Unit 42 Palo Alto Networks
- The Golden Scale: ‘Tis the Season for Unwanted Gifts, by Matt Brady on November 26, 2025 at 11:00 am
Unit 42 shares further updates on the cybercrime group Scattered LAPSUS$ Hunters. Secure your organization this holiday season.
- “Shai-Hulud” Worm Compromises npm Ecosystem in Supply Chain Attack (Updated November 26), by Unit 42 on November 25, 2025 at 4:00 pm
The self-replicating worm “Shai-Hulud” has compromised hundreds of software packages in a supply chain attack targeting the npm ecosystem. We discuss scope and more.
- The Dual-Use Dilemma of AI: Malicious LLMs, by Unit 42 on November 25, 2025 at 11:00 am
The line between research tool and threat creation engine is thin. We examine the capabilities of WormGPT 4 and KawaiiGPT, two malicious LLMs.
- Anatomy of an Akira Ransomware Attack: When a Fake CAPTCHA Led to 42 Days of Compromise, by Jeremy Brown on November 19, 2025 at 12:00 am
Unit 42 outlines a Howling Scorpius attack delivering Akira ransomware that originated from a fake CAPTCHA and led to a 42-day compromise.
- Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT, by Keerthiraj Nagaraj, Vishwa Thothathri, Nabeel Mohamed and Reethika Ramesh on November 14, 2025 at 11:00 pm
Two campaigns delivering Gh0st RAT to Chinese speakers show a deep understanding of the target population’s virtual environment and online behavior.
- You Thought It Was Over? Authentication Coercion Keeps Evolving, by Bar Maor and Hila Cohen on November 11, 2025 at 4:30 am
A new type of authentication coercion attack exploits an obscure and rarely monitored remote procedure call (RPC) interface.
- LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices, by Unit 42 on November 7, 2025 at 11:00 am
Commercial-grade LANDFALL spyware exploits CVE-2025-21042 in Samsung Android’s image processing library. The spyware was embedded in malicious DNG files.
- Know Ourselves Before Knowing Our Enemies: Threat Intelligence at the Expense of Asset Management, by Bradley Duncan on November 5, 2025 at 12:00 am
Effective cyber defense starts with knowing your own network. Unit 42 explains why asset management is the foundation of threat intelligence.
- Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3), by Unit 42 on November 3, 2025 at 12:45 pm
CVE-2025-59287 is a critical RCE vulnerability identified in Microsoft’s WSUS. Our observations from cases show a consistent methodology.
- When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems, by Jay Chen and Royce Lu on October 31, 2025 at 10:00 am
Agent session smuggling is a novel technique in which AI agent-to-agent communication is misused. We demonstrate two proof-of-concept examples.
- Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack, by Kristopher Russo and Chema Garcia on October 29, 2025 at 10:00 am
A nation-state attacker is using the novel Airstalk malware in supply chain attacks to exfiltrate browser data. Airstalk misuses the AirWatch API.
- Bots, Bread and the Battle for the Web, by Anna Chung on October 28, 2025 at 11:00 pm
Unit 42 explores the escalating threat of AI-powered malicious SEO and its impact on the credibility of the open web. Read more about how threat actors are exploiting AI to manipulate search results and spread misinformation across the web.
- Cloud Discovery With AzureHound, by Margaret Kelley, Bill Batchelor and Eyal Rafian on October 24, 2025 at 10:00 pm
Unit 42 discusses the misuse of the pentesting tool AzureHound by threat actors for cloud discovery. Learn how to detect this activity through telemetry.
- The Smishing Deluge: China-Based Campaign Flooding Global Text Messages, by Reethika Ramesh, Zhanhao Chen, Daiping Liu, Chi-Wei Liu, Shehroze Farooqi and Moe Ghasemisharif on October 23, 2025 at 10:00 am
Global smishing activity tracked by Unit 42 includes impersonation of many critical services. Its unique ecosystem allows attackers to scale quickly.
- Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign, by Stav Setty and Shachar Roitman on October 22, 2025 at 10:00 am
Threat actors behind the gift card fraud campaign Jingle Thief target retail via phishing and smishing, maintaining long-term access in cloud environments.