< ciso
brief />
Tag Banner

All news with #unit 42 tag

78 articles · page 4 of 4

Phantom Taurus: NET-STAR .NET IIS Backdoor Revealed

🔍 Unit 42 documents a newly designated Chinese-aligned threat actor, Phantom Taurus, which uses a previously undocumented .NET malware suite called NET-STAR to target IIS web servers. The actor focuses on government and telecommunications organizations across the Middle East, Africa and Asia and has shifted from email theft to direct database exfiltration. The report outlines technical behaviors, in-memory fileless execution, and mitigation guidance for Palo Alto Networks protections.
read more →

Bookworm Linked to Stately Taurus — Unit 42 Analysis

🔎 This Unit 42 case study applies the Unit 42 Attribution Framework to link the Bookworm remote access Trojan to the Chinese APT group Stately Taurus by combining malware analysis, tooling, OPSEC, infrastructure, victimology, and timelines. Analysts highlighted embedded PDB paths, a UUID-based shellcode encoding technique, and co-occurrence with a custom tool named ToneShell. Overlapping C2 IPs and domains, consistent targeting in Southeast Asia, and closely aligned compile times supported a high-confidence attribution. Palo Alto Networks also lists protections across WildFire, NGFW, URL/DNS filtering, Cortex XDR, and incident response contact options.
read more →

BadIIS SEO-Poisoning Campaign Targets Vietnam Servers

🔍 Palo Alto Networks Unit 42 is tracking an SEO poisoning campaign dubbed Operation Rewrite that employs a native IIS implant called BadIIS. The module inspects User-Agent strings, identifies search engine crawlers, and fetches poisoned content from a remote C2 to inject keywords and links so compromised sites artificially rank for targeted queries. Unit 42 observed multiple tooling variants — lightweight ASP.NET handlers, a managed .NET IIS module, and an all‑in‑one PHP script — and reports a focus on East and Southeast Asia, particularly Vietnam.
read more →

Operation Rewrite: BadIIS SEO Poisoning Campaign in Asia

🔍 Unit 42 uncovered Operation Rewrite, a March 2025 SEO poisoning campaign that deploys a native IIS implant called BadIIS to manipulate search engine indexing and redirect users to attacker-controlled scam sites. The implant registers request handlers, inspects User‑Agent and Referer headers, and proxies malicious content from remote C2 servers. Variants include lightweight ASP.NET page handlers, a managed .NET IIS module, and an all-in-one PHP front controller. Organizations can detect and block activity with Palo Alto Networks protections and should engage incident responders if compromised.
read more →

Unit 42 Earns NCSC Enhanced Level Incident Response

🔒 Palo Alto Networks' Unit 42 has been added to the UK's NCSC Cyber Incident Response scheme at the Enhanced Level, demonstrating certified capability to manage the most complex and impactful cyber incidents. The assurance verifies structured, government-benchmarked processes, strong investigative expertise, and a customer-focused retainer model tailored to regulatory and operational needs. This recognition underscores Unit 42's role in helping organisations reduce dwell time, contain threats faster, and strengthen long-term resilience.
read more →

Shai-Hulud Worm: Large npm Supply Chain Compromise

🪱 Palo Alto Networks Unit 42 is investigating an active supply chain attack in the npm ecosystem driven by a novel self-replicating worm tracked as "Shai-Hulud." The malware has compromised more than 180 packages, including high-impact libraries such as @ctrl/tinycolor, and automates credential theft, repository creation, and propagation across maintainers' packages. Unit 42 assesses with moderate confidence that an LLM assisted in authoring the malicious bash payload. Customers are protected through Cortex Cloud, Prisma Cloud, Cortex XDR and Advanced WildFire, and Unit 42 recommends immediate credential rotation, dependency audits, and enforcement of MFA.
read more →

Code Assistant Risks: Indirect Prompt Injection and Misuse

🛡️ Unit 42 describes how IDE-integrated AI code assistants can be abused to insert backdoors, leak secrets, or produce harmful output by exploiting features like chat, auto-complete, and context attachment. The report highlights an indirect prompt injection vector where attackers contaminate public or third‑party data sources; when that data is attached as context, malicious instructions can hijack the assistant. It recommends reviewing generated code, controlling attached context, adopting standard LLM security practices, and contacting Unit 42 if compromise is suspected.
read more →

Token Management Risks in the Third-Party Supply Chain

🔐 This Unit 42 report describes how compromised OAuth tokens in third‑party integrations create severe supply‑chain exposure, using recent incidents as examples. It highlights three recurring weaknesses: dormant integrations, insecure token storage and long‑lived credentials, and explains how attackers exploit these to exfiltrate data and pivot. The authors recommend token posture management, encrypted secret storage and centralized runtime monitoring to detect and revoke abused tokens quickly.
read more →

AdaptixC2: Open-Source Post-Exploitation Framework Used

🛡️ Unit 42 observed AdaptixC2 in early May 2025 being used in real-world intrusions to perform command execution, file transfers and data exfiltration. The open-source framework offers modular beacons, in-memory execution and multiple persistence and tunneling options, which adversaries have adapted for evasive operations. Unit 42 published extraction tools, YARA rules and hunting guidance to help defenders detect and mitigate these threats.
read more →

