Unit 42

3K posts

Unit 42 banner
Unit 42

Unit 42

@Unit42_Intel

The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.

Katılım Aralık 2015
81 Takip Edilen69.6K Takipçiler
Unit 42
Unit 42@Unit42_Intel·
We've identified 100+ domains in a "Point Expiration Reminder" #phishing campaign impersonating Japanese financial institutions. These phishing pages urge users to click a "Next" (次へ) button to harvest login credentials of banking customers. Details at bit.ly/3RaV6E4
Unit 42 tweet mediaUnit 42 tweet media
English
1
14
41
5.9K
Unit 42
Unit 42@Unit42_Intel·
We uncovered a financially motivated campaign distributing both the Vidar information stealer and the XMRig cryptocurrency miner. The Factory-v3 framework pairs unique per-build Go binaries with DLL search-order hijacking to bypass security filters: bit.ly/4eSk6cj
Unit 42 tweet media
English
0
14
34
5.2K
Unit 42
Unit 42@Unit42_Intel·
We are tracking a new #ClickFix campaign targeting #macOS users that installs a backdoor using LaunchAgent. Utilizes affiliate/cloaking redirect URLs to distribute lure pages hosted on pages[.]dev sites leading to 9 distinct payload URLs so far. Details at bit.ly/4gnSkWd
Unit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet media
English
3
27
107
10.8K
Unit 42
Unit 42@Unit42_Intel·
We recently identified files likely associated with the C-based ransomware variant used by The Gentlemen (Storm-2697). The ransom note (!-READ-ME---GEN-TLE-MEN-!.txt) threatens data publication on a Tor-based leak site with a 239-hour countdown. Details at bit.ly/4gXiGP2
Unit 42 tweet media
English
2
21
80
9.7K
Unit 42
Unit 42@Unit42_Intel·
World Cup 2026 piracy alert: We found 1,500+ domains & URLs across 14 unauthorized streaming operations. Techniques include mirror farms, hosting on cloud platforms, and a campaign pushing fake VPN and APK lures through affiliate tracker chains. Details at bit.ly/4w0FodC
Unit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet media
English
1
23
47
7K
Unit 42
Unit 42@Unit42_Intel·
We identified a phishing campaign impersonating US state government and motor vehicle agencies across 23 jurisdictions. Hundreds of lookalikes on .one/.shop/.cc/.help/.click domains. Phishing sites copy content from .gov sites. Details at bit.ly/4p3Hxmg
Unit 42 tweet mediaUnit 42 tweet media
English
0
21
55
6.8K
Unit 42
Unit 42@Unit42_Intel·
We are tracking a MaaS #ClickFix operation using Polygon #blockchain as a resilient C2 config store. So far, 130+ compromised sites with 15 rotating C2s. Victim telemetry is periodically exfiltrated and stage 3 execution drops an infostealer. Details at bit.ly/4fmKZ8g
Unit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet media
English
3
52
203
16.8K
Unit 42 retweetledi
Palo Alto Networks
Palo Alto Networks@PaloAltoNtwks·
We're excited to welcome Sherrod DeGrippo as Head of Threat Intelligence for @Unit42_Intel. As AI reshapes the threat landscape, Sherrod's leadership will help strengthen the actionable threat intelligence defenders rely on to stay ahead. Welcome, Sherrod! 🎉
Palo Alto Networks tweet media
English
4
3
63
4.6K
Unit 42
Unit 42@Unit42_Intel·
LLMs consistently generate fictitious domains for legitimate brands. Attackers register these domains to intercept traffic from automated AI systems and developers. We've observed an attacker building a phishing kit targeting one such domain: bit.ly/4v5IlID
Unit 42 tweet media
English
0
8
54
5.4K
Unit 42
Unit 42@Unit42_Intel·
Email #phishing scam capitalizing on the popularity of the 2026 FIFA World Cup ends in credit card theft, not free prizes. Auth-passing email → redirect → geo-cloaked redirector → fake "reward" checkout that steals name, address & card info. Details at bit.ly/3SOcaA8
Unit 42 tweet media
English
1
24
65
7.1K
Unit 42
Unit 42@Unit42_Intel·
We discovered a campaign targeting energy and government entities in Southeast Asia. The group used AppDomainManager injection to deploy a new .NET backdoor called TinyRCT. Read our analysis for more details: bit.ly/4oQxj8D
Unit 42 tweet media
English
0
32
79
8K
Unit 42
Unit 42@Unit42_Intel·
AI agent marketplaces introduce new supply chain risks. Our analysis of ClawHub revealed malicious skills bypassing security scanners to deploy infostealers and execute financial fraud. Read our analysis for details: bit.ly/4bejhrR
Unit 42 tweet media
English
2
12
30
5.5K
Unit 42
Unit 42@Unit42_Intel·
Impersonated "System Administrator" #phishing abuses Teams to seize remote control of victim's machine to deploy #EtherRAT via a malicious MSI/PowerShell, with its C2 hidden in an Ethereum smart contract. An open dir exposes the actor's malware. Details at bit.ly/4v6cfN6
Unit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet media
English
1
23
103
10.9K
Unit 42
Unit 42@Unit42_Intel·
Understand the “speed gap" in security operations. With attack timelines compressing due to AI use by attackers, we outline how SOCs can re-engineer workflows for velocity in order to counter identity-driven threats: bit.ly/4v6T19Y
Unit 42 tweet media
English
0
5
24
4.4K
Unit 42
Unit 42@Unit42_Intel·
New Kongtuke #ClickFix campaign sideloads Havoc C2 using signed WinWrapIDE binary. The evasive loader uses window cloaking, sandbox sleep, and native callback evasion to run a memory-only #infostealer. Details at bit.ly/4v3tles
Unit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet media
English
0
40
132
12K
Unit 42
Unit 42@Unit42_Intel·
Our latest research details a bucket hijacking technique impacting major cloud providers. Attackers could silently redirect active data streams by exploiting the global uniqueness of bucket names. Read our analysis for technical details: bit.ly/4f3lBnY
Unit 42 tweet media
English
0
10
31
5.2K
Unit 42
Unit 42@Unit42_Intel·
We identified a deceptive browser extension campaign involved in affiliate marketing fraud, impersonating consumer brands (streaming, productivity, music, etc) with typosquatted .shop domains. 2,000-plus installations so far. Details at bit.ly/4uRmWCZ
Unit 42 tweet mediaUnit 42 tweet media
English
4
24
60
7.7K
Unit 42
Unit 42@Unit42_Intel·
We detected a Browser-in-the-Browser phishing kit for malware delivery rather than credential theft. It uses a draggable pop-up with a spoofed URL to serve a fake "software out of date" warning. It sends malware that it instructs users to run. Details at bit.ly/3SFpmHp
Unit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet media
English
2
47
177
22.6K
Unit 42
Unit 42@Unit42_Intel·
The latest macOS ClickFix variant invisibly mounts DMG images in the background to execute a macOS infostealer and hijack cryptocurrency wallet info. Details at bit.ly/4ahgmhJ
Unit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet media
English
5
32
159
14.5K
Unit 42
Unit 42@Unit42_Intel·
An evolved deepfake video campaign is distributing an AI-generated instructional video that guides social media users through stealing their own session cookies via the browser's DevTools. Abuse of 6 SaaS platforms with 800+ lure pages so far. Details at bit.ly/4vYxmle
Unit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet mediaUnit 42 tweet media
English
2
17
72
8K