From Linear to Complex: An Upgrade in RansomHouse Encryption
Unit 42 uncovered the previously unseen KSwapDoor. This Linux backdoor was initially mistaken for BPFDoor.
Cortex Cloud Security Research
Hamas-Affiliated Ashen Lepus Targets Middle Eastern Diplomatic Entities Wit...
In recent months, we have been analyzing the activity of an advanced persistent threat (APT) known for its espionage activities against Arabic-speakin...
Cloud Cybersecurity Research, Threat Research, control plane, Curious Serpens, data plane, logging, Microsoft Azure, pentest tool
Cloud Discovery With AzureHound
AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerat...
Cloud Cybersecurity Research, Cybercrime, Threat Research, CL‑CRI‑1032, Microsoft, phishing, smishing
Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign
Unit 42 stopped monitoring this threat and updating the brief on Sept. 18, 2025. Please refer to the Microsoft SharePoin...
Cloud Cybersecurity Research, General, Insights, Cloud Infrastructure Protection, Cloud Security, Unit 42 Incident Response Report
Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 G...
Cloud incidents like ransomware attacks and account compromise can bring operations to a h...
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR M...
Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests....
Bookworm to Stately Taurus Using the Unit 42 Attribution Framework
Our research uncovered a fundamental flaw in the AI supply chain that allows attackers to gain Remote Code Execution (RCE) and additional capabilities...
Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trus...
BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain condit...
Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Academic Serpens, Agent Serpens, Agonizing Serpens, Alloy Taurus, Ambitious Scorpius, Bashful Scorpius
Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, ...
This article lists selected threat actors tracked by Palo Al...
Cybercrime, Nation-State Cyberattacks, Ransomware, Threat Actor Groups, Threat Research, Advanced Persistent Threat, Bookworm, nomenclature, Stately Taurus
Introducing Unit 42’s Attribution Framework
Threat actor attribution has traditionally been considered more art than science, often re...
Business Email Compromise, Cybercrime, Malware, Threat Actor Groups, Trend Reports, Agent Serpens, Agentic AI, ClickFix, Credential Harvesting, Lumma Stealer
2025 Unit 42 Global Incident Response Report: Social Engineering Edition
We see social engineering evolving into one of the most reli...
Malware, Threat Actor Groups, Threat Research, Vulnerabilities, Advanced Persistent Threat, backdoor, CL-STA-0969, GALLIUM, GoLang, Liminal Panda
The Covert Operator's Playbook: Infiltration of Global Telecom Networks
Unit 42 has observed multiple incidents targeting the telecommunications industry in South...
High Profile Threats, Malware, Threat Actor Groups, 0ktapus, ALPHV, BlackCat ransomware, MITRE, Muddled Libra, phishing, Scatter Swine
Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful
Unit 42 has tracked and responded to several waves of intrusion operations conducted by th...
Cloud Cybersecurity Research, Threat Research, AWS, Azure, Cloud, Container, control plane, data plane, GCP, incident response
Cloud Logging for Security and Beyond
This article aims to simplify cloud logging best practices for each major cloud service provider (CSP) while considering security, regulatory and busi...
Malware, Threat Actor Groups, AWS, backdoor, C2, CL-STA-1020, DLL Sideloading, Dropbox, Google Drive, Microsoft
Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implem...
Since late 2024, Unit 42 researchers have been tracking a cluster of suspicious activity as CL-STA-1020, targeting gover...
GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Rev...
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabi...