Unit42 Palo Alto Networks

Understand the mechanics of serverless authentication: three simulated attacks across major CSPs offer effective approaches for application developers. The post Serverless Tokens in the Cloud: Exploitation and Detections appeared first on Unit 42.

In an extensive campaign affecting 270k webpages, compromised websites were injected with the esoteric JavaScript programming style JSF*ck to redirect users to malicious content. The post JSFireTruck: Exploring Malicious JavaScript Using JSF*ck as an Obfuscation Technique appeared first on Unit 42.

Using data from machine learning tools, we predict a surge in cloud attacks leveraging reworked Linux Executable and Linkage Format (ELF) files. The post The Evolution of Linux Binaries in Targeted Cloud Operations appeared first on Unit 42.

This examination of the Amazon Web Services (AWS) Roles Anywhere service looks at potential risks, analyzed from both defender and attacker perspectives. The post Roles Here? Roles There? Roles Anywhere: Exploring the Security of AWS IAM Roles Anywhere appeared first on Unit 42.

Blitz malware, active since 2024 and updated in 2025, was spread via game cheats. We discuss its infection vector and abuse of Hugging Face for C2. The post Blitz Malware: A Tale of Game Cheats and Code Repositories appeared first on Unit 42.

We discovered an Azure OpenAI misconfiguration allowing shared domains, potentially leading to data leaks. Microsoft quickly resolved the issue. The post Lost in Resolution: Azure OpenAI’s DNS Resolution Issue appeared first on Unit 42.

We compare the effectiveness of content filtering guardrails across major GenAI platforms and identify common failure cases across different systems. The post How Good Are the LLM Guardrails on the Market? A Comparative Study on the Effectiveness of LLM Content Filtering Across Major GenAI Platforms appeared first on Unit 42.

CVE-2025-31324 impacts SAP NetWeaver’s Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry. The post Threat Brief: CVE-2025-31324 (Updated May 23) appeared first on Unit 42.

Muddled Libra continues to evolve. From social engineering to adaptation of new technologies, significant time is spent breaking down organizational defenses. The post Threat Group Assessment: Muddled Libra (Updated May 16, 2025) appeared first on Unit 42.

A new DarkCloud Stealer campaign is using AutoIt obfuscation for malware delivery. The attack chain involves phishing emails, RAR files and multistage payloads. The post DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt appeared first on Unit 42.

Unit 42 details a new malware obfuscation technique where threat actors hide malware in bitmap resources within .NET applications. These deliver payloads like Agent Tesla or XLoader. The post Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources appeared first on Unit 42.

A suspected Iranian espionage campaign impersonated a model agency site for data collection, including fictitious models as possible social engineering lures. The post Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation appeared first on Unit 42.

Lampion malware distributors are now using the social engineering method ClickFix. Read our analysis of a recent campaign. The post Lampion Is Back With ClickFix Lures appeared first on Unit 42.

Programs leveraging AI agents are increasingly popular. Nine attack scenarios using open-source agent frameworks show how bad actors target these applications. The post AI Agents Are Here. So Are the Threats. appeared first on Unit 42.

Advertised on Telegram, Gremlin Stealer is new malware active since March 2025 written in C#. Data stolen is uploaded to a server for publication. The post Gremlin Stealer: New Stealer on Sale in Underground Forum appeared first on Unit 42.