Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack

Posted on by Samantha Stallings

Executive Summary

We have discovered a new Windows-based malware family we've named Airstalk, which is available in both PowerShell and .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. We have created the threat activity cluster CL-STA-1009 to identify and track any further related activity.

Airstalk misuses the AirWatch API for mobile device management (MDM), which is now called Workspace ONE Unified Endpoint Management. It uses the API to establish a covert command-and-control (C2) channel, primarily through the AirWatch feature to manage custom device attributes and file uploads.

Airstalk has the following functionality:

  • Employs a multi-threaded C2 communication protocol
  • Incorporates versioning
  • Uses a likely stolen certificate to sign some of the samples found

This malware is designed to exfiltrate sensitive browser data, including:

  • Cookies
  • Browsing history
  • Bookmarks
  • Screenshots

We have also identified other tasks within the samples found that the threat author did not implement.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Supply Chain Attacks, Malicious PowerShell Scripts

Technical Analysis

We have identified two main variants of Airstalk malware, one written in PowerShell, and another written in .NET. The .NET variant of Airstalk has more capabilities than the PowerShell variant and seems to be in a more advanced stage of development.

We call this malware Airstalk because it misuses the MDM API from AirWatch for its C2 communications. Both variants employ the same covert channel for the C2, but the C2 protocols and the targeted browsers differ slightly.

Airstalk PowerShell Variant

PowerShell Covert Channel Implementation

Airstalk uses the devices endpoint (/api/mdm/devices/) of the MDM API from AirWatch for its covert C2 communications with the attacker. These C2 communications use the custom attributes feature of the device within the AirWatch MDM API to store the communication details of the backdoor and use it as a dead drop.

A dead drop is a secret method of communication used to pass items or information between individuals without them connecting directly. Adversaries typically use this technique in espionage, where one person leaves the item in a hidden location and the other retrieves it later.

The malware also leverages another API endpoint (/api/mam/blobs/uploadblob) to upload files for different purposes.

The C2 communication is based on JSON messages through the devices API endpoint, containing at least the following required fields (first schema):

  • CLIENT_UUID: Read through Windows Management Instrumentation (WMI) to contain the real value of the compromised device
  • SERIALIZED_MESSAGE: Base64-encoded JSON message

The serialized message sent within the Value field, has the following minimum fields (second schema):

  • CLIENT_UUID: Real Universally Unique Identifier (UUID) value of the compromised device
  • MESSAGE_TYPE: Varies depending on the purpose of the message
  • SENDER_ROLE: Set to client for all the messages sent from the compromised device toward the API endpoint

The final messages (first schema) are then set as custom attributes through the MDM API to communicate with the attacker.

Screenshot of a PowerShell script used to handle HTTP requests to a web API, featuring variables, a loop, and conditional statements. Specific names are visible in the code.
Figure 1. Covert channel core function from the PowerShell variant of Airstalk.

To read a message back from the attacker, the malware performs the inverse process. It deserializes the message and verifies whether the message comes from the attacker, to avoid reading the message sent by itself, as shown in Figure 2.

Screenshot of a programming script with various functions and conditional statements written in a coding language, highlighted with arrows pointing to specific lines and elements.
Figure 2. C2 response from the Covert channel core function of Airstalk's PowerShell variant.

C2 Protocol

The C2 protocol for Airstalk's PowerShell variant uses different message types for synchronization and execution of specific tasks, based on the stage of the communication.

Table 1 shows the different values that the method field can have.

MESSAGE_TYPE Purpose
CONNECT Connection request
CONNECTED Connection accepted
ACTIONS Tasks synchronization
RESULT Tasks results

Table 1. Values of the method field in Airstalk's PowerShell variant C2 communications.

When executed, Airstalk's PowerShell variant initializes the communication with the attacker. To do so, it sends a CONNECT message and blocks the execution through the function Get-Response as shown in Figure 3, waiting for a message from the threat actor.

Code snippet showing a script to initialize a connection, convert a request to Base64, and handle server response based on connection status, highlighted in various colors to denote syntax.
Figure 3. Connection initialization by Airstalk's PowerShell variant.

The code seems to expect to receive a CONNECTED message. However, the result is the same whatever the message type is, as long as it doesn’t come from the malware (client).

After establishing a connection with the attacker, the malware:

  • Asks for tasks to execute, sending a message of type ACTIONS
  • Blocks the execution, waiting for an answer from the attacker with an ACTIONS message type
  • Returns the ID of the action to conduct, as shown in Figure 4 below
Image of a computer code snippet in a programming language, consisting of functions and conditional statements, with annotations indicated by arrows.
Figure 4. C2 tasks checked by Airstalk's PowerShell variant.

As indicated in Figure 4, this time the execution flow properly filters the message type.

Figure 5 illustrates the execution flow of Airstalk's PowerShell variant.

Diagram showing the interaction between Malware (Infected Device), AirWatch MDM, and Malware (Threat Actor) with descriptions of process steps like blocking execution, acknowledging actions, and executing tasks.
Figure 5. C2 execution flow of Airstalk's PowerShell variant.

Backdoor Capabilities

Once the C2 communication channel is established, the PowerShell variant of Airstalk can receive different tasks through the action field, as shown below in Table 2.

ACTION_ID Task
0 Take a screenshot
1 Get all Chrome cookies
2 List all the files within the user’s directory
4 List all the Chrome profiles within the user’s directory
5 Get browser bookmarks of a given Chrome profile
6 Get the browser history of a given Chrome profile
7 Uninstall the backdoor

Table 2. Identifiers and tasks for the action field.

Following the ACTION_ID values in Table 2, we find the value 3 is skipped. That might be a developer decision, a mistake or a way to hide additional capabilities from the backdoor by removing the implementation of tasks. This removal is a simple but effective way to use it as a modular backdoor.

After executing a task, the malware sends the result of the task with the function UploadResult, specifying the ACTION_ID of the task executed and its returned value as noted in Figure 6.

A screenshot of a code snippet in a programming language with annotations using arrows pointing towards specific lines, highlighting parts of the code related to data handling and server response checks.
Figure 6. Send the task result back to the C2 channel.

Some tasks require sending back a large amount of data or files after Airstalk is executed. To do so, the malware uses the blobs feature of the AirWatch MDM API to upload the content as a new blob. Figure 7 shows how this is implemented in the script of Airstalk's PowerShell variant.

Screenshot of a PowerShell script with annotations indicated by arrows pointing to key elements in the code.
Figure 7. File upload function in Airstalk's PowerShell variant.

An example of this behavior is taking a screenshot of the infected host, which Figure 8 below shows.

Screenshot of a code snippet featuring PowerShell commands. The code includes conditional logic to take a screenshot and upload it, with annotations indicated by arrows.
Figure 8. Screenshot function leveraging the UploadResult functionality.

The function to dump cookies from Chrome enables remote debugging in the browser and restarts it with parameters to load the targeted Chrome profile. These parameters also send the command to dump all the cookies and save them to a file that is later exfiltrated through the covert channel shown below in Figure 9.

Screenshot of a computer screen displaying software code in an IDE, featuring syntax highlighting with arrows pointing to key sections of the code.
Figure 9. Exfiltration of Chrome Cookies.

As previously reported by Red Canary, cookie theft via Chrome remote debugging is not novel functionality and is already built into a number of information stealers such as Lumma and StealC. However, these information stealers are unlikely to successfully run in a well-protected environment. Bundling the functionality into a trusted systems management tool allows execution without raising suspicion.

Airstalk .NET Variant

During our investigation of this malware, we identified a set of samples representing a .NET variant of Airstalk. Compared to the PowerShell variant, the .NET variant has slight differences in its covert C2 channel protocol and has more capabilities. The .NET variant also appears to be in a more advanced stage of development than the PowerShell variant.

While the sample we found of Airstalk's PowerShell found only targets Google Chrome, Airstalk's .NET variant also targets two additional web browsers:

  • Microsoft Edge
  • Island Browser

The .NET variant tries to mimic a legacy application, by using code signing and specific metadata attributes. Figure 10 notes an example of this.

Screenshot displaying properties of a file named AirWatchHelper.exe, a product by VMware. Notable fields include Company Name: VMware, Product Name: Client, and various version details.
Figure 10. Exif metadata from Airstalk's .NET variant is natively set through .NET assemblies.

.NET Covert Channel Implementation

Compared to the PowerShell variant, Airstalk's .NET variant includes an additional suffix to the UUID field within the JSON message (first schema) in its covert C2 communication, as noted in Figure 11.

Screenshot of a programming code snippet showing a function named SetAttribute with several cases in a switch statement and setting of attributes based on delivery type.
Figure 11. Covert channel code function in Airstalk's .NET variant.

The Airstalk .NET variant has three different delivery types for its C2 communications as Table 3 notes.

Delivery type Suffix Description
DEBUG -kd Used to send debugging data
RESULT -kr Used to check tasks and send task results
BASE -kb Used for connection establishment and beaconing

Table 3. Different delivery types in C2 communications for the .NET variant of Airstalk.

C2 Protocol

Compared to the PowerShell variant, Airstalk's .NET variant has small differences in the message types for its C2 protocol. Table 4 lists the extra types (methods) used by the .NET variant.

MESSAGE_TYPE Purpose PowerShell Variant .NET Variant
CONNECT Connection request Yes Yes
CONNECTED Connection accepted Yes Yes
ACTIONS Tasks flow Yes Yes
RESULT Tasks results Yes Yes
MISMATCH Version mismatch error No Yes
DEBUG Debug messages No Yes
PING Beaconing No Yes

Table 4. Communication methods for Airstalk's .NET variant C2 protocol.

Compared to its PowerShell variant, Airstalk's .NET variant has a different execution flow. The .NET variant uses three different execution threads, one for each specific purpose:

  • Managing C2 tasks
  • Exfiltrating the debug log
  • Beaconing to the C2
Image of a computer programming code displayed on a screen, featuring several instances of object-oriented programming concepts. Notable elements include the instantiation of objects, exception handling with a try-catch block, and use of system threading. The code contains annotations and arrows emphasizing specific parts of the script. Some of the information is redacted.
Figure 12. Code illustrating the main execution flow for C2 communications in Airstalk's .NET variant.

As Figure 12 above notes, these variants have a beaconing behavior, a debugging thread and a log file that it sends back to the attacker. This is sent through the covert channel every 10 minutes, according to the Debug function that Figure 13 shows.

Screenshot of computer code featuring programming language with various functions and exception handling related to file operations and debugging.
Figure 13. Debug function periodically uploads the log.

Figure 14 shows the full list of tasks supported by the .NET variant.

Screenshot of code displaying an enumeration titled 'TaskType' with various task names such as UpdateChrome, RunUtility, EnterProfile, OpenUrl, and others listed within curly braces.
Figure 14. List of supported tasks for C2 communications in Airstalk's .NET variant.

Although the .NET variant's task names are defined similarly to the PowerShell variant tasks, not all the tasks are implemented. Additionally, the task IDs in the .NET variant differ from the PowerShell variant. This indicates an evolution of the .NET variant of Airstalk from what we see in the PowerShell variant. In the .NET variant, some tasks look similar to the PowerShell variant, but a closer examination reveals they are more complex as compounds of smaller tasks.

Table 5 below describes the capabilities and implementations of the functions shown earlier in Figure 14.

Name ID Implemented Description
Screenshot 0 Yes Takes a screenshot
UpdateChrome 1 Yes Exfiltrates the specified Chrome profile
FileMap 2 Yes Lists the content of the specified directory
RunUtility 3 No N/A
EnterpriseChromeProfiles 4 Yes Retrieves the available Chrome profiles
UploadFile 5 Yes Exfiltrates specific Chrome artifacts and credentials
OpenURL 6 Yes Opens a new URL in Chrome
Uninstall 7 Yes Finishes the execution
EnterpriseChromeBookmarks 8 Yes Gets the Chrome bookmarks from the specified user
EnterpriseIslandProfiles 9 Yes Retrieves the available Island profiles
UpdateIsland 10 Yes Exfiltrates the specified Island profile
ExfilAlreadyOpenChrome 11 Yes Dumps all the Cookies from the current Chrome profile

Table 5. Tasks for C2 functions in Airstalk's .NET variant.

Versioning

Airstalk's PowerShell variant does not have a version variable, but the .NET variant has a variable specifying the malware version. We found samples of the Airstalk .NET variant using versions 13 and 14.

Persistence

The PowerShell variant uses a scheduled task for persistence that it removes when executing the Uninstall task shown in Figure 15.

Screenshot of a computer script using PowerShell commands, including Remove-Item, Unregister-ScheduledTask, and UploadResult functions within a conditional block.
Figure 15. Airstalk PowerShell variant's uninstall code.

However, Airstalk's .NET variant does not have a persistence mechanism. The .NET variant finishes its process execution and sets a flag in the custom attributes API endpoint as shown in Figure 16.

Screenshot of a code snippet in a text editor indicating an error related to unassigned variable 'client'. The code includes elements typical of C# programming, such as use of the HttpClient class and asynchronous methods.
Figure 16. Airstalk .NET variant's uninstall code.

Signed Binaries and Timestamps

As a defense evasion attempt, binaries for Airstalk's .NET variant are signed with a (likely stolen) certificate signed by a valid CA:

  • Organization: Aoteng Industrial Automation (Langfang) Co., Ltd.
  • Locality: Langfang
  • State: Hebei
  • Country: CN
  • Serial Number: 29afb8d913db84fdb362f4fd927b8553
  • Valid From: Jun 28 10:04:49 2024 GMT
  • Valid To: Jun 28 03:29:37 2025 GMT

However, this certificate was revoked about 10 minutes after its Valid From date:

  • Revocation date: Jun 28 10:14:00 2024 GMT

We found two PE binaries used for testing that were signed with the same certificate and preserved the original timestamps, as Table 6 shows.

SHA256 Compiled Signed First Submitted
0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde 2024-06-28 17:55:37 UTC 2024-07-03 18:01:00 UTC 2024-07-03 18:03:26 UTC
1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5 2024-07-03 20:37:08 UTC 2024-07-03 20:39:00 UTC 2024-07-03 20:43:31 UTC

Table 6. Information on testing PE binaries for Airstalk's .NET variant.

Although the threat actor behind CL-STA-1009 modified the timestamps from later Airstalk .NET variant binaries, we can establish a development timeline by using the signed timestamps, as shown below in Table 7.

SHA256 Signed Compiled Debug First Submitted Description
dfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533 2024-07-17 20:00:00 UTC 2055-04-06 21:31:42 UTC 2039-09-07 07 17:14:59 UTC 2024-12-17 16:58:53 UTC .NET variant
b6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b 2024-11-11 00:12:00 UTC 2066-03-16 05:36:50 UTC 2084-08-11 21:19:12 UTC 2024-12-10 00:03:03 UTC .NET variant
4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5 2024-11-14 00:21:00 UTC 2097-03-02 00:38:35 UTC 2089-11-27 15:10:05 2089 UTC 2024-12-09 13:39:25 UTC .NET variant
3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5 N/A N/A N/A 2025-01-02 17:35:47 UTC PowerShell variant

Table 7. Development timeline based on the signed timestamps.

Attribution and the Supply Chain

Based on our internal assessment, we assess with medium confidence that a nation-state threat actor used Airstalk malware in a supply chain attack. We are tracking the identified activity as an activity cluster that we named CL-STA-1009.

We’ve followed a number of supply chain attacks over the past few years. Supply chain attacks target the goods and services organizations rely upon to perform their day-to-day activities. The supply chain includes hardware that comprises an organization’s infrastructure, cloud-based services trusted to manage an organization’s most sensitive data, and specialized staff augmentation.

This last category, typically named business process outsourcing (BPO), creates the potential for extensive damage when targeted by attackers. Hardware and software can be monitored, controlled and provisioned. However, human assets — particularly highly specialized ones — must often be granted extensive access to critical business systems. Additionally, they are often working from equipment managed by their own organizations. Because they are managed by the BPO, this effectively places them out of reach of the majority of your organization’s security controls.

Organizations specializing in BPO have become lucrative targets for both criminal and nation-state attackers. We’ve seen a notable increase of attacks on BPOs as the source of intrusion in incidents we've seen over the past few years.

BPOs typically leverage the economy of scale to have highly specialized talent service multiple clients concurrently. While this can generate significant savings for both the BPO and its clients, it has the drawback of allowing the BPO to act as a gateway into multiple targets. Attackers are willing to invest generously in the resources necessary to not only compromise them but maintain access indefinitely.

Conclusion

CL-STA-1009 is a threat activity cluster representing activity from a suspected nation-state actor. This cluster is associated with Airstalk malware, which we assess with medium confidence adversaries used in supply chain attacks.

The .NET variant represents an evolution of the malware, featuring a multi-threaded C2 protocol, versioning, beaconing and more complex, compound tasks. This malware employs defense evasion techniques, including using signed binaries with a revoked certificate that appears to have been issued to a legitimate organization in 2024. These evasion techniques also include the manipulation of PE timestamps, although signing timestamps help establish a timeline of activity. The malware's capabilities and adaptive nature highlight the persistent threat posed by the threat actor behind CL-STA-1009.

The evasion techniques employed by this malware allow it to remain undetected in most environments. This is particularly true if the malware is running within a third-party vendor’s environment. This is particularly disastrous for organizations that use BPO because stolen browser session cookies could allow access to a large number of their clients. Stolen screenshots and logged keystrokes can reveal sensitive and proprietary information not only for the victim, but the victim's customers as well.

Long-term monitoring allows a determined attacker to understand how the business operates and how the BPO organization typically interacts with its customers, making it less likely that follow-on intrusions would be detected. The key to identifying and protecting organizations from these types of attacks is to expand security focus from typical indicators and access control to understanding how users typically work, both internally and externally.

However, the differences in patterns between how an attacker behaves and how your users typically behave will eventually reveal them if you know what to watch for. These differences are what you must identify and act on using behavioral monitoring tools tuned to spot subtle anomalies.

Palo Alto Networks customers are better protected from Airstalk malware through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
  • Cortex XDR and XSIAM help prevent malware by employing the Malware Prevention Engine. This approach combines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local Analysis module, to help prevent both known and unknown malware from causing harm to endpoints.
  • Prisma Browser helps protect against attacks like Airstalk in several ways:
    • First, it detects and blocks malicious file downloads through the built-in Advanced WildFire threat detection engine.
    • Second, its layered protection model isolates all browser data and files from the underlying endpoint, preventing local malware from accessing cookies, history or credentials.
    • Finally, Prisma Browser continuously validates device posture, ensuring that the right EDR is installed, active and healthy before allowing access to sensitive applications.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

IoC Type Description
0c444624af1c9cce6532a6f88786840ebce6ed3df9ed570ac75e07e30b0c0bde SHA256 Signed test sample
1f8f494cc75344841e77d843ef53f8c5f1beaa2f464bcbe6f0aacf2a0757c8b5 SHA256 Signed test sample
dfdc27d81a6a21384d6dba7dcdc4c7f9348cf1bdc6df7521b886108b71b41533 SHA256 Airstalk .NET sample
b6d37334034cd699a53df3e0bcac5bbdf32d52b4fa4944e44488bd2024ad719b SHA256 Airstalk .NET sample
4e4cbaed015dfbda3c368ca4442cd77a0a2d5e65999cd6886798495f2c29fcd5 SHA256 Airstalk .NET sample
3a48ea6857f1b6ae28bd1f4a07990a080d854269b1c1563c9b2e330686eb23b5 SHA256 Airstalk PowerShell sample

Code signing certificate:

-----BEGIN CERTIFICATE-----

MIIF/DCCA+SgAwIBAgIQKa+42RPbhP2zYvT9knuFUzANBgkqhkiG9w0BAQsFADB7

MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24x

ETAPBgNVBAoMCFNTTCBDb3JwMTcwNQYDVQQDDC5TU0wuY29tIEVWIENvZGUgU2ln

bmluZyBJbnRlcm1lZGlhdGUgQ0EgUlNBIFIzMB4XDTI0MDYyODEwMDQ0OVoXDTI1

MDYyODAzMjkzN1owgfkxCzAJBgNVBAYTAkNOMQ4wDAYDVQQIDAVIZWJlaTERMA8G

A1UEBwwITGFuZ2ZhbmcxOjA4BgNVBAoMMUFvdGVuZyBJbmR1c3RyaWFsIEF1dG9t

YXRpb24gKExhbmdmYW5nKSBDby4sIEx0ZC4xGzAZBgNVBAUTEjkxMTMxMDAwTUEw

QTNIRjhYOTE6MDgGA1UEAwwxQW90ZW5nIEluZHVzdHJpYWwgQXV0b21hdGlvbiAo

TGFuZ2ZhbmcpIENvLiwgTHRkLjEdMBsGA1UEDwwUUHJpdmF0ZSBPcmdhbml6YXRp

b24xEzARBgsrBgEEAYI3PAIBAxMCQ04wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASf

B2NdKWXwGa7DkmCA5NiX+kQh5JkYBjGKJgSRz5BflX/Bo+/pXKfN8fsUOe5J3k+y

v/XX53ZiHRJMmpWSjEHXyDFHbBco1hksVLOoeaTFHx65sh5eysXxwD3bwn1IzSCj

ggGpMIIBpTAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDa9Sf8xLOuvakD+mcAW

