Blog
Cloud Security
Cortex Cloud Security Research

Cortex Cloud Security Research

The Covert Operator's Playbook: Infiltration of Global Telecom Networks

Unit 42 has observed multiple incidents targeting the telecommunications industry in Southwest Asia. We are currently tracking this activity as CL-STA-0969. This activity includes attacking and leveraging interconnected mobile roaming networks. This report provides a technical analysis of the activity cluster based on our incident response engagements including observed tactics, techniques and procedures (TTPs)....

Malware

Threat Actor Groups

Vulnerabilities

Advanced Persistent Threat

backdoor

CL-STA-0969

GALLIUM

GoLang

Liminal Panda

PingPull

Jul 29, 2025

By Renzon Cruz, Nicolas Bareil, Navin Thomas

High Profile Threats, Malware, Threat Actor Groups, 0ktapus, ALPHV, BlackCat ransomware, MITRE, Muddled Libra, phishing, Scatter Swine

Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful

Unit 42 has tracked and responded to several waves of intrusion operations conducted by th...

Jul 25, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, AWS, Azure, Cloud, Container, control plane, data plane, GCP, incident response

Cloud Logging for Security and Beyond

This article aims to simplify cloud logging best practices for each major cloud service provider (CSP) while considering security, regulatory and busi...

Jul 22, 2025

By Margaret Kelley, Nicole Weaver

Malware, Threat Actor Groups, AWS, backdoor, C2, CL-STA-1020, DLL Sideloading, Dropbox, Google Drive, Microsoft

Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implem...

Since late 2024, Unit 42 researchers have been tracking a cluster of suspicious activity as CL-STA-1020, targeting gover...

Jul 14, 2025

By Lior Rochberger

Cybercrime, Threat Actor Groups, GoLang, Initial Access Broker, Microsoft, web server, web shells

GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Rev...

Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabi...

Jul 08, 2025

By Tom Marsden, Chema Garcia

Cybercrime, Hacktivism, High Profile Threats, Malware, Threat Actor Groups, Threat Research, Agent Serpens, Agonizing Serpens, Boggy Serpens, Curious Serpens

Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30)

The recent conflict involving Iran, particularly its militar...

Jun 25, 2025

By Unit 42

Cloud Cybersecurity Research, Threat Research, AWS, Google Cloud, Microsoft Azure, serverless

Serverless Tokens in the Cloud: Exploitation and Detections

Jun 13, 2025

By Zohar Zigdon

Cloud Cybersecurity Research, Malware, Threat Research, endpoint, Linux Malware, Machine Learning, PowerShell, Remote Access Trojan, VBScript, Winnti

The Evolution of Linux Binaries in Targeted Cloud Operations

On January 31, a security researcher named Mohammad Faghani posted an analysis of malware...

Jun 10, 2025

By Nathaniel Quist, Bill Batchelor

Cloud Cybersecurity Research, DNS, Threat Research, endpoint, Microsoft Azure

Lost in Resolution: Azure OpenAI's DNS Resolution Issue

In late 2024, Unit 42 researchers discovered an issue with Azure OpenAI’s Domain Name System (DNS) resolution logic that could have enabled cross-tenant data leaks and meddler-in-t...

Jun 03, 2025

By David Orlovsky

High Profile Threats, Malware, Threat Actor Groups, 0ktapus, ALPHV, app-ID, BlackCat ransomware, MITRE, Muddled Libra, phishing

Threat Group Assessment: Muddled Libra (Updated May 16, 2025)

We’ve added an additional section to this article that describes the evolution of Muddled...

May 16, 2025

By Amer Elsad, Kristopher Russo, Austin Dever

Business Email Compromise, Cybercrime, Ransomware, Threat Actor Groups, Threat Research, Trend Reports, AI, Akira ransomware, BianLian, Bitter Scorpius

Extortion and Ransomware Trends January-March 2025

This article examines obfuscation techniques used in popular malware families, and offers...

Apr 23, 2025

By Unit 42

Cybercrime, Malware, Threat Actor Groups, Cryptocurrency, DPRK, GitHub, Infostealer, JavaScript Malware, Slow Pisces, social engineering

Slow Pisces Targets Developers With Coding Challenges and Introduces New Cu...

Recently, we discovered several new malware samples with unique characteristics that made...

Apr 14, 2025

By Prashil Pattni

Cloud Cybersecurity Research, Threat Research, IAM, JSON

OH-MY-DC: OIDC Misconfigurations in CI/CD

Recently, Unit 42 identified the NOKKI malware family that was used in attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. As part of this resea...

Apr 04, 2025

By Aviad Hahami

Cloud Cybersecurity Research, Threat Research, API attacks, Containers, IAM, serverless

Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on ...

The attacks against cloud-hosted infrastructure are increasing, and the proof is in the analysis of security alert trends. Recent research reveals tha...

Mar 27, 2025

By Nathaniel Quist

Cloud Cybersecurity Research, High Profile Threats, GitHub, supply chain

GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded ...

Update April 2: Recent investigations have revealed preliminary steps in the tj-actions and reviewdog compromise that were not known until now. We hav...

Mar 20, 2025

By Omer Gil, Aviad Hahami, Asi Greenholts, Yaron Avital

Business Email Compromise, Cloud Cybersecurity Research, Threat Research, Amazon Simple Email Service, AWS, IAM, JavaGhost, phishing

JavaGhost’s Persistent Phishing Attacks From the Cloud

Unit 42 researchers have observed phishing activity that we track as TGR-UNK-0011. We assess with high confidence that t...

Feb 28, 2025

By Margaret Kelley

Malware, Threat Actor Groups, Bookworm, DLL Sideloading, Stately Taurus, ToneShell

Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

This article reviews nine vulnerabilities we recently discovered in two utilities called cuobjdump and nvdisasm, both from NVIDIA's Compute Unified De...

Feb 20, 2025

By Robert Falcone

Get the latest news, invites to events, and threat alerts

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.

Cortex Cloud Security Research

The Covert Operator's Playbook: Infiltration of Global Telecom Networks

Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful

Cloud Logging for Security and Beyond

Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implem...

GoldMelody’s Hidden Chords: Initial Access Broker In-Memory IIS Modules Rev...

Threat Brief: Escalation of Cyber Risk Related to Iran (Updated June 30)

Serverless Tokens in the Cloud: Exploitation and Detections

The Evolution of Linux Binaries in Targeted Cloud Operations

Lost in Resolution: Azure OpenAI's DNS Resolution Issue

Threat Group Assessment: Muddled Libra (Updated May 16, 2025)

Extortion and Ransomware Trends January-March 2025

Slow Pisces Targets Developers With Coding Challenges and Introduces New Cu...

OH-MY-DC: OIDC Misconfigurations in CI/CD

Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on ...

GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded ...

JavaGhost’s Persistent Phishing Attacks From the Cloud

Stately Taurus Activity in Southeast Asia Links to Bookworm Malware

Get the latest news, invites to events, and threat alerts

Get the latest news, invites to events, and threat alerts

Products and Services

Company

Popular Links