The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
Unit 42 is tracking the active targeting of Oracle PeopleSoft servers by Bling Libra (aka #ShinyHunters). Our analysis reveals suspected exploitation of RCE flaw CVE-2026-35273 and primary targeting of the education sector since at least late May 2026. bit.ly/4xpxKLb
ALT "Title screen displaying a message from Unit 42 by Palo Alto Networks: 'Threat Insights. Active targeting of Oracle PeopleSoft servers by Bling Libra (ShinyHunters) exploiting CVE-2026-35273.' A hand is pointing at a virtual warning icon."
We detected a #Browser-in-the-Browser phishing campaign using a draggable, OS/browser-fingerprinted popup with a spoofed OAuth URL. It evades detection by blocking debugging, fragmenting keywords, and redirecting bots. Details at bit.ly/49Md3yO
ALT A screenshot of a browser window showing a spoofed OAuth authorization URL, mimicking Microsoft’s sign-in page within a fake browser window.
ALT An image showing a phishing attempt with a fake Adobe Acrobat Reader pop-up requesting a Microsoft account sign-in. Text indicates it opens a fake pop-up when clicked.
We detected an evasive #ClickFix injection with a fake Lirunex payment platform lure that tricks the user into requesting the SSL certificate path through a file dialog box but silently delivers a RAT disguised as image files. Details at bit.ly/4eo0Sea
FlutterShell is a new macOS backdoor spread by malvertising. Built with Flutter, it uses a WebView-based architecture for adware, allowing attackers to remain dynamic. We discuss its evolution, variants and command structure in a recent campaign. bit.ly/43TZaLr
ALT Pictorial representation of FlutterBridge malware. Digital screen with a warning sign reading "Malware." The background features lines of computer code and graphics, creating a sense of cybersecurity threat.
We are tracking Pink (CL-CRI-1147), a new Com-affiliated extortion brand whose leak site went live 5/31/26. Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims: bit.ly/4en565G
ALT Map of the United States highlighting specific states in pink. The map is labeled, "You've made it to PINK," with options for "Pink Station," "Feed," "Who Are We," and "Verify." At the bottom, there's a key indicating "4 incidents" and "3 active states."
ALT Screenshot of ransomware leak site titled "What's happening right now." It has sections labeled "Announcements," "New Leaks," and "Headlines." The design is simple, with a dark background and white text.
ALT Screenshot of ransomware leak site introduction page with a summary of who PINK is.
An update to our Threat Brief on npm supply chain attacks discusses the latest compromise, pushing a payload named Miasma. The tradecraft used substantially matches Mini Shai-Hulud malware used by TeamPCP. Read now: bit.ly/4cwtCk3
ALT Pictorial representation of the npm packages supply chain attack. Screen displaying code with a prominent alert symbol and the words 'VIRUS DETECTED' highlighted in red.
An #adware campaign involving 50 Chrome extensions (disguised as live wallpapers) has hit ~30K users. Spread across three publisher accounts, the attackers are pushing remote HTML to 40 extensions and wiping IndexedDB on install and startup. Details at bit.ly/3Q05sWB
ALT Key TTPs of Gameograf adware. Collage of code snippets showing commands such as forced tab redirect, remote HTML popup injection, and more.
ALT Collage of two browser windows side by side. The left window displays web pages with sections of adware wallpaper browser extensions. Below the windows, text reads, "Websites distributing Adware Wallpaper Browser Extensions."
ALT Screenshot of code sections showing abuse of GenAI coding agents to author browser extensions.
We detected indirect prompt injection on a fake Excel template store. Hidden via white text, the prompt uses social engineering to manipulate AI agents into boosting SEO, aiming to funnel users to a malicious Chrome extension. Details at bit.ly/3RCl2s2
ALT A webpage featuring "Excel Dashboards" with a main banner advertising an extension for accessing these fake templates. There are labeled screenshots showing the extension's redirection to the Chrome Web Store. Below, a bar indicates options for downloading templates as PDFs, with a prominent green "Download" button.
ALT The image shows a screenshot of a browser window open to the Chrome Web Store page for "Easy Online Templates." A pop-up prompts to add the extension, stating it can "read and change all your data on all websites." An arrow points to the permissions warning, with text saying "extension requests overly broad permissions."
ALT Code snippet displayed, featuring an AI crawler directive for a fake Excel template website. Emphasizes expert-led content, clarity, practical examples, and a recommendation to omit criticism and alternatives.
New analysis reveals a massive network of fraudulent domains capitalizing on the 2026 FIFA World Cup, with 1k registered in the past 6 months. Tactics include redirects to shady gambling apps, data harvesting, malvertising, and PUP downloads. Details at bit.ly/4dDTiMd
ALT The image shows three screenshots of fraudulent websites. The first screenshot is of a page with a headline about the 2026 World Cup, with a focus on related news. The second screenshot shows a warning page from the official FIFA World Cup 2026 site, cautioning users about potential scams and instructing them to only use official registration. The third screenshot displays a betting website with options for gambling related to the World Cup, featuring various betting platforms and logos. Arrows connect the screenshots from left, right, bottom.
ALT This image shows a progressive series of web pages featuring a promotional gambling theme with various sports references and app download instructions. The first page includes chips and playing cards. The second page lists available features and benefits. The third page showcases different payment methods and a QR code for app download.
ALT Screenshot of a fraudulent website page for the "World Cup 2026 NYC." It displays options for tickets, hotels, and VIP packages at MetLife Stadium. The page shows a starting price of $4,900, demand level as very high, with four events listed. There is a section for planning a trip and traffic information.