7br8SN1fMH0GCCsGAQUFBwEBBHEwbzBLBggrBgEFBQcwAoY/aHR0cDovL2NlcnQu

c3NsLmNvbS9TU0xjb20tU3ViQ0EtRVYtQ29kZVNpZ25pbmctUlNBLTQwOTYtUjMu

Y2VyMCAGCCsGAQUFBzABhhRodHRwOi8vb2NzcHMuc3NsLmNvbTBfBgNVHSAEWDBW

MAcGBWeBDAEDMA0GCyqEaAGG9ncCBQEHMDwGDCsGAQQBgqkwAQMDAjAsMCoGCCsG

AQUFBwIBFh5odHRwczovL3d3dy5zc2wuY29tL3JlcG9zaXRvcnkwEwYDVR0lBAww

CgYIKwYBBQUHAwMwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybHMuc3NsLmNv

bS9TU0xjb20tU3ViQ0EtRVYtQ29kZVNpZ25pbmctUlNBLTQwOTYtUjMuY3JsMB0G

A1UdDgQWBBQdt2jU+7Pr64QrUIvuU1nojIqttzAOBgNVHQ8BAf8EBAMCB4AwDQYJ

KoZIhvcNAQELBQADggIBAMBeOg1geZaMToh9XVF2rrQQRXArYYQKi5svgEX6YcjC

ZljQZzBo8wIyvyyeJ7x33ThTTbPpukggrKE2p019jGjlKQMjWoA1leRatuyrMPVT

w5+Vs/RCEogg1X/n6wmvTUUNvLCv6iDgT3/ZFrm7jIJKrwMkt/HbuGE/AB3w/Hfk

tnDcWbMii58+HmuDbPRtfvKe1p9IZ6EbxdAVRrOg/unECl4JC9gdzma0DbD6HhmY

AgaCEoqBds59ghNjN2y/QpMiAvrUBpX6p4pJzIedj5cJ/WID0QgalIWpOI18rRfP

Lkh6p02s5nmbSZKQQFtjPNCew65shUgCFdiV/mnFVPbI76o4N41c2z+AEqODk6fI

QUEeCr8Ny/Ro6ijXhycFvcN/YS9mLeiZ43cyEx9iylGskYY7wbPUblzNAF5NzxuK

jp/EBCUmCoj/q43D2u/ldB9ND4yaiaRmMMte8BVjSoU9xUUss7a5vft51ONTWtWS

O8Hbs4pnGcPCjewTdrgDqKYcLOPFN4M04kQHaQqQyQaY9Sff6/2c16Sh4rmErluQ

lIbNggl4sHlpMObqSqPnkJy8ClBFr7ah7AH8k6hzyQheh1rXUtmK0TSCbywsLFfH

nGbFSa72+9mByBCUH3ckD+Nnv73dtRdH9/M7+Oq+71BJQmMwmuMXPi450vTM4HIP

-----END CERTIFICATE-----

 

Bots, Bread and the Battle for the Web

Posted on by Anna Chung

When Honest Businesses Meet the Dark Side of Search

Meet Sarah, an artisanal baker who opens Sarah’s Sourdough. To improve her search engine optimization (SEO), she builds a beautiful website and shares authentic baking content. By writing blog posts, earning local backlinks and telling her story, Sarah practices ethical SEO to help search engines understand her value. Soon, when users search “fresh sourdough near me,” her shop ranks at the top. This is how search is meant to work – connecting real people with real solutions.

Understanding Malicious SEO and Its Growing Impact in the Age of AI

Suddenly, Sarah’s thriving bakery site is buried beneath spammy imitators like BestBreadsNow[.]info — ad-filled pages with no real business, just tricks to climb the search ranks. These sites use malicious SEO. This consists of manipulative tactics designed to game algorithms, such as:

  • Keyword stuffing (cramming pages with repetitive terms)
  • Purchased backlinks (paying unrelated sites to link back)
  • Fake content

What was once a niche problem is now a multi-million-dollar shadow economy. Entire ecosystems exist to exploit search engines, including:

  • Cloaking tools that show fake content to search engines
  • Content farms mass-producing shallow articles
  • Underground sellers who fabricate popularity and traffic

And now, AI is accelerating it all. With the click of a button, bad actors can generate tens of thousands of spam articles, spin up fake social accounts to build backlinks, and deploy AI-tailored cloaking that deceives algorithms while staying invisible to users.

Sarah isn’t just competing with bad actors anymore. She’s competing with an AI-powered content machine built to drown out authenticity with algorithm-friendly noise.

Next-Generation Defenses Against AI-Powered SEO Misuse

To counter the rise of AI-boosted malicious SEO, search engines and content platforms must adopt intelligent, proactive defenses beyond simple spam filters or manual moderation. Key strategies include:

AI to Detect AI Manipulation

Search engines need models trained to detect:

  • AI-generated text patterns, like repetitive phrasing, lack of nuance and burst-publishing behavior.
  • Fake engagement, such as bot-generated comments, identical posts across fake profiles and unnatural link velocity.

These models can be built using transformer-based NLP and behavioral anomaly detection algorithms. This dual approach is effective because it allows systems to analyze both the linguistic authenticity of the content itself and the statistical patterns of its distribution. When analyzed together, these two concepts can be indicators pointing to AI-generated text and the inorganic behavior used to promote it.

Network-Level Detection

Modern SEO misuse happens at scale across entire ecosystems of fake domains and botnets. Defense systems must:

  • Identify link farms via graph analysis of backlink structures
  • Detect coordinated bot activity by analyzing IP reuse, timing patterns and shared hosting metadata
  • Compare crawler vs. user views to detect cloaking behavior

Proactive Ecosystem-Wide Monitoring

This gives defenders visibility into the infrastructure behind spam, not just its symptoms. By integrating threat intelligence and pre-release stress testing, defenders can block attacks before they scale.

The Future of SEO: A Strategic Battle Between AI-Driven Threats and Ethical Defense

AI-driven malicious SEO is already reshaping how visibility, trust and reputation are won or lost online. Non-LLM-focused defenses will be outpaced, outnumbered and outsmarted.

The only viable path forward is a proactive one. Search engines, content platforms and threat intelligence teams must shift from reacting to anticipating, using AI not only as a shield but as a strategic advantage. AI empowered this new class of threat, and only its intelligent and responsible use can defeat it.

Malicious versus ethical SEO is not just a fight for rankings. It’s a fight for the credibility of information, for the viability of legitimate businesses and for the soul of the open web. ​​The best time to prepare for this fight starts now.

Additional Resources

Cloud Discovery With AzureHound

Posted on by Samantha Stallings

Executive Summary

AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerate Azure resources and map potential attack paths, enabling further malicious operations. Here, we help defenders understand the tool and protect against illegitimate use of it.

This look into AzureHound will discuss its capabilities and common usage, and map its tool usage to the MITRE ATT&CK framework. Focusing on relevant ATT&CK techniques, we provide examples of tool execution and highlight how the activity appears in Azure log sources as well as in Cortex XDR.

Tools like AzureHound allow threat actors to operate quickly and efficiently in cloud environments. Threat actors operating these tools often leave detectable evidence for defenders who know where to look. This article provides actionable intelligence for tuning detections, improving incident response processes, conducting threat hunting and managing a security function.

Palo Alto Networks customers are better protected from the threats described here through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team. Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.

Related Unit 42 Topics Azure, Control Plane, Data Plane, Security Logging

AzureHound Tool Background

AzureHound is an open-source data collection tool written in the Go programming language. It is available precompiled for Windows, Linux and macOS.

This tool collects data using the Microsoft Graph and Azure REST Application Programming Interfaces (APIs). It is designed to enumerate an Entra ID and Azure environment and gather information about identities and various other resources. The goal of this enumeration is to use the collected data to identify potential attack paths to privilege escalation within the target Azure environment.

AzureHound can send its output to JSON files, which BloodHound can then ingest. BloodHound is a visualization tool designed to graphically reveal hidden relationships and identify attack paths within an Entra ID, Azure or Active Directory (AD) environment.

The Microsoft Graph API provides developers with programmatic access to organizational data and identities within Microsoft 365 and Microsoft Entra ID.

Operating at the infrastructure layer, the Azure REST API provides access to Azure Resource Manager (ARM), the control plane for all Azure resources like storage, virtual machines and networks.

AzureHound does not need to be run from within the victim environment. This is because both the Microsoft Graph and Azure REST APIs are available externally.

Threat Actor Usage of AzureHound

AzureHound is intended to be used by security professionals — like defenders and red teams — to proactively find and fix cloud vulnerabilities. However, threat actors can also use it for discovery, after gaining access to a victim's Azure environment.

Threat actors use AzureHound to automate complex discovery procedures in Azure environments. This helps them discover user hierarchies and identify high-value targets.

Collecting internal Azure information helps threat actors uncover misconfigurations and indirect privilege escalation opportunities that might not be obvious without this full view of the target Azure environment.

Threat actors also run the tool after obtaining initial access to the victim environment, downloading and running AzureHound on assets to which they have gained access.

As recently as August 2025, threat actor activity with this tool highlights a continued focus on cloud environments as a critical attack surface. Publicly available research identifies AzureHound as part of several post-compromise operations:

  • Unit 42 tracks the Iranian-backed group Curious Serpens (aka Peach Sandstorm), which has been active since at least 2013. The group has evolved to misuse Azure cloud environments in its attack chain, including using AzureHound to conduct internal discovery of the target's Microsoft Entra ID environment.
  • In May 2025, Microsoft reported on a suspected nation-state threat actor it named Void Blizzard leveraging AzureHound during the discovery phase of their attacks to enumerate Entra ID configurations.
  • In August 2025, Microsoft reported a campaign by a ransomware operator they identified as Storm-0501. Operating on-premises in a hybrid, multi-tenant Azure environment, the threat actor used AzureHound to enumerate the target's Entra ID tenants.

MITRE Tactic Discovery

The MITRE ATT&CK framework is a security practitioner and community-driven knowledge base of threat actor behaviors that describes the tactics, techniques and procedures (TTPs) of cyberattacks. The framework provides a common vocabulary for sharing intelligence and research. It aids in the structured analysis of cyberattacks and tracking of trends in threat actors’ activity.

Discovery within the MITRE ATT&CK framework refers to techniques that threat actors use to learn about their target environment after gaining initial access. MITRE ATT&CK recognizes that cloud techniques and procedures differ from their endpoint counterparts and identifies this cloud-focused subset of the Enterprise Matrix as the Cloud Matrix. We will focus on discovery techniques from the Cloud Matrix.

In Azure, discovery involves gathering details on the following:

  • Users
  • Groups
  • Service principals
  • Roles
  • Devices
  • Storage accounts
  • Applications
  • Permissions

Threat actors seek to understand the resources and relationships within the Azure environment to facilitate their attack.

AzureHound accelerates this process by giving threat actors an efficient means to collect data, which they then use to map potential attack paths against the target Azure environment. These attack paths include:

  • Privilege escalation opportunities
  • Lateral movement paths
  • Relationships of high-value accounts such as Global Administrators or other privileged roles

MITRE Discovery Techniques

From the perspective of a threat actor using AzureHound, each discovery technique represents a step in building a comprehensive understanding of a target's cloud environment.

To understand a command-line tool like AzureHound, users typically reference online documentation as well as output from the tool's -h, --help or other usage parameter. Compared to the online documentation, a full listing via the list -h parameter in the 2.6.0 version of AzureHound reveals additional discovery options that are useful in the context of analyzing potential malicious usage. This includes some commands of particular interest to a threat actor such as:

  • function-apps
  • function-app-role-assignments
  • storage-accounts
  • storage-containers
  • subscription-user-access-admins
  • web-apps

The commands above give threat actors baseline information about services commonly exploited in cloud environments. The commands detailed in this analysis are based on the direct output from the tool.

T1087.004: Account Discovery: Cloud

AzureHound can enumerate users, devices and service principals within an Entra ID tenant to collect identity information.

To establish a foundational understanding of the target environment, a threat actor might first locate the identities operating within it. This initial enumeration provides a roster of potential targets for credential theft or impersonation. The tool automates the collection of all identities, including users, devices and service principals, along with their ownership relationships. This provides a detailed picture of the identities present in the tenant.

AzureHound parameters that facilitate the MITRE technique Account Discovery: Cloud Account include the following:

  • list users
  • list devices
  • list device-owners
  • list service-principals
  • list service-principal-owners

AzureHound supports multiple means of authentication, including:

  • Username and password
  • Refresh tokens
  • JSON web tokens (JWT)
  • Service principal secrets
  • Service principal certificates

Microsoft's Entra ID documentation provides a full discussion of Azure token types. For our example, we will use an Azure refresh token we generated using device code flow by following the guidance in the AzureHound CE reference docs.

Threat actors will use whatever means of authentication is available. They can combine a stolen username and password with multi-factor authentication (MFA) fatigue to affect a successful login. Alternatively, they may login with a stolen token. Infostealers such as Raccoon Stealer or Redline can extract cookies, credentials and session tokens from a user's browser. Researchers from Flare found that session tokens acquired from infostealers have exposed tokens from Azure.

As displayed by the list users request within Figure 1, the output of AzureHound command-line discovery can reveal information of interest to a threat actor. This example invocation of the command lists all Entra ID users and sends the output to a file called users.json.

Text on a computer screen displaying the output of the AzureHound 2.6.0 tool, listing all users in an Azure tenant. The output indicates the process completion and the software shutting down gracefully.
Figure 1. Execution of AzureHound to enumerate users.

The following data is among the fields returned by default for each user if available in the Entra ID User record:

  • displayName
  • jobTitle
  • lastPasswordChangeDateTime
  • mail
  • userPrincipalName
  • userType
  • tenantId
  • tenantName

Figure 2 shows a screen capture of the raw output from AzureHound with some of the fields listed above.

A screenshot of a code snippet related to a user account data structure, including fields for account ID, creation date, email, and other attributes.
Figure 2. AzureHound list users raw output.

This data helps threat actors target key users in the target organization for successive stages in the attack. For example, a threat actor could dump all users to a JSON file and search it for job titles that indicate high-value targets including those containing words like:

  • Administrator
  • Application
  • Identity
  • Cloud

These targets are considered high value because these job roles would have elevated privileges within the Azure tenant.

T1069.003: Permission Groups Discovery: Cloud Groups

AzureHound can discover memberships of administrative roles and security groups to map potential privilege escalation paths.

Once threat actors know the identities within the target environment, they need to understand the relationships between the identities by discovering permission structures.

This technique focuses on mapping out administrative roles and group memberships to find exploitable privilege escalation paths. This is achieved by collecting not just the groups and roles themselves, but the web of specific role assignments that connect identities to resources, revealing who has access to what.

For Permissions Groups Discovery: Cloud Accounts, AzureHound has the following capabilities:

  • list groups
  • list roles
  • list group-members
  • list group-owners
  • list role-assignments
  • list app-role-assignments
  • list key-vault-access-policies
  • list management-group-role-assignments
  • list resource-group-role-assignments
  • list subscription-role-assignments
  • list virtual-machine-role-assignments

What data the options above return depends on the identity AzureHound uses to authenticate. AzureHound gathers information based on the permissions granted to the account under which it runs within Azure. These accounts can only enumerate policy definitions and assignments if they have roles like Reader or higher at the subscription or resource group level.

Figure 3 shows the result of a command to enumerate Groups within a tenant.

Screen capture of a terminal displaying log messages from AzureHound, including timestamps and notifications about listing storage accounts and the collection process duration, ending with a shutdown message.
Figure 3. Execution of AzureHound to enumerate groups.

Threat actors enumerate Entra ID groups, roles and role assignments because they collectively define how access and permissions are distributed across users, applications and resources. Threat actors can identify highly privileged roles, such as Global Administrator or Privileged Role Administrator and determine which users or service principals are assigned to them. This information can also reveal privileged escalation paths through nested group memberships.

Role assignments can reveal excessive or misconfigured permissions. This information helps threat actors discover opportunities for privilege escalation, lateral movement and additional data collection.

AzureHound integrates with BloodHound to create graphs that visually map potential privilege escalation and architectural blueprint. It does so using a massive amount of raw data such as lists of users, groups, apps, subscriptions and their permissions.

Manually connecting these dots is slow and prone to error. As such, the BloodHound GUI becomes a useful analytical tool for threat actors.

By importing the collected data, the tool transforms lines of text into a living map of important relationships. This information about highly privileged users gives the threat actor a list of users to target for credential theft. Figure 4 shows users who have the Global Administrator role either directly assigned, or inherited through group membership.

Screen displaying the interface in Global Administrator with various interconnected nodes, some highlighted in pink and blue, representing different entities and their relationships.
Figure 4. BloodHound paths to Global Administrator.

For confidentiality, we have hidden or obscured labels for users and groups as well as tenant information.

T1619: Cloud Storage Object Discovery

AzureHound can discover Azure storage accounts and the blob containers within them, identifying where data is stored.

A primary objective for many threat actors is data exfiltration, making it critical to identify where data is stored. This technique involves discovering cloud storage resources. A threat actor can use AzureHound to specifically target and enumerate Azure storage accounts and the blob containers within them, revealing the locations of potentially sensitive data.

AzureHound has two options for storage object discovery, covering both Azure storage accounts and containers:

  • list storage-accounts
  • list storage-containers

Figure 5 shows an example of storage account discovery via AzureHound, enumerating all storage accounts that the identity passed into the command has access to.

Command line interface where the AzureHound tool lists Azure AD groups. The process concludes by shutting down gracefully, with a suggestion to press Ctrl+C to force quit.
Figure 5. Execution of AzureHound to enumerate storage accounts.

The output from the list storage-account command can reveal important information about the storage account configuration. The output comprises the entire storage account resource definition including:

  • Name
  • Location
  • Key vault properties
  • Replication type
  • DNS endpoints
  • Network access control lists (ACLs)

Microsoft's reference page shows examples of full storage account configurations.

Within this data, the name of the storage account is very important and tied to its service endpoints, which are publicly resolvable DNS names used to connect to the storage account. For example, a storage account blob container by default uses the storage account, container and blob names to define the service endpoint as follows:

hxxps[:]//mystorageaccount.blob.core.windows[.]net/mycontainername/myblobname

Storage accounts can also be tied to custom domain names, which would be in the output's customDomain key-value pair. Please refer to Microsoft's storage account overview for more information on custom domains and other details.

Threat actors seek to access the data in storage accounts for data exfiltration. However, these service endpoints can be secured by network ACLs on the storage account firewall. This information provides the threat actor an understanding of network allowlists and denylists comprising the firewall configuration.

Figure 6 shows that the storage account service has a default deny policy, allowing access only from two /24 network ranges and trusted Azure services like Azure Monitor, Backup and File Sync.

Screenshot of snippet for network rules in Azure Services, showing two IP rules set to "Allow" with specific IP addresses.
Figure 6. Storage account network ACLs.

Trusted services in Azure refers to a predefined list of Microsoft-owned services that are, by default, granted permissions and access to other Azure resources, bypassing standard network ACLs. Microsoft manages the list and it’s specific to the resource type (e.g., storage blobs, key vaults).

T1526: Cloud Service Discovery

AzureHound can identify which Azure platform services (e.g., Web Apps, Function Apps and Logic Apps) are in use.

Beyond storage and identities, an actor will seek to understand what platform services are in use, as these can present unique paths for attack. By enumerating services like Web Apps, Function Apps and Kubernetes clusters (AKS), a threat actor can identify application platforms that may be misconfigured or vulnerable. This provides the threat actor with a menu of potential high-level service targets.

For Cloud Service Discovery, AzureHound has the following capabilities:

  • list apps
  • list web-apps
  • list function-apps
  • list logic-apps
  • list automation-accounts
  • list managed-clusters
  • list vm-scale-sets
  • list container-registries

With a list of applications, the threat actor’s search expands to the underlying resources. This allows them to map out automation pipelines, Kubernetes clusters and container registries for the cloud's crown jewels. A single misconfigured automation account could allow for the execution of the attacker's own code with high privileges.

This search also involves testing for publicly exposed container registries, pulling images for offline analysis to hunt for hard-coded credentials, API keys or vulnerable libraries. It could also uncover abandoned resources, providing new and powerful attack strategies.

For example, once a threat actor discovers a forgotten test automation pipeline, they can exploit its powerful identity and rights over a resource group. The attacker could then use this trusted identity to inject malicious code into the automation's runbook, waiting for a cloud pipeline to trigger, then executing their malicious code with those elevated permissions.

For a deeper look into cloud pipeline threats, see the Unit 42 analysis on the Anatomy of a Cloud Supply Pipeline Attack.

T1580: Cloud Infrastructure Discovery

AzureHound can enumerate foundational infrastructure resources like virtual machines, key vaults and management groups.

To fully grasp the architecture of the target environment, a threat actor must discover the foundational infrastructure components. This technique involves enumerating core resources and the management constructs that contain them.

A threat actor can build a complete architectural map of the cloud deployment by listing the following:

  • Virtual machines
  • Key vaults
  • The hierarchy of tenants, subscriptions and resource groups

For Cloud Infrastructure Discovery, AzureHound has the following capabilities:

  • list tenants
  • list subscriptions
  • list resource-groups
  • list management-groups
  • list virtual-machines
  • list key-vaults

Similar to the BloodHound user mapping previously shown, this use case shows how attackers visually examine infrastructure elements with BloodHound. Figure 7 displays these key vault findings. We have hidden or obscured labels and tenant information for confidentiality.

