Category: Unit 42

Peel back the layers on Unit 42’s Attribution Framework. We offer a rare inside view into the system used to ultimately assign attribution to threat groups. The post Introducing Unit 42’s Attribution Framework appeared first on Unit 42. This article…

Read more →

Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why it’s surging. We detail eight critical countermeasures. The post 2025 Unit 42 Global Incident Response Report: Social Engineering Edition appeared first on…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 29) appeared first on Unit 42. This article has been…

Read more →

Recent activity targeting telecom infrastructure is assessed with high confidence to overlap with Liminal Panda activity. The actors used custom tools, tunneling and OPSEC tactics for stealth. The post The Covert Operator's Playbook: Infiltration of Global Telecom Networks appeared first…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 25) appeared first on Unit 42. This article has been…

Read more →

A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters. The post The Ηоmоgraph Illusion: Not Everything Is As It Seems appeared first on Unit 42. This article has…

Read more →

Muddled Libra (Scattered Spider, UNC3944) is evolving. Get the latest insights and defensive recommendations based on Unit 42 incident response cases. The post Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful appeared first on Unit 42. This article has been…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 24) appeared first on Unit 42. This article has been…

Read more →

Cloud logging is essential for security and compliance. Learn best practices when navigating AWS, Azure or GCP for comprehensive visibility into your environment. The post Cloud Logging for Security and Beyond appeared first on Unit 42. This article has been…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 22) appeared first on Unit 42. This article has been…

Read more →

Unit 42 has observed an active exploitation of recent Microsoft SharePoint Vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief appeared first on Unit 42. This article has been indexed from…

Read more →

CL-STA-1020 targets Southeast Asian governments using a novel Microsoft backdoor we call HazyBeacon. It misuses AWS Lambda URLs for C2. The post Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication appeared first on Unit…

Read more →

SLOW#TEMPEST malware uses dynamic jumps and obfuscated calls to evade detection. Unit 42 details these techniques and how to defeat them with emulation. The post Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques appeared first on Unit…

Read more →

ClickFix campaigns are on the rise. We highlight three that distributed NetSupport RAT, Latrodectus, and Lumma Stealer malware. The post Fix the Click: Preventing the ClickFix Attack Vector appeared first on Unit 42. This article has been indexed from Unit…

Read more →

An IAB campaign exploited leaked ASP.NET Machine Keys. We dissect the attacker’s infrastructure, campaign and offer takeaways for blue teams. The post GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed appeared first on Unit 42. This article has…

Read more →

We analyze CVE-2025-24813 (Tomcat Partial PUT RCE) and CVE-2025-27636/29891 (Camel Header Hijack RCE). The post Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack appeared first on Unit 42. This article has been indexed from Unit 42 Read…

Read more →

Our telemetry shows a surge in Windows shortcut (LNK) malware use. We explain how attackers exploit LNK files for malware delivery. The post Windows Shortcut (LNK) Malware Strategies appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Unit 42 details recent Iranian cyberattack activity, sharing direct observations. Tactical and strategic recommendations are provided for defenders. The post Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 26) appeared first on Unit 42. This article has…

Read more →

Unit 42 details recent Iranian cyberattack activity, sharing direct observations. Tactical and strategic recommendations are provided for defenders. The post Threat Brief: Escalation of Cyber Risk Related to Iran appeared first on Unit 42. This article has been indexed from…

Read more →

Cybercriminals are targeting financial organizations across Africa, potentially acting as initial access brokers selling data on the dark web. The post Cybercriminals Abuse Open-Source Tools To Target Africa’s Financial Sector appeared first on Unit 42. This article has been indexed…

Read more →

We identified a resurgence of the Prometei botnet’s Linux variant. Our analysis tracks the activity of this cryptominer and its new features. The post Resurgence of the Prometei Botnet appeared first on Unit 42. This article has been indexed from…

Read more →

We analyze two new KimJongRAT stealer variants, combining new research with existing knowledge. One uses a Portable Executable (PE) file and the other PowerShell. The post Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation appeared first on Unit…

Read more →

Understand the mechanics of serverless authentication: three simulated attacks across major CSPs offer effective approaches for application developers. The post Serverless Tokens in the Cloud: Exploitation and Detections appeared first on Unit 42. This article has been indexed from Unit…

Read more →

In an extensive campaign affecting 270k webpages, compromised websites were injected with the esoteric JavaScript programming style JSF*ck to redirect users to malicious content. The post JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique appeared first on Unit…

