CISO Brief

All news with #unit 42 tag

69 articles · page 2 of 4

Chinese APT Targets Southeast Asian Militaries Since 2020

🛡️ Palo Alto Networks' Unit 42 attributes a China-linked espionage campaign, tracked as CL-STA-1087, to long-running intrusions against Southeast Asian military organizations dating to 2020. The operators used staged loaders, DLL hijacking and sleep-based sandbox evasion to deploy backdoors AppleChris and MemFun, plus a credential stealer named Getpass. Persistent, modular tooling and Pastebin-based dead drops enabled stealthy, long-term access focused on C4I and organizational intelligence.

Suspected China-Linked Espionage Against SE Asian Militaries

🔍 Palo Alto Networks Unit 42 details a persistent espionage campaign, CL-STA-1087, suspected to operate from China and targeting Southeast Asian military organizations. The actors used custom backdoors AppleChris and MemFun, plus a modified credential harvester Getpass, and relied on Pastebin/Dropbox dead-drop resolvers for stealthy C2 resolution. Unit 42 provides IoCs, SHA256 hashes and defensive guidance for Cortex XDR, Advanced WildFire and related protections.

Researchers Find Major Security Flaws in LLM Guardrails

🔒 Researchers at Unit 42, Palo Alto Networks' lab, have demonstrated that LLM-based safety and evaluation systems — called AI Judges — can be manipulated via prompt-injection-style token sequences. Their custom fuzzer, AdvJudge-Zero, probes models in a black-box manner, finding low-perplexity formatting tokens that shift internal attention and increase the likelihood of an 'allow' decision. Unit 42 recorded a 99% bypass rate across multiple architectures, and showed that adversarial retraining on fuzzer-discovered examples can reduce that success rate to near zero.

Chinese-linked CL-UNK-1068 Targets Asian Critical Sectors

🛡️ Palo Alto Networks Unit 42 attributes a years-long espionage campaign against high-value organizations in South, Southeast and East Asia to a previously undocumented cluster dubbed CL-UNK-1068. The actor uses a mixed toolkit of custom malware, modified open-source utilities and living-off-the-land binaries to operate on both Windows and Linux. Intrusions commonly begin with web server exploits and web shells, followed by credential theft and targeted file harvesting. Researchers observed novel exfiltration methods—archiving with WinRAR, Base64-encoding via certutil, and printing the encoded output to the web shell to avoid direct file transfer.

Fooling AI Agents: Web-Based Indirect Prompt Injection

⚠️ Unit 42 researchers describe web-based indirect prompt injection (IDPI), where adversaries embed hidden or obfuscated instructions in webpages that are later consumed by LLMs and agentic systems. The report catalogs 22 payload engineering techniques, presents a taxonomy of attacker intents from low to critical, and details multiple in-the-wild detections, including the first observed AI ad-review bypass. It emphasizes detection, intent analysis and web-scale defenses to protect automated pipelines.

Threat Brief: March 2026 Iran-Related Cyber Escalation

⚠️ Beginning Feb. 28, 2026, Unit 42 observed a rapid escalation in cyber activity tied to Iran following joint U.S.–Israeli strikes, coinciding with an internal internet outage that reduced connectivity in Iran to 1–4%. That loss likely constrains coordinated state-aligned campaigns from inside Iran while enabling decentralized and geographically dispersed actors to increase disruptive operations. Unit 42 identified a phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert APK and tracked about 60 active hacktivist groups claiming DDoS, wiper, and hack-and-leak operations. Organizations should prioritize multi-layered defenses, offline backups, strict out-of-band verification, patching, monitoring, and incident response preparedness; Palo Alto Networks and Unit 42 offer protections and services to assist.

Chrome Gemini Vulnerability Allowed Extension Hijack

🛡 Unit 42 discovered CVE-2026-0628, a high-severity flaw in Chrome's new Gemini Live panel that allowed extensions with only declarativeNetRequest permissions to inject JavaScript into the privileged panel context. That injection could escalate extension privileges to access camera and microphone, read local files, take screenshots and render phishing content inside a trusted browser UI. Google was notified on 2025-10-23 and issued a patch in early January 2026. Palo Alto Networks recommends mitigations such as Prisma Browser and related protections.