Screenshot of Microsoft AzureHound portal interface displaying a network topology diagram with icons representing Tenant, Subscriptions, Resource Groups, and Key Vaults. Icons are connected by lines indicating relationships. An arrow on the right points to a specific item in a navigation menu.
Figure 7. BloodHound illustration of available key vaults.

Instead of scrolling through output, the threat actor now has a complete, bird's eye view of key vaults in the tenant infrastructure. They can visually navigate the hierarchy from the tenant down to individual resources.

For example, in addition to key vaults, attackers can click on a node representing the Production subscription. They could then select virtual machines from the Descendent Objects list and instantly see all the virtual machines connected to it.

Defender Perspective

AzureHound relies on Microsoft Graph and Azure REST APIs to enumerate users, roles and permissions. This means that effective defense requires a layered approach that combines access control, endpoint security and visibility into the API activity. The goal is to make it significantly harder for threat actors to authenticate, execute and operate undetected in an organization's environment.

Mitigations

From a defender perspective, secure configurations are essential. As noted above in our discussion of MITRE discovery techniques, AzureHound can be used to obtain information about Azure users and resources within a specific tenant via publicly documented APIs. These API requests may also uncover security vulnerabilities within a tenant. By design, this information is accessible on a per-tenant basis to users with an Entra ID account with Read privileges in that tenant.

To bolster the security of your Azure account, we recommend customers follow Microsoft best practices. In addition, to help prevent the unauthorized access necessary for this technique to be successful, we recommend Admins implement additional security measures.

In addition to Microsoft's recommended best practices and additional security steps, the following mitigations can help further secure your organization. Some of these intersect with the best practices, and some are complementary controls or policy considerations that can be implemented to further harden your environment.

The first line of defense is strong identity and access control, which controls what a user, group or service principal can do. Organizations should implement phishing-resistant MFA for all accounts, especially those with access to sensitive data or administrative roles. Users performing highly privileged tasks, such as Global Administrators or Privileged Role Administrators, should maintain separate accounts for those duties.

Privileged Identity Management (PIM) solutions, such as Microsoft Entra ID PIM or broader Privileged Access Management (PAM) platforms, enable organizations to manage, control and monitor access to privileged identities. These solutions help prevent a compromise of standard user credentials from granting a threat actor elevated access.

In addition to identity and access control, Conditional Access Policies (CAPs) help mitigate exposure to AzureHound by restricting user and application access. CAPs are part of Entra ID and are enforced during authentication. They work by enforcing CAP-defined requirements including MFA, device compliance, trusted locations and client application restrictions. Because of this, CAPs can block AzureHound from accessing Microsoft Graph and Azure management APIs, even if an attacker has obtained valid credentials.

Another effective measure is token binding, which ensures that authentication tokens are tied to a specific device. This feature is known as Token Protection in Entra ID and moved to general availability in August 2025.

As discussed above, Void Blizzard has used stolen authentication tokens. These tokens can be used to authenticate to the target environment, including by AzureHound to the Microsoft Graph API. Token binding can help mitigate token theft attacks by making the stolen token invalid from a different device.

Additionally, secure browsers can provide similar protection by shielding access to private or privileged applications and ensuring that tokens issued are valid only from the secure browser. This renders the tokens invalid from the command line, for tools such as AzureHound.

In addition to identity controls, visibility at the endpoint level remains essential in detecting and preventing AzureHound and other threats. Ensure that endpoint detection and response (EDR/XDR) tooling is deployed across all assets, including to cloud workloads such as cloud detection and response (CDR).

The 2025 Unit 42 Global Incident Response Report discusses how threat actors target unmanaged assets. These assets are those defined as not having endpoint detection and response tools (EDR/XDR/CDR), with a reduced chance of threats being discovered.

It is also vital that organizations use a combination of cloud security posture management (CSPM) and CDR tools to detect attackers creating new compute instances (i.e., virtual machines, containers or serverless functions). This also helps ensure that cloud endpoint agents are properly installed and configured to maintain monitoring capabilities over newly created compute instances. Closing visibility gaps drastically reduces the threat actor's ability to evade detection.

AzureHound reveals which identities can register applications within the Azure tenant, so controlling app registrations is another effective mitigation against AzureHound. Threat actors often take advantage of default settings that allow users to register applications and grant themselves elevated permissions. This in turn can enable broad directory visibility without interactive logins or MFA.

Disabling user-initiated app registrations and requiring an admin consent workflow reduces the chances of a threat actor creating malicious service principals or bypassing MFA through tokenized app-based authentication.

Logging Considerations

Microsoft Graph activity logs have been available in preview since October 2023 and reached general availability in April 2024. This important capability allows defenders to monitor HTTP requests to the Graph service and detect suspicious enumeration patterns.

By default, Microsoft Graph activity logs are not enabled. Defenders should configure Microsoft Entra ID to export Microsoft Graph activity logs to destinations such as Azure Event Hubs. This allows integration with security information and event management (SIEM) solutions as well as EDR, XDR and CDR tools. These logs capture granular details of the API calls that have passed through the Graph API, including the endpoints targeted by tools like AzureHound.

Some AzureHound requests call the Azure REST API at the management.azure[.]com ARM endpoint. These requests to the ARM provider are logged differently than Graph API calls and present visibility challenges.

Activity logs collect subscription-level events from the ARM provider such as creating a new resource or deleting a storage account, which are events not associated with AzureHound requests. The read and list operations (REST GET calls) AzureHound invokes are not recorded in activity logs.

While diagnostic settings can be explicitly enabled for various resource types to capture resource provider level logging, this will only log service endpoint read operations at the data plane level (e.g., mystorage.blob.core.windows[.]net, or myvault.vault.azure[.]net). This does not occur at the control plane level where requests to the ARM provider take place. As a result, AzureHound enumeration calls to the Azure REST API, such as listing storage accounts (azurehound list storage-accounts) or key vaults (azurehound list key-vaults), will not appear in activity or resource logs.

The AzureHound GitHub repository provides additional context and information on which API an AzureHound command uses, and consequently which log to look in for the events.

For example, details on the azurehound list storage-accounts command discussed above can be found in the AzureHound API client code for storage accounts. Figure 8 illustrates AzureHound client code using the Azure REST API for storage account enumeration.

Screenshot of a code snippet related to Microsoft Azure Storage Account, featuring parameters for subscription ID and API version date.
Figure 8. AzureHound storage account enumeration source code.

Figure 9 illustrates the AzureHound client code for role enumeration list roles command using the Graph API.

Screenshot of coding script using Azure AD and Microsoft Graph API with functions and variables written in red and blue on a white background.
Figure 9. AzureHound role enumeration source code.

AzureHound list commands that go through the Azure REST API ARM endpoint and thus may not be visible in logs include the following:

  • automation-accounts
  • container-registries
  • function-apps
  • key-vaults
  • logic-apps
  • managed-clusters
  • management-groups
  • resource-groups
  • storage-accounts
  • storage-containers
  • virtual-machines
  • vm-scale-sets
  • web-apps

This logging weak spot reveals unexpected behavior of AzureHound. All azurehound list commands are preceded by AzureHound test calls to the endpoints and APIs the tool uses. The endpoints and APIs called differ depending on the Azure environment (e.g., global Azure Cloud, U.S. government, China).

The global Azure Cloud environment uses the following authentication and API endpoints:

  • Microsoft identity platform endpoint: login.microsoftonline[.]com
  • Microsoft Graph API: graph.microsoft[.]com
  • Azure REST API ARM endpoint: management.azure[.]com

Figure 10 shows an extract from the verbose output of AzureHound execution for these test calls.

Screenshot of a command-line interface displaying logs from Azurehound version 2.6.0, a tool by the BloodHound Enterprise team, indicating testing connections and the start of data collection processes involving Microsoft Azure services.
Figure 10. AzureHound API test requests.

The AzureHound call to the Microsoft identity platform endpoint login.microsoftonline[.]com is recorded in the Entra ID non-interactive sign-in logs. If Graph API logging is enabled as described earlier, the test call to the Microsoft Graph API (hxxps[:]//graph.microsoft[.]com/v1.0/organization) will be visible in the Microsoft Graph activity logs. Due to the logging limitations mentioned above, the test call to the Azure REST API at management.azure[.]com is not logged.

Table 1 below shows information from the logs for a list storage-accounts request given at 10:57 P.M. and a request for list groups given at 11:25 P.M. Recall that storage account enumeration uses the Azure REST API.

AzureHound Command Line AzureHound API Calls Logged Time Logged RequestURI Logged User-Agent
list storage-accounts AzureHound test call to the Graph API to determine reachability[1] 8/1/2025, 10:57:35.185 PM hxxps[:]//graph.microsoft[.]com/v1.0/organization azurehound/v2.6.0
Call to Azure REST API to enumerate storage account data. Call to REST API at management.azure[.]com/[...]Microsoft.Storage/storageAccounts/list is not logged
list groups AzureHound test call to the Graph API to determine reachability[1] 8/1/2025, 11:25:45.561 PM hxxps[:]//graph.microsoft[.]com/v1.0/organization azurehound/v2.6.0
Call to Microsoft Graph API to enumerate group data. 8/1/2025, 11:25:45.651 PM hxxps[:]//graph.microsoft[.]com/v1.0/groups?%24filter=securityEnabled+eq+true&%24top=99 azurehound/v2.6.0
[1]Although we only include the Graph API test call in the table, all three test calls mentioned above are invoked each time.

Table 1. Microsoft Graph API vs. Azure REST API request logging.

The data shows that while the list groups command logs the read operation for the group enumeration (Graph API: hxxps[:]//graph.microsoft[.]com/v1.0/groups?[...]), the list storage-accounts request has no associated RequestURI logged for the read operation of the storage accounts (Azure REST API: Microsoft.Storage/storageAccounts/list). This is the REST API logging weak spot that we previously referred to. However, we can match these test calls to information in other logs to gain more visibility into this activity.

For AzureHound list commands using the Azure REST API, the initial /organization Graph API request used to test the connection is logged. It can be used to correlate events by matching fields such as session ID, IP address, user ID and user-agent against other log activity in Microsoft Graph activity logs and Entra ID sign-in logs.

In addition to Microsoft Graph API and Azure REST API activity and resource logs, Entra ID sign-in logs and audit logs can provide additional context.

As the name implies, Entra ID sign-in logs record successful and failed sign-ins, but these logs also record the following:

  • CAP policy evaluation
  • Token issuance for API calls
  • User-agent and device
  • MFA details

The information contained in these logs can help identify suspicious login patterns such as:

  • Unusual geography
  • Impossible travel
  • Sign-in to resources Microsoft Graph and Azure management APIs in quick succession
  • Accounts signing in without MFA

Entra Audit logs track directory-level configuration changes in Microsoft Entra ID including:

  • User and group modification (create, delete, update)
  • Role assignments and removals
  • App registration and service principal modification
  • Application consent
  • Conditional Access policy changes
  • PIM role activations and deactivations

As such, audit logs are not very useful for directly detecting AzureHound activity. However, they are useful for finding follow-on activity after a threat actor has escalated privileges, such as the threat actor creating a new user for persistence and assigning it privileged roles.

It is also worth noting that in July 2025, Defender XDR introduced a new Advanced Hunting table, GraphApiAuditEvents, in public preview. This is a leaner version of Microsoft Graph Activity Logs that provides visibility into Entra ID Graph API calls without extra ingestion or storage costs. Its schema is simplified, including key fields like RequestURI and token identifiers. However, it lacks the UserAgent field and is limited to a default 30 days of data retention.

We will discuss in the next section how we use this information to hunt in Cortex XDR or XSIAM for related threat actor activity.

Threat Hunting

While Cortex Cloud includes various detections for Azure cloud discovery activity, an incident responder or threat hunter can also use Cortex XQL queries to drill down into the data for more detail on individual events. At the most basic level, this can be done by querying the Cortex cloud_audit_logs dataset for requests where the user agent contains an AzureHound identifier (default: azurehound/<version>).

Industry observations indicate that in many cases, threat actors operate tools using default configurations, including user-agent strings, providing an easy parameter for an initial hunt query.

Optionally, a filter for the API operation can be set to filter results for that respective operation. The following example searches for AzureHound activity (azurehound list users) that is querying the Microsoft Graph API for a list of Entra ID users.

Cortex ingests log data from Azure. The activity in Azure is surfaced through Microsoft Entra ID Microsoft Graph activity log and tied to its audit and sign-in monitoring capabilities. This provides visibility into HTTP requests made to the Microsoft Graph API within a tenant.

Figure 11 below shows a sample raw activity log entry representing an AzureHound list users request that has been sanitized for anonymity. Defenders can use many of the fields to create additional queries fitting the situation they are investigating. For example, filtering for a specific signInActivityId or callerIpAddress.

Screenshot displaying a snippet of JSON code related to Microsoft Graph API, highlighting details such as request ID, operation name, and timestamps.
Figure 11. Raw Azure activity log extract for AzureHound list users.

There are several other useful elements from the log extract:

  • The user-agent string indicates that AzureHound was most likely used to make this request.
  • The Request URI field indicates AzureHound is pulling user data via GET /users with a large attribute set (accountEnabled, createdDateTime, displayName, mail, userPrincipalName, etc.). This is consistent with discovery and privilege escalation mapping.
  • In the App ID field, the value 1950a258-227b-4e31-a9cf-717495945fc2 is the Microsoft Azure PowerShell client ID. This is worth noting as PowerShell is often used by offensive tools and by threat actors.
  • And finally, the UserPrincipalObjectID (454b1120-3507-4bbb-b559-87b7f64af7fa) is the Entra ID object ID of the user whose credentials were used. For more information, correlate the sign-in activity ID (frZ7H7lx8kSlDW0b-4MfAA) with Entra ID sign-in logs.

Identification of high volume API enumeration by a single identity is also a useful strategy for defenders to help identify suspicious discovery activity. AzureHound may generate bursts of API calls in a short time window when querying the Microsoft Graph or Azure REST APIs. This can happen during requests for high volume resources such as users, roles, virtual machines or applications, or simply when using azurehound list to enumerate the entire Azure environment at once. When combined with user-agent strings and the IP address of the calling entity, this can provide a signal for broad enumeration of an Azure environment.

The following XQL query helps surface this enumeration. The operation_name and operation_name_orig filters will limit the results to limit the search to Graph API GET requests which AzureHound uses as explained above.

The bin and comp stages together with the count() function are used to aggregate the data into 60-minute buckets for comparison with the apiCallCount threshold (500 calls per 60 minutes in the example). The apiCallCount should be adjusted to fit the size of the Azure environment. Larger organizations will likely see a higher number of requests as the number of users, roles, virtual machines and applications will typically be much larger than smaller organizations.

Cortex XQL queries allow defenders to drill into telemetry collected from sources like Microsoft Graph API activity logs to uncover detailed indicators of AzureHound activity. Queries that correlate request volume, user identity, caller IP and user agent over defined time windows can help defenders identify unusual enumeration patterns typical of AzureHound.

Conclusion

Threat actors make use of AzureHound’s capabilities for targeted cloud discovery. Its ability to enumerate users, groups, applications, permissions and resource relationships maps directly to MITRE ATT&CK TTPs. This gives threat actors like Curious Serpens and Void Blizzard a structured method to map environments, identify accounts for privilege escalation and locate the crown jewels of cloud environments.

Detecting this activity depends on telemetry visibility. Microsoft Graph activity logs provide a rich record of API calls, enabling defenders to identify discovery patterns. When paired with other Azure and Entra ID logs, these sources form a comprehensive monitoring layer that elevates threat detection and incident response.

Please refer to our Detecting Threats with Microsoft Graph Activity Logs guide for a walkthrough on configuring Graph API logging, integrating with Cortex XDR and using Cortex to investigate Microsoft Graph activity.

By aligning detections with the MITRE ATT&CK framework and leveraging these log sources, defenders can combine visibility with proactive control. The following are all critical actions that strengthen an organization’s ability to deny attackers success:

  • Mapping legitimate discovery tools to threat scenarios
  • Correlating data across systems
  • Applying Conditional Access Policies
  • Following the principle of least privilege
  • Closely monitoring for deviations from normal behavior

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Cortex Cloud Identity Security encompasses Cloud Infrastructure Entitlement Management (CIEM), Identity Security Posture Management (ISPM), Data Access Governance (DAG) as well as Identity Threat Detection and Response (ITDR) and provides clients with the necessary capabilities to improve their identity related security requirements. By providing visibility into identities, and their permissions, within cloud environments, to accurately detect misconfigurations, unwanted access to sensitive data and real-time analysis surrounding usage and access patterns.
  • Prisma Browser applies multiple mechanisms to protect against token theft and enables administrators to enforce re-authentication during a session. This limits the lifespan of any hijacked session and narrows the attacker’s window of opportunity.
  • Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Indicators of Compromise

User agent string:

  • azurehound/<version>

Additional Resources

 

The Smishing Deluge: China-Based Campaign Flooding Global Text Messages

Posted on by Zhanhao Chen

Executive Summary

We are attributing an ongoing smishing (phishing via text message) campaign of fraudulent toll violation and package misdelivery notices to a group widely known as the Smishing Triad. Our analysis indicates this campaign is a significantly more extensive and complex threat than previously reported. Attackers have impersonated international services across a wide array of critical sectors.

The attackers have targeted U.S. residents in this campaign since April 2024. The threat actor is evolving their tactics by expanding their reach globally, improving the social engineering tactics used in smishing for delivery.

The threat actor is also expanding the range of services they impersonate to include many international services in critical sectors, such as:

  • Banking
  • Cryptocurrency platforms
  • E-commerce platforms
  • Healthcare
  • Law enforcement
  • Social media

The campaign is highly decentralized, lacking a single point of control, and uses a large number of domains and a diverse set of hosting infrastructure. This is advantageous for the attackers as churning through thousands of domains weekly makes detection more difficult.

Using our intelligence framework, we have identified over 194,000 malicious domains linked to this operation since Jan. 1, 2024. Although these domains are registered through a Hong Kong-based registrar and use Chinese nameservers, the attack infrastructure is primarily hosted on popular U.S. cloud services.

This campaign uses SMS messages for social engineering to create a sense of urgency and prompt victims into immediate action. The campaign's global scale, complex infrastructure and realistic phishing pages strongly suggest that it is powered by a large, well-resourced phishing-as-a-service (PhaaS) operation. This poses a widespread threat to individuals globally. These phishing pages aim to collect sensitive information such as National Identification Numbers (such as Social Security numbers), home addresses, payment details and login credentials.

Palo Alto Networks customers are better protected from this activity through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Phishing, SMS

Technical Analysis of the Extended Smishing Triad Campaign

Earlier this year, we released timely threat intelligence social posts that reported our discovery of more than 10,000 domains involved in smishing scams. Subsequently, we found and blocked over 91,500 domains involved in the same scam. Since publishing those threat intelligence posts, we have continued to track and analyze the threat actors and domains behind these smishing scams.

Security vendor Resecurity attributes these attacks to the Smishing Triad, reporting that the group shared phishing kits on Telegram and other services. This finding is corroborated by follow-up reports by Silent Push. However, our analysis reveals that the campaign's scope is far broader and evolves faster than previously known.

Many indicators suggest that the campaign is constantly evolving. A Fortinet article highlighted the fact that the threat actors used email-to-SMS features. This article noted that arbitrary email addresses can be used to send messages through iMessage. However, we have observed that more recent smishing messages have started to use phone numbers to send them.

Many of these messages are received from phone numbers beginning with the international country code for the Philippines (+63). However, there has been an increasing number of messages in this campaign received from U.S. phone numbers (+1) as well.

Tracking all domains in this campaign is challenging due to its decentralized nature. The attack domains are short-lived and constantly churned, with thousands registered daily. The rapidly evolving campaign highlights that tracking root domains using just lexical patterns is not enough.

We have developed a multi-faceted intelligence framework to track this campaign. It synthesizes data from the following sources:

  • WHOIS and passive DNS (pDNS) reputation metrics
  • Evolving domain patterns
  • Visual clustering of screenshots
  • Graph-based infrastructure analysis

Using our multi-faceted intelligence framework, we found a total of 194,345 fully qualified domain names (FQDNs) across 136,933 root domains associated with this campaign. These root domains were registered on or after Jan. 1, 2024.

The majority of these domains are registered through Dominet (HK) Limited, a Hong Kong-based registrar and use Chinese nameservers. Although the domain registration and DNS infrastructure originate in China, the attacking infrastructure (the hosting IP addresses) is concentrated in the U.S., particularly within popular cloud services.

We find that the domains in this campaign impersonate global services in many sectors, including:

  • Critical services: Banking, healthcare and law enforcement (e.g., multi-national financial services and investment companies, police forces from cities in the Middle East)
  • Widely used services: E-commerce, social media, online gaming and cryptocurrency exchanges (e.g., several Russia-based e-commerce markets and cryptocurrency exchanges)
  • Previously reported services: Tolls and global state-owned mail and package delivery services extending beyond the U.S. (e.g., Israel, Canada, France, Germany, Ireland, Australia, Argentina)

Attackers craft SMS messages to deliver these URLs. These are highly tailored to the victims to compel immediate action. Using social engineering techniques creates a sense of urgency. By employing targeted personal information and incorporating technical or legal jargon they can appear more legitimate. These things combined with the scope of services imitated suggests that a large PhaaS operation is behind this campaign.

