Unit 42

3K posts


@Unit42_Intel

The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.

Joined December 2015
81 Following, 68.8K Followers

Unit 42 (@Unit42_Intel)
2026-05-26 (Tuesday): Another page impersonating Claude was used to push #SHubStealer when viewed on a macOS host. Details at bit.ly/4fcekmj

Unit 42 (@Unit42_Intel)
Offensive and defensive framework ROADtools is being misused by nation-state actors for cloud attacks. Understand how to identify the activity that signals its malicious usage, including proactive hunting for anomalous activity: bit.ly/4fyQYHB

Unit 42 retweeted
CNN (@CNN)
Iranian hackers have posed as job recruiters to target software engineers in the aviation sector as part of an elaborate espionage scheme during the US and Israeli war with Iran, cybersecurity researchers tell CNN. cnn.it/3RUyl7a

Unit 42 (@Unit42_Intel)
Users attempting to download an open-source C++ IDE are hijacked via malicious CloudFront JS on-click, redirecting to fake MEGA-Transfer pages delivering #RemusStealer. Details at bit.ly/49bLy1u

Unit 42 (@Unit42_Intel)
A single threat actor uses multiple identities to run dozens of #AI-accelerated fake VPN Chrome extensions. All traffic routes through 15 SOCKS5 proxies, with some impersonating major VPN service providers. Details at bit.ly/4nNiByT

Unit 42 (@Unit42_Intel)
Iran-nexus APT Screening Serpens (aka UNC1549, Smoke Sandstorm) is deploying novel RAT variants in espionage campaigns targeting entities in the U.S., Israel and the UAE. These campaigns use AppDomainManager hijacking. Read our analysis for details: bit.ly/4dYHBQk

Unit 42 (@Unit42_Intel)
We identified 4,000 samples of TamperedChef malware hiding in trojanized productivity apps. These campaigns use code signing to bypass security filters. The malware can remain dormant for days before stealing data. Read our analysis: bit.ly/4wI0z57

Unit 42 (@Unit42_Intel)
2026-05-20 (Tuesday): Pages impersonating Claude and Homebrew continue to distribute malware like #MacSync stealer by employing a #ClickFix-style social engineering technique. Details at bit.ly/4upfAHC

Unit 42 (@Unit42_Intel)
The latest Gremlin stealer variants employ multiple layers of obfuscation such as identifier renaming and string encryption. These methods remove context and hide intentions from static analysis tools. Read our analysis for technical insights: bit.ly/4nyM8fq

Unit 42 (@Unit42_Intel)
LinkedIn Search leads to #CastleLoader delivering #AsyncRAT. Attackers use Clickfix lures with fake verification popups to mask PowerShell activity. The loader decrypts the payload via RC4, using the first 64 bytes as a key to bypass filters. Details: bit.ly/4uOIqka

Unit 42 (@Unit42_Intel)
Active Directory Certificate Services is a high-impact vector for privilege escalation. Adversaries misuse built-in features to impersonate accounts and establish persistence. Our research provides a deep dive into these methods. Read our analysis: bit.ly/3R9vLKn

Unit 42 (@Unit42_Intel)
We detected 7 dynamic runtime impersonating malicious Chrome extensions. A remote kill-switch targets #crypto users. They used deceptive practices including Unicode BIDI spoofing (Ledger, Braavos, etc.), dual-identity, a BSC drainer and a fake Solana wallet: bit.ly/4dbw8wC

Unit 42 (@Unit42_Intel)
We observed a phishing campaign pivot to evade static analysis, shifting from credential theft to #OAuth device code phishing. Attackers replaced hardcoded URLs with runtime-fetched landing pages and generated images as blob URLs. Details at: bit.ly/4uCtzJQ

Unit 42 (@Unit42_Intel)
New threat brief: CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Unit 42 observed limited exploitation for unauthenticated RCE. Read our analysis for mitigation steps and Palo Alto Networks guidance: bit.ly/4uEte9A

Unit 42 (@Unit42_Intel)
Threat actors leverage LLMs to accelerate development of malicious browser extensions. These extensions masquerade as AI tools, exploiting privileges to steal sensitive data. Understand this evolving threat. Read our analysis: bit.ly/3P4J2TB

Unit 42 (@Unit42_Intel)
Copy Fail (CVE-2026-31431) is a critical privilege escalation in the Linux kernel's crypto subsystem. Attackers can stealthily write to page cache, bypassing integrity checks. This impacts Kubernetes, multi-tenant hosts and CI/CD. Details: bit.ly/4cTVWgs

Unit 42 (@Unit42_Intel)
New C2 infrastructure and lures detected associated with #Coruna and #DarkSword malware. Threat actors are using fake crypto reward scam web pages to deliver malicious URLs and RCE exploits to iOS users. Details at: bit.ly/4d8mOs7

Unit 42 (@Unit42_Intel)
Finger protocol LOLBin #ClickFix campaign that uses fake AI tools, background removers and LinkedIn lures and injects “finger <username> @ C2” with 12+ lure domains containing fake reCAPTCHA, 6 Finger usernames and 6 rotating C2 domains. Details at: bit.ly/3Rmc4Pl

Unit 42 (@Unit42_Intel)
Obfuscated #WebSocket backdoors are injecting credit card skimmers into hundreds of compromised websites. The payload sends stolen card information back to the attackers' C2 domains. Details at: bit.ly/42HyNb3

Unit 42 (@Unit42_Intel)
New AirSnitch attack techniques target the Wi-Fi infrastructure itself. We show how attackers can intercept and inject packets, bypassing encryption. This fundamentally shifts assumptions of wireless security. Read our full analysis: bit.ly/3OP0X0s