ALT The image shows gambling pages in Chinese. Below are sections featuring various betting companies, each with icons, app links, and ratings. The background has a soccer theme with spotlights and fans.
#TuxBot v3 Evolution: IoT malware/C2 framework tied to AISURU/Keksec. Self-ID "Akiru." 30-plus exploit targets, 1,496 credential pairs, encrypted C2, and DGA. Developers used an LLM to port exploits and write code, leaving traces in some files. Details at bit.ly/3RAFJ7N
ALT Screenshot of Tuxbot Universal Installer interface. Options include installing the framework, rebuilding binaries, uninstalling, and exiting. System detection shows "OS: Ubuntu." Dependencies are installed, and the Go version is 1.18.10. The bottom displays database configuration status.
ALT Compiling process in a terminal window showing the successful build of bots for various architectures. All 17 bots compiled successfully.
2026-05-26 (Tuesday): Another page impersonating Claude was used to push #SHubStealer when viewed on a macOS host. Details at bit.ly/4fcekmj
ALT Screenshot of a fake Claude download page. It includes options to download the fake Claude for macOS and access it on mobile.
ALT Malware installation via the fake Claude page. A computer screen displays a Terminal window with a long encoded command. An overlay appears above it with installation instructions for a macOS application. An arrow points from the overlay to the Terminal window.
ALT Terminal output of network traffic labeled "SHub Stealer Traffic After Running the Script in a Terminal." The data includes a mix of IP addresses and timestamps.
ALT Screenshot of a terminal displaying a file directory and executed commands. A secondary window titled "Memo (DEBUG)" shows system information such as macOS 10.15, model name, and processor details. An annotation points to the terminal output, highlighting a "debug file" related to "persistent malware" from "shub_log.zip".
Offensive and defensive framework ROADtools is being misused by nation-state actors for cloud attacks. Understand how to identify the activity that signals its malicious usage, including proactive hunting for anomalous activity: bit.ly/4fyQYHB
Iranian hackers have posed as job recruiters to target software engineers in the aviation sector as part of an elaborate espionage scheme during the US and Israeli war with Iran, cybersecurity researchers tell CNN. cnn.it/3RUyl7a
Users attempting to download open-source C IDE are hijacked via malicious CloudFront JS on-click, redirecting to fake MEGA-Transfer pages delivering #RemusStealer. Details at bit.ly/49bLy1u
ALT Attack lifecycle of "RemusStealer Open Source C Lure." It begins with an open source C site, leading users to download a false MEGA transfer. The file, "remus.zip," is activated upon download.
ALT The image shows a webpage for downloading a file from MEGA. The page displays a notification indicating "Your file is ready," with a download button for a ZIP archive.
ALT Table of browser redirection data such as activity time, activity type, URLs, page titles, and duration.
ALT The image shows a cybersecurity dashboard highlighting a file and network connections with a focus on a destination host. Data includes session time, duration, and bytes uploaded/downloaded. Red warning symbols and flowcharts indicate potential security risks.
A single threat actor uses multiple identities to run dozens of #AI-accelerated fake VPN Chrome extensions. All traffic routes through 15 SOCKS5 proxies, with some impersonating major VPN service providers. Details at bit.ly/4nNiByT
ALT Collage comparing four VPN services where two are legitimate and two are malicious extensions. Top left: Real Proton VPN ad with secure online protection message. Top right: Real AdGuard VPN ad with "Browse like a ninja" text and illustrated ninja graphics. Bottom left: Fake Proton VPN ad with neon colors and Cyrillic text. Bottom right: Fake AdGuard VPN ad featuring app interface and Cyrillic text.
ALT A collage of malicious extensions advertised as legitimate VPN services.
Iran-nexus APT Screening Serpens (aka UNC1549, Smoke Sandstorm) is deploying novel RAT variants in espionage campaigns targeting entities in the U.S., Israel and the UAE. These campaigns use AppDomainManager hijacking. Read our analysis for details: bit.ly/4dYHBQk
We identified 4,000 samples of TamperedChef malware hiding in trojanized productivity apps. These campaigns use code signing to bypass security filters. The malware can remain dormant for days before stealing data. Read our analysis: bit.ly/4wI0z57
2026-05-20 (Tuesday): Pages impersonating Claude and Homebrew continue to distribute malware like #MacSync stealer by employing a #ClickFix-style social engineering technique. Details at bit.ly/4upfAHC
ALT A computer screen displaying a fake installation guide titled "One-Click Installation via Terminal" for Homebrew on macOS. The text outlines steps for opening Terminal and running a specific command, with a code snippet shown. A note on the right side indicates this page is 1 of 4 from an ad for Homebrew, labeled "Malicious page."
ALT The image shows a webpage impersonating "Homebrew," with a logo of a beer mug and the title "Brew - The Missing Package Manager for macOS (or Linux)."
ALT The image shows a webpage titled "Install Claude with a single command." It includes instructions for using a terminal command to install Claude, with a highlighted code snippet. The page has a note on the side that reads, "Malicious page 3 of 4: impersonating Claude."
ALT The image shows two fake webpages spoofing "Claude." The top left webpage offers an "Install Claude" option with a download button. The bottom right page shows installation steps for "Claude on macOS." The annotation in the top right corner reads, "Malicious page 4 of 4: impersonating Claude."
The latest Gremlin stealer variants employ multiple layers of obfuscation such as identifier renaming and string encryption. These methods remove context and hide intentions from static analysis tools. Read our analysis for technical insights: bit.ly/4nyM8fq