Underground Phishing-as-a-Service Ecosystem

In this section, we discuss the underground PhaaS ecosystem and investigate the Smishing Triad Telegram channel. Over the past six months, the channel has evolved from a dedicated phishing kit marketplace into a highly active community that gathers diverse threat actors within the PhaaS ecosystem.

Figure 1 shows chat records from different participants within the channel. Most posts are advertising various underground services such as domain registration, data sales and message delivery. Highlighting the intense competition within this ecosystem, multiple threat actors compete to offer the same services, particularly Rich Communication Services and Instant Message delivery (RCS/IM).

Screenshot of a Telegram chat with various users discussing services like virtual card provision, RCS/IM delivery, and data brokering, displayed in Chinese characters.
Figure 1. Telegram chat history of different threat actors in the PhaaS ecosystem.

Figure 2 illustrates below the different roles active in the Smishing Triad Telegram channel and their interactions.

Diagram illustrating the process of a phishing attack involving various entities such as a Liveness Scanner, Data Broker, Domain Seller Hosting Provider, Blocklist Scanner, SMS/RSC/IM Spammer, and a Phishing Kit Developer. They all work together in the ecosystem developing the target number, phishing message, credentials, and more. Arrows indicate the flow of information and actions between these elements leading to the eventual targeting of a Victim.
Figure 2. The PhaaS ecosystem of the Smishing Triad.

Threat actors specialize in different stages of the smishing supply chain, enabling them to launch attacks more efficiently and scalably:

  • Upstream
    • Data broker: Sells target phone numbers
    • Domain seller: Registers disposable domains for hosting phishing websites
    • Hosting provider: Provides servers to run phishing backends
  • Midstream
    • Phishing kit developer: Builds phishing websites (frontend and backend) and maintains the PhaaS platform, including dashboards for harvesting and managing stolen credentials
  • Downstream
    • SMS/RCS/IM spammer: Delivers phishing messages at scale to direct victims to phishing websites
  • Support
    • Liveness scanner: Verifies which target phone numbers are valid and active
    • Blocklist scanner: Checks the phishing domains against blocklists to trigger asset rotations

Domains Involved in the Campaign

A majority of the root domains involved in this campaign were created with a hyphenated series of strings followed by a top-level domain (TLD) (e.g., [string1]-[string2].[TLD]). In this section, we describe the part before the first hyphen as a prefix. In conjunction with a well-known subdomain, these prefixes could potentially trick victims. For instance, a casual inspection of the domain irs.gov-addpayment[.]info could trick people into thinking they are navigating to irs[.]gov.

Figure 3 shows the most popular prefixes of domain names used in the 136,933 root domains we found in this campaign.

Pie chart showing domain distribution: 80.0% .COM, 8.7% .GOVE, 5.9% .ORG, 1.9% .DE, 2.0% all other domains below 1%.
Figure 3. The 10 most popular prefixes of the root domains found in this campaign.

While these domains are registered through various registrars, a significant majority (68.06% or 93,197) of the root domains are registered under Dominet (HK) Limited, a registrar based in Hong Kong. The next most popular registrars are Namesilo with 11.85% (16,227) and Gname with 7.94% (10,873) of the root domains.

Domain Registration Trends

The WHOIS creation dates shown in Figure 4 reveal an interesting shift. We have picked the top 10 most popular domain prefixes in this campaign. The domains with the prefix com- were the most commonly registered in this campaign until May 2025. However, in the past three months, we observed a significant increase in the registration of gov- domains relative to com- domains. This indicates that the campaign is evolving to fit the types of services it impersonates.

Bar graph displaying the number of domains by WHOIS creation month from October 2024 to June 2025, segmented by domain prefixes including al, ca, co, com, de, dmv, gov, id, ny, and org. The highest domain count is in March 2025 for the 'all' category with close to 30k domains.
Figure 4. WHOIS creation dates for domains belonging to this campaign.

Domain Lifetimes

We also evaluated the lifetime of the domains used in this campaign using pDNS data. A domain's lifetime is the duration between its earliest “first seen” and latest “last seen” timestamps.

As detailed in Figure 5, 39,964 (29.19%) domains were active for two days or less. We saw that 71.3% of these domains were active for less than a week and 82.6% had a lifespan of two weeks or less.

Less than 6% of domains remain active beyond the first three months of their registration. This rapid churn clearly demonstrates that the campaign's strategy relies on a continuous cycle of newly registered domains to evade detection.

Bar chart showing the distribution of domain lifespans, with 'Count of Domains' on the vertical axis and 'Number of Days Domains Were Active' on the horizontal axis. The chart indicates a high count of domains with very short lifespans, decreasing sharply as the number of active days increases. Most domains were active for less than 10 days.
Figure 5. Distribution of domain lifetimes from pDNS data.

Network Infrastructure

As previously mentioned, the domains involved in these campaigns are highly decentralized. In this section, we investigate the network infrastructure of the campaign.

DNS Infrastructure

The 194,345 FQDNs in this campaign resolve to a large and diverse set of approximately 43,494 unique IP addresses. The campaign uses a majority of U.S. IP addresses hosted on Autonomous System AS13335, particularly within the 104.21.0[.]0/16 subnet.

In contrast, the nameserver infrastructure is more concentrated, with only 837 unique nameserver root domains. A large majority of the FQDNs use just two providers: AliDNS (45.6%) and Cloudflare (34.6%). This centralization suggests that while the campaign's web hosting is widely distributed, its DNS management is consolidated under a few key services.

Campaign Infrastructure Graph

In Figure 6, we present an example graph depicting this campaign. We see that there are 90 different root domains pointing to a set of IP addresses in the 104.21.0[.]0/16 subnet belonging to AS13335. There are several such localized clusters for each IP address and nameserver.

Network diagram depicting various types of internet connections between a central node and multiple outer nodes, with icons representing different components like URLs, hostnames, and IP addresses, accompanied by a legend explaining the symbols used. URL icon is URL. FILE icon is file. WWW earth icon is hostname. American flag is IP address. Hostname icon in orange circle is domain in a seed list. Blue indicates relationships.
Figure 6. Campaign graph depicting 90 different root domains pointing to a set of IP addresses within the 104.21.0[.]0/16 subnet.
The U.S. Postal Service (USPS) is the single most impersonated service with 28,045 FQDNs. The broader category of toll services is the most impersonated category in this campaign, with nearly 90,000 dedicated phishing FQDNs.

We present examples of domains that masquerade as different types of services in the Impersonated Brands and Services section.

Geolocation of the Attack Domains Infrastructure

The attack domains are hosted on different IP addresses that are geolocated to various countries. To identify the domains generating the most traffic, we analyzed the distribution of pDNS queries to find the DNS query volume for all domains in the campaign.

We aggregated the number of DNS responses per domain and geolocated the IP addresses in these responses. Queries to domains located in the U.S. account for more than half the volume of queries, as shown in Figure 7. The attack infrastructure for domains generating the largest volume of traffic were located in the U.S., followed by China and Singapore.

Bar chart displaying the percentage distribution of DNS queries across countries. United States leads at 58%, followed by China at 21%, Singapore at 19%, all other countries combined at 1.5%, and Germany at 0.5%. The chart includes labels for each country and percentage values on each bar.
Figure 7. Distribution of DNS queries to attack domains by geolocation of the IP addresses.

Impersonated Brands and Services

A large portion of the attack infrastructure we saw was based in the U.S., and the impersonated services reflected this. However, we also identified attackers impersonating services in other countries.

Large U.S. Focus

The campaign targets individuals. It sends messages that masquerade as coming from various commercial organizations as well as state and U.S. government offices, such as:

  • Commercial and state-owned mail and package delivery services
  • State vehicles and licensing agencies
  • State and federal tax services or agencies

We also found mentions of U.S. state names and their two-letter abbreviations in the FQDNs.

Global Brands and Services

  • Critical services: This campaign often includes messages that mimic those that could come from critical services such as mail, toll payment services, law enforcement and banking in several countries:
    • The U.S. (banking, mail and delivery, tolls)
    • Germany (mail and delivery services, investment banks and savings banks)
    • United Arab Emirates (police forces belonging to multiple cities)
    • The UK (state-owned services)
    • Malaysia, Mexico (banks)
    • Argentina, Australia, Canada, France, Ireland, Israel, Russia (electronic tolls, as well as mail and delivery services).
  • General services: The campaign involves impersonating messages from many general services such as:
    • Carpooling applications
    • Online platforms for home-sharing and hospitality services
    • Popular social media sites
  • Typosquatting: We have observed several FQDNs used in this campaign that are typosquatting popular services, including financial technology applications and personal cloud services
  • E-commerce and online payment platforms: This campaign also impersonates several large e-commerce platforms in:
    • Russia
    • Poland
    • Lithuania
    • Other countries internationally
  • Cryptocurrency exchanges: We found that the campaign also impersonates cryptocurrency exchanges, wallet and Web3 platforms
  • Gaming-related: We have found FQDNs used in this campaign relating to online games and fake marketplaces for in-game skins

What Content Is Being Hosted?

Phishing Impersonating Banking and Popular Services

The most common landing page we observed contained phishing content impersonating the service indicated by the FQDN. Figure 8 presents examples of phishing pages designed to resemble login and identity verification for a consumer electronics company (5,078 FQDNs) and a significant financial services firm (769 FQDNs). These are potentially aimed at extracting victims’ login information and other sensitive information such as social security numbers.

Two open browser windows displaying user interface designs for account access. The left screen shows a login page with options to enter an email address, and buttons for password recovery and account creation. The right screen displays a form for identity verification requiring name, date of birth, and identification number.
Figure 8. Landing pages for domains phishing banking and popular service providers.

Phishing Impersonating Government Agencies

We have observed phishing pages impersonating government services such as the IRS and U.S. state vehicle departments and other transportation-related agencies.

These landing pages often mention unpaid toll and other service charges. They are potentially aimed at extracting login credentials, personal details and payment information.

Figure 9 shows examples of landing pages of domains impersonating state-specific electronic toll services. They use the state names and their services in the subdomain names and make use of state logos and emblems within the phishing pages.

Left: Photo of vehicles driving on a snowy highway during winter above text spoofing a department of transportation website. Right: Screenshot of the "Renewal Express" website interface for vehicle registration, featuring a section titled "To pay your notice." In both images some of the information is redacted.
Figure 9. Landing pages for domains phishing state-specific electronic toll services.

Figure 10 shows examples of landing pages impersonating U.S. government agencies such as the IRS (128 FQDNs). The page contains a fake CAPTCHA page that is designed to manipulate users into executing malicious scripts on their machine.

Left: Two people smiling while looking at a laptop screen, displayed with a "Robot or human?" CAPTCHA prompt. Right: A close-up of a computer screen showing a Google reCAPTCHA verification step.
Figure 10. Landing pages for domains phishing government agencies.

Misdelivery and Fake Customs Charges

Figure 11 shows several examples of landing pages containing fake notices of delivery failure, toll violation, international customs charges associated with popular mail and package delivery services, and toll services. These are potentially aimed at extracting personal information such as home addresses, contact details and payment information from victims.

Collage of four website screenshots including a UK Government customs charge page, a Hebrew mobile app interface, a delivery options page, and a shipping tracker page.
Figure 11. Landing pages for misdelivery and fake customs charges.

Conclusion

We have uncovered that the smishing campaign impersonating U.S. toll services is not isolated. It is instead a large-scale campaign with global reach impersonating many services across different sectors. The threat is highly decentralized. Attackers are registering and churning through thousands of domains daily.

To track this rapidly evolving activity, we developed a multi-faceted intelligence framework that synthesizes data from WHOIS records, pDNS, evolving domain patterns, visual clustering of landing pages and graph-based infrastructure analysis.

We advise people to exercise vigilance and caution. People should treat any unsolicited messages from unknown senders with suspicion. We recommend that people verify any request that demands urgent action using the official service provider's website or application. This should be done without clicking any links or calling any phone numbers included in the suspicious message.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

  • icloud.com-remove-device[.]top
  • flde-lity.com-lg[.]icu
  • michigan.gov-etczhh[.]cc
  • utah.gov-etcfr[.]win
  • irs.gov-tax[.]cfd
  • irs.org.gov-tax[.]icu
  • anpost.com-pay[.]online
  • kveesh6.il-363[.]com
  • dhl.de-yiore[.]store
  • usps.com-posewxts[.]top
  • e-zpass.com-etcha[.]win
  • usps.com-isjjz[.]top
  • flde-lity.com-jw[.]icu
  • e-zpass.com-tollbiler[.]icu
  • e-zpassny.com-pvbfd[.]win
  • e-zpass.com-statementzz[.]world
  • e-zpass.com-emea[.]top
  • pikepass.com-chargedae[.]world
  • e-zpass.com-etcoz[.]win
  • e-zpassny.com-kien[.]top
  • e-zpassny.com-xxai[.]vip
  • sunpass.com-hbg[.]vip
  • usps.com-hzasr[.]bid
  • e-zpassny.gov-tosz[.]live
  • michigan.gov-imky[.]win
  • e-zpass.org-yga[.]xin
  • e-zpass.org-qac[.]xin
  • ezpass.org-pvwh[.]xin
  • ezpassnj.gov-mhmt[.]xin
  • e-zpassny.gov-hzwy[.]live
  • irs.gov-addpayment[.]info
  • irs.gov-mo[.]net
  • israeipost.co-ykk[.]vip
  • canpost.id-89b98[.]com
  • anpost.id-39732[.]info

Additional Resources

Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign

Posted on by Samantha Stallings

Executive Summary

We investigated a campaign waged by financially motivated threat actors operating out of Morocco. We refer to this campaign as Jingle Thief, due to the attackers’ modus operandi of conducting gift card fraud during festive seasons. Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards. Their operations primarily target global enterprises in the retail and consumer services sectors. Once they gain access to an organization, they pursue the type and level of access needed to issue unauthorized gift cards.

The activity related to this campaign is tracked by Unit 42 as cluster CL‑CRI‑1032. The threat actors behind the activity target organizations that primarily rely on cloud-based services and infrastructure. They then exploit Microsoft 365 capabilities to conduct reconnaissance, maintain long-term persistence and execute large-scale gift card fraud. We assess with moderate confidence that the activity cluster we track as CL-CRI-1032 overlaps with the activity of threat actors publicly tracked as Atlas Lion and STORM-0539 [PDF].

What makes the threat actor behind this activity particularly dangerous is the ability to maintain a foothold inside organizations for extended periods — sometimes over a year. During this time, they gain deep familiarity with the environment, including how to access critical infrastructure — making detection and remediation especially challenging. In April and May 2025, the threat actor behind the Jingle Thief campaign launched a wave of coordinated attacks across multiple global enterprises.

This article presents an end-to-end analysis of the Jingle Thief campaign lifecycle, based on real-world incident telemetry and detections. We provide a clear view of the methods involved in this activity, and practical guidance for mitigating identity-based threats — attacks that target user accounts and credentials — in cloud environments. As identity increasingly replaces the traditional perimeter, understanding campaigns like Jingle Thief is essential to securing modern enterprise infrastructure.

This activity was identified through behavioral anomalies detected by Cortex User Entity Behavior Analytics (UEBA) and Identity Threat Detection and Response (ITDR). Customers are better protected from this activity with the new Cortex Advanced Email Security module.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Phishing, Smishing

Who Is Behind the Jingle Thief Campaign?

We assess with moderate confidence that the Jingle Thief campaign was created by financially motivated Morocco-based attackers who have been active since 2021. Their operations primarily target global enterprises in the retail and consumer services sectors. Although not affiliated with a nation-state, the activity we track as CL‑CRI‑1032 includes advanced tactics, persistence and operational focus.

Unlike threat actors who rely on commodity malware or endpoint exploitation, the attackers behind CL‑CRI‑1032 operate almost exclusively in cloud environments once they obtain credentials through phishing. They exploit cloud-based infrastructure to impersonate legitimate users, gain unauthorized access to sensitive data and carry out gift card fraud at scale.

Anatomy of the Jingle Thief Campaign

In a campaign that we observed, threat actors maintained access for approximately 10 months and compromised over 60 user accounts within a single global enterprise. The activity involved the use of Microsoft 365 services, including SharePoint, OneDrive, Exchange and Entra ID. This demonstrated a high degree of adaptability and operational patience. Detecting this approach requires close observation of adversaries’ actions over an extended period. The threat actors behind the Jingle Thief campaign often align their activity with holiday periods, increasing operations during times of reduced staffing and heightened gift card spending.

Having gained initial access, the threat actors conducted reconnaissance to map the environment, moved laterally to access more sensitive areas, and identified opportunities to execute large-scale financial fraud. Figure 1 illustrates the end-to-end attack lifecycle across Microsoft 365, highlighting how the threat actors progressed from phishing-based entry to persistent access through device registration.

Sequence of icons representing the attack chain: Initial Access shows phishing and smishing for cloud credentials; Cloud Recon involves mining SharePoint and OneDrive for gift card intel; Internal Phishing depicts sending phishing emails internally; Inbox Rules include forwarding emails to external senders; Evade Defense depicts moving phishing emails to deleted items, Register Device features modification of authentication methods.
Figure 1. Jingle Thief phishing attack chain across Microsoft 365.

The final attack step of device registration creates a foothold that the threat actors exploit to issue gift cards, which they then leverage for monetary gain.

Why Gift Cards? The Prey of Choice

Gift cards are highly attractive to financially motivated actors due to their ease of redemption and rapid monetization. Threat actors resell gift cards on gray-market forums at discounted rates, enabling near-instant cash flow.

Additional factors that make gift cards attractive include:

  • Minimal personal information required for redemption
  • Difficult to trace, making fraud harder to investigate or recover
  • Accepted widely, often indistinguishable from legitimate use
  • Useful for low-risk money laundering, especially across jurisdictions
  • Frequently issued through systems with weak access controls, broad internal permissions, and limited monitoring or logging

Retail environments are particularly vulnerable to this type of attack, as gift card systems are often accessible to a wide range of internal users, such as store employees. These systems may support multiple vendors or programs, making access pathways broader and more difficult to control.

Gift card fraud combines stealth, speed and scalability, especially when paired with access to cloud environments where issuance workflows reside. To exploit these systems, the threat actors need access to internal documentation and communications. They can secure this by stealing credentials and maintaining a quiet, persistent presence within Microsoft 365 environments of targeted organizations that provide gift card services.

In the campaign we observed, the attackers made repeated access attempts against multiple gift‑card issuance applications. They tried to issue high‑value cards across different programs in order to monetize them, and possibly to use the cards as collateral in money-laundering schemes — effectively turning digital theft into untraceable cash or short-term loans. These operations were staged in a way that minimizes logging and forensic traces, reducing the chance of rapid detection.

Highly Targeted and Tailored Attacks

The threat actors behind the Jingle Thief campaign invest heavily in reconnaissance before launching attacks. They gather intelligence on each target, including branding, login portals, email templates and domain naming conventions. This allows them to craft highly convincing phishing content that appears authentic to both users and security tools.

Phishing URLs often include the organization’s name, a trusted third-party tool or software, and landing pages that closely mimic legitimate login screens. This highly customized social engineering approach increases the likelihood of compromise and highlights the actors’ use of sophisticated techniques.

Figure 2 shows a credential phishing page crafted by the threat actors to impersonate a legitimate Microsoft 365 login portal, tailored to the victim organization’s branding.

Screenshot of an "Account Sign On" interface with fields for User ID and Password, and buttons for "Sign In," "Forgot Password," and "Change Password."
Figure 2. Fake Microsoft 365 login page tailored to the target organization.

Initial Access: Phishing and Smishing for Cloud Credentials

The threat actors behind the Jingle Thief campaign typically begin their operations with tailored phishing or SMS-based smishing attacks. These messages lure victims to counterfeit Microsoft 365 login portals that mimic legitimate sign-in pages. Some lures impersonate nonprofits or non-governmental organizations (NGOs), likely to give the appearance of credibility and increase victim engagement.

Notably, many messages are delivered using self-hosted PHP mailer scripts, often sent from compromised or hijacked WordPress servers, which obscure the attackers’ origin and improve delivery.

The threat actors also employ deceptive URL formatting, such as: https://organization[.]com@malicious.cl[/]workspace

While the URL above appears to point to the legitimate organization’s domain (organization[.]com), browsers interpret everything before the @ as user credentials, and actually navigate to the domain after it (malicious.cl). This tactic helps disguise the true destination of the link and increases the likelihood of victims clicking.

After harvesting credentials in the campaign that we observed, the attackers authenticated to Microsoft 365 directly and began navigating the environment, with no malware required. Figure 3 shows a smishing attempt used to harvest credentials, captured from a malicious PHP email send log from the attackers’ infrastructure. The message originated from a Moroccan IP address, and was sent to a Verizon SMS gateway (vtext.com).

