Blog
Cloud Security
Cortex Cloud Security Research

Cortex Cloud Security Research

Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust

Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust

BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain conditions, this server version enables users to leverage delegated Managed Service Accounts (dMSAs) to elevate privileges within Active Directory environments running Windows Server 2025. At the time of writing this article, no patch exists for this issue.

Cloud Cybersecurity Research

Threat Research

Sep 03, 2025

By Itay Saraf, Ofir Balassiano

Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Academic Serpens, Agent Serpens, Agonizing Serpens, Alloy Taurus, Ambitious Scorpius, Bashful Scorpius

Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, ...

This article lists selected threat actors tracked by Palo Al...

Aug 01, 2025

By Unit 42

Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Threat Research, Advanced Persistent Threat, Bookworm, nomenclature, Stately Taurus

Introducing Unit 42’s Attribution Framework

Threat actor attribution has traditionally been considered more art than science, often re...

Jul 31, 2025

By Andy Piazza, Kyle Wilhoit, Robert Falcone, David Fuertes

Business Email Compromise, Cybercrime, Malware, Threat Actor Groups, Trend Reports, Agent Serpens, Agentic AI, ClickFix, Credential Harvesting, Lumma Stealer

2025 Unit 42 Global Incident Response Report: Social Engineering Edition

We see social engineering evolving into one of the most reli...

Jul 30, 2025

By Unit 42

Malware, Threat Actor Groups, Threat Research, Vulnerabilities, Advanced Persistent Threat, backdoor, CL-STA-0969, GALLIUM, GoLang, Liminal Panda

The Covert Operator's Playbook: Infiltration of Global Telecom Networks

Unit 42 has observed multiple incidents targeting the telecommunications industry in South...

Jul 29, 2025

By Renzon Cruz, Nicolas Bareil, Navin Thomas

High Profile Threats, Malware, Threat Actor Groups, 0ktapus, ALPHV, BlackCat ransomware, MITRE, Muddled Libra, phishing, Scatter Swine

Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful

Unit 42 has tracked and responded to several waves of intrusion operations conducted by th...

Jul 25, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, AWS, Azure, Cloud, Container, control plane, data plane, GCP, incident response

Cloud Logging for Security and Beyond

This article aims to simplify cloud logging best practices for each major cloud service provider (CSP) while considering security, regulatory and busi...

Jul 22, 2025

By Margaret Kelley, Nicole Weaver

Malware, Threat Actor Groups, AWS, backdoor, C2, CL-STA-1020, DLL Sideloading, Dropbox, Google Drive, Microsoft

Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implem...

Since late 2024, Unit 42 researchers have been tracking a cluster of suspicious activity as CL-STA-1020, targeting gover...

Jul 14, 2025

By Lior Rochberger

Cybercrime, Threat Actor Groups, GoLang, Initial Access Broker, Microsoft, web server, web shells

GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Rev...

Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabi...

Jul 08, 2025

By Tom Marsden, Chema Garcia

Cybercrime, Hacktivism, High Profile Threats, Malware, Threat Actor Groups, Threat Research, Agent Serpens, Agonizing Serpens, Boggy Serpens, Curious Serpens

Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30)

The recent conflict involving Iran, particularly its militar...

Jun 25, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, AWS, Google Cloud, Microsoft Azure, serverless

Serverless Tokens in the Cloud: Exploitation and Detections

Jun 13, 2025

By Zohar Zigdon

Cloud Cybersecurity Research, Malware, Threat Research, endpoint, Linux Malware, Machine Learning, PowerShell, Remote Access Trojan, VBScript, Winnti

The Evolution of Linux Binaries in Targeted Cloud Operations

On January 31, a security researcher named Mohammad Faghani posted an analysis of malware...

Jun 10, 2025

By Nathaniel Quist, Bill Batchelor

Cloud Cybersecurity Research, DNS, Threat Research, endpoint, Microsoft Azure

Lost in Resolution: Azure OpenAI's DNS Resolution Issue

In late 2024, Unit 42 researchers discovered an issue with Azure OpenAI’s Domain Name System (DNS) resolution logic that could have enabled cross-tenant data leaks and meddler-in-t...

Jun 03, 2025

By David Orlovsky

High Profile Threats, Malware, Threat Actor Groups, 0ktapus, ALPHV, app-ID, BlackCat ransomware, MITRE, Muddled Libra, phishing

Threat Group Assessment: Muddled Libra (Updated May 16, 2025)

We’ve added an additional section to this article that describes the evolution of Muddled...

May 16, 2025

By Amer Elsad, Kristopher Russo, Austin Dever

Business Email Compromise, Cybercrime, Ransomware, Threat Actor Groups, Threat Research, Trend Reports, AI, Akira ransomware, BianLian, Bitter Scorpius

Extortion and Ransomware Trends January-March 2025

This article examines obfuscation techniques used in popular malware families, and offers...

Apr 23, 2025

By Unit 42

Cybercrime, Malware, Threat Actor Groups, Cryptocurrency, DPRK, GitHub, Infostealer, JavaScript Malware, Slow Pisces, social engineering

Slow Pisces Targets Developers With Coding Challenges and Introduces New Cu...

Recently, we discovered several new malware samples with unique characteristics that made...

Apr 14, 2025

By Prashil Pattni

Cloud Cybersecurity Research, Threat Research, IAM, JSON

OH-MY-DC: OIDC Misconfigurations in CI/CD

Recently, Unit 42 identified the NOKKI malware family that was used in attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. As part of this resea...

Apr 04, 2025

By Aviad Hahami

Load more

Load more

Get the latest news, invites to events, and threat alerts

Get the latest news, invites to events, and threat alerts

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.