January 19,2026 – Content Update

We are committed to continuously strengthening security operations for our customers through our innovative DARC Vault monthly releases. Much like Microsoft’s Patch Tuesday, the DARC Vault acts as a consistent and reliable source of enhanced security content, empowering users to stay ahead of evolving threats with fresh detections every month.

Each month, we deliver the latest Out-Of-The-Box (OOTB) content that not only introduces brand-new capabilities but also enhances existing detections. This month, we are excited to announce a significant update focused on Windows, Cloudflare, Webserver, and Linux.

Below is a summary of the new additions and improvements:

Summary of Fortnightly Improvements

Content Type	Actions	Count
Detections	New	36
	Enhanced	3
Dashboards	New	–
Reports	New	–

New Detections

#	Name	Description
1	SharePoint ToolShell Vulnerability Exploitation Chain-webserver	Investigating SharePoint ToolShell Vulnerability Exploitation Chain targeting public-facing applications.
2	UNC5142 In-Memory PowerShell Payload Execution	Investigating UNC5142 In-Memory PowerShell Payload Execution on Windows platforms.
3	Suspicious Modification of WordPress Core Theme Files	Suspicious modification of WordPress core theme files detected.
4	Suspicious DLL Sideloading via Element or VLC	Suspicious DLL Sideloading via Element or VLC under investigation.
5	Suspicious Child Process of Analysis Tool	Suspicious child process of analysis tool detected. Investigate further.
6	Stealit Suspicious Browser Extension Installation	Stealit Suspicious Browser Extension Installation detected via file creation events.
7	SharePoint ToolShell Vulnerability Exploitation Chain	Investigating SharePoint ToolShell Vulnerability Exploitation Chain.
8	Detection for TOLLBOOTH IIS Malicious Module Deployment_ep-dns	Detection for TOLLBOOTH IIS Malicious Module Deployment under investigation.
9	Stealit Component Execution from AppData	Stealit Component Execution from AppData under investigation. Targets various platforms.
10	Dropping Elephant VLC Side-Loading and Staging	Investigation of Dropping Elephant VLC Side-Loading and Staging attack.
11	Suspicious Child Process Spawned by npm	Suspicious child process spawned by npm under investigation.
12	Office Macro-Spawned PowerShell Execution	Office Macro-Spawned PowerShell Execution under investigation.
13	NightEagle APT Chisel Malware Execution	NightEagle APT Chisel Malware Execution under investigation.
14	Detection for SonicCrypt Payload Execution	Detection for SonicCrypt Payload Execution under investigation.
15	DragonForce Ransomware Execution	DragonForce Ransomware Execution under investigation. Targets various platforms.
16	Katz Stealer PowerShell Steganography Dropper	Katz Stealer PowerShell Steganography Dropper attack under investigation.
17	TAG-140 DRAT V2 Initial Execution via MSHTA	Investigating initial execution via MSHTA with malicious command lines.
18	Confucius PowerShell Download and Execution	Confucius PowerShell Download and Execution attack under investigation.
19	Detection for TOLLBOOTH IIS Malicious Module Deployment_ep-file	Detection for TOLLBOOTH IIS Malicious Module Deployment under investigation.
20	UNC5142 Malware Hash Detection	UNC5142 Malware Hash Detection for PROCESS_ADDED and FILE_CREATED actions.
21	Godzilla Webshell File Creation	Godzilla Webshell File Creation detected. Investigating file creation with specific hash or filename patterns.
22	ClickFix PowerShell Execution	Detects suspicious PowerShell execution patterns.
23	Potential Anti-Malware Analysis Tool Execution – Process and Memory Analysis	Potential Anti-Malware Analysis Tool Execution – Process and Memory Analysis under investigation.
24	MonsterV2 Malware Hash Execution Detection	MonsterV2 Malware Hash Execution Detection under investigation.
25	GoldMelody Post-Exploitation Activity	GoldMelody Post-Exploitation Activity under investigation.
26	Malicious NPM Package Installation Associated With XORIndex Campaign	Malicious NPM Package Installation Associated With XORIndex Campaign under investigation.
27	Silent File Downloads via Curl	Silent File Downloads via Curl under investigation. Detects malicious file downloads using curl.
28	Possible Modular Java Backdoor Execution Detection on Modular Cloe MFT	Possible Modular Java Backdoor Execution Detection on Modular Cloe MFT under investigation.
29	KimJongRAT Loader Execution	KimJongRAT Loader Execution involves malicious rundll32 or PowerShell scripts in AppData.
30	Suspicious Process Injection into ImagingDevices	Suspicious Process Injection into ImagingDevices under investigation. Attack involves process injection by element or VLC executables.
31	Possible Malicious MSIX Payload via Google Ad	Possible Malicious MSIX Payload via Google Ad under investigation.
32	APT28 Covenant Grunt Stager_ep-registry	APT28 Covenant Grunt Stager attack under investigation.
33	HIDDENDRIVER Rootkit Registry Configuration	HIDDENDRIVER Rootkit Registry Configuration under investigation.
34	Detection of Hidden Accounts and RID Hijacking in Windows	Detection of Hidden Accounts and RID Hijacking in Windows under investigation.
35	Custom Cloudflare HTTP Request User Enumeration	This detection identifies attempts to enumerate user accounts or endpoints via HTTP requests with patterns such as predictable usernames, sequential IDs, or common paths.
36	Server-Side Code Injection in URL	Detects malicious attempts to inject server-side code (e.g., SQL, JavaScript) via the URL to execute unauthorized actions or exfiltrate data.

Updated Detections

1	Binary File Modification Detected in System Paths	Investigating suspicious binary file changes involving critical commands.
2	Suspicious wevtutil Usage	This rule is designed to identify potentially suspicious usage of the ‘wevtutil’ utility, which is commonly employed for managing event logs on Windows systems.
3	MsiExec Service Child Process With Network Connection_ep-dns	MsiExec Service Child Process With Network Connection under investigation.