Read more →

Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files. The post The Evolution of Linux Binaries in Targeted Cloud Operations appeared first on Unit 42. This article…

Read more →

This examination of the Amazon Web Services (AWS) Roles Anywhere service looks at potential risks, analyzed from both defender and attacker perspectives. The post Roles Here? Roles There? Roles Anywhere: Exploring the Security of AWS IAM Roles Anywhere appeared first…

Read more →

Blitz malware, active since 2024 and updated in 2025, was spread via game cheats. We discuss its infection vector and abuse of Hugging Face for C2. The post Blitz Malware: A Tale of Game Cheats and Code Repositories appeared first…

Read more →

We discovered an Azure OpenAI misconfiguration allowing shared domains, potentially leading to data leaks. Microsoft quickly resolved the issue. The post Lost in Resolution: Azure OpenAI's DNS Resolution Issue appeared first on Unit 42. This article has been indexed from…

Read more →

We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems. The post How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content…

Read more →

CVE-2025-31324 impacts SAP NetWeaver’s Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry. The post Threat Brief: CVE-2025-31324 (Updated May 23) appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses. The post Threat Group Assessment: Muddled Libra (Updated May 16, 2025) appeared first on Unit 42. This article has…

Read more →

A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads. The post DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt appeared first on…

Read more →

CVE-2025-31324 impacts SAP NetWeaver’s Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry. The post Threat Brief: CVE-2025-31324 appeared first on Unit 42. This article has been indexed from Unit 42 Read the…

Read more →

Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader. The post Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources appeared first…

Read more →

A suspected Iranian espionage campaign impersonated a model agency site for data collection, including fictitious models as possible social engineering lures. The post Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation appeared first on Unit 42. This article…

Read more →

Lampion malware distributors are now using the social engineering method ClickFix. Read our analysis of a recent campaign. The post Lampion Is Back With ClickFix Lures appeared first on Unit 42. This article has been indexed from Unit 42 Read…

Read more →

Programs leveraging AI agents are increasingly popular. Nine attack scenarios using open-source agent frameworks show how bad actors target these applications. The post AI Agents Are Here. So Are the Threats. appeared first on Unit 42. This article has been…

Read more →

Advertised on Telegram, Gremlin Stealer is new malware active since March 2025 written in C#. Data stolen is uploaded to a server for publication. The post Gremlin Stealer: New Stealer on Sale in Underground Forum appeared first on Unit 42.…

Read more →

Ransomware leak site data and Unit 42 case studies reveal new trends from Q1 2025, including the most active groups, targeted industries and novel extortion tactics. The post Extortion and Ransomware Trends January-March 2025 appeared first on Unit 42. This…

Read more →

Ransomware leak site data and Unit 42 case studies reveal new trends from Q1 2025, including the most active groups, targeted industries and novel extortion tactics. The post Extortion and Ransomware Trends January-March 2025 appeared first on Unit 42. This…

Read more →

North Korean IT workers are reportedly using real-time deepfakes to secure remote work, raising serious security concerns. We explore the implications. The post False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation appeared first on Unit 42.…

Read more →

Agent Tesla, Remcos RAT and XLoader delivered via a complex phishing campaign. Learn how attackers are using multi-stage delivery to hinder analysis. The post Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis appeared first on Unit…

Read more →

North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges. The post Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware appeared first on Unit…

Read more →

North Korean state-sponsored group Slow Pisces (Jade Sleet) targeted crypto developers with a social engineering campaign that included malicious coding challenges. The post Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware appeared first on Unit…

Read more →

GenAI boosts productivity but also poses security risks. Palo Alto Networks has a new whitepaper about prompt-based threats and how to defend against them. The post How Prompt Attacks Exploit GenAI and How to Fight Back appeared first on Unit…

Read more →

We found three key attack vectors in OpenID Connect (OIDC) implementation and usage. Bad actors could exploit these to access restricted resources. The post OH-MY-DC: OIDC Misconfigurations in CI/CD appeared first on Unit 42. This article has been indexed from…

Read more →

Phishing with QR codes: New tactics described here include concealing links with redirects and using Cloudflare Turnstile to evade security crawlers. The post Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon appeared first on Unit 42. This article has…

Read more →

Understanding trends amidst noise: tracking shifts in security alerts allows cloud defenders to parse threats from attackers targeting IAM, storage and more. The post Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on IAM, Exfiltration appeared first…

