
All news with #darktrace tag

9 articles

ZionSiphon OT Malware Targets Water Treatment Systems

🔎 Darktrace researchers have analyzed a newly identified malware called ZionSiphon that combines typical endpoint compromise techniques with functions tailored to industrial control systems, specifically targeting water treatment and desalination infrastructure. The sample includes privilege escalation, persistence, and USB-based propagation alongside environment and software checks for reverse osmosis and chlorine control. While it can scan OT protocols such as Modbus and attempt register modifications, implementation gaps and a country-validation flaw suggest the strain is an early-stage tool that may fail to activate in many environments.

ZionSiphon Malware Hits Israeli Water and Desalination

🚨 Darktrace researchers disclosed ZionSiphon, a newly observed malware family tailored to Israeli water treatment and desalination systems. The June 29, 2025 sample establishes persistence, escalates privileges, propagates via removable media, and scans local subnets for OT services, probing Modbus, DNP3 and S7comm devices. It contains routines to alter chlorine dosing and pressure parameters but appears unfinished or misconfigured; non-target hosts trigger a self-destruct sequence.

ZionSiphon OT Malware Targets Water Treatment Systems

💧 Researchers at Darktrace identified ZionSiphon, a new operational technology malware engineered to sabotage water treatment and desalination environments. The sample includes routines to increase chlorine dosing, force valves open, and raise RO pressure by appending fixed configuration entries, and it propagates via USB as a hidden svchost.exe. A faulty IP verification routine currently prevents activation, but attackers could correct the logic to enable dangerous OT manipulation.

Chaos Malware Targets Misconfigured Cloud Deployments

🔍 Cybersecurity firm Darktrace has identified a new variant of the Chaos botnet that targets misconfigured cloud deployments, expanding the malware's focus beyond routers and edge devices. The 64-bit ELF binary was delivered to a deliberately misconfigured Hadoop honeypot via an HTTP request that created an application embedding shell commands to fetch and execute the payload from pan.tenire[.]com. The updated sample removes SSH- and router-based spread features and instead implements a SOCKS proxy, enabling compromised hosts to relay attacker traffic and broadening the botnet's monetization and evasion capabilities.

Europe Targeted by Identity Theft and Account Takeovers

🔒 Darktrace's Threat Report 2026 warns that identity-based attacks—primarily via compromised cloud and email accounts—now initiate 58% of intrusions in Europe, with network-based breaches comprising the other 42%. Germany and the manufacturing sector were particularly affected as attackers leverage valid credentials and legitimate admin tools to evade detection. The report highlights state-backed groups (e.g., Lazarus, ShadowPad) and RaaS operators such as Akira, noting heavy targeting of Azure, GCP and Docker environments. Experts recommend continuous monitoring of privileged accounts, hardened MFA, device baselines and behavioral detection to spot anomalies early.

Darktrace: 32M High-Confidence Phishing Emails in 2025

📧 Darktrace detected more than 32 million high-confidence phishing emails in 2025, signaling a major escalation in identity-driven attacks and automated campaigns. Over 8.2 million of those targeted VIPs, while 1.6 million originated from newly created domains and 1.2 million included malicious QR codes. The vendor reported 70% of phishing passed DMARC, 41% were spear-phishing and 38% used novel social-engineering techniques, highlighting attackers’ growing sophistication and emphasis on credential compromise.

Three Black Friday Phishing Scams to Watch in 2025

📧 Darktrace warns of a major increase in Black Friday-themed phishing, reporting a 620% spike in the weeks before the 2025 sales and forecasting a further 20–30% rise during Black Friday week. The firm highlights three primary tactics: brand impersonation, fake marketing domains and generative AI-generated adverts. Amazon was the most impersonated brand, and other US retailers were also targeted. Consumers are advised to verify senders and avoid clicking suspicious links.

Salt Typhoon Exploits Citrix NetScaler in Global Attacks

🔒 In a global intrusion tracked by Darktrace, the China-linked group Salt Typhoon exploited a Citrix NetScaler Gateway vulnerability to gain access and maintain persistence. Attackers employed DLL sideloading to deploy the SNAPPYBEE (Deed RAT) backdoor alongside legitimate antivirus executables, then moved laterally to Citrix Virtual Delivery Agent hosts while obscuring their origin via SoftEther VPN infrastructure. C2 channels used HTTP (with Internet Explorer user-agent headers and URIs like "/17ABE7F017ABE7F0") and unidentified TCP protocols; the domain aar.gandhibludtric[.]com has prior links to the group. Darktrace emphasised the need for anomaly-based behavioural detection to surface such stealthy activity early.

ShadowV2 Botnet Targets Misconfigured AWS Docker Containers

⚠️ Researchers at Darktrace disclosed ShadowV2, a DDoS-focused botnet that exploits misconfigured Docker daemons on AWS EC2 instances to deploy a Go-based RAT and enlist hosts as attack nodes. The campaign uses a Python spreader to spawn an Ubuntu setup container, build a custom image, and run an ELF payload that checks in with a Codespaces-hosted C2. Operators leverage HTTP/2 Rapid Reset floods, a Cloudflare UAM bypass via ChromeDP, and a FastAPI/Pydantic operator API, signaling a modular DDoS-for-hire service.