The Golden Scale: 'Tis the Season for Unwanted Gifts
Unit 42 shares further updates of cybercrime group Scattered LAPSUS$ Hunters. Secure your organization this holiday season. The post The Golden Scale: 'Tis the Season for Unwanted Gifts appeared first on Unit 42. This article has been indexed from Unit…
Category: Unit 42
“Shai-Hulud” Worm Compromises npm Ecosystem in Supply Chain Attack (Updated November 25)
Self-replicating worm “Shai-Hulud” has compromised hundreds of software packages in a supply chain attack targeting the npm ecosystem. We discuss scope and more.
The Dual-Use Dilemma of AI: Malicious LLMs
The line between research tool and threat creation engine is thin. We examine the capabilities of WormGPT 4 and KawaiiGPT, two malicious LLMs.
Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise
Unit 42 outlines a Howling Scorpius attack delivering Akira ransomware that originated from a fake CAPTCHA and led to a 42-day compromise.
Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT
Two campaigns delivering Gh0st RAT to Chinese speakers show a deep understanding of the target population’s virtual environment and online behavior.
You Thought It Was Over? Authentication Coercion Keeps Evolving
A new type of authentication coercion attack exploits an obscure and rarely monitored remote procedure call (RPC) interface.
LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
Commercial-grade LANDFALL spyware exploits CVE-2025-21042 in Samsung Android’s image processing library. The spyware was embedded in malicious DNG files.
Know Ourselves Before Knowing Our Enemies: Threat Intelligence at the Expense of Asset Management
Effective cyber defense starts with knowing your own network. Unit 42 explains why asset management is the foundation of threat intelligence.
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3)
CVE-2025-59287 is a critical RCE vulnerability identified in Microsoft’s WSUS. Our observations from cases show a consistent methodology.
When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems
Agent session smuggling is a novel technique where AI agent-to-agent communication is misused. We demonstrate two proof of concept examples.
Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack
A nation-state attacker is using novel Airstalk malware in supply chain attacks to exfiltrate browser data. Airstalk misuses the AirWatch API.
Bots, Bread and the Battle for the Web
Unit 42 explores the escalating threat of AI-powered malicious SEO and its impact on the credibility of the open web. Read more about how threat actors are exploiting AI to manipulate search results and spread misinformation across the web.
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated October 28)
CVE-2025-59287 is a critical RCE vulnerability identified in Microsoft’s WSUS. Our observations from cases show a consistent methodology.
Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild
CVE-2025-59287 is a critical RCE vulnerability identified in Microsoft’s WSUS. Our observations from cases show a consistent methodology.
Cloud Discovery With AzureHound
Executive Summary: AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerate Azure resources and map potential attack paths, enabling further malicious operations. Here, we help…
The Smishing Deluge: China-Based Campaign Flooding Global Text Messages
Global smishing activity tracked by Unit 42 includes impersonation of many critical services. Its unique ecosystem allows attackers to quickly scale.
Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign
Threat actors behind the gift card fraud campaign Jingle Thief target retail via phishing and smishing, maintaining long-term access in cloud environments.
The Golden Scale: Notable Threat Updates and Looking Ahead
Unit 42 shares notable developments of cybercrime group Scattered LAPSUS$ Hunters. Learn how this group may operate in the future.
Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities
A nation-state actor stole BIG-IP source code and information on undisclosed vulnerabilities from F5. We explain what sets this theft apart from others.