Screenshot of an email header displaying various metadata fields such as date, subject, and server information, indicating the use of Microsoft Windows and Linux operating systems. Two sections are highlighted in red boxes.
Figure 3. Credential phishing via smishing, logged from attackers’ infrastructure.

Cloud Reconnaissance: Mining SharePoint and OneDrive for Gift Card Intel

After initial access, the attackers behind Jingle Thief perform extensive reconnaissance within the Microsoft 365 environment, particularly focusing on SharePoint and OneDrive. These services frequently contain internal documentation related to business operations, financial processes and IT workflows.

The threat actors search for:

  • Gift card issuance workflows
  • Ticketing system exports or instructions
  • VPN configuration and access guides
  • Spreadsheets or internal tools used to issue or track gift cards
  • Organizational virtual machines, Citrix environments

Figure 4 shows SharePoint files accessed by the threat actors after account compromise, revealing their focus on internal documentation tied to gift card workflows and remote access infrastructure.

Screenshot showing a list of hyperlinks and document files.
Figure 4. Internal SharePoint files accessed by Jingle Thief post-compromise.

Rather than escalating privileges, the threat actors build situational awareness by accessing readily available data on compromised users. This discreet approach helps evade detection while laying the groundwork for future fraud.

Internal Phishing for Lateral Moves

Instead of deploying malware or post-exploitation frameworks, Jingle Thief relies on internal phishing to expand their foothold within target environments. In an attempted attack against one of our customers, after compromising a user's Microsoft 365 account, the attackers sent phishing emails from the legitimate account to personnel inside the same organization. These messages mimicked IT service notifications or ticketing updates, often leveraging information gathered from internal documentation or previous communications to appear legitimate.

Common lures:

  • Fake ServiceNow alerts: "INCIDENT REQ07672026 Has been completed"
  • IT access notifications: "ServiceNow Account Inactivity Notice"
  • Generic approval prompts: "Incident pending your review"

These emails link to fake login portals branded with the organization’s identity, leveraging internal trust to evade suspicion and spread laterally.

Figure 5 shows an internal phishing email sent from a compromised account, spoofing a ServiceNow inactivity notice to trick users into entering credentials.

An email screenshot from ServiceNow titled "ServiceNow Account Inactivity Notice," alerting the recipient of detected inactivity on their account and asking them to verify their account activity within 48 hours to prevent deactivation. Some of the information is redacted for privacy concerns.
Figure 5. Internal phishing email mimicking a ServiceNow notification.

Ruling the Inbox for Silent Email Exfiltration

To passively monitor internal communications, the attackers responsible for the Jingle Thief campaign often create inbox rules to automatically forward emails to attacker-controlled addresses.

They monitor:

  • Gift card approvals
  • Financial workflows
  • IT ticketing or account changes

This approach reduces the need for active attacker interaction and helps maintain stealth. Figure 6 shows an alert flagging the creation of a malicious inbox forwarding rule, which is one of the stealth tactics employed by these threat actors to monitor internal communications.

Screenshot of a security alert from XDR Analytics indicating an "Exchange inbox forwarding rule configured" identified as an Identity Threat.
Figure 6. Cortex XDR alert showing automatic email forwarding rule set by threat actors.

Stealthy Email Activity: Hiding in Plain Sight

To cover their tracks, the attackers actively manage mailbox folders:

  • Moving sent phishing emails immediately from Sent Items to Deleted Items
  • Moving replies from users from Inbox to Deleted Items

This ensures that victims won’t see the phishing messages or responses, delaying discovery by both victims and defenders.

The Exchange audit logs in Figure 7 show the attackers moving phishing email replies from the Inbox folder to the Deleted Items folder.

Screenshot of an email inbox displaying multiple messages with the subject 'Automatic reply: INCIDENT [Set of numbers] has been completed', all from the sender 'MoveToDeclassifiedItems' and located in the 'Inbox' folder.
Figure 7. Items moved from Inbox to Deleted Items.

Dominating Rogue Devices for Persistence

Most of the intrusions we observed in the Jingle Thief campaign relied on stolen credentials or session tokens for temporary access. However, the actors also demonstrated techniques for establishing longer-term persistence within compromised environments.

In some intrusions, the threat actors took control of identity infrastructure by misusing legitimate user self-service and device enrollment mechanisms in Microsoft Entra ID. These tactics allowed them to maintain access even after passwords were reset or sessions were revoked.

Tactics include:

  • Registering rogue authenticator apps to bypass MFA
  • Resetting passwords via self-service flows
  • Enrolling attacker-controlled devices in Entra ID

Figure 8 shows the user interface for registering a device in Microsoft Entra ID using the Authenticator app. The attackers misused this legitimate process to silently enroll rogue devices and maintain MFA-resistant access.

Screenshot of the Microsoft Authenticator app onboarding screen with an illustration featuring a person and a cat next to a mobile device displaying security features. There are options to 'Add account' and links for 'Begin recovery' and checking if the user already has a backup.
Figure 8. Device registration flow in Microsoft Entra ID.

The ultimate goal of these varied tactics – phishing, inbox control, mail exfiltration and rogue device registration – is to obtain and monetize gift cards at scale.

Tracing Jingle Thief’s Moroccan Roots

The campaign activities that we observed almost exclusively originated from IP addresses geolocated in Morocco. Across incidents, Microsoft 365 logs showed recurring device fingerprints and login behaviors associated with these IP addresses. Unlike many actors who hide behind VPNs, these threat actors often made no attempt to obscure their origin, and only sometimes used Mysterium VPN when accessing compromised accounts.

Autonomous System Number (ASN) metadata from the connections also consistently matched Moroccan telecommunications providers, including:

  • MT-MPLS
  • ASMedi
  • MAROCCONNECT

In addition to IP and ASN infrastructure, Jingle Thief reuses distinctive domain and URL structures across campaigns. These recurring patterns in domain naming and infrastructure further support attribution to a Morocco-based threat group.

Conclusion

The Jingle Thief campaign demonstrates a clear focus on major retailers’ gift-card issuance systems. The attackers targeted multiple issuance applications to generate high‑value cards, likely for resale on gray markets, or as fungible assets in money‑laundering chains. Gift-card systems are often under‑monitored and widely accessible internally, making them an attractive extension to identity‑based attacks: By compromising the right accounts, threat actors can issue and steal gift cards, while leaving almost no trace of their malicious operations.

The cluster of activity behind the Jingle Thief campaign overlaps with the activity of threat actors publicly tracked as Atlas Lion. This cluster — tracked by Unit 42 as CL-CRI-1032 — favors identity misuse over malware, and leverages trusted cloud services rather than endpoint compromise. Their campaigns highlight how attackers can operate entirely within cloud environments, abusing legitimate features for phishing, persistence and fraud.

By understanding the tactics used in the Jingle Thief campaign, defenders can better prioritize identity-based monitoring and adapt to the industry’s shift toward treating identity as the new security perimeter. Understanding user behavior, login patterns and identity misuse are increasingly essential for early detection and response.

Palo Alto Networks customers are better protected from this activity with the new Cortex Advanced Email Security module, as well as Cortex UEBA and ITDR.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Moroccan Infrastructure (Attribution Signal)

  • 105.156.109[.]227
  • 105.156.234[.]139​​
  • 105.157.86[.]136
  • 105.158.226[.]49
  • 105.158.237[.]165
  • 160.176.128[.]242
  • 160.178.201[.]89
  • 160.179.102[.]157
  • 196.64.165[.]160
  • 196.65.139[.]51
  • 196.65.146[.]114
  • 196.65.172[.]48
  • 196.65.237[.]97
  • 196.74.125[.]243
  • 196.74.183[.]81
  • 196.77.47[.]232
  • 196.89.141[.]80
  • 41.141.201[.]19
  • 41.250.180[.]114
  • 41.250.190[.]104

Associated ASN Organizations (Geolocated to Morocco)

  • MT-MPLS
  • ASMedi
  • MAROCCONNECT

U.S. Infrastructure (Potential Proxy or Compromised Hosts)

  • 70.187.192[.]236
  • 72.49.91[.]23

Phishing URL Patterns

  • hxxps://*.com.ng/*[brand-name].com/home/
  • hxxps://*.[brand-name].servicenow.*/*access
  • hxxps://[brand-name].com@*.*/portal/
  • hxxps://[brand-name].com@*.*/workspace
  • hxxps://*/home
  • hxxps://*/workspace/home

Additional Resources

Cortex XDR/XSIAM Alerts on Jingle Thief Activity

Table 1 shows Cortex alerts for this activity, using Identity Analytics including behavioral indicators of compromise (BIOC) and the ITDR module.

Alert Name Alert Source MITRE ATT&CK Technique
Exchange inbox forwarding rule configured XDR Analytics BIOC, Identity Threat Module (ITDR) Hide Artifacts: Email Hiding Rules (T1564.008)
User moved Exchange sent messages to deleted items XDR Analytics, Identity Threat Module (ITDR) Indicator Removal: Clear Mailbox Data (T1070.008)
First connection from a country in organization XDR Analytics BIOC, Identity Analytics Compromise Accounts (T1586)
First SSO access from ASN in organization XDR Analytics BIOC, Identity Analytics Valid Accounts: Domain Accounts (T1078.002)
Impossible Traveler - SSO XDR Analytics, Identity Analytics Compromise Accounts (T1586)
A user connected from a new country XDR Analytics BIOC, Identity Analytics Compromise Accounts (T1586)
First SSO access from ASN for user XDR Analytics BIOC, Identity Analytics Valid Accounts: Domain Accounts (T1078.002)
A user connected to a VPN from a new country XDR Analytics BIOC, Identity Analytics Compromise Accounts (T1586)
VPN access with an abnormal operating system XDR Analytics BIOC, Identity Analytics Valid Accounts: Domain Accounts (T1078.002)
First VPN access from ASN in organization XDR Analytics BIOC, Identity Analytics Valid Accounts: Domain Accounts (T1078.002)
First SSO Resource Access in the Organization XDR Analytics BIOC, Identity Analytics Valid Accounts: Domain Accounts (T1078.002)
Suspicious SSO access from ASN XDR Analytics BIOC, Identity Analytics Valid Accounts: Domain Accounts (T1078.002)
A possible risky login to Azure XDR Analytics BIOC, Identity Analytics Compromise Accounts (T1586)
User attempted to connect from a suspicious country XDR Analytics BIOC, Identity Analytics Compromise Accounts (T1586)
SSO with new operating system XDR Analytics BIOC, Identity Analytics Valid Accounts: Domain Accounts (T1078.002)
Massive file downloads from SaaS service XDR Analytics, Identity Threat Module (ITDR) Data from Cloud Storage (T1530)

Table 1. Cortex XDR/XSIAM alerts on Jingle Thief campaign activity.

 

The Golden Scale: Notable Threat Updates and Looking Ahead

Posted on by Ria Bhatia

We recently published an Insights piece “The Golden Scale: Bling Libra and the Evolving Extortion Economy,” which primarily focused on the Salesforce data theft extortion activity. This was associated with the cybercriminal syndicate known as Scattered LAPSUS$ Hunters. Since early October 2025, we have observed several notable developments within a Telegram channel (SLSH 6.0 part 3) used by the threat actors. This activity may provide a glimpse into how the group plans to operate in the foreseeable future. We’re providing these insights so that organizations can better prepare for and defend against this evolving threat activity.

Fallout From the Extortion Deadline

As noted in our previous Insights piece, Scattered LAPSUS$ Hunters listed the deadline for impacted organizations to make a ransom payment as 11:59 PM ET on Oct. 10, 2025. Since that time, news reports have indicated that the threat actors have leaked stolen data allegedly belonging to six companies. These companies operate across the aviation, energy and retail sectors. The leaked data allegedly includes various types of personally identifiable information (PII) such as names, dates of birth, email addresses, phone numbers and frequent flyer numbers.

Unit 42 recently tried to access the data leak site (DLS) associated with the threat actors, and noticed the website had what appeared to be a defacement message posted (see Figure 1). As a result, we were unable to determine if any victim data was still listed.

Text excerpt with a warning message presumably addressed to someone named James from the Scattered, mentioning the FBI and ShinyHunters.
Figure 1. Screenshot of message posted to Bling Libra’s latest DLS as of Oct. 17, 2025. Source: Scattered LAPSUS$ Hunters' DLS.

On Oct. 11, 2025, a day after the posted deadline and the release of data for the six organizations referenced above, the threat actors stated that “nothing else will be leaked.” The meaning of “the things we have cannot be leaked for obvious reasons” is unclear (see Figure 2). These “obvious reasons” could mean increased attention and action from law enforcement due to who owns the data or its type.

Telegram screenshot reads: "A lot of people are asking what else will be leaked. Nothing else will be leaked. Everything that was leaked was leaked, we have nothing else to leak and obviously the things we have cannot be leaked for obvious reasons. :D
Figure 2. Screenshot of Telegram post to SLSH 6.0 part 3 channel on Oct. 11, 2025. Source: Telegram.

As shown below in Figure 3, the threat actors appear to potentially be stepping away from any activities until the beginning of next year. A post after this one states “I promise you, you WILL feel our wrath.”

Telegram screenshot with a statement from the threat actors on their continuous operations targeting global corporations and critical infrastructure, and insisting they are not criminals but businessmen.
Figure 3. Screenshot of Telegram post to SLSH 6.0 part 3 channel on Oct. 11, 2025. Source: Telegram.

Extortion-as-a-Service Program Advertisement

On Oct. 10, 2025, shortly prior to their self-imposed deadline, the threat actors formally alluded to the launch of their extortion-as-a-service (EaaS) program as shown in Figure 4. They claim this EaaS program will be similar to a typical ransomware-as-a-service (RaaS) program with a clear difference: no file encryption. As noted in my previous Insights piece, one likely factor for this shift is to potentially fly under the radar of law enforcement attention. This could be motivated by their focus on disrupting ransomware operations in recent years.

Telegram screenshot announcing the launch of a new EaaS (Extortion-as-a-Service), detailing features such as anonymity and professional negotiation support, with further details to be released soon.
Figure 4. Screenshot of Telegram post to SLSH 6.0 part 3 channel on Oct. 10, 2025. Source: Telegram.

Renewed Insider Access Recruitment

On Oct. 5, 2025, the threat actors posted an advertisement seeking insider access at organizations across a variety of industries, as seen in Figure 5.

As also noted by ReliaQuest on their X account, the threat actors state their primary interest is in acquiring access to call centers, gaming companies, hosting providers, software-as-a-service (SaaS) and telecom organizations. These organizations would be based in countries such as the U.S., UK, Australia, Canada and France.

Telegram screenshot that includes information on rules, IA rates, employee or insider recruitment, and regions of focus.
Figure 5. Screenshot of Telegram post to SLSH 6.0 part 3 channel on Oct. 5, 2025 Source: Telegram.

Threat actors affiliated with “The Com” have previously advertised interest in partnering with insiders at targets of interest to them. This was reported in our May 2025 update on Muddled Libra (aka Scattered Spider).

Potential Emergence of New Ransomware

On Oct. 4, 2025, the threat actors claimed to be developing a new form of ransomware named “SHINYSP1D3R” as noted in Figures 6 and 7. These posts appear to be related to observations previously noted by Falconfeeds in August 2025. It is currently unclear if the aforementioned ransomware is still under development or simply a false claim.

Telegram screenshot: "It's time to make it clear to certain entities what real extortion looks like." The rest of the text lists other cybercrime groups and asks the readers to stay tuned on what's new.
Figure 6. Screenshot of Telegram posts to SLSH 6.0 part 3 channel on Oct. 4, 2025. Source: Telegram.
Telegram screenshot that says what is coming next is the GTA 6 of ransomware.
Figure 7. Screenshot of Telegram posts to SLSH 6.0 part 3 channel on Oct. 4, 2025. Source: Telegram.

What Comes Next — and What I Recommend You Do

Given that the clearnet version of Scattered LAPSUS$ Hunters’ newly launched DLS is unavailable at this time, it is unclear if any of the victims listed on the site made a ransom payment to the threat actors.

Additionally, it remains relatively uncertain if the EaaS program advertised by the threat actors will be as lucrative of a business model as they likely hoped it would be. Given that the advertisement specifically cites the removal of any file encryption in comparison to a traditional RaaS program, organizations may be less willing to make a ransom payment considering the potential lack of operational disruption.

Finally, it is not evident why the threat actors would potentially be interested in operating both an EaaS and a RaaS program, other than attempting to diversify their revenue streams. This is certainly something Unit 42 will continue to monitor going forward.

As noted in our previous Insights piece, the theft and leakage of PII, including loyalty program details (e.g., frequent flyer numbers) from some victim organizations (specifically those in hospitality) could enable cybercriminals to conduct identity theft and other types of fraud, including fueling the growth of fraudulent travel agencies advertised across underground cybercrime forums and Telegram channels.

Given the rise of RaaS programs in recent years, many organizations have developed incident response playbooks specifically to prepare for a ransomware event in terms of operational disruption. I believe it is now time for organizations to create similar playbooks for the growing threat of EaaS programs, specifically to prepare for the reputational risks associated with such events. This should include having third-party experts on standby via retainer to assist with potential negotiations, verification of stolen data and other related actions.

If your organization has been threatened with data theft extortion by Scattered Lapsus$ Hunters or other cybercriminals, the Unit 42 Incident Response team is here and ready to support with either a suspected compromise or to reduce the risk via a proactive threat assessment.

Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities

Posted on by Unit 42

Executive Summary

On Oct. 15, 2025, F5 — a U.S. technology company — disclosed that a nation-state threat actor conducted a significant long-term compromise of their corporate networks. In this incident, attackers stole source code from their BIG-IP suite of products and information about undisclosed vulnerabilities. F5’s BIG-IP suite is commonly used by large organizations, primarily in the U.S. but also globally, for availability, access control and security. Organizations including government agencies and Fortune 500 companies rely on BIG-IP.

Cortex Xpanse currently identifies over 600,000 unique hosts behind a Big-IP instance exposed to the internet.

F5’s investigation revealed that the attackers maintained long-term access to the company’s product development environment and engineering knowledge management platform. This enabled attackers to access highly sensitive data.

F5 also released details of several vulnerabilities of varying severity. Some of the key vulnerabilities are:

  • CVE-2025-53868: A BIG-IP SCP and SFTP vulnerability with a CVSS score of 8.7. This could allow for a significant impact on affected systems.
  • CVE-2025-61955: An F5OS vulnerability with a CVSS score of up to 8.8 in appliance mode. This could lead to major compromises of F5OS-A and F5OS-C systems.
  • CVE-2025-57780: An F5OS vulnerability with a CVSS score of up to 8.8 in appliance mode, representing another critical threat to F5OS systems.

Key Takeaways

  • What Was Exfiltrated: The threat actor exfiltrated files from the BIG-IP product development environment and engineering knowledge management platforms. These files contained some BIG-IP source code and information about undisclosed vulnerabilities. F5 stated it currently has no knowledge of undisclosed critical or remote code vulnerabilities, and it has not observed active exploitation of any undisclosed F5 vulnerabilities.
  • Customer Impact: There is no evidence of access to — or exfiltration of — data from F5’s CRM, financial, support case management or iHealth systems. However, some of the exfiltrated files from the knowledge management platform contained configuration or implementation information for a small percentage of customers.
  • Supply Chain Integrity: There is no evidence of modification to F5’s software supply chain, including source code and build and release pipelines.
  • Unaffected: There is no evidence that the threat actor accessed or modified the NGINX source code or product development environment. There was also no evidence that the threat actor accessed or modified the F5 Distributed Cloud Services or Silverline systems.

While details of what exactly was exfiltrated are not publicly available, the theft of source code and previously undisclosed vulnerabilities is significant and could potentially facilitate rapid exploitation of vulnerabilities.

Guidance

Unit 42 highly recommends following F5 public guidance in its public Security Notification and Quarterly Security Notification.

Palo Alto Networks customers receive protections from and mitigations for these CVEs in the following ways:

  • The Unit 42 Incident Response team can be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
  • Cortex Xpanse has existing attack surface rules that can be used to assist customers in identifying publicly accessible F5 devices.
Vulnerabilities Discussed CVE-2025-53868, CVE-2025-61955, CVE-2025-57780

Details of the Attack

According to F5, the compromise of their corporate networks was conducted by an unspecified sophisticated nation-state actor. Attacks in recent years have illustrated the allure of technology companies as not just a viable target, but a force multiplier in increasing the efficiency and timeline of espionage activity.

F5 also released details of several vulnerabilities of varying severity. Some of the key vulnerabilities are:

  • CVE-2025-53868: A BIG-IP SCP and SFTP vulnerability with a CVSS score of 8.7. This could allow for a significant impact on affected systems.
  • CVE-2025-61955: An F5OS vulnerability with a CVSS score of up to 8.8 in appliance mode. This could lead to major compromises of F5OS-A and F5OS-C systems.
  • CVE-2025-57780: An F5OS vulnerability with a CVSS score of up to 8.8 in appliance mode, representing another critical threat to F5OS systems.

History of Targeted Attacks

There is a history of nation-state actors going after high value targets in the technology industry. Given the reach of F5’s BIG-IP suite, well-resourced, sophisticated actors have focused on it in the past.

