* [Blog](https://www.paloaltonetworks.com/blog)
* [Palo Alto Networks](https://www.paloaltonetworks.com/blog/corporate/)
* [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/)
* Parasites Android Malware...

# Parasites Android Malware Discovered by WildFire

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2013%2F08%2Fparasites-android-malware-discovered-by-wildfire%2F)  
[](https://twitter.com/share?text=Parasites+Android+Malware+Discovered+by+WildFire&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2013%2F08%2Fparasites-android-malware-discovered-by-wildfire%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2F2013%2F08%2Fparasites-android-malware-discovered-by-wildfire%2F&title=Parasites+Android+Malware+Discovered+by+WildFire&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/2013/08/parasites-android-malware-discovered-by-wildfire/&ts=markdown)  
\[\](mailto:?subject=Parasites Android Malware Discovered by WildFire)  
Link copied  
By [Zhi Xu](https://www.paloaltonetworks.com/blog/author/zhi-xu/?ts=markdown "Posts by Zhi Xu")  
Aug 27, 2013  
11 minutes  
[Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown)  
[Android](https://www.paloaltonetworks.com/blog/tag/android/?ts=markdown)  
[APK](https://www.paloaltonetworks.com/blog/tag/apk/?ts=markdown)  
[WildFire](https://www.paloaltonetworks.com/blog/tag/wildfire/?ts=markdown)

On July 16, 2013, Palo Alto Networks WildFire detected a new kind of Android malware that we have named *Parasites* . We will use this post to provide some technical details around this family of malware to benefit our customers, the security industry and other malware researchers. The malware was detected as part of a repackaged app named "*SystemApp Remover* " and a legitimate version of this app is available for sale on the Google Play Store for $1.02. The package name of the detected malware sample is *com.danesh.system.app.remover* , and its package signer is *"Android"*.

Based on analysis from WildFire, the malware sample seems to be distributed by a mobile advertising company in China, named WinAds. Since WinAds does not have its own app store, it is likely that this malware was promoted by WinAds and was pushed to the user.

Compared with the legitimate app, we observed that the repackaged APK file includes two independent payload APK files hidden in the /lib folder. The file names are "/lib/ s.pcb" and "/lib/c.pcb". Unlike other Android malware families, the author did not intend to install these two APK files. Instead, the malware APK will dynamically load these two payload files when receiving certain system broadcast intents (e.g., when the user unlock the screen).

The *s.pcb* and *c.pcb* work independently. The file *s.pcb* specializes in SMS interception and sending SMS in the background, while *c.pcb* controls file download management, displaying ads, and tricking the user into installing downloaded APK files. That is the reason we named the malware *Parasites,* as the two payload APK files are attached to the "victim" APK file through the added launcher codes.

**Repackaging technique**

The *Parasites* sample shows a template to add or remove a payload APK. It also shows an interesting trend of Android malware. The attacker can easily attach a malicious APK file to a legitimate app APK. Further, the same launcher code can be reused to repackage other victim APK files without any changes. This capacity allows the attacker to generate a large number of malicious APK files very easily.

In Figure 1, we show a comparison of *AndroidManifest.xml* files of the legitimate APK file (on the left) and that of the repackaged APK file (on the right). The attacker simply appends the following contents after the original content:

* The broadcast receiver "com.slcc.tls.cofer" is used to start the service "com.slcc.tls.cfqws" which will load the APK file *c.pcb* dynamically;
* The broadcast receiver "com.slcm.hqa.snbgr" is used to start the service "com.slcm.hqa.soiqs" which will load the APK file *s.pcb* dynamically
* The added permissions are permissions claimed by *c.pcb* and *s.pcb* ;
* Compared to the legitimate app, the malware author changes the app version code from "42" to "42108"

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/figure1.png?ts=markdown)  
[![figure1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/figure1-230x125.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/figure1.png?ts=markdown)

*Figure 1. The AndroidManifest.xml of legitimate app (on the left) v.s. the AndroidManifest.xml of Parasites sample (on the right). The red circled parts are changed by the malware author.*

In Figure 2, we show the (reversed) source code of the legitimate APK file downloaded from Google Play (on the left) and the repackaged APK file (on the right). As shown in the figure, the source code of malware sample is highly obfuscated. However, the organization of *Parasites* is still neat and straightforward.

