Unit42 Palo Alto Networks

GenAI-created phishing campaigns misuse tools ranging from website builders to text generators in order to create more convincing and scalable attacks. The post Fashionable Phishing Bait: GenAI on the Hook appeared first on Unit 42.

A beginner-friendly tutorial on analyzing .NET malware teaches you how to use common tools, recognize techniques and understand infection chains. The post A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode appeared first on Unit 42.

A look at the variance within Muddled Libra (aka Scattered Spider, Octo Tempest). Its lack of structure creates multiple teams with distinct skill sets. The post Muddled Libra’s Strike Teams: Amalgamated Evil appeared first on Unit 42.

CVE-2025-32433 allows for remote code execution in sshd for certain versions of Erlang programming language’s OTP. We reproduced this CVE and share our findings. The post Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild appeared first on Unit 42.

DarkCloud Stealer’s delivery has shifted. We explore three different attack chains that use ConfuserEx obfuscation and a final payload in Visual Basic 6. The post New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer appeared first on Unit 42.

Muddled Libra gets media attention due to its consistent playbook and unique use of vishing. The group’s English fluency is another major factor. The post Muddled Libra: Why Are We So Obsessed With You? appeared first on Unit 42.

BadSuccessor is an attack vector in Windows Server 2025. Under certain conditions it allows privilege elevation via dMSAs. We analyze its mechanics. The post When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory appeared first on Unit 42.

Project AK47, a toolset including ransomware, was used to leverage SharePoint exploit chain ToolShell. This activity overlaps with Storm-2603. The post Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks appeared first on Unit 42.

A comprehensive list of threat actor groups tracked by Unit 42, along with information such as summaries and industries typically impacted. The post Threat Actor Groups Tracked by Palo Alto Networks Unit 42 (Updated Aug. 1, 2025) appeared first on Unit 42.

Unit 42 has observed active exploitation of recent Microsoft SharePoint vulnerabilities. Here’s how you can protect your organization. The post Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief (Updated August 12) appeared first on Unit 42.

Peel back the layers on Unit 42’s Attribution Framework. We offer a rare inside view into the system used to ultimately assign attribution to threat groups. The post Introducing Unit 42’s Attribution Framework appeared first on Unit 42.

Social engineering thrives on trust and is now boosted by AI. Unit 42 incident response data explains why it’s surging. We detail eight critical countermeasures. The post 2025 Unit 42 Global Incident Response Report: Social Engineering Edition appeared first on Unit 42.

Recent activity targeting telecom infrastructure is assessed with high confidence to overlap with Liminal Panda activity. The actors used custom tools, tunneling and OPSEC tactics for stealth. The post The Covert Operator’s Playbook: Infiltration of Global Telecom Networks appeared first on Unit 42.

A subtle yet dangerous email attack vector: homograph attacks. Threat actors are using visually similar, non-Latin characters to bypass security filters. The post The Ηоmоgraph Illusion: Not Everything Is As It Seems appeared first on Unit 42.

Muddled Libra (Scattered Spider, UNC3944) is evolving. Get the latest insights and defensive recommendations based on Unit 42 incident response cases. The post Muddled Libra Threat Assessment: Further-Reaching, Faster, More Impactful appeared first on Unit 42.