In late 2023, a critical vulnerability (CVE-2023-46747) emerged within the BIG-IP Traffic Management User Interface (TMUI), allowing for an authentication bypass. UNC5174, a China-nexus threat actor, actively exploited this flaw. Mandiant’s investigation revealed that the group leveraged this vulnerability to create backdoor administrator accounts, ultimately gaining command execution on compromised devices.

For three years, a Chinese state-sponsored group reported as Velvet Ant used malicious software to exploit outdated F5 BIG-IP equipment. This allowed persistent access and exfiltration of data from a targeted organization's network.

In July 2025, a critical vulnerability (CVE-2022-1388) became the gateway for another sophisticated attack. The China-nexus group known as Fire Ant — overlapping with UNC3886 — exploited an iControl REST authentication bypass flaw in F5 BIG-IP devices. This allowed them to deploy web shells, tunnel traffic between network segments and execute arbitrary system commands.

Current Scope of the Attack Against F5

The threat actor exfiltrated files from the BIG-IP product development environment and engineering knowledge management platforms. F5’s post as of Oct. 16 stated that the company has found no evidence of access to — or exfiltration of — data from its CRM, financial, support case management or iHealth systems. However, some of the exfiltrated files from the knowledge management platform contained configuration or implementation information for a small percentage of customers.

F5 stated that the stolen files contained some BIG-IP source code and information about undisclosed vulnerabilities. F5 stated it currently has no knowledge of undisclosed critical or remote code vulnerabilities. It also has not observed active exploitation of any undisclosed F5 vulnerabilities.

There has been no evidence of modification to F5’s software supply chain, including source code and build and release pipelines. There is also no evidence that the threat actor accessed or modified the NGINX source code or product development environment. Finally, there was no evidence that the threat actor accessed or modified the F5 Distributed Cloud Services or Silverline systems.

Generally, if an attacker steals source code it takes time to find exploitable issues. In this case, the threat actor also stole information on previously undisclosed vulnerabilities that F5 was actively working to patch. This could provide the ability for threat actors to exploit vulnerabilities that have no public patch, potentially increasing speed to exploit creation.

The disclosure of 45 vulnerabilities in this quarter versus just six last quarter suggests F5 is moving as fast as they can to actively patch as many flaws as possible before the threat actors can exploit them.

Interim Guidance

Unit 42 highly recommends following F5 public guidance in its public Security Notification and Quarterly Security Notification. This guidance includes:

  • Updating BIG-IP software
  • A threat hunting guide
  • Hardening guidance
  • Security information and event management (SIEM) integration recommendations

F5 strongly recommends updating BIG-IP software as soon as possible. F5 support is providing a threat hunting guide to strengthen detection and monitoring. It also published best practices for hardening F5 systems, adding automated hardening checks to the F5 iHealth Diagnostic Tool. This tool can help surface gaps, prioritize actions and provide links to remediation guidance.

Lastly, F5 recommends the following:

  • Enabling BIG-IP event streaming to SIEM
  • Following step-by-step instructions for syslog configuration (KB13080)
  • Monitoring for login attempts (KB13426) to enhance visibility and alerting for:
    • Admin logins
    • Failed authentications
    • Privilege and configuration changes

Conclusion

The potential impact of this compromise is unique due to the theft of confidential information regarding previously undisclosed vulnerabilities that F5 was actively in the process of patching. This data potentially grants threat actors the capacity to exploit vulnerabilities for which no public patch currently exists, which could accelerate the creation of exploits.

According to public information, the compromise was identified in early August 2025. While F5 stated they had not yet seen evidence of in-the-wild exploitation, the timing suggests that these vulnerabilities could have been exploited for upwards of two months. This highlights the need to immediately address mitigation guidance.

F5's prompt disclosure and mitigation guidance are crucial first steps. The top priority for any organization using F5 BIG-IP is to implement mitigation and hardening guidance without delay and begin threat hunting activities immediately.

This underscores the need for a defense-in-depth strategy in the face of unknown, emerging and previously-identified vulnerabilities.

Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks Product Protections

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107

Cortex Xpanse

Cortex Xpanse has existing attack surface rules that can be used to assist customers in identifying publicly accessible F5 devices.

Updated Oct. 27, 2025, at 1:00 p.m PT to clarify language on exposed instances. 

PhantomVAI Loader Delivers a Range of Infostealers

Posted on by Samantha Stallings

Executive Summary

Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. Threat actors wage these campaigns to deliver obfuscated scripts and loaders that use steganography techniques to conceal payloads.

The loader initially used in these campaigns was dubbed Katz Stealer Loader, for the Katz Stealer malware that it delivers. Hackers are selling this new infostealer on underground forums as malware as a service (MaaS). Recently, we observed that the loader now delivers additional infostealers, such as AsyncRAT, XWorm, FormBook and DCRat. Given this unique behavior, we now track the loader under a new name: PhantomVAI Loader. We chose the name because of the loader’s stealth and the VAI method it executes.

Threat actors deploy PhantomVAI Loader in attacks worldwide, targeting organizations from a wide spectrum of industries:

  • Manufacturing
  • Education
  • Utilities
  • Technology
  • Healthcare
  • Information
  • Government

We explore each stage of the multi-layered infection chain, from the initial phishing email to the final deployment of the infostealer payload. We also outline the functionality of Katz Stealer specifically.

Palo Alto Networks customers are better protected from this activity through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Infostealers

Background

On April 13, 2025, a user called katzadmin posted about a new infostealer named Katz Stealer. The user uploaded these posts to the BreachForums underground forum, and later to the exploit[.]in and xss[.]is forums as well. Katz Stealer is a type of MaaS that collects sensitive data from a variety of applications hosted on infected machines.

We observed threat actors delivering Katz Stealer through phishing emails containing obfuscated JavaScript or VBS code, PowerShell scripts and a .NET loader. Initially called Katz Stealer Loader — and also known as VMDetectLoader — this loader now delivers infostealers such as AsyncRAT, XWorm, FormBook and DCRat. We track this loader under a new name: PhantomVAI Loader.

Infection Chain Analysis

The PhantomVAI Loader attack chain starts with an initial phishing operation and culminates in the deployment of payloads. Figure 1 summarizes the steps of this process.

Flowchart detailing a cyberattack involving a phishing email, leading to the download of various files including archives and scripts, utilizing tools like PowerShell, and culminating in the injection of an infostealer via PhantomVAI loader.
Figure 1. The PhantomVAI Loader attack chain.

Phishing Emails

The infection chain starts with a phishing email that contains a malicious attachment. Figure 2 shows an example of one of the phishing emails.

Email screenshot displaying a message about a new shipment order, including a document attachment. The sender is identified as a cargo logistics company, referencing confirmation of shipment documents. The text in the email includes contact details and a website URL
Figure 2. Phishing email. Source: VirusTotal.

The emails contain themes like sales, payments and legal actions to trick the targeted users into opening the malicious attachment. Some of these emails incorporate homograph attacks, which involve replacing Latin characters in the email with other Unicode or math characters. Attackers use this technique to bypass email defenses by disguising terms that email security mechanisms usually flag as suspicious.

Stage 1: JavaScript and VBS Scripts

The phishing email attachments are archived JavaScript or VBS files. Threat actors obfuscate these scripts in an attempt to bypass detections. Figure 3 shows an example of obfuscated JavaScript from one of these files.

Screenshot of obfuscated JavaScript in a text editor, displaying multiple lines with syntax highlighting.
Figure 3. Obfuscated JavaScript.

The script embeds a Base64-encoded PowerShell script and executes it to download and deliver the next stage of the infection.

Stage 2: PowerShell Script

The decoded PowerShell script downloads and loads the next stage of the infection. Figure 4 shows an example of a decoded PowerShell script.

Screenshot of the PowerShell script containing the steganography, highlighted by a box and arrow. The last line is the PhantomVAI loader command-line arguments.
Figure 4. PowerShell script used to download the next stages of the attack.

The PowerShell script downloads a GIF or other image file that conceals the loader payload. This technique is known as steganography. In the infections that we observed, threat actors used this technique to embed text within the image. The text is a Base64-encoded DLL file.

Next, the script extracts the Base64 data by searching for specific strings that represent the start and end of the encoded text. In this case, the PowerShell script searches for all text between <<sudo_png>> and <<sudo_odt>>. This text is an encoded DLL. In other cases, threat actors inserted the encoded text between different headers. Figure 5 shows an example of encoded text embedded in a GIF file using steganography.

Screenshot of computer code in an editor, featuring various lines of text in white and gray on a black background. The text includes various programming syntax and keywords with a section highlighted in red that says 'sudo png'.
Figure 5. The start of encoded Base64 text embedded in a GIF file.

After extracting the encoded text from the image or GIF file, the PowerShell script decodes the text and loads the DLL. The loaded DLL is the .NET loader payload that we call PhantomVAI Loader.

The PowerShell script invokes a method called VAI within PhantomVAI Loader and provides it with several parameters. The first parameter is a URL for the command and control (C2) server that hosts the final payload.

Stage 3: Executing PhantomVAI Loader

PhantomVAI Loader is written in C#, and the VAI method has three main functionalities:

  • Running virtual machine checks
  • Establishing persistence
  • Retrieving the final payload

Virtual Machine Detection

When PhantomVAI Loader is executed, it performs checks to determine whether it is running on a virtual machine, as the code below shows. The VM detection portion of the code appears to be based on a GitHub project named VMDetector. If any of the checks return a true response, PhantomVAI Loader exits and stops executing.

Establishing Persistence

PhantomVAI Loader uses one or all of the following methods to create persistence:

  • A scheduled task executes PowerShell commands to download a file from an attacker-controlled URL. The task saves the file with a specific name and extension and then executes it.
  • A scheduled task executes a script using wscript.exe. The path to this script is supplied as a command-line parameter.
  • A Run registry key to execute a specific file. The file’s path is also provided as a command-line argument.

Retrieving Payload and Injection

PhantomVAI Loader downloads the payload from the URL specified as a command-line parameter in the Stage 2 PowerShell script. It then injects this payload into a target process that is also defined by a command-line parameter, using the process hollowing technique. The loader injects the payload into a process located in one of these four paths, depending on the command-line argument and the payload architecture:

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
  • C:\Windows\System32\
  • C:\Windows\SysWOW64\

In most of the cases observed at the time of writing this article, PhantomVAI Loader injected the payload into the Microsoft Build Engine executable, MSBuild.exe. Figure 6 shows an example of such an injection, in the context of the infection chain.

Screenshot of the Cortex XDR interface showing four files: msedge.exe, wscript.exe, powershell.exe, and MSBuild.exe. Each file has a corresponding icon, with powershell.exe displaying a warning symbol and associated error code. It is marked at the loaded PhantomVAI loader.
Figure 6. Infection chain that starts with the user opening an email using msedge.exe (Microsoft Edge browser) and ends with PhantomVAI Loader injecting the payload to MSBuild.exe.

Katz Stealer: A New Malware-as-a-Service Stealer

PhantomVAI Loader has evolved to deliver a number of infostealers. As Katz Stealer is the least well known and documented, we cover it in additional detail here.

Threat actors use Katz Stealer to steal data from infected machines, such as:

  • Browser credentials
  • Browser data (such as cookies, history, login data)
  • Cryptocurrency wallets
  • Telegram data
  • Discord data
  • Operating system information
  • Steam and game data
  • VPN data
  • FTP clients data
  • Communication and messaging applications data
  • Email clients data
  • Screenshots
  • Clipboard data

Katz Stealer also checks the machine’s language and compares it to a hardcoded list of country codes by using the following APIs:

  • GetKeyboardLayout
  • GetLocaleInfoA
  • GetSystemDefaultLangID

The country codes that Katz Stealer checks are all part of the Commonwealth of Independent States (CIS), as Figure 7 shows. If it finds a match, Katz Stealer stops executing. This language check and subsequent behavior could provide a clue to the origin of the author of the malware.

Screenshot of code with country codes and their corresponding full names, including Russia, Belarus, Kazakhstan, Kyrgyzstan, Tajikistan, Uzbekistan, Armenia, Azerbaijan, and Moldova. Each entry is prefixed with "dq offset."
Figure 7. Code snippet showing the country codes that Katz Stealer checks.

Conclusion

This article highlights phishing campaigns that deliver PhantomVAI Loader, also known as Katz Stealer Loader. Combining social engineering via phishing emails, obfuscated scripts, steganography and a .NET loader, this multi-stage infection chain demonstrates the lengths attackers go to in attempts to evade detection and bypass defenses.

Our research highlights how this loader has evolved in the cybercrime ecosystem. While initially, threat actors used the loader solely to deliver Katz Stealer, recent observations show that the loader now distributes additional malware strains, including AsyncRAT, XWorm, FormBook and DCRat.

MaaS offerings like Katz Stealer are a pervasive threat that can significantly impact security and privacy by exposing sensitive data such as passwords, networking data, emails and files. Understanding the attack chains and techniques that threat actors use to deliver these malicious payloads is vital to ensuring organization security.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
  • Cortex XDR and XSIAM help prevent all the threats described above by employing the Malware Prevention Engine. This approach combines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local Analysis module, to prevent both known and unknown malware from causing harm to endpoints.

Figure 8 shows two examples of detection alerts that the emails in this campaign trigger in Cortex XDR.

Two screenshots of Cortex XDR warnings. The left screenshot titled "Suspicious theme and sentiment in email" from XDR Analytics, mentions possible malicious email content. The right screenshot titled "Usage of homograph characters detected in an email" also from XDR Analytics, alerts to characters that mimic Latin letters, potentially impersonating a well-known brand or identity.
Figure 8. Detection of phishing emails that contain suspicious themes and homograph characters.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise


SHA256 Hash for Archive Example

  • 02aa167e4bb41e3e40a75954f5a0bd5915f9a16fd6c21b544a557f2a7df3c89b

SHA256 Hashes for JavaScript Examples

  • e663916cc91b4285a1ee762716ff7ce4537153c7893e2d88c13c7e57bbb646a9
  • 45fddf55acb50df5b027701073dee604b4135f750c585b29d6dcac824f26ae00
  • 9f28f82d21fe99d0efdcab403f73870d68fd94e6d0f762e658d923ccd1e7424c
  • 05d66568017f2c2e417fa6680f9b4fa4a8a9bc1b7256fe46fbf3e71956b99773
  • 4346c3c08df612b8bcd23a3b57845755bafb0efc57ff77203f8da3b46628a008
  • 0c0dae4d7da069c928f06addb1c5c824e820e4556a1244142f56227954bf9c7d
  • 3a039ce210a0b5ff65f57d304519b885bae91d1bec345c54e59e07bc39fca97e

SHA256 Hashes for PhantomVAI Loader

  • 4ab4a37db01eba53ee47b31cba60c7a3771b759633717e2c7b9c75310f57f429
  • 9ae50e74303cb3392a5f5221815cd210af6f4ebf9632ed8c4007a12defdfa50d
  • 893ee952fa11f4bdc71aee3d828332f939f93722f2ec4ae6c1edc47bed598345
  • b60ee1cd3a2c0ffadaad24a992c1699bcc29e2d2c73107f605264dbf5a10d9b6
  • 0df13fd42fb4a4374981474ea87895a3830eddcc7f3bd494e76acd604c4004f7
  • 6051384898e7c2e48a2ffb170d71dbf87e6410206614989a037dac7c11b8d346
  • 01222c6c2dbb021275688b0965e72183876b7adb5363342d7ac49df6c3e36ebe
  • 6f7c5bad09698592411560a236e87acae3195031646ff06a24f1cfada6774ba6
  • 6aa2989ebb38e77a247318b5a3410b5d4f72b283c7833a0b800ea7d1de84ccc6
  • 4c5d7e437f59b41f9f321be8c17ae1f128c04628107a36f83df21b33d12ff8db
  • 639eb0d2c2da5487412e7891638b334927232ff270781fad81dc5371f44f7c8e
  • 553d76d0c449377be550570e65e2bcae4371964fc3b539a1e1022d80699da5db
  • a7993775f4518c6c68db08e226c11e51f9bc53314e4ff9385269baac582e2528
  • 7ddce5be3642b66c7559821e26877c9f0242c748da64b2e68a81844bb1a6b148
  • 84e0a543df302b18f1188139160fc5a8bd669da071e492453d5d6756064ee568
  • 97b76d61941b790deff9f025dec55484e32ebff32b1b6e173d6fbf42cd8996ef
  • bf6a5e37097330d7d68b6ac3deb6a10a1d3269be575fd51315774d1e7e1eca34
  • a62a81785714844a099a918c66df9367b5eb14df06e589d59bc81f392358c5cc
  • 920309f3822f993afeaa8ec70b4ef6b43dd2562be85cc2985efedc6cda2e7578
  • 421c4b4b53d291da2b53c068a491b3913d92fe0eb6f330861e7b60f3d9f8eee7
  • 87fae395c0e9ce3631dece94971befa578623ff0540d06539f583df921568814
  • 4b8bde867c06b617d731ea9e965bf64800330701942324e475b8119352122e7c
  • 3c6a8132df3351e2b7d186d0b3f41847e6920ebcb940548e3c9ed274901104c2
  • 76cbb0abd9511aab2cc9dda993e3b9ab77afb09d2959f143647065ca47e725cc
  • ed1b4a03595c59e5a90dd4f02f1993a2c5a43ca46a33aab0d15a1bbb1f8b3d30
  • c44bac8b66ad11756b4c5ff3b1cd7e1187c634088f9e7aa2250067033df24e8d
  • 63dfdb4927c0bca64f8952904f463330360eb052f2a2a749bf91a851a2be89b4
  • 373c820cc395ea5b9c6f38b9470913e6684e8afea59e9dfeb3da490014074bf1
  • b263df6b58c9259000e45a238327de8c07e79f2e7462c2b687c1c5771bac1dd5
  • f05bc36211301087e403df09daa014ea8f04f5bdae5cef75eb866b56b82af2d6
  • c45d3b6d2237fc500688a73d3ba18335d0002917f1a1f09df6934c87deaa097f
  • fcad234dc2ad5e2d8215bcf6caac29aef62666c34564e723fa6d2eee8b6468ed
  • e05b7f44ef8d0b58cfc2f407b84dcff1cb24e0ec392f792a49ad71e7eab39143
  • 87c9bede1feac2e3810f3d269b4492fe0902e6303020171e561face400e9bdb4
  • c3de728850dc1e777ad50a211a4be212ca6c4ac9d94bf7bb6d5f7fe5f4574021
  • e5daa86418ac444d590a2c693cd7749d87134c47d8e0dbac30c69f23a8e8131f


SHA256 Hashes for Katz Stealer

  • a6b736988246610da83ce17c2c15af189d3a3a4f82233e4fedfabdcbbde0cff0
  • 74052cf53b45399b31743a6c4d3a1643e125a277e4ddcfcad4f2903b32bc7dc4
  • 20bde6276d6355d33396d5ebfc523b4f4587f706b599573de78246811aabd33c
  • e345d793477abbecc2c455c8c76a925c0dfe99ec4c65b7c353e8a8c8b14da2b6
  • 96ada593d54949707437fa39628960b1c5d142a5b1cb371339acc8f86dbc7678
  • 925e6375deaa38d978e00a73f9353a9d0df81f023ab85cf9a1dc046e403830a8
  • b249814a74dff9316dc29b670e1d8ed80eb941b507e206ca0dfdc4ff033b1c1f
  • 9b6fb4c4dd2c0fa86bffb4c64387e5a1a90adb04cb7b5f7e39352f9eae4b93fa
  • d5ead682c9bed748fd13e3f9d0b7d7bacaf4af38839f2e4a35dc899ef1e261e2
  • ece74382ec6f319890e24abbf8e0a022d0a4bd7e0aeaf13c20bab3a37035dcd1
  • 2dba8e38ac557374ae8cbf28f5be0541338afba8977fbff9b732dee7cee7b43e
  • 11e90765640cbb12b13afa1bcec31f96f50578a5e65e2aa7be24465001b92e41
  • b2245ca7672310681caa52dc72e448983d921463c94cdab0ba9c40ad6b2a58fe
  • c929ee54bdd45df0fa26d0e357ba554ef01159533501ec40f003a374e1e36974
  • c0e3c93c59b45e47dda93438311f50ddb95808fd615a467285c9c359bce02cf0
  • 309da3c8422422089b7f9af3b1b3f89e2d5c36e48e4d9d9faa07affb7d9a7b17
  • fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789
  • 25b1ec4d62c67bd51b43de181e0f7d1bda389345b8c290e35f93ccb444a2cf7a
  • 964ec70fc2fdf23f928f78c8af63ce50aff058b05787e43c034e04ea6cbe30ef
  • d92bb6e47cb0a0bdbb51403528ccfe643a9329476af53b5a729f04a4d2139647
  • 5dd629b610aee4ed7777e81fc5135d20f59e43b5d9cc55cdad291fcf4b9d20eb
  • b912f06cf65233b9767953ccf4e60a1a7c262ae54506b311c65f411db6f70128
  • 2852770f459c0c6a0ecfc450b29201bd348a55fb3a7a5ecdcc9986127fdb786b

Additional Resources

 

Anatomy of an Attack: The "BlackSuit Blitz" at a Global Equipment Manufacturer

Posted on by Ria Bhatia

Unit 42 recently assisted a prominent manufacturer who experienced a severe ransomware attack orchestrated by Ignoble Scorpius, the group that distributes BlackSuit ransomware. This incident serves as a reminder of how a seemingly minor issue — in this case, a single set of compromised VPN credentials — can lead to a full-scale corporate crisis with tremendous impact to the bottom line.

