Legitimate SaaS Platforms Being Used to Host Phishing Attacks
Platform-abuse phishing is on the rise. We analyze how attackers use services such as website builders to host phishing pages.| Unit 42
AI-Powered Network Security Platform| Unit 42
AI-Powered Network Security Platform| Unit 42
Platform-abuse phishing is on the rise. We analyze how attackers use services such as website builders to host phishing pages.| Unit 42
A technical analysis of deepfake technology uncovers how cybercriminals utilize AI-generated videos of public figures to execute sophisticated scams.| Unit 42
Unit 42 brings together world-renowned threat researchers, incident responders and security consultants to create an intelligence-driven, response-ready organization that's passionate about helping you proactively manage cyber risk.| Unit 42
Unit 42 explores the similarities between the social engineering and reconnaissance tactics used by financially motivated criminals. The post Data Is the New Diamond: Heists in the Digital Age appeared first on Unit 42.| Unit 42
Unit 42 introduces Insights, a new space for fresh thinking and varied content built on trusted expertise. The post Insights: Telling You What We Really Think appeared first on Unit 42.| Unit 42
A campaign leverages CVE-2024-36401 to stealthily monetize victims' bandwidth where legitimate software development kits (SDKs) are deployed for passive income. The post Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth appeared first on Unit 42.| Unit 42
New research from Unit 42 on logit-gap steering reveals how internal alignment measures can be bypassed, making external AI security vital. The post Logit-Gap Steering: A New Frontier in Understanding and Probing LLM Safety appeared first on Unit 42.| Unit 42
GenAI-created phishing campaigns misuse tools ranging from website builders to text generators in order to create more convincing and scalable attacks.| Unit 42
The Spring 2020 edition of the Unit 42 Cloud Threat Report provides data on where cloud vulnerabilities and threats are surfacing.| Unit 42
A beginner-friendly tutorial on analyzing .NET malware teaches you how to use common tools, recognize techniques and understand infection chains. The post A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode appeared first on Unit 42.| Unit 42
A look at the variance within Muddled Libra (aka Scattered Spider, Octo Tempest). Its lack of structure creates multiple teams with distinct skill sets. The post Muddled Libra’s Strike Teams: Amalgamated Evil appeared first on Unit 42.| Unit 42
CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings. The post Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild appeared first on Unit 42.| Unit 42
DarkCloud Stealer's delivery has shifted. We explore three different attack chains that use ConfuserEx obfuscation and a final payload in Visual Basic 6. The post New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer appeared first on Unit 42.| Unit 42
Muddled Libra gets media attention due to its consistent playbook and unique use of vishing. The group's English fluency is another major factor. The post Muddled Libra: Why Are We So Obsessed With You? appeared first on Unit 42.| Unit 42
BadSuccessor is an attack vector in Windows Server 2025. Under certain conditions it allows privilege elevation via dMSAs. We analyze its mechanics. The post When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory appeared first on Unit 42.| Unit 42
Project AK47, a toolset including ransomware, was used to leverage SharePoint exploit chain ToolShell. This activity overlaps with Storm-2603. The post Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks appeared first on Unit 42.| Unit 42
A comprehensive list of threat actor groups tracked by Unit 42, along with information such as summaries and industries typically impacted. The post Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, 2025) appeared first on Unit 42.| Unit 42
Peel back the layers on Unit 42's Attribution Framework. We offer a rare inside view into the system used to ultimately assign attribution to threat groups. The post Introducing Unit 42’s Attribution Framework appeared first on Unit 42.| Unit 42
Recent activity targeting telecom infrastructure is assessed with high confidence to overlap with Liminal Panda activity. The actors used custom tools, tunneling and OPSEC tactics for stealth. Recent activity targeting telecom infrastructure is assessed with high confidence to overlap with Liminal Panda activity. The actors used custom tools, tunneling and OPSEC tactics for stealth.| Unit 42
Dynamic-link library (DLL) hijacking remains a popular technique to run malware. We address its evolution using examples from the realm of cybercrime and more.| Unit 42
Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 25) appeared first on Unit 42.| Unit 42
CL-STA-1020 targets Southeast Asian governments using a novel Microsoft backdoor we call HazyBeacon. It misuses AWS Lambda URLs for C2. CL-STA-1020 targets Southeast Asian governments using a novel Microsoft backdoor we call HazyBeacon. It misuses AWS Lambda URLs for C2.| Unit 42
An overview of CVE-2024-3094, a vulnerability in XZ Utils impacting multiple Linux distributions, and information about how to mitigate.| Unit 42
Our telemetry shows a surge in Windows shortcut (LNK) malware use. We explain how attackers exploit LNK files for malware delivery. Our telemetry shows a surge in Windows shortcut (LNK) malware use. We explain how attackers exploit LNK files for malware delivery.| Unit 42
In an extensive campaign affecting 270k webpages, compromised websites were injected with the esoteric JavaScript programming style JSF*ck to redirect users to malicious content. In an extensive campaign affecting 270k webpages, compromised websites were injected with the esoteric JavaScript programming style JSF*ck to redirect users to malicious content.| Unit 42
Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files. Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files.| Unit 42
We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems. We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems.| Unit 42
Lampion malware distributors are now using the social engineering method ClickFix. Read our analysis of a recent campaign. Lampion malware distributors are now using the social engineering method ClickFix. Read our analysis of a recent campaign.| Unit 42
A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains. A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains.| Unit 42
Unit 42 details the just-discovered connection between threat group Stately Taurus (aka Mustang Panda) and the malware Bookworm, found during analysis of the group's infrastructure. Unit 42 details the just-discovered connection between threat group Stately Taurus (aka Mustang Panda) and the malware Bookworm, found during analysis of the group's infrastructure.| Unit 42
Our researcher provides an overview on containers - starting with their Linux history - and shows the different implementations of containers in Windows, how they work and the security pitfalls that may occur.| Unit 42
We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations. We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations.| Unit 42
We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate. We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate.| Unit 42
We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations' AWS environments.| Unit 42
Two ongoing campaigns bear hallmarks of North Korean state-sponsored threat actors, posing in job-seeking roles to distribute malware or conduct espionage.| Unit 42
Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses.| Unit 42
The main purpose of Siloscape is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.| Unit 42
In three campaigns over the past 20 months, Russian APT Fighting Ursa has targeted over 30 organizations of likely strategic intelligence value using CVE-2023-23397.| Unit 42
BlackCat ransomware gang has released a utility called Munchkin, allowing attackers to propagate their payload to remote machines. We analyze this new tool.| Unit 42
