The DarkHydrus group has begun using a new version of the RogueRobin backdoor. This version is written in C# and in addition to using DNS Tunneling for command and control, can also use Google Drive.

Palo Alto Networks Unit 42 recently captured and investigated new samples of the Linux coin mining malware used by the Rocke group. The family was suspected to be developed by the Iron cybercrime group and it’s also associated with the Xbash malware we reported on in September of 2018. The threat actor Rocke was originally

At Palo Alto Networks, we use various methods to detect malicious web pages and malicious JavaScript on websites our customers visit online. In addition to static approaches such as signature matching, our security crawlers execute all scripts discovered on web pages and observe their dynamic behavior. Then, we apply special behavioral signatures based on different indicators,

As a Threat Intelligence Analyst for Palo Alto Networks Unit 42, I often use Wireshark to review packet captures (pcaps) of network traffic generated by malware samples. To better accomplish this work, I use a customized Wireshark column display as described my previous blog about using Wireshark. Today’s post provides more tips for analysts to

Our Email Link Analysis (ELINK) system is routinely reviewed by our Unit 42 research team. In examining the data it collects, patterns and trends are discovered which helps us discern prevalent web threats. This blog is the third (3rd quarter of 2018) in a series of posts tracking web-based threats throughout the year, specifically statistics pertaining to malicious URLs, domains, exploit kits, and CVEs.

Unit 42’s research on Smoke Loader, a malware that encrypts network traffic and files with various keys to avoid analysis

Unit 42 has continued researching the Shamoon 3 attacks that impacted an oil and gas organization and identified another wiper Trojan

We proudly present to you the new Unit 42 website

The Sofacy group continues to use variants of the Zebrocy payload in its attack campaigns.

On December 10, a new variant of the Disttrack malware was submitted to VirusTotal that shares a considerable amount of code with the Disttrack malware used in the Shamoon 2 attacks in 2016 and 2017.

This time every year, people all over the world get new devices. Regardless of what holiday(s) you may (or may not) celebrate, the end of the year is a time for people to give and receive some of the latest devices to come on to the market. Nothing spoils a new gadget more than having

“When it comes to realistic predictions for the year ahead, my philosophy is simple: there are certain trends that research shows will continue to move upward.” Ryan Olson, VP of Threat Intelligence, looks at what can be expected in 2019.

The Sofacy group continued their global attack campaigns between October and November, primarily targeting NATO-aligned nation states and former USSR states and delivering Zebrocy or Cannon.

The benefits for enterprises moving to the cloud are clear: greater flexibility, agility, scalability and cost savings. However, adopting public cloud infrastructure can also magnify security risks and compliance challenges. Unit 42’s latest report examines the latest cloud security trends and tips.

Unit 42’s Don’t Panic Podcast returns with season 3.