Data Is the New Diamond: Evolving Salesforce Data Theft

🔒 Recent Unit 42 analysis details ongoing data theft campaigns targeting Salesforce environments, notably a Salesloft Drift supply chain intrusion attributed to UNC6395 that may have started with reconnaissance as early as March 2025. Threat actors claiming links to Muddled Libra and Bling Libra have promoted stolen datasets on Telegram and announced new RaaS ambitions, while some channels were removed by September 5. Unit 42 emphasizes the prominence of social engineering by operatives tied to "The Com," predicts shifts toward data theft extortion and other monetization tactics, and recommends engagement with RH-ISAC, adoption of Salesforce mitigations, and use of Unit 42 incident insights to strengthen people and process defenses.
read more →

Securing AI Before Times: Preparing for AI-driven Threats

🔐 At the Aspen US Cybersecurity Group Summer 2025 meeting, Wendi Whitmore urged urgent action to secure AI while defenders still retain a temporary advantage. Drawing on Unit 42 simulations that executed a full attack chain in as little as 25 minutes, she warned adversaries are evolving from automating old tactics to attacking the foundations of AI — targeting internal LLMs, training data and autonomous agents. Whitmore recommended adoption of a five-layer AI tech stack — Governance, Application, Infrastructure, Model and Data — combined with secure-by-design practices, strengthened identity and zero-trust controls, and investment in post-quantum cryptography to protect long-lived secrets and preserve resilience.
read more →

Palo Alto Networks Named Leader in IDC IR Services

🔒 Palo Alto Networks' Unit 42 has been named a Leader in the 2025 IDC MarketScape for Worldwide Incident Response Services. Published 2025-08-26 by Sam Rubin, the announcement highlights Unit 42's threat-informed, tech-driven methodology combining telemetry from over 70,000 customers, tracking of more than 200 threat groups, and 150+ intel partnerships. Deep integration with Palo Alto Networks platforms, notably Cortex, plus AI and automation, is credited with faster detection, containment, and reduced dwell time. Unit 42 emphasizes post-incident transformation mapped to MITRE ATT&CK and NIST to help organizations not only recover but emerge more resilient.
read more →

Introducing Insights: Direct Perspectives from Unit 42

📝 Unit 42 has launched Insights, a new article series that connects readers directly to researchers and consultants with candid, real-time thinking about threats and incident response. Unlike formal threat assessments, these pieces share early observations, theories, and the kinds of practitioner conversations that don’t fit a traditional research paper. The series complements Unit 42’s rigorously reviewed reports by exposing the messier, immediate judgments that shape investigations and client guidance.
read more →

Threat Actors Abuse SDKs to Sell Victim Bandwidth Stealthily

🔍 Unit 42 observed a campaign exploiting CVE-2024-36401 in GeoServer to remotely deploy legitimate SDKs or apps that sell victims' internet bandwidth. The attackers leverage JXPath evaluation to achieve RCE across multiple GeoServer endpoints, then install lightweight binaries that operate quietly to monetize unused network capacity. This approach often uses unmodified vendor SDKs to maximize stealth and persistence while avoiding traditional malware indicators.
read more →

GenAI-Enabled Phishing: Risks from AI Web Services

🚨 Unit 42 analyzes how rapid adoption of web-based generative AI is creating new phishing attack surfaces. Attackers are leveraging AI-powered website builders, writing assistants and chatbots to generate convincing phishing pages, clone brands and automate large-scale campaigns. Unit 42 observed real-world credential-stealing pages and misuse of trial accounts lacking guardrails. Customers are advised to use Advanced URL Filtering and Advanced DNS Security and report incidents to Unit 42 Incident Response.
read more →

Erlang/OTP SSH RCE: CVE-2025-32433 Exploitation Wave

⚠️ Unit 42 details active exploitation of CVE-2025-32433, a critical (CVSS 10.0) unauthenticated RCE in the Erlang/OTP SSH daemon that processes SSH protocol messages prior to authentication. Researchers reproduced and validated the bug and observed exploit bursts from May 1–9, 2025, with payloads delivering reverse shells and DNS-based callbacks to randomized subdomains. Immediate remediation is to upgrade to OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20 (or later); temporary measures include disabling SSH, restricting access and applying Unit 42 signature 96163.
read more →

Threat Actor Groups Tracked by Unit 42 — Updated 2025

📌 This Unit 42 reference catalog enumerates selected threat actor groups tracked by Palo Alto Networks, organized by assigned constellation and primary motivation (nation-state, cybercrime, ransomware). It lists aliases, activity summaries, typical sectors impacted and observed TTPs, and highlights recent additions through Aug. 1, 2025. Use of Unit 42 telemetry and the Attribution Framework informs assessments and updates.
read more →

Unit 42 Attribution Framework: Systematic Attribution

🔎 Unit 42's Attribution Framework defines a structured, repeatable process for linking observed cyber activity to clusters, temporary groups, or formally named threat actors. It pairs the Diamond Model with the Admiralty System to score source reliability and information credibility, guiding analysts through minimum standards, naming conventions, and promotion criteria to reduce premature attribution.
read more →