Palo Alto: Rapid Attacks Exploit Basic Security Failings

🚨 Palo Alto Networks' Unit 42 reports that cyberattacks are accelerating: the fastest incidents moved from initial access to data exfiltration in 72 minutes, down from nearly five hours in 2024, and AI is compressing reconnaissance, phishing, scripting and execution timelines. Yet most breaches were traced to basic failures such as weak authentication, limited real-time visibility, and misconfigurations. Identity and trust issues featured in 90% of incidents, and Unit 42 found excessive permissions across 99% of 680,000 cloud identities. In response, Palo Alto launched Unit 42 Managed XSIAM 2.0 to provide end-to-end onboarding, threat hunting and faster automated response.

Unit 42 2026 Global Incident Response Report Findings

⚠️ The Unit 42 2026 Global Incident Response Report analyzes over 750 major incidents across 50+ countries and reveals attackers are moving faster and leveraging trusted identities and integrations. The report documents AI-driven acceleration—some intrusions advanced from initial access to exfiltration in as little as 72 minutes—and shows identity weaknesses in nearly 90% of cases. It recommends reducing exposure, tightening identity controls, and increasing response speed.

Unit 42 Managed XSIAM 2.0: 24/7 Managed SOC Service

🔒 Unit 42 Managed XSIAM 2.0 delivers a 24/7 managed SOC built on Cortex XSIAM and operated by Unit 42 analysts, threat hunters, responders and SOC engineers. Designed to close the gap with machine-speed attacks, MSIAM 2.0 replaces alert-driven models with continuous detection, proactive hunting and ongoing engineering of detections, correlations and playbooks. The service supports native and third-party EDR telemetry, enables pre-authorized full-cycle remediation across endpoints, firewalls, identity and cloud, and includes a Breach Response Guarantee with up to 250 hours of Unit 42 incident response to streamline crisis containment and recovery.

State-Linked 'Shadow Campaigns' Target 155 Countries

🕵️‍♂️ Palo Alto Networks' Unit 42 reports a state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 has run global-scale "Shadow Campaigns," compromising at least 70 government and critical infrastructure organizations across 37 countries and conducting reconnaissance tied to 155 countries. The actor has been active since at least January 2024 and is assessed to operate from Asia. Initial access combined tailored phishing lures hosted on Mega.nz with exploitation of known flaws in SAP Solution Manager, Microsoft Exchange, D-Link, and Windows to deploy loaders such as Diaoyu. Victim environments were instrumented with Cobalt Strike, webshells, tunneling tools, and a bespoke Linux eBPF rootkit named ShadowGuard to hide activity and evade detection.

TGR-STA-1030: Asian State-Linked Group Breaches 70 Targets

🔒 Palo Alto Networks Unit 42 reports an Asia-origin, state-backed actor tracked as TGR-STA-1030 breached at least 70 government and critical-infrastructure organizations across 37 countries and scanned infrastructure tied to 155 countries in late 2025. Active since January 2024, the group used MEGA-hosted phishing ZIPs to deliver a guarded loader, Diaoyu Loader, which requires a zero-byte pic1.png and checks for select AV processes before pulling images from GitHub to stage a Cobalt Strike payload. It also exploited N-day flaws, deployed web shells, tunnelers and an eBPF Linux rootkit ShadowGuard, maintaining prolonged access for intelligence collection.

Why Smart People Fall for Phishing: Psychological Tactics

🧠 Unit 42 examines why phishing remains effective despite advanced defenses, highlighting the role of human psychology, cognitive bias and AI-enabled deception. The article outlines a three-stage attack model—The Bait, The Hook and The Catch—and common social engineering tactics such as urgency, authority and distraction. It urges a zero-trust mindset, continuous education and a simple habit: pause and verify before acting.