* The package *com.slcc.tls* is the interface to start package *com.clg.sc* which acts as the interface to launch and control the APK file *c.pcb*.
* The package *com.slcm.hqa* is the interface to start package *com.cgm.sm* which acts as the interface to launch and control the APK file *s.pcb* . The package *com.slc.tools* is used to start an instance of *SManager* defined in package *com.cgm.sm*.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure2.png?ts=markdown)  
[![Figure2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure2-230x93.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure2.png?ts=markdown)

*Figure 2. The comparison of source codes: the original APK file (on the left) v.s. the repackaged APK file (on the right)*

The attack functions are provided by s.pcb and c.pcb. As these two APK files work independently, we discuss the technical details of both APK files separately.

**Payload APK *s.pcb* (the *SMSIntercept*)**

s\*.pcb\* is an complete and independent APK file but it is not signed. By reversing the APK file, the package name is "*com.lcq.sm* ". The s\*.pcb\* will be loaded when the user unlock the touchscreen (i.e. android.intent.action.USER\_PRESENT), or when smartphone connects to a WiFi network (i.e., android.net.conn.CONNECTIVITY\_CHANGE), or when a new app is installed on the smartphone (i.e., android.intent.action.PACKAGE\_ADDED). The app name is "SMSIntercept".

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure3.png?ts=markdown)  
[![Figure3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure3-230x97.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure3.png?ts=markdown)

*Figure 3. AndroidManifest.xml of s.pcb.*

The s.pcb APK has the following key functions:

* Send SMS with the infected device ID to a designated phone number controlled by remote attack website.
* Block incoming SMS messages and log the intercepted SMS contents in a database file.
* Maintain a command and control channel with the attacker through the Internet

**Send SMS To Designated Phone Number**

After being loaded, s.pcb first communicates with the url **http://sm1.wombin.com/pages/ExistsMobile.ashx** to request the receiver phone number. The returned results are in the format of JSON object. Figure 4 shows an example of these results:

*\[{ "ErrorType":"E1","PhoneNum":"13708333433;","RequestTimes":"40;","NextRequestTime":"123"}\]*

With the received information, the APK will first save the received information in the file "/data/data/com.danesh.system.app.remover/shared\_prefs/sm.xml", as shown in Figure 4.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure4.png?ts=markdown)  
[![Figure4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure4-230x64.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure4.png?ts=markdown)

*Figure 4. The sm.xml that contains the specifications for sending SMS messages and the Icon of s.pcb.*

Then, the malware APK composes a SMS message that includes the infected device's ID as content, and sends the SMS in the background to the number provided by the malicious URL. Every time the *s.pcb* APK is loaded, it will attempt to send a SMS message.

**Block incoming SMS and log the intercepted SMS contents in database files**

*s.pcb* monitors the intents broadcasted on the infected device. The SMS interceptor is implemented in class "*com.lcq.sm.ISR* ". When the intent "*android.provider.Telephony.SMS\_RECEIVED* " is received, the *s.pcb* will first check the content of received SMS message with criteria stored in *sm.db* file. If there is a match, the s.pcb will log the received SMS in the database file *sm.db* , and then block the broadcast by calling the *BroadcastReceiver* .*abortBroadcast* () function, so that the user will never see the incoming SMS. The structure of *sm.db* file is shown in Figure 5.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure5.png?ts=markdown)  
[![Figure5](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure5-230x71.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure5.png?ts=markdown)

*Figure 5. Structure of sm.db*

**Command \& Control**

*s.pcb* implements its communication functions in the *com.lcq.sm.k* class. One interesting feature is that, the s.pcb not only uploads the phone's information to the attacker, it also uploads the host APK file information to the attacker (i.e. *com.danesh.system.app.remover* in this sample). We believe the attacker is attempting to build a botnet with different types of repackaged APK files. The host APK file information is used for management of different APK files.

