Practical darknet traffic analysis: Methods and case studies

T Ban, D Inoue - … Intelligence & Computing, Advanced & Trusted …, 2017 - ieeexplore.ieee.org
2017 IEEE SmartWorld, Ubiquitous Intelligence & Computing …, 2017 - ieeexplore.ieee.org
The malicious activities of emerging malware programs spread over the Internet have caused significant damage to Internet infrastructure as well as end users' digital assets. The monitoring of routed but unused IP address space, namely a darknet, provides a cost-effective way to monitor global cyber-threats on the Internet. By monitoring a large, distributed, global-scale darknet, the NICTER project has been analyzing, reporting, and mitigating tremendous malicious activities in cyberspace for more than a decade. In this paper, we present the recent advances at NICTER with a focus on the newly developed data mining engines lying at its core. Case studies range from host-level analysis to group-level analysis, where data mining technologies have been brought into the service of improved system resilience and automated security operation.