Privileged File System Flaw in Iconics Suite CVE-2025-0921

🔒 Unit 42 researchers discovered CVE-2025-0921, a privileged file system operations vulnerability in Iconics Suite (GENESIS64) that can be abused to corrupt critical binaries and cause a denial-of-service. The issue affects certain Windows deployments of Iconics Suite and can be chained with CVE-2024-7587 (GenBroker32 installer) to gain effective write access to protected log paths. Iconics released an advisory and a workaround that, if applied, mitigates the reported issues; organizations should apply vendor guidance and limit local write access to application directories.

Russian Cyber Threats to the 2026 Winter Olympics Overview

🔐 This Unit 42 analysis outlines the evolving Russian cyber threat to the Milano Cortina 2026 Winter Olympics, framing Russia's IOC exclusion as a geopolitical grievance that raises the risk of disruptive operations. It reviews historical GRU-linked campaigns against prior Games and projects plausible scenarios ranging from destructive OT malware to AI-driven deepfakes and V2X manipulation. The report recommends zero-trust visibility, IoT anomaly detection, telemetry verification, and micro-segmentation to reduce operational impact.

AI-Powered Polymorphic Attacks Enable Runtime Phishing

🔒 Researchers at Unit 42 demonstrated how attackers can convert benign webpages into bespoke phishing pages by calling LLMs from client-side code to generate malicious JavaScript in real time. This polymorphic technique assembles malware inside the victim's browser, leaving no static payload and evading many traditional network and signature controls. Defenders are advised to prioritize message-layer protections, secure web gateways, and secure enterprise browsers to block both the initial lure and the last-mile reassembly of malicious code.

Real-Time LLM-Driven Runtime Assembly Phishing Attacks

⚠️ Unit 42 details a technique where seemingly benign webpages call trusted LLM APIs from the browser to generate malicious JavaScript dynamically and execute it at runtime. Carefully engineered prompts can bypass model safety guardrails and return credential-harvesting code that assembles in-browser into personalized phishing pages. Because payloads are served via trusted domains and differ per visit, this approach defeats many static and network-based detectors, making runtime behavioral analysis the most effective mitigation.

Ashen Lepus Deploys AshTag Malware Against Diplomats

🔐 Unit 42 details activity by Hamas-affiliated Ashen Lepus using a new modular .NET suite named AshTag, alongside custom loaders and revised C2 techniques to evade detection. The actors targeted Arabic-speaking government and diplomatic entities across the Middle East, delivering malware via RAR archives, DLL sideloading, and payloads hidden in benign HTML. Operators improved encryption and domain masquerading and performed hands-on exfiltration using Rclone. Organizations should monitor the provided IOCs and strengthen EDR and egress controls.

WIRTE Uses AshenLoader Sideloading to Deploy AshTag

🔒 WIRTE (tracked as Ashen Lepus by Palo Alto Networks) has been observed using benign binaries to sideload a malicious DLL named AshenLoader, which drops additional components to deploy the AshTag .NET backdoor. The intrusion chain begins with a decoy PDF and a RAR archive from file-sharing services, leading to in-memory execution of a stager to minimize forensic traces. Targets are primarily government and diplomatic entities in the Middle East, with recent expansion to Oman and Morocco. Operators have been observed staging diplomacy-related documents and exfiltrating them using Rclone.

Dragon Breath Deploys RONINGLOADER to Deliver Gh0st RAT

🔒 Elastic Security Labs and Unit 42 describe a China-focused campaign in which the actor Dragon Breath uses a multi-stage loader named RONINGLOADER to deliver a modified Gh0st RAT. The attack leverages trojanized NSIS installers that drop two embedded packages, one benign and one stealthy, to load a DLL and an encrypted tp.png file containing shellcode. The loader employs signed drivers, WDAC tampering, and Protected Process Light abuse to neutralise endpoint protections popular in the Chinese market before injecting a persistent high-privilege backdoor.