The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
We detected a malicious browser extension campaign that trojanizes legitimate extensions to serve ads covertly. The extension categories include ad blocking, messaging privacy, screen recording and music control. 1,000 installations so far. Details at bit.ly/4xtQcT3
Cloud logging services provide visibility but attackers target them to create weak spots. By manipulating encryption keys or redirecting log flows they can evade detection and monitor activity in real time. Our research analyzes these risks: bit.ly/3SlMYAJ
Actors weaponize #AI hype: fake LLM domains, branded C2 infrastructure and payment skimmers. We tracked three active campaigns abusing AI lures and infrastructure. Details at bit.ly/3SHlc1D
Unit 42 is tracking the active targeting of Oracle PeopleSoft servers by Bling Libra (aka #ShinyHunters). Our analysis reveals suspected exploitation of RCE flaw CVE-2026-35273 and primary targeting of the education sector since at least late May 2026. bit.ly/4xpxKLb
We detected a #Browser-in-the-Browser phishing campaign using a draggable, OS/browser-fingerprinted popup with a spoofed OAuth URL. It evades detection by blocking debugging, fragmenting keywords, and redirecting bots. Details at bit.ly/49Md3yO
We detected an evasive #ClickFix injection with a fake Lirunex payment platform lure that tricks the user into requesting the SSL certificate path through a file dialog box but silently delivers a RAT disguised as image files. Details at bit.ly/4eo0Sea
FlutterShell is a new macOS backdoor spread by malvertising. Built with Flutter, it uses a WebView-based architecture for adware, allowing attackers to remain dynamic. We discuss its evolution, variants and command structure in a recent campaign. bit.ly/43TZaLr
We are tracking Pink (CL-CRI-1147), a new Com-affiliated extortion brand whose leak site went live 5/31/26. Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims: bit.ly/4en565G
An update to our Threat Brief on npm supply chain attacks discusses the latest compromise, pushing a payload named Miasma. The tradecraft used substantially matches Mini Shai-Hulud malware used by TeamPCP. Read now: bit.ly/4cwtCk3
An #adware campaign involving 50 Chrome extensions (disguised as live wallpapers) has hit ~30K users. The extensions are spread across three publisher accounts; the attackers are pushing remote HTML to 40 extensions and wiping IndexedDB on install and startup. Details at bit.ly/3Q05sWB
We detected indirect prompt injection on a fake Excel template store. Hidden via white text, the prompt uses social engineering to manipulate AI agents into boosting SEO, aiming to funnel users to a malicious Chrome extension. Details at bit.ly/3RCl2s2
New analysis reveals a massive network of fraudulent domains capitalizing on the 2026 FIFA World Cup, with 1k registered in the past 6 months. Tactics include redirects to shady gambling apps, data harvesting, malvertising, and PUP downloads. Details at bit.ly/4dDTiMd
#TuxBot v3 Evolution: IoT malware/C2 framework tied to AISURU/Keksec. Self-ID "Akiru." 30-plus exploit targets, 1,496 credential pairs, encrypted C2, and DGA. Developers used an LLM to port exploits and write code, leaving traces in some files. Details at bit.ly/3RAFJ7N
Offensive and defensive framework ROADtools is being misused by nation-state actors for cloud attacks. Understand how to identify the activity that signals its malicious usage, including proactive hunting for anomalous activity: bit.ly/4fyQYHB
Iranian hackers have posed as job recruiters to target software engineers in the aviation sector as part of an elaborate espionage scheme during the US and Israeli war with Iran, cybersecurity researchers tell CNN. cnn.it/3RUyl7a
Users attempting to download open-source C IDE are hijacked via malicious CloudFront JS on-click, redirecting to fake MEGA-Transfer pages delivering #RemusStealer. Details at bit.ly/49bLy1u
A single threat actor uses multiple identities to run dozens of #AI-accelerated fake VPN Chrome extensions. All traffic routes through 15 SOCKS5 proxies, with some impersonating major VPN service providers. Details at bit.ly/4nNiByT
Iran-nexus APT Screening Serpens (aka UNC1549, Smoke Sandstorm) is deploying novel RAT variants in espionage campaigns targeting entities in the U.S., Israel and the UAE. These campaigns use AppDomainManager hijacking. Read our analysis for details: bit.ly/4dYHBQk