Category: Unit 42

PhantomVAI is a new loader used to deploy multiple infostealers. We discuss its overall evolution and use of steganography and obfuscated scripts. The post PhantomVAI Loader Delivers a Range of Infostealers appeared first on Unit 42. This article has been…

Read more →

BlackSuit ransomware delivered by APT Ignoble Scorpius started with a vishing attack. Read how Unit 42 helped and the ultimate outcome. The post Anatomy of an Attack: The "BlackSuit Blitz" at a Global Equipment Manufacturer appeared first on Unit 42.…

Read more →

Scattered Lapsus$ Hunters: Organizations, be aware of the effort of this cybercriminal alliance as they target retail and hospitality for extortion. The post The Golden Scale: Bling Libra and the Evolving Extortion Economy appeared first on Unit 42. This article…

Read more →

Indirect prompt injection can poison long-term AI agent memory, allowing injected instructions to persist and potentially exfiltrate conversation history. The post When AI Remembers Too Much – Persistent Behaviors in Agents’ Memory appeared first on Unit 42. This article has…

Read more →

Unit 42 discovers ClickFix phishing kits, commoditizing social engineering. This kit presents a lowered barrier for inexperienced cybercriminals. The post The ClickFix Factory: First Exposure of IUAM ClickFix Generator appeared first on Unit 42. This article has been indexed from…

Read more →

Cloud breaches are rising. This step-by-step guide from Unit 42 shows how to investigate, contain and recover from cloud-based attacks. The post Responding to Cloud Incidents A Step-by-Step Guide from the 2025 Unit 42 Global Incident Response Report appeared first…

Read more →

Researchers identified vulnerabilities in TOTOLINK X6000R routers: CVE-2025-52905, CVE-2025-52906 and CVE-2025-52907. We discuss root cause and impact. The post TOTOLINK X6000R: Three New Vulnerabilities Uncovered appeared first on Unit 42. This article has been indexed from Unit 42 Read the…

Read more →

「Phantom Taurus」は、これまで活動が報告されていなかった中国の脅威グループです。本稿では、このグループが使用する特徴的なツールセットが、いかにしてその存在の発見につながったのかを解説します。 The post Phantom Taurus: 新たな中華系Nexus APTとNET-STARマルウェア スイートの発見 appeared first on Unit 42. This article has been indexed from Unit 42 Read the original article: Phantom Taurus: 新たな中華系Nexus APTとNET-STARマルウェア スイートの発見

Read more →

Phantom Taurus is a previously undocumented Chinese threat group. Explore how this group’s distinctive toolset lead to uncovering their existence. The post Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite appeared first on…

Read more →

CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363 affect multiple Cisco products, and are being exploited by a threat actor linked to the ArcaneDoor campaign. The post Threat Insights: Active Exploitation of Cisco ASA Zero Days appeared first on Unit 42. This article has…

Read more →

We connect Bookworm malware to Chinese APT Stately Taurus using our attribution framework, enhancing our understanding of threat group tradecraft. The post Bookworm to Stately Taurus Using the Unit 42 Attribution Framework appeared first on Unit 42. This article has…

Read more →

Self-replicating worm “Shai-Hulud” has compromised hundreds of software packages in a supply chain attack targeting the npm ecosystem. We discuss scope and more. The post "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 23) appeared first on…

Read more →

SEO poisoning campaign “Operation Rewrite” uses a malicious IIS module called BadIIS to redirect users to unwanted websites. The post Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign appeared first on Unit 42. This…

Read more →

Self-replicating worm “Shai-Hulud” has compromised hundreds of software packages in a supply chain attack targeting the npm ecosystem. We discuss scope and more. The post "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 18) appeared first on…

Read more →

Self-replicating worm “Shai-Hulud” has compromised hundreds of software packages in a supply chain attack targeting the npm ecosystem. We discuss scope and more. The post "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack appeared first on Unit 42. This…

Read more →

Unit 42 explores how innocent clicks can have serious repercussions. Learn how simply visiting a malicious site can expose users to significant digital dangers. The post Myth Busting: Why "Innocent Clicks" Don't Exist in Cybersecurity appeared first on Unit 42.…

Read more →

We examine security weaknesses in LLM code assistants. Issues like indirect prompt injection and model misuse are prevalent across platforms. The post The Risks of Code Assistant LLMs: Harmful Content, Misuse and Deception appeared first on Unit 42. This article…

Read more →

Effective OAuth token management is crucial for supply chain security, preventing breaches caused by dormant integrations, insecure storage or lack of rotation. The post Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain appeared first on Unit 42.…

Read more →

Unit 42 delves into how cybercriminals are treating stolen data like digital diamonds amid rising attacks and evolving extortion tactics. The post Data Is the New Diamond: Latest Moves by Hackers and Defenders appeared first on Unit 42. This article…

Read more →

AdaptixC2, an open-source C2 framework, is increasingly used in attacks. We discuss its features and potential use case scenarios. The post AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks appeared first on Unit 42. This article has been indexed…

Read more →