Unit 42

2.9K posts

@Unit42_Intel

The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.

Joined December 2015
81 Following, 67.2K Followers
Unit 42 @Unit42_Intel
Signed #RMM and synthetic domains are exploited to bypass #cybersecurity. Tactic: Hijacking of a popular content-sharing service for #malware traffic. Scale: 340 samples and 224 domains. Alert: Detections surged August 2025. Details at bit.ly/4lFtCkz
Unit 42 @Unit42_Intel
Boggy Serpens, an Iranian state-sponsored threat group, now uses AI-assisted malware development and advanced evasion techniques. Our research details their evolving cyberespionage tactics. Read the full analysis to understand their techniques: bit.ly/4cNmLTZ
Unit 42 @Unit42_Intel
Our investigation into CL-STA-1087 uncovers new AppleChris and MemFun backdoors plus the custom Getpass credential harvester. We share our analysis of the attackers’ methods and tools to help defenders. Read the full analysis: bit.ly/4sKJuos
Unit 42 @Unit42_Intel
🛡️ Defeat machine-speed threats with Unit 42 MSIAM 2.0. Unit 42 MSIAM 2.0 delivers an AI-driven, 24/7 Managed SOC built for machine-speed threats. Experience the future of security operations today. bit.ly/47K0B1l
Unit 42 @Unit42_Intel
Iran-linked Handala Hack (aka Void Manticore, COBALT MYSTIQUE) is a reported vector for an increase in wiper attacks. This Insights blog details proactive recommendations for security teams, from identity management to enhancing security controls. bit.ly/4rrBVlu
Unit 42 @Unit42_Intel
Since late December 2025, Unit 42 has responded to numerous incidents across various industries involving data theft and extortion likely associated with #BlingLibra (aka #ShinyHunters) and affiliated threat actors. Details on how to protect your org: bit.ly/4lqqf0V
Unit 42 retweeted
Glean @glean
AI agents are rapidly becoming more capable, helping people automate decisions, orchestrate workflows, and take action across the enterprise. But as agents become more autonomous, the big question becomes: how do you deploy them without losing control? Introducing the AWARE framework – a new framework for secure AI agent deployment, developed by the Work AI Institute at Glean in collaboration with @Databricks and @PaloAltoNtwks. glean-it.com/4uFq5XQ
Unit 42 @Unit42_Intel
AI judges, LLMs' automated gatekeepers, are vulnerable to stealthy prompt injection. Our latest research reveals how benign inputs can manipulate them to authorize policy violations. Read the full analysis: bit.ly/4b7cQpC
Unit 42 @Unit42_Intel
We investigated an open web directory on a #VoidLink C2 server that reveals new samples and possible overlaps with activity we track as CL-STA-1015. Previous versions of VoidLink have been seen in the wild as early as 2025-12-02. Details at: bit.ly/4s6Ehr8
Unit 42 @Unit42_Intel
We’ve discovered a massive campaign using 30k-plus hostnames to distribute a #BrowserExtension named "OmniBar AI Chat and Search." This extension overrides the browser homepage and uses an attacker-controlled domain for #SearchHijacking. Details at bit.ly/4dbRVED
Unit 42 @Unit42_Intel
Our research observed CL-UNK-1068 employing custom malware, modified open-source utilities and LOLBINs. This toolset ensures persistent access. Explore our full analysis: bit.ly/4cr7YOC
Unit 42 @Unit42_Intel
Indirect prompt injection allows adversaries to manipulate AI agents with content that LLMs process as commands. Our telemetry shows this is being used to promote phishing sites and compromise decision pipelines. Read the full analysis: bit.ly/40fjchT
Unit 42 @Unit42_Intel
We are tracking Iranian cyber activity stemming from a multi-vector retaliatory campaign against Operation Epic Fury and Operation Roaring Lion. Our observations cover hacktivism, phishing and vishing, and potential action from state-aligned groups. bit.ly/4aMxQmX
Unit 42 @Unit42_Intel
Our research uncovered CVE-2026-0628, a high-severity vulnerability in Chrome Gemini, allowing local file access. Google has issued a fix. Read the full analysis: bit.ly/4rHlQZW
Unit 42 @Unit42_Intel
We continue to track #AlloyTaurus (#GALLIUM, #UNC2814) IP addresses and domains. We've identified infrastructure leveraged by the actor in 2025/2026 to target telecommunication and government entities located in Africa, Asia and South America. Details at: bit.ly/4s9uYGo
Unit 42 @Unit42_Intel
Unit 42 is tracking CVE-2026-20127, an actively exploited zero-day vuln in Cisco Catalyst SD-WAN Controller. We recommend updating to the latest versions, hunting for signs of compromise and reviewing the Talos Threat Advisory here: bit.ly/46uYApr
Unit 42 retweeted
RH-ISAC @RH_ISAC
🚨 New threat intel from @PaloAltoNtwks' @Unit42_Intel 🚨 A rogue virtual machine uncovered during an IR investigation provides insight into the operational playbook of Muddled Libra (aka Scattered Spider / UNC3944). This analysis breaks down the TTPs retailers and hospitality orgs need to watch in 2026: rhisac.org/threat-intelli…
Unit 42 @Unit42_Intel
AI is being weaponized for mass-scale malware. We’ve uncovered 10 malicious extensions (#affiliate-hijacking and #GenAI abuse) with clear #AI-fingerprints: verbose comments and cookie-cutter code. Details at bit.ly/3OK6ncN
Unit 42 @Unit42_Intel
Tech support scams targeting Japanese victims leverage multiple browser APIs for victim containment: fullscreen lock, keyboard hijacking, Web Worker resource exhaustion & window spawning on close attempts. Encrypted JavaScript evades detection. Details at bit.ly/3Oqz5iY