Specifically, the communication functions include:

* Download initial data, such as the phone number to send SMS
  * URL connecting to : http://sm1.wombin.com/pages/ExistsMobile.ashx
* Download instruction data
  * URL connecting to : http://sm1.wombin.com/pages/MobileApply.ashx
* Upload phone information to remote server
  * URL connecting to : http://smup1.wombin.com:9998/smup.action
  * Uploaded information include:
    * Device id (i.e. imei in this sample)
    * appkey: the "SM\_KEY" embedded in the AndroidManifest.xml of *Parasites* APK file. Used to identify the host APK file this s.pcb lives in
    * host app name: i.e. *com.danesh.system.app.remover* in this sample.

**Payload APK *c.pcb* (the *DownloadManager*)**

c\*.pcb\* is also an unsigned APK file. By reversing the APK file, its package name is "*com.ulk.app* ". The intents are exactly the same as those seen in *s.pcb* . As such c\*.pcb\* is loaded when the user unlocks the touchscreen (i.e. android.intent.action.USER\_PRESENT), or when the device connects to a WiFi network (i.e., android.net.conn.CONNECTIVITY\_CHANGE), or when a new app is installed on the device (i.e., android.intent.action.PACKAGE\_ADDED). The app name is "Test App" when we managed to install it separately.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure6.png?ts=markdown)  
[![Figure6](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure6-230x90.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure6.png?ts=markdown)

*Figure 6. AndroidManifest.xml of c.pcb.*

The c.pcb APK acts like aggressive adware, providing the following functions:

* File download management
* Pushing ads to phone
* Trick the user to install the downloaded APK files by sending notification messages.
* Keep a command and control channel with the attacker through Internet

**Download Management**

*c.pcb* downloads files with a given address and saves the APK file on the SD card. Further, all the downloading records are saved in a database file located in *"/data/data/com.danesh.system.app.remover/databases/LDownload.db*" file. The structure of this file is as shown in Figure 7.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure7.png?ts=markdown)  
[![Figure7](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure7-230x59.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure7.png?ts=markdown)

*Figure 7. The LDownload.db file kept by c.pcb.*

**Push Ads to Phone**

*c.pcb* allows the attacker to send promotions to the device and display the them via the notification service. In *c.pcb* , the promotion information is called "*ad* " and each *ad* is uniquely identified by a *gid* . The titles and images displayed in notification messages are also sent from the attacker. To keep track of these types of "ads", *c.pcb* maintains a database file in the "/data/data/com.danesh.system.app.remover/databases/lock.db" file. In this file, detailed information is logged as shown in Figure 8.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure8.png?ts=markdown)  
[![Figure8](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure8-230x129.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure8.png?ts=markdown)

*Figure 8. The lock.db file that keeps all the promotion information (the gid is the unique id of each entity)*

**Push APK files to user by notifications**

*c.pcb* does not claim the permission to install the downloaded APK files directly. Instead, we observed that the malware attempts to trick the user by sending notifications. *c.pcb* provides two types of notifications, one is through the standard notifications bar on the top of screen, and the other is by popping up an *AlertDialog* . For example, class *com.lsc.sc.f* builds an *AlertDialog* object with the message in the Dialog as "*You have downloaded apps that have not been installed yet* ". By default, when the user attempts to open a downloaded APK file, the Android OS will consider this action as "attempting to install this file". The system app will handle the installation. This saves the APK installation task and the corresponding security permission for the *c.pcb*.

**Command \& Control**

*c.pcb* communicates with *wombin.com*, and we observed the following actions:

