Cortex Cloud Security Research
Novel Technique to Detect Cloud Threat Actor Operations
Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The...
The Shadow Campaigns: Uncovering Global Espionage
This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. W...
DNS OverDoS: Are Private Endpoints Too Private?
We discovered an aspect of Azure’s Private Endpoint architecture that could expose Azure resources to denial of service (DoS) attacks. In this article, we explore how both intentio...
From Linear to Complex: An Upgrade in RansomHouse Encryption
Unit 42 uncovered the previously unseen KSwapDoor. This Linux backdoor was initially mistaken for BPFDoor.
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities Wit...
In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speakin...
Cloud Cybersecurity Research, Threat Research, control plane, Curious Serpens, data plane, logging, Microsoft Azure, pentest tool
Cloud Discovery With AzureHound
AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerat...
Cloud Cybersecurity Research, Cybercrime, Threat Research, CL‑CRI‑1032, Microsoft, phishing, smishing
Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign
Unit 42 stopped monitoring this threat and updating the brief on Sept. 18, 2025. Please refer to the Microsoft SharePoin...
Cloud Cybersecurity Research, General, Insights, Cloud Infrastructure Protection, Cloud Security, Unit 42 Incident Response Report
Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 G...
Cloud incidents like ransomware attacks and account compromise can bring operations to a h...
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR M...
Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests....
Bookworm to Stately Taurus Using the Unit 42 Attribution Framework
Our research uncovered a fundamental flaw in the AI supply chain that allows attackers to gain Remote Code Execution (RCE) and additional capabilities...
Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trus...
BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain condit...
Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Academic Serpens, Agent Serpens, Agonizing Serpens, Alloy Taurus, Ambitious Scorpius, Bashful Scorpius
Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, ...
This article lists selected threat actors tracked by Palo Al...
Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Threat Research, Advanced Persistent Threat, Bookworm, nomenclature, Stately Taurus
Introducing Unit 42’s Attribution Framework
Threat actor attribution has traditionally been considered more art than science, often re...
Business Email Compromise, Cybercrime, Malware, Threat Actor Groups, Trend Reports, Agent Serpens, Agentic AI, ClickFix, Credential Harvesting, Lumma Stealer
2025 Unit 42 Global Incident Response Report: Social Engineering Edition
We see social engineering evolving into one of the most reli...
Malware, Threat Actor Groups, Threat Research, Vulnerabilities, Advanced Persistent Threat, backdoor, CL-STA-0969, GALLIUM, GoLang, Liminal Panda
The Covert Operator's Playbook: Infiltration of Global Telecom Networks
Unit 42 has observed multiple incidents targeting the telecommunications industry in South...