The Attack: A Combination of Reconnaissance and Ransomware

The Ignoble Scorpius attack began with a voice phishing (vishing) call. The attacker impersonated the company's IT help desk and tricked an employee into entering their legitimate VPN credentials on a phishing site.

With these credentials, the threat actor gained initial network access and immediately escalated their privileges. They executed a DCSync attack on a domain controller to steal highly privileged credentials, including a key service account. Using these compromised credentials, they moved laterally across the network using RDP and SMB, employing tools like Advanced IP Scanner and SMBExec to map the network and identify high-value targets.

The attackers established persistence by deploying AnyDesk and a custom RAT on a domain controller, configured as a scheduled task to survive reboots. (It is important to note that threat actors often abuse and take advantage of legitimate products like AnyDesk for malicious purposes. We are not implying that the legitimate product is flawed.)

The attackers then compromised a second domain controller, extracting the NTDS.dit database containing all user password hashes, and exfiltrated over 400 GB of data using a renamed rclone utility. To cover their tracks, the threat actors deployed CCleaner to erase forensic evidence before unleashing the final blow: BlackSuit ransomware, orchestrated through Ansible, simultaneously encrypted hundreds of virtual machines across approximately 60 VMware ESXi hosts, disrupting operations across the entire infrastructure.

How Unit 42 Helped

When Unit 42 was engaged, we helped the client expand their Cortex XDR deployment from 250 to over 17,000 endpoints, providing enterprise-wide visibility to track the attacker's every move. We also leveraged Cortex XSOAR to automate containment actions, stopping the attack from spreading further.

Our investigation identified the full attack path and led to some critical recommendations including:

  • Network Security: Replace end-of-life Cisco ASA firewalls with Next-Generation Firewalls (NGFW), implement network segmentation, and restrict administrative access to critical systems (like DCs and ESXi hosts) to dedicated management VLANs.
  • Identity and Access Management: Enforce MFA for all remote access, disable NTLM or require EPA, rotate all credentials, and restrict service accounts from being used for interactive logons like RDP.
  • Endpoint and Server Hardening: Block EFSRPC using RPC filters to prevent PetitPotam/DCSync attacks, deploy and maintain a fully patched XDR solution on all endpoints, and have a strict policy for removing EOL systems.
  • Logging and Monitoring: Enhance log retention to 90-plus days for critical sources (ESXi, firewalls, Nasuni), ensure logs are properly parsed for effective analysis, and enable features like AWS CloudTrail log validation.

The Outcome

The client was able to achieve several key outcomes:

  • Financial demand negated: We successfully negated the $20 million ransom demand, ensuring the client paid no ransom.
  • Expanded visibility: The engagement expanded the client’s endpoint visibility from 250 to over 17,000, creating a robust foundation for future security operations.
  • Strategic guidance: We provided bespoke, strategic after-incident guidance, helping the client fortify their defenses and prevent future attacks.
  • Continuous monitoring: Following the incident, the client onboarded Unit 42 Managed Detection and Response (MDR) services for continuous monitoring, ensuring they are better prepared to handle future threats.

The Takeaway

This attack serves as a stark reminder that even a single compromised credential can create a domino effect, leading to a catastrophic security breach. The swift and sophisticated tactics of threat actors like Ignoble Scorpius and their use of BlackSuit ransomware demonstrate the critical need for a proactive and multi-layered defense strategy.

By implementing MFA on all remote access points, and integrating robust endpoint visibility, automated containment, and expert guidance, organizations can not only disrupt an attack in progress but also shore up their defenses to prevent future incidents. Most importantly, investments in proactive security assessments have shown to pay dividends that far outweigh the costs of operational and financial impact of a full-scale ransomware attack.

Interested in learning more about the latest attack trends? If so, take a look at our 2025 Unit 42 Global Incident Response Report, which distills the most critical findings based on our direct experience responding to real-world cyberattacks at over 500 organizations across 38 countries.

Additional Resources

About Unit 42

Unit 42 strengthens your team with the tools and expertise needed to stay ahead of threats like BlackSuit ransomware and protect your business. With our proven strategies and insights from thousands of engagements, we’ll help your team handle the toughest situations with confidence.

The Golden Scale: Bling Libra and the Evolving Extortion Economy

Posted on by Samantha Stallings

Scattered Lapsus$ Hunters: What Retail and Hospitality Organizations Should Know

In recent months, threat actors claiming to be part of a new conglomerate dubbed Scattered Lapsus$ Hunters (aka ​​SP1D3R HUNTERS, SLSH) have asserted responsibility for laying siege to customer Salesforce tenants as part of a coordinated effort to steal data and hold it for ransom. At least one industry source refers to this criminal syndicate as the Trinity of Chaos. “Trinity” is used because the conglomerate is likely composed of individuals tied to three groups: Muddled Libra (aka Scattered Spider), Bling Libra (aka ShinyHunters), and LAPSUS$, all of which are likely representative of the broader cybercriminal community known as The Com.

At this time, the threat actors claim to have stolen more than 1 billion Salesforce records as part of two separate threat campaigns aimed at stealing customer information. The main culprit behind the extortion attempts is Bling Libra, a threat group likely active since at least early 2020 that has previously claimed responsibility for a number of data breaches over the last few years.

As noted by Unit 42 in related Insights pieces earlier this year, a number of global retail and hospitality organizations have felt the brunt of this data theft extortion activity. Here, we provide readers with the latest updates tied to these threat actors. We highlight the inherent risks for retail and hospitality organizations potentially impacted by this activity and offer recommendations to combat the evolving threat of extortion-as-a-service (EaaS) providers.

The Rise of Bling Libra’s EaaS Offering

On Oct. 3, 2025, Scattered Lapsus$ Hunters officially launched their data leak site (DLS). At the time of its inception it was hosted on a domain previously associated with the BreachForums cybercrime forum. Figure 1 below depicts an image posted at the top of the DLS.

Screenshot of a data threat message directed at Salesforce, Inc., claiming encryption of roughly 1 billion records ransomed for 989.45 million dollars and demanding negotiation by a specified deadline.
Figure 1. Image of Bling Libra’s Salesforce data leak site. Source: BleepingComputer.

The threat actors posted the names of 39 global organizations from which they claim to have stolen Salesforce data. They set a deadline of Oct. 10, 2025 for the victims to pay a ransom, threatening to leak the files after that time. Based on Unit 42 observations across Telegram channels operated by the threat group, they are also recruiting other threat actors to help send extortion notes to victims via email, specifically focusing on communicating with executives.

The threat actors have even attempted to directly extort Salesforce itself. The company responded to media outlets that it has no intentions of negotiating with or paying a ransom to the cybercriminals, a message which they also reiterated via emails to customers.

Bling Libra recently told Bleeping Computer that they have been privately operating as an EaaS provider for some time now. They claimed to take a revenue share (typically 25-30%) from extortion payments made to threat actors they are collaborating with.

This is a similar playbook to how ransomware-as-a-service (RaaS) providers have operated for several years now. The primary differentiator between EaaS and RaaS is the lack of malware deployment (ransomware) that encrypts files, thereby typically rendering them inaccessible.

As documented in a prior Unit 42 threat research article, Bling Libra has evolved over time with regards to their monetization tactics. They moved from selling and publishing stolen data to directly extorting victims. Our article documented their activity after infiltrating victims’ Amazon Web Services (AWS) cloud environments. The activity in the news in recent months shows their primary focus on Salesforce tenants.

The Emergence of Other Extortion-focused Threat Groups

Another notable development in the EaaS economy is Bling Libra’s recent collaboration with a threat group named Crimson Collective. This group was seemingly unknown until their recent entrance onto the data theft extortion scene.

Based on Unit 42 observations and news reports, Crimson Collective claimed to have breached Red Hat on or about Oct. 1, 2025. The cybercriminals claim to have exfiltrated approximately 570 GB of compressed data from more than 28,000 internal development repositories. Red Hat confirmed the root cause as a breach into one of its GitLab instances. The stolen data allegedly includes an estimated 800 Customer Engagement Reports (CERs), which are documents prepared for clients by Red Hat consultants that typically contain sensitive information about the clients’ network and platforms.

Other news reports indicate that Crimson Collective has also been actively targeting AWS cloud environments in recent weeks, where they continue to be focused on data theft and subsequent extortion. At this time, it appears that in addition to sending extortion notes via email to victims, the threat group is also partnering with Scattered Lapsus$ Hunters to post victims via Bling Libra’s recently launched DLS. Figure 2 alludes to this combination of criminal forces.

Telegram screenshot of Crimson Collective post. Screenshot of a social media post discussing the creation of NATO on 4th April 1949, comparing it to a hypothetical larger alliance, and linking to a webpage with further details. The post encourages not becoming the next headline and to make the right choice. It has received various reactions and comments.
Figure 2. Screenshot of Telegram post by Crimson Collective. Source: BleepingComputer.

Similar to Scattered Lapsus$ Hunters, Crimson Collective also operates at least one Telegram channel to communicate with their audience, typically boasting of their latest victims. News reports indicate that victims allegedly impacted by their breach of Red Hat include aviation, telecommunications, public-sector, financial services and retail organizations.

Bling Libra’s Pending Deadline

In recent weeks, Scattered Lapsus$ Hunters posted on their Telegram channels that they were retiring from their cybercrime operations. This claim was greeted with skepticism by industry experts. Based on recent events illustrated throughout this article, that was an incredibly short-lived retirement — if at all factual.

On Oct. 9, 2025, the FBI announced that it had seized all domains associated with BreachForums. Shortly thereafter, Bling Libra confirmed the seizure activity. This included the clearnet version of their newly launched DLS. The group stated that it will not pursue relaunching another iteration of BreachForums.

However, Bling Libra stated that none of its core members had been arrested and that the darknet version of their DLS was not impacted by the FBI’s activity. Doubling down, they warned of the potential release of the stolen Salesforce data, writing in a forum post, “Stay tuned for 11:59 PM New York time on 10/10/2025.” Figure 3 below further illustrates these latest developments.

Screenshot of forum post of BreachForums' seizure by the FBI and international forums. The post advises others on how to take next steps.
Figure 3. Screenshot of forum post by Bling Libra. Source: BleepingComputer.

Regardless of what happens with this situation, there appears to be a shift occurring across the cybercrime ecosystem. Cybercriminals seem to be moving toward partnering with and monetizing their intrusion operations via an EaaS provider rather than via a RaaS provider.

One factor behind this shift may be greater potential to fly under the radar. Law enforcement attention in recent years has focused on disrupting ransomware operations. EaaS involves slightly different TTPs (e.g. no encryption and operational disruption) and may therefore avoid some of those efforts.

Risks to Retail and Hospitality Organizations

As someone who focuses directly on supporting retail and hospitality organizations as part of my role at Unit 42, I want to highlight the risks associated with this data theft extortion activity.

From a retailer perspective, the theft of customer data can lead to outcomes such as identity theft. It can also enable social engineering attacks, account takeover and various types of fraud. Most importantly, however, is the potential erosion of consumer trust. This is something that retailers can ill afford to suffer with tightening margins and the upcoming peak shopping season.

From a hospitality perspective, many of the issues remain the same as above.

However, I see a distinction in terms of potential fraud. Retail organizations would primarily be targeted with tactics like returns and gift card fraud. Hospitality organizations are more likely to be targeted with tactics like loyalty rewards fraud (e.g., airline miles, hotel points).

These tactics are influencing the growing underground trend of fraudulent travel agency advertisements. For example, stolen loyalty rewards can be used by threat actors to book travel arrangements (e.g. flights, hotels) which they can resell to unsuspecting customers at a discounted rate and reap the profit from such transactions. Many of these fake travel agencies are advertised across underground cybercrime forums and Telegram channels.

My Recommendations

Unit 42 recently published a threat brief on the repercussions from the Salesloft Drift supply chain attack, which includes recommendations that apply to supply chain attacks more broadly. We’ve also published on best practices for token and integration management as they relate to the supply chain.

Both Scattered Lapsus$ Hunters and Crimson Collective are focusing their data theft and subsequent extortion efforts on platforms like Salesforce and AWS. To combat this, organizations should leverage automated tools like TruffleHog. These can help efficiently scan for secrets and hardcoded credentials within code repositories, configuration files or any potentially exfiltrated data.

Additionally, organizations should implement zero trust pillars, such as conditional access policies and the principle of least privilege, to limit the damage attackers can do even if they are successful at breaching your network.

Finally, make sure your organization is a member of an industry-aligned Information Sharing and Analysis Center (ISAC). For example, retail and hospitality companies should join and participate within the RH-ISAC, where members get access to real-time threat insights and best practices that can assist with both reactive and proactive defensive measures.

As always, the Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your organization's risk related to the aforementioned threat activity.

When AI Remembers Too Much – Persistent Behaviors in Agents’ Memory

Posted on by Jay Chen

Executive Summary

This article presents a proof of concept (PoC) that demonstrates how adversaries can use indirect prompt injection to silently poison the long-term memory of an AI Agent. We use Amazon Bedrock Agent for this demonstration. In this scenario, if agent memory is enabled, an attacker can insert malicious instructions into an agent's memory via prompt injection. This can occur when a victim user is tricked into accessing a malicious webpage or document via social engineering.

In our proof of concept, the content of the webpage manipulates the agent’s session summarization process, causing the injected instructions to be stored in memory. Once planted, these instructions persist across sessions, and they are incorporated into the agent’s orchestration prompts. This ultimately allows the agent to silently exfiltrate a user’s conversation history in future interactions.

Importantly, this is not a vulnerability in the Amazon Bedrock platform. Rather, it underscores a broader, unsolved security challenge in the large language model (LLM) — prompt injection, in the context of the use of agents.

LLMs are designed to follow natural language instructions, but they cannot reliably distinguish between benign and malicious input. As a result, when untrusted content (i.e., webpages, documents or user input) is incorporated into system prompts, these models can become susceptible to adversarial manipulation. This puts applications relying on LLMs, like agents (and by extension, their memory), at risk of prompt attacks.

While no complete solution currently exists for eliminating prompt injection, practical mitigation strategies can significantly reduce risk. Developers should treat all untrusted input as potentially adversarial, including content from websites, documents, APIs or users.

Solutions like Amazon Bedrock Guardrails and Prisma AIRS can help detect and block prompt attacks in real time. However, comprehensive protection for AI agents requires a layered defense strategy that includes:

  • Content filtering
  • Access control
  • Logging
  • Continuous monitoring

We reviewed this research with Amazon prior to publication. Representatives from Amazon welcomed our research but emphasized that, in their view, these concerns are easy to mitigate by enabling Bedrock platform features designed to reduce such risks. Specifically, they pointed out that applying Amazon Bedrock Guardrails with the prompt-attack policy provides effective protection.

Prisma AIRS is designed to provide layered, real-time protection for AI systems by detecting and blocking threats, preventing data leakage and enforcing secure usage policies across a variety of AI applications.

URL filtering solutions like Advanced URL Filtering can validate links against known threat intelligence feeds and block access to malicious or suspicious domains. This prevents attacker-controlled payloads from reaching the LLM in the first place.

AI Access Security is designed for visibility and control over usage of third-party GenAI tools, helping prevent sensitive data exposures, unsafe use of risky models and harmful outputs through policy enforcement and user activity monitoring.

Cortex Cloud is designed to provide automatic scanning and classification of AI assets, both commercial and self-managed models, to detect sensitive data and evaluate security posture. Context is determined by AI type, hosting cloud environment, risk status, posture and datasets.

A Unit 42 AI Security Assessment can help you proactively identify the threats most likely to target your AI environment.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Indirect Prompt Injection, GenAI, Memory Corruption

Bedrock Agents Memory

Generative AI (GenAI) applications increasingly rely on memory features to deliver personalized and coherent experiences. Unlike previous LLMs, which are stateless and process each conversation session in isolation, storing information in memory enables agents to retain context across sessions.

Amazon Bedrock Agents Memory enables AI agents to retain information across user interactions. When this feature is enabled, the agent stores summarized conversation and action under a unique memory ID, typically scoped per user. This allows the agent to recall prior context, preferences and task progress, eliminating the need for users to repeat themselves in future sessions.

Internally, Bedrock Agents use a session summarization process driven by LLMs. At the end of each session, whether it was explicitly closed or automatically timed out, the agent invokes an LLM using a configurable prompt template. This prompt instructs the model to extract and summarize key information such as user goals, stated preferences and agent actions. The resulting summary encapsulates the core context of the interaction.

In subsequent sessions, Bedrock Agents then inject this summary into the orchestration prompt template, becoming part of the agent's system instructions in subsequent sessions. In effect, the agent's memory influences how the agent reasons, plans and responds. This allows the agent’s behavior to evolve based on accumulated context.

Developers can configure memory retention for up to 365 days and customize the summarization pipeline by modifying the prompt template. This enables fine-grained control over what information is extracted, how it is structured and what is ultimately stored. These features provide a mechanism by which developers can add additional capabilities and defense in depth features to their agentic applications.

Indirect Prompt Injection

Prompt injection is a security risk in LLMs where a user crafts input containing deceptive instructions to manipulate the model’s behavior, which can lead to unauthorized data access or unintended actions.

Indirect prompt injection is a related attack vector in which malicious instructions are embedded in external content (i.e., emails, webpages, documents or metadata) that the model later ingests and processes. Unlike direct prompt injection, this method exploits the model’s integration with external data sources, causing it to interpret embedded instructions as legitimate input without direct user interaction.

PoC: Memory Manipulation via Indirect Prompt Injection

As a PoC for an agent memory manipulation attack, we created a simple travel assistant chatbot using Amazon Bedrock Agents. The bot was capable of booking, retrieving and canceling trips, as well as reading external websites. We enabled the memory feature, with each user assigned an isolated memory scope to ensure that any compromise affected only the targeted user.

We built the agent using the default AWS-managed orchestration and session summarization prompt templates without customization (see Additional Resources). Our bot's agent leveraged the Amazon Nova Premier v1 foundation model. We did not enable the Bedrock Guardrails, reflecting a minimally protected configuration for this PoC.

Attack Scenario

In our fictional scenario, the victim is a legitimate user of the chatbot, while an attacker operates externally and has no direct access to the system. Through social engineering, the attacker persuades the victim to submit a malicious URL to the chatbot. When the chatbot fetches this URL, it retrieves a webpage containing embedded prompt injection payloads.

These payloads manipulate the session summarization prompt, causing the LLM to include malicious instructions in its summary output.

This PoC uses the following steps:

  1. An attacker creates a webpage embedded with prompt injection payloads
  2. The attacker sends the malicious URL to the victim
  3. The victim provides the URL to the chatbot
  4. The chatbot retrieves the content of the malicious webpage
  5. The prompt injection payload manipulates the session summarization process, inserting malicious instructions into the agent’s memory
  6. In subsequent conversation sessions, Bedrock Agents incorporate these instructions into the orchestration prompts
  7. Acting on the injected instructions, the chatbot silently exfiltrates the user’s conversation history to a remote command-and-control (C2) server using the web access tool.

Figure 1 illustrates this attack flow.

Diagram illustrating a cybersecurity threat scenario involving multiple components: a hacker, a C2, a human figure at a computer, a chatbot, and a memory storage unit. Connections between these elements show the flow between the attacker, the attacker inserting the malicious URL in the chatbot, the person using the chatbot, and the delivery of the malicious URL stored in the memory of the chatbot as the sessions continue.
Figure 1. Attack flow for memory manipulation PoC.

Prompt Injection Payload Construction

This section walks through how we crafted malicious instructions on the webpage to perform prompt injection against the session summarization prompt.

The technique from this PoC targets the session summarization prompt, aiming to insert malicious instructions in the agent’s persistent memory. Understanding the structure of the summarization prompt is key to grasping the attack vector.

By default, the summarization prompt extracts two main elements:

  • User goals – Explicit objectives stated by the user during the session
  • Assistant actions – Actions taken by the agent to fulfill those goals

We populated a summarization prompt template with a conversation session including these user goals and assistant actions. The conversation, including user inputs, assistant responses and tool invocations, are wrapped inside <conversation> XML tags (highlighted in blue). A typical flow for this technique includes:

  1. (User) The user asks the chatbot to read a URL
  2. (Action) The agent selects and invokes a tool to fetch web content
  3. (Result) The tool returns the content of the webpage
  4. (Assistant) The agent generates a response using the tool output and user query

As noted in Figure 2, this structure contains the tool output (i.e., the retrieved webpage) in the result field (highlighted in red). This field is the only attacker-controlled input in the summarization prompt, making it the ideal injection point.

Screenshot of a text-based conversation between a user and an AI assistant, discussing a URL for illustrative purposes, with portions of the text highlighted for emphasis. The input is marked as benign. The red highlight is the ideal injection point.
Figure 2. Snippet of session summarization prompt template.

Payload Anatomy

The injected payload is divided into three parts, with each part separated by a forged <conversation> XML tag (highlighted in yellow). These tags are designed to confuse the LLM. This causes the LLM to interpret parts one and three as separate conversation blocks and part two, which falls outside those blocks, as part of the system instructions in the session summarization prompt.