* Check if the local *gids* are still valid
  * URL connecting to: **http://toget1.wombin.com:6011/ucheckvalid.do** . The list of local *gids* will be uploaded for validation.
* Upload phone information to remote server
  * URL connecting to : http://toreport1.wombin.com:6012/upostdata.do
  * Uploaded information include:
    * Device ID (i.e. imei in this sample)
    * appkey: the "SM\_KEY" embedded in the AndroidManifest.xml of *Parasites* APK file. Used to identify the host APK file this s.pcb lives in
    * Host app name: i.e. *com.danesh.system.app.remover* in this sample.
    * Current Android OS model
* Regain information of a *gid* from remote website:
  * URL connecting to : **http://toget1.wombin.com:6011/uregetad.do**
  * The *gid* will be uploaded
* Debug purpose:
  * URL connecting to : **http://toget1.wombin.com:6011/getadDebug.do**
* Upload the local ads promotion statistic information:
  * URL connection to: **http://toupdate1.wombin.com:6013/ukup.do**
  * The uploaded information include:
    * Device ID
    * Appkey
    * *pname*: the intent used to launch the p.pcb.
    * *svion* : *c.pcb* version (value is 1 in the current sample)
    * Host app name
    * Android OS model,
    * Network name (e.g. ChinaMobile)
    * *gids* and their counts.

**Discussion**

The *Parasites* sample shows a good example about how to attach independent APK files to a host APK file. It allows the attacker to convert an existing benign app (e.g. a task management app) into an attack app, and then attach its APK file to any host APK file. The attached APK files will be loaded dynamically and run independently from the host APK file. This allows the attacker to make sophisticated repackaged APK files more easily and efficiently.

To this end, we show the organization of folder */data/data/com.danesh.system.app.remover* , which keeps all the information related to the attack. The *sc.dex* and *sc.jar* correspond to *c.pcb* . The *s.jar* and *s.dex* correspond to *s.pcb*.

[](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure9.png?ts=markdown)  
[![Figure9](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure9-230x292.png)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2013/08/Figure9.png?ts=markdown)

*Figure 9 The organization of local storage maintained by Parasites*\*.\*\*\*

**Malware sample availability**

The sha256 value of detected malware APK file is

ee46d769baaef9df06554ef140c7881de977eeb1701e24c54635c2815f668186.

As on Aug 21, 2013, the APK file URL is still valid at

http://down.winads.cn/winads/ad/adAPK/130715203948.APK

*** ** * ** ***

## Related Blogs

### [Application Advisory/Analysis](https://www.paloaltonetworks.com/blog/category/application-analysis/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Mobility](https://www.paloaltonetworks.com/blog/category/mobility/?ts=markdown), [Threat Advisories - Advisories](https://www.paloaltonetworks.com/blog/category/threat-advisories-advisories/?ts=markdown), [Threat Prevention](https://www.paloaltonetworks.com/blog/category/threat-prevention-2/?ts=markdown), [Unit 42](https://www.paloaltonetworks.com/blog/category/unit42/?ts=markdown)

[#### Chinese Taomike Monetization Library Steals SMS Messages](https://www.paloaltonetworks.com/blog/2015/10/chinese-taomike-monetization-library-steals-sms-messages/)

### [Endpoint](https://www.paloaltonetworks.com/blog/category/endpoint-2/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown)

[#### Malware Can't Bear Traps With Bare Metal Analysis](https://www.paloaltonetworks.com/blog/2017/04/malware-cant-bear-traps-bare-metal-analysis/)

### [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Unit 42](https://www.paloaltonetworks.com/blog/category/unit42/?ts=markdown)

[#### Pythons and Unicorns and Hancitor...Oh My! Decoding Binaries Through Emulation](https://www.paloaltonetworks.com/blog/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/)

### [AI Security](https://www.paloaltonetworks.com/blog/category/ai-security/?ts=markdown), [Malware](https://www.paloaltonetworks.com/blog/category/malware-2/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown), [Research](https://www.paloaltonetworks.com/blog/category/research/?ts=markdown), [Unit 42](https://www.paloaltonetworks.com/blog/category/unit42/?ts=markdown)

[#### From Ransom to Revenue Loss](https://www.paloaltonetworks.com/blog/2025/10/from-ransom-to-revenue-loss/)  
[#### Always Innovating: Cloud Native Security for Azure, AWS \& GCP](https://www.paloaltonetworks.com/blog/network-security/always-innovating-september-2023/)  
[#### Always Innovating: Advanced Threat Prevention and Software Firewalls](https://www.paloaltonetworks.com/blog/network-security/always-innovating-august-2023/)

### Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language