Read more →

A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains. The post GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment…

Read more →

A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains. The post GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment…

Read more →

A compromise of the GitHub action tj-actions/changed-files highlights how attackers could exploit vulnerabilities in third-party actions to compromise supply chains. The post Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files appeared first on Unit 42. This article…

Read more →

Three unusual malware samples analyzed here include an ISS backdoor developed in a rare language, a bootkit and a Windows implant of a post-exploit framework. The post Off the Beaten Path: Recent Unusual Malware appeared first on Unit 42. This…

Read more →

We identified a campaign spreading thousands of sca crypto investment platforms through websites and mobile apps, possibly through a standardized toolkit. The post Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims appeared first on Unit 42. This…

Read more →

We identified multiple vulnerabilities in ICONICS Suite, SCADA software used in numerous OT applications. This article offers a technical analysis of our findings. The post Multiple Vulnerabilities Discovered in a SCADA System appeared first on Unit 42. This article has…

Read more →

A graph intelligence-based pipeline and WHOIS data are among the tools we used to identify this campaign, which introduced a variant of domain generation algorithms. The post The Next Level: Typo DGAs Used in Malicious Redirection Chains appeared first on…

Read more →

A topological analysis and case studies add nuance to a study of malicious traffic distribution systems. We compare their use by attackers to benign systems. The post Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems appeared first…

Read more →

Malware authors use AES encryption and code virtualization to evade sandbox static analysis. We explore how this facilitates spread of Agent Tesla, XWorm and more. The post Uncovering .NET Malware Obfuscated by Encryption and Virtualization appeared first on Unit 42.…

Read more →

Unit 42 reports on phishing activity linked to the threat group JavaGhost. These attacks target organizations’ AWS environments. The post JavaGhost’s Persistent Phishing Attacks From the Cloud appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

We analyze the backdoor Squidoor, used by a suspected Chinese threat actor to steal sensitive information. This multi-platform backdoor is built for stealth. The post Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations appeared first on Unit 42. This…

Read more →

Koi Stealer and RustDoor malware were used in a campaign linked to North Korea. This activity targeted crypto wallet owners. The post RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector appeared…

Read more →

The new Linux malware named Auto-color uses advanced evasion tactics. Discovered by Unit 42, this article cover its installation, evasion features and more. The post Auto-Color: An Emerging and Evasive Linux Backdoor appeared first on Unit 42. This article has…

Read more →

We discuss vulnerabilities in popular GenAI web products to LLM jailbreaks. Single-turn strategies remain effective, but multi-turn approaches show greater success. The post Investigating LLM Jailbreaking of Popular Generative AI Web Products appeared first on Unit 42. This article has…

Read more →

Unit 42 details the just-discovered connection between threat group Stately Taurus (aka Mustang Panda) and the malware Bookworm, found during analysis of the group’s infrastructure. The post Stately Taurus Activity in Southeast Asia Links to Bookworm Malware appeared first on…

Read more →

Unit 42 researchers detail nine vulnerabilities discovered in NVIDIA’s CUDA-based toolkit. The affected utilities help analyze cubin (binary) files. The post Multiple Vulnerabilities Discovered in NVIDIA CUDA Toolkit appeared first on Unit 42. This article has been indexed from Unit…

Read more →

Atomic Stealer, Poseidon Stealer and Cthulhu Stealer target macOS. We discuss their various properties and examine leverage of the AppleScript framework. The post Stealers on the Rise: A Closer Look at a Growing macOS Threat appeared first on Unit 42.…

Read more →

Evaluation of three jailbreaking techniques on DeepSeek shows risks of generating prohibited content. The post Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek appeared first on Unit 42. This article has been indexed from Unit 42 Read the original article: Recent…

Read more →

A Chinese-linked espionage campaign targeted entities in South Asia using rare techniques like DNS exfiltration, with the aim to steal sensitive data. The post CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia appeared first on Unit 42. This…

Read more →

CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case. The post Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated Jan. 17) appeared first on Unit 42. This article has been indexed…

Read more →

CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case. The post Threat Brief: CVE-2025-0282 and CVE-2025-0283 appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

Graph neural networks aid in analyzing domains linked to known attack indicators, effectively uncovering new malicious domains and cybercrime campaigns. The post One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks appeared first on Unit…

