This study focuses on darknet traffic analysis and applies tensor factorization in order to detect coordinated group activities, such as a botnet. Tensor factorization is a powerful tool for extracting co-occurrence patterns that is highly interpretable and can handle more variables than matrix factorization. We propose a simple method for detecting group activities from its extracted features. However, tensor factorization requires too high a computational cost to run in real time. To address this problem, we implemented a two-step algorithm in order to achieve fast, memory-efficient factorization. We also utilize nonnegative Tucker decomposition, one of the tensor factorization methods, because it has non-negativity constraints, to avoid physically unreasonable results. Finally, we introduce our prototype implementation of the proposed scheme, with which we demonstrate the effectiveness of the scheme by reviewing several past security incidents.