Tag: Unit 42

BadSuccessor is an attack vector in Windows Server 2025. Under certain conditions it allows privilege elevation via dMSAs. We analyze its mechanics. The post When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory appeared first on…

Read more →

Project AK47, a toolset including ransomware, was used to leverage SharePoint exploit chain ToolShell. This activity overlaps with Storm-2603. The post Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks appeared first on Unit 42. This article has been…

Read more →

A comprehensive list of threat actor groups tracked by Unit 42, along with information such as summaries and industries typically impacted. The post Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, 2025) appeared first on…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 31) appeared first on Unit 42. This article has been…

Read more →

Peel back the layers on Unit 42’s Attribution Framework. We offer a rare inside view into the system used to ultimately assign attribution to threat groups. The post Introducing Unit 42’s Attribution Framework appeared first on Unit 42. This article…

Read more →

Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why it’s surging. We detail eight critical countermeasures. The post 2025 Unit 42 Global Incident Response Report: Social Engineering Edition appeared first on…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 29) appeared first on Unit 42. This article has been…

Read more →

Recent activity targeting telecom infrastructure is assessed with high confidence to overlap with Liminal Panda activity. The actors used custom tools, tunneling and OPSEC tactics for stealth. The post The Covert Operator's Playbook: Infiltration of Global Telecom Networks appeared first…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 25) appeared first on Unit 42. This article has been…

Read more →

A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters. The post The Ηоmоgraph Illusion: Not Everything Is As It Seems appeared first on Unit 42. This article has…

Read more →

Muddled Libra (Scattered Spider, UNC3944) is evolving. Get the latest insights and defensive recommendations based on Unit 42 incident response cases. The post Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful appeared first on Unit 42. This article has been…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 24) appeared first on Unit 42. This article has been…

Read more →

Cloud logging is essential for security and compliance. Learn best practices when navigating AWS, Azure or GCP for comprehensive visibility into your environment. The post Cloud Logging for Security and Beyond appeared first on Unit 42. This article has been…

Read more →

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated July 22) appeared first on Unit 42. This article has been…

Read more →

Unit 42 has observed an active exploitation of recent Microsoft SharePoint Vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief appeared first on Unit 42. This article has been indexed from…

Read more →

CL-STA-1020 targets Southeast Asian governments using a novel Microsoft backdoor we call HazyBeacon. It misuses AWS Lambda URLs for C2. The post Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication appeared first on Unit…

Read more →

SLOW#TEMPEST malware uses dynamic jumps and obfuscated calls to evade detection. Unit 42 details these techniques and how to defeat them with emulation. The post Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques appeared first on Unit…

Read more →

ClickFix campaigns are on the rise. We highlight three that distributed NetSupport RAT, Latrodectus, and Lumma Stealer malware. The post Fix the Click: Preventing the ClickFix Attack Vector appeared first on Unit 42. This article has been indexed from Unit…

Read more →

An IAB campaign exploited leaked ASP.NET Machine Keys. We dissect the attacker’s infrastructure, campaign and offer takeaways for blue teams. The post GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Revealed appeared first on Unit 42. This article has…

Read more →

Our telemetry shows a surge in Windows shortcut (LNK) malware use. We explain how attackers exploit LNK files for malware delivery. The post Windows Shortcut (LNK) Malware Strategies appeared first on Unit 42. This article has been indexed from Unit…

Read more →