identified and disrupted AsyncRAT activity, detecting suspicious connections and blocking them autonomously. This proactive response prevented the compromise from escalating and safeguarded sensitive data from exfiltration.

This blog outlines Darktrace's model-based anomaly detection and how security teams can leverage custom models for targeted threat hunts. Recently, Darktrace's Threat Research team applied this method in their report, "AI & Cybersecurity: The State of Cyber in UK and US Energy Sectors."

In early 2025, Darktrace uncovered SocGholish-to-RansomHub intrusion chains, including loader and C2 activity, alongside credential harvesting via WebDAV and SCF abuse. Learn more about SocGholish and its kill chain here!