Read more →

The jailbreak technique “Bad Likert Judge” manipulates LLMs to generate harmful content using Likert scales, exposing safety gaps in LLM guardrails. The post Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability appeared first…

Read more →

This article demonstrates how AI can be used to modify and help detect JavaScript malware. We boosted our detection rates 10% with retraining. The post Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript appeared first…

Read more →

A phishing campaign targeting European companies used fake forms made with HubSpot’s Free Form Builder, leading to credential harvesting and Azure account takeover. The post Effective Phishing Campaign Targeting European Companies and Organizations appeared first on Unit 42. This article…

Read more →

A phishing campaign targeting European companies used fake forms made with HubSpot’s Free Form Builder, leading to credential harvesting and Azure account takeover. The post Effective Phishing Campaign Targeting European Companies and Institutions appeared first on Unit 42. This article…

Read more →

Using real-world examples and offering plenty of pragmatic tips, learn how to protect your directory services from LDAP-based attacks. The post LDAP Enumeration: Unveiling the Double-Edged Sword of Active Directory appeared first on Unit 42. This article has been indexed…

Read more →

Vulnerabilities in Microsoft Azure Data Factory’s integration with Apache Airflow can lead to unauthorized access and control over cloud resources. The post Dirty DAG: New Vulnerabilities in Azure Data Factory’s Apache Airflow Integration appeared first on Unit 42. This article…

Read more →

Analysis of packer-as-a-service (PaaS) HeartCrypt reveals its use in over 2k malicious payloads across 45 malware families since its early 2024 appearance. The post Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation appeared first on Unit 42. This article has been…

Read more →

Unit 42 probes network abuses around events like the Olympics, featuring case studies of scams and phishing through domain registrations and more. The post Network Abuses Leveraging High-Profile Events: Suspicious Domain Registrations and Other Scams appeared first on Unit 42.…

Read more →

North Korean IT worker cluster CL-STA-0237 instigated phishing attacks via video apps in Laos, exploiting U.S. IT firms and major tech identities. The post Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack appeared first on…

Read more →

We discuss North Korea’s use of IT workers to infiltrate companies, detailing detection strategies like IT asset management and IP analysis to counter this. The post Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them appeared first…

Read more →

New research reveals two vulnerabilities in Google’s Vertex AI that may lead to privilege escalation or data theft through custom jobs or malicious models. The post ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI appeared first on Unit…

Read more →

We discuss a new campaign from the cybercrime group behind Silent Skimmer, showcasing the exploit of Telerik UI vulnerabilities and malware like RingQ loader. The post Silent Skimmer Gets Loud (Again) appeared first on Unit 42. This article has been…

Read more →

Explore how we detect DNS hijacking by analyzing millions of DNS records daily, using machine learning to identify redirect attempts to malicious servers. The post Automatically Detecting DNS Hijacking in Passive DNS appeared first on Unit 42. This article has…

Read more →

A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor. The post TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit appeared first on…

Read more →

A first-ever collaboration between DPRK-based Jumpy Pisces and Play ransomware signals a possible shift in tactics. The post Jumpy Pisces Engages in Play Ransomware appeared first on Unit 42. This article has been indexed from Unit 42 Read the original…

Read more →

We examine an LLM jailbreaking technique called “Deceptive Delight,” a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate. The post Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction appeared first on Unit…

Read more →

We examine an LLM jailbreaking technique called “Deceptive Delight,” a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate. The post Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction appeared first on Unit…

Read more →

Explore how macOS Gatekeeper’s security could be compromised by third-party apps not enforcing quarantine attributes effectively. The post Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism appeared first on Unit 42. This article has been indexed from Unit 42…

Read more →

The Unit 42 Threat Frontier report discusses GenAI’s impact on cybersecurity, emphasizing the need for AI-specific defenses and proactive security. The post Unit 42 Looks Toward the Threat Frontier: Preparing for Emerging AI Risks appeared first on Unit 42. This…

Read more →

Discover recent attacks using Lynx ransomware, a rebrand of INC, targeting multiple crucial sectors in the U.S. and UK with prevalent double-extortion tactics. The post Lynx Ransomware: A Rebranding of INC Ransomware appeared first on Unit 42. This article has…

Read more →

Discover how North Korean attackers, posing as recruiters, used an updated downloader and backdoor in a campaign targeting tech job seekers. The post Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and…

Read more →

Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more. The post No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection appeared first on Unit…

Read more →