  • Part one ends with a forged </conversation> tag, tricking the LLM into interpreting it as the end of one conversation block. It contains the prior user-agent exchanges along with benign webpage content. The malicious payload begins at the end of this section.
  • Part three begins with a forged <conversation> tag, tricking the LLM into interpreting it as the start of another conversation block. It contains a fabricated user-agent interaction that reiterates the instructions from Part two, increasing the likelihood that the LLM will include them in the final session summary.
  • Part two, strategically placed outside of any <conversation> block, contains the core malicious instructions. This positioning makes the LLM interpret it as part of the system instructions rather than user or tool-generated input, which significantly increases the chance that the LLM will follow the instructions. To blend in, the payload adopts the same XML-like syntax used in the prompt template.

Figure 3 illustrates how Bedrock Agents populate the result field with malicious content from the attacker’s webpage, while all other fields in the summarization prompt remain untouched.

Marked as malicious. Screenshot of AI agent chat interface with text boxes showing a sample dialogue about URL validation. The image includes marked sections labeled as "Malicious action," "Result," and "Guidelines" with annotations for improving user instructions related to security. The URL example.com is mentioned in the conversation.
Figure 3. Prompt injection payload in the session summarization prompt.

Exploitation Payload Delivery and Installation

Figure 4 shows the malicious webpage containing the exploitation payload corresponding to Step 1 in the attack flow. The malicious instructions the attacker specifies are embedded in the HTML but rendered invisible to the end user, keeping the attack stealthy.

Image listing the top 5 U.S. national parks for summer vacation and their closest airports. Parks included are Glacier National Park, Yosemite National Park, Grand Teton National Park, Acadia National Park, and Olympic National Park. Each park entry lists nearby airports with respective distances.
Figure 4. Malicious webpage where the prompt injection payloads are hidden below the benign content.

Figure 5 illustrates the victim’s interaction with the chatbot corresponding to Steps 2-4 in the attack flow. Notably, the agent does not display any malicious behavior or reveal the injected instructions. This is because the payload targets the session summarization prompt, not the orchestration prompt, which governs the real-time conversation. As the injected instructions are unrelated to the user’s query, the LLM excludes them from the assistant’s response.

Screenshot displaying a national park guide with flight times from Washington, D.C. to various national parks in the US. The prompt asks the chatbot to take a look at the national park guide listed in a URL, which is malicious.
Figure 5. The victim user asked the chatbot to read the malicious URL.

Figure 6 presents a snippet of the LLM’s output during the session summarization process corresponding to Step 5 in the attack flow. As expected, the model extracts key user goals and assistant actions from the conversation. However, it also incorporates the attacker’s injected instructions from the malicious webpage, labeling them under a fabricated topic such as “validation goal.” Since every topic in the summary is automatically inserted into the agent’s memory, this step effectively installs the payload for future sessions.

Screenshot of a summary of an LLM booking travel plans, including tasks like review of national park recommendations, and travel time estimations. The content is split by summary, user goals, and the assistant actions.
Figure 6. Session summarization LLM output.

Payload Activation in Subsequent Sessions

Amazon Bedrock Agents automatically injects memory contents into every new session's context. Figure 7 shows the victim returning to the chatbot several days later to book a new trip, corresponding to Step 6 in the attack flow. The agent completes the booking as expected, and from the user’s perspective, everything appears normal. However, malicious behavior is now occurring silently in the background.

Screen capture of a confirmed travel booking notification for a flight from Washington, DC to Kalispell, MT on July 15, 2025, to visit Glacier National Park initiated by a user talking to a chatbot.
Figure 7. The victim asked the chatbot to book a new trip in a new conversation session.

Figure 8 shows a portion of the orchestration prompt used in the new session, corresponding to Step 7 in the attack flow. This prompt includes the agent’s memory contents, which are now augmented with the attacker’s instructions, as part of the system instructions section. Because system instructions strongly influence the LLM’s behavior, the model is more likely to execute the malicious instructions.

Screenshot of an AI agent description. The session summary discusses the validation goals for the agent which include a malicious URL. This is followed by goals for the end user and assistant actions including scraped content from a partially redacted URL and booking a flight.
Figure 8. Compromised memory embedded in the orchestration prompt.

Figure 9 shows how the agent reasons and plans to accomplish the user’s request. In the first assistant message, the agent outlines its execution plan, which incorporates steps derived from the attacker’s instructions. In the second message, the agent silently exfiltrates the user’s booking information to a malicious domain by encoding the data in the C2 URL’s query parameters and requesting that URL with the scrape_url tool. This enables the agent to execute the attacker’s payload without any visible indication to the victim.

Screenshot of a computer code snippet discussing the validation of a booking via an assistant, with parameters and URL included.
Figure 9. The malicious instructions are incorporated into the agent’s execution plan.

Conclusion

Long-term memory is a powerful feature of AI agents, enabling personalized, context-aware and adaptive user experiences. However, it also introduces new attack surfaces. We demonstrated through our PoC that AI agents with long-term memory can serve as a vector for persistent malicious instructions. This could affect agent behavior across sessions and over time, providing a possible avenue of long-term systemic manipulation. Because memory contents are injected into the system instructions of orchestration prompts, they are often prioritized over user input, amplifying the potential impact.

While this PoC leverages a malicious webpage as the delivery mechanism, the broader risk extends to any untrusted input channel, such as:

  • Documents
  • Third-party APIs
  • User-generated content

Depending on the agent’s capabilities and integrations, successful exploitation could result in data exfiltration, misinformation or unauthorized actions, all carried out autonomously. The good news, as AWS notes, is that the specific attack we demonstrated can be mitigated by enabling Bedrock Agent’s built-in protections, namely the default pre-processing prompt and the Bedrock Guardrail, against prompt attacks.

Mitigating memory manipulation attacks requires a layered security approach. Developers should assume any external input could be adversarial and implement safeguards accordingly. This includes filtering untrusted content, restricting agent access to external sources and continuously monitoring agent behavior to detect and respond to anomalies.

As AI agents grow more capable and autonomous, securing memory and context management will be critical to ensuring safe and trustworthy deployment.

Protection and Mitigation

The root cause of this memory manipulation attack is the agent’s ingestion of untrusted, attacker-controlled content, particularly from external data sources such as webpage or documents. The attack can be disrupted if — at any stage in the chain — a malicious URL, webpage content or session summarization prompt is sanitized, filtered or blocked. Effective mitigation requires a defense-in-depth strategy across multiple layers of the agent’s input and memory pipeline.

Pre-processing

Developers can enable the default pre-processing prompt provided for every Bedrock Agent. This lightweight safeguard uses a foundation model to evaluate whether user input is safe to process. It can operate with its default behavior or be customized to include additional classification categories. Developers can also integrate AWS Lambda to implement tailored rules through a custom response parser. This flexibility enables defenses aligned to each application’s specific security posture.

Content Filtering

Inspect all untrusted content, especially data retrieved from external sources, for potential prompt injection. Solutions such as Amazon Bedrock Guardrails and Prisma AIRS are designed to effectively detect and block prompt attacks designed to manipulate LLM behavior. These tools can be used to enforce input validation policies, strip suspicious or forbidden content or reject malformed data before it is passed to the LLMs.

URL Filtering

Restrict the set of domains that the agent’s web-reading tools can access. URL filtering solutions like Advanced URL Filtering can validate links against known threat intelligence feeds and block access to malicious or suspicious domains. This prevents attacker-controlled payloads from reaching the LLM in the first place. Implementing allowlists (or deny-by-default policies) is especially important for tools that bridge between external content and internal memory systems.

Logging and Monitoring

AI agents can execute complex actions autonomously, without direct developer oversight. For this reason, comprehensive observability is critical.

Amazon Bedrock provides Model Invocation Logs, which record every prompt and response pair. In addition, the Trace feature offers fine-grained visibility into the agent’s reasoning steps, tool usage and memory interactions. Together, these tools support forensic analysis, anomaly detection and incident response.

Prisma AIRS is designed for real-time protection of AI applications, models, data and agents. It analyzes network traffic and application behavior to detect threats such as prompt injection, denial-of-service attacks and data exfiltration, with inline enforcement at the network and API levels.

AI Access Security is designed for visibility and control over usage of third-party GenAI tools, helping prevent sensitive data exposures, unsafe use of risky models and harmful outputs through policy enforcement and user activity monitoring. Together, Prisma AIRS and AI Access Security help secure the building of enterprise AI applications and external AI interactions.

Cortex Cloud is designed to provide automatic scanning and classification of AI assets, both commercial and self-managed models, to detect sensitive data and evaluate security posture. Context is determined by AI type, hosting cloud environment, risk status, posture and datasets.

A Unit 42 AI Security Assessment can help you proactively identify the threats most likely to target your AI environment.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Additional Resources

Bedrock Agents Session Summarization Prompt Template

 

Bedrock Agents Orchestration Prompt Template

References

The ClickFix Factory: First Exposure of IUAM ClickFix Generator

Posted on by Samantha Stallings

Executive Summary

Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs). The commoditization of this technique follows the trend of phishing-as-a-service, lowering the skill and effort required to conduct successful attacks.

We have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.

We have seen at least one campaign where attackers used pages generated by the IUAM ClickFix Generator to deploy the DeerStealer malware. Furthermore, our observation of several other pages with slight technical and visual differences points to a larger trend. This suggests adversaries are building a growing commercial ecosystem to monetize this technique through competing ClickFix-themed phishing kits.

Palo Alto Networks customers are better protected from this activity through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics ClickFix, Phishing

A Glimpse Behind the Curtain: The ClickFix Assembly Line

We identified a publicly exposed phishing kit generator hosted on an HTTP server at IP address 38.242.212[.]5, first observed on July 18, 2025. It remained active through early October.

The server hosts a web application on TCP port 3000, developed using the Express framework and styled with Tailwind CSS. The application serves an HTML page titled IUAM ClickFix Generator.

This tool allows threat actors to create highly customizable phishing pages that mimic the challenge-response behavior of a browser verification page commonly deployed by Content Delivery Networks (CDNs) and cloud security providers to defend against automated threats. The spoofed interface is designed to appear legitimate to victims, increasing the effectiveness of the lure.

An actor can configure every detail through a simple user interface (Figure 1), including:

  • Site and message configuration
    • Allows customization of the phishing page title (default: “Just a moment…”) and domain
    • Includes editable page message, widget text, footer notes and success or error prompts to lure or instruct victims
  • Clipboard configuration
    • Defines the content automatically copied to the victim’s clipboard upon clicking verification prompts, typically a malicious command for them to paste and execute
  • Mobile blocking and security popover
    • Detects mobile access and prompts victims to switch to desktop browsers and edit the core instructional component presented to them (security popover)
  • Advanced settings
    • Enables obfuscation techniques and automatic clipboard-copy JavaScript injection
    • Includes OS detection to tailor commands for Windows (Command Prompt or PowerShell) or macOS (Terminal)
Screenshots IUAM ClickFix generator, a "professional phishing page configuration tool." Detailed settings include checkbox selections, numeric values, and dropdown menus for customization and security features.
Figure 1. User interface for the IUAM ClickFix Generator phishing kit.

From the Factory to the Frontlines: Real-World Campaigns

Our analysis indicates that attackers have used the identified phishing kit (or closely related variants) to generate a range of ClickFix-themed phishing pages. These pages share a consistent visual theme spoofing the browser verification challenges commonly deployed by CDN and web security platforms. These pages also leverage tailored OS detection and command-copy mechanisms to socially engineer victims into manually executing malware payloads.

However, not all phishing pages identified share the same structure or behavior. While we confirmed at least one case where attackers delivered DeerStealer using a page this tool generated, we also saw several other phishing pages that differ slightly in technical implementation and visual design. These differences include:

  • Structural variations in the HTML/DOM layout
  • Modified or entirely different command copy mechanisms
  • Lack of specific JavaScript logic (e.g., OS detection, dynamic instructions)
  • Simplified or inconsistent spoofing of browser challenge pages

These discrepancies suggest there are multiple variants of the ClickFix kit, or there could be distinct phishing toolkits inspired by the same lure concept but built independently or derived from earlier versions.

Below are examples showcasing the range of ClickFix phishing pages we discovered, each demonstrating slightly different levels of sophistication, behavior and delivery mechanisms.

Campaign 1: The Windows-Only Attack (DeerStealer)

In one campaign, attackers configured the kit for a focused attack on Windows users. The threat actor included no OS detection logic in this setup. As a result, they didn’t configure the page to provide alternative commands or specific instructions for macOS or other non-Windows users.

When a victim interacts with the CAPTCHA element (Figure 2) by clicking a checkbox to determine whether they are human, this action triggers a background JavaScript to copy a malicious PowerShell command to their clipboard. Simultaneously, a popover appears, instructing them to open the Windows Run dialog (by pressing Win+R), paste the content from their clipboard and run the command. Once they follow these instructions, the command downloads and runs a multi-stage batch script that ultimately installs the DeerStealer infostealer.

Screenshot of a Cloudflare verification CAPTCHA prompt asking the user to press specific keys to confirm they are not a robot. Instructions and a CAPTCHA ID are visible.
Figure 2. Campaign 1 - ClickFix page delivering DeerStealer.

Figure 3 below shows the copied command we observed.

Screenshot of a command line script with a command to invoke a network request to a specified IP address and execute a batch file.
Figure 3. DOM structure showing the command copied to victim clipboard.

When executed, this command downloads a batch script cv.bat (SHA256: 2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b) to the victim's temporary directory and immediately runs it.

Analysis of the batch script reveals a multi-stage process designed to download and execute a malicious MSI file (SHA256: ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151) identified as the DeerStealer infostealer.

Campaign 2: Multi-Platform Attack (Odyssey Infostealer)

In another case we observed (Figure 4), the threat actor deployed three variations of the phishing page. These all ultimately lead to the delivery of Odyssey infostealer for macOS users and an as-yet unidentified malware strain for Windows users. Despite these variations, the core structure of the phishing page remained consistent.

Screenshot of a security verification page from speedtestcheck.org, displaying a message about unusual web traffic detected from the user's IP address. The page includes instructions on how to verify human identity by entering commands into a computer terminal, and features a "I am not a robot" checkbox and a "Copy" button for copying the command text.
Figure 4. Campaign 2 - ClickFix page delivering Odyssey for macOS.

Each version of the phishing page detects the victim’s operating system via JavaScript, specifically by parsing the browser’s navigator.userAgent string, and delivers a payload accordingly.

While the visible text (Figure 4) suggests a harmless string, clicking the Copy button executes JavaScript that places a malicious command into the clipboard, not the one visually displayed.

The specific commands and targets vary between different versions of this phishing page.

Variation 1: Multi-platform Windows and macOS Payload

In multi-platform variants, attackers serve Windows users a malicious PowerShell command designed to download and execute an unidentified malware strain. They serve macOS users a Base64-encoded command to deliver Odyssey (Figure 5).

Screenshot of a computer code snippet in a text editor displaying conditional statements in JavaScript that handle copy commands based on the user's operating system, including Mac, Windows, and an unknown OS. The code includes comments and command lines for each condition.
Figure 5. DOM structure showing a multi-platform example.

Examples of domains that hosted this variant include:

  • tradingview.connect-app[.]us[.]com
  • treadingveew.dekstop-apps[.]com
  • treadingveew.last-desk[.]org

Variation 2: macOS-Targeted Variant with Windows Decoy and Fallback Handling

In other variants that appear to be macOS-focused, macOS users receive a Base64-encoded command to deliver Odyssey. Windows users receive a PowerShell command as a benign decoy intended to complete the social engineering lure without delivering a payload. These PowerShell commands sometimes use domains with Cyrillic characters that visually mimic Latin ones to appear legitimate (Figure 6 and 7).

And for people using unknown operating systems (i.e., when OS detection fails), the phishing page displays a benign-looking command that also results in no malicious activity (Figure 6 and 7).

Screenshot of a code snippet involving variables and different commands related to CloudFlare.
Figure 6. DOM structure of the phishing page showing OS conditioned commands.
Screenshot of a code snippet featuring JavaScript commands used for terminal commands, to handle different operating systems, and a variable currentThemeIsDark focused on Windows OS.
Figure 7. DOM structure of the phishing page showing OS conditioned commands.

Examples of domains that hosted this variant include:

  • claudflurer[.]com
  • teamsonsoft[.]com

Variation 3: macOS Exclusive Delivering Odyssey Only

Another variant appears to be exclusively macOS-focused, providing only a single Base64-encoded command that downloads and executes Odyssey, with no configurations for other operating systems (Figure 8).

Screenshot of a code snippet featuring JavaScript commands used for terminal commands.
Figure 8. macOS-focused example with no OS specification.

This command downloads and executes a macOS Odyssey infostealer. It also uses nohup bash, which starts a new Bash shell in the background that ignores hang ups (HUP signals), so it keeps running even if the terminal is closed.

Examples of domains or IP addresses that hosted this variant include:

  • emailreddit[.]com
  • hxxps[:]//188.92.28[.]186
  • cloudlare-lndex[.]com
  • tradingviewen[.]com

Shared Origins and Developer Artifacts

Despite differences in targeting logic and payload delivery URLs, all analyzed phishing pages in Campaign 2 share an identical underlying structure, including a consistent HTML layout and JavaScript function naming.

Furthermore, while the specific command-and-control (C2) server address varied between the pages, Our analysis confirmed that, although the specific command-and-control (C2) server address varied between pages, all were Odyssey C2 servers.

This consistency in both the page structure and C2 infrastructure strongly suggests that these variants are part of the same activity cluster and likely originate from a shared codebase or builder tool.

Odyssey is a malware-as-a-service (MaaS) offering operated by a cybercrime actor active on dark web forums such as Exploit and XSS, known to collaborate with other actors and affiliates. As such, it is plausible that these phishing page variations reflect customized deployments of a base toolkit distributed by the malware operator or their affiliates.

According to posts published by the actor who advertises and operates the Odyssey MaaS, the actor has allegedly supplied ClickFix-style lure pages to affiliates upon request. This further supports the theory that these variants originate from a common generator tool but are tailored per affiliate, campaign or individual preferences.

Additionally, some pages contained leftover developer comments written in Russian (Figure 9 and 10).

A screenshot of computer code including a JavaScript function named notifyClick, which sends a click notification using the fetch API to 'stats.php'. The code includes a comment in Cyrillic characters that translates to 'Function for sending a click notification'.
Figure 9. Russian leftover developer comment.

English translation of this Russian comment in Figure 9: Add a call to stats.php when the page loads.

Screenshot of a comment in Cyrillic characters as part of a code snippet in a script tag that adds a 'stats.php' fetch call when a web page loads.
Figure 10. Russian leftover developer comment.

English translation of the Russian comment in Figure 10: Function for sending click notification.

Ultimately, the structural consistency across all samples strongly indicates they were generated from a single, configurable phishing kit, with every malicious variant designed to deliver the Odyssey infostealer malware.

Conclusion

The discovery of the IUAM ClickFix Generator provides a rare glimpse into the tooling that lowers the barrier to entry for cybercriminals, enabling them to launch sophisticated, multi-platform attacks without deep technical expertise. The ClickFix technique's effectiveness relies on exploiting a user's instinct to follow onscreen instructions from what appears to be a trusted security provider.

This threat underscores the importance of user awareness and vigilance. Individuals and organizations should be cautious of any website that instructs them to manually copy and execute commands to prove they are human. This simple but deceptive social engineering tactic is a growing threat that turns a person’s actions into the primary infection vector.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
  • Cortex XDR and XSIAM are designed to prevent the malware samples described in this post by employing the Malware Prevention Engine. This approach combines several layers of protection, including Advanced WildFire, Behavioral Threat Protection and the Local Analysis module, to prevent both known and unknown malware from causing harm to endpoints. The mitigation methods implement malware protection based on different operating systems: Windows, macOS and Linux.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Table 1 lists SHA256 hashes for 18 Odyssey malware samples and eight DeerStealer samples associated with the ClickFix activity from this threat research article.

SHA256 Hash Malware
397ee604eb5e20905605c9418838aadccbbbfe6a15fc9146442333cfc1516273 Odyssey
7a8250904e6f079e1a952b87e55dc87e467cc560a2694a142f2d6547ac40d5e1 Odyssey
7765e5e0a7622ff69bd2cee0a75f2aae05643179b4dd333d0e75f98a42894065 Odyssey
d81cc9380673cb36a30f2a84ef155b0cbc7958daa6870096e455044fba5f9ee8 Odyssey
9c5920fa25239c0f116ce7818949ddce5fd2f31531786371541ccb4886c5aeb2 Odyssey
9090385242509a344efd734710e60a8f73719130176c726e58d32687b22067c8 Odyssey
8ed8880f40a114f58425e0a806b7d35d96aa18b2be83dede63eff0644fd7937d Odyssey
7881a60ee0ad02130f447822d89e09352b084f596ec43ead78b51e331175450f Odyssey
d375bb10adfd1057469682887ed0bc24b7414b7cec361031e0f8016049a143f9 Odyssey
039f82e92c592f8c39b9314eac1b2d4475209a240a7ad052b730f9ba0849a54a Odyssey
82b73222629ce27531f57bae6800831a169dff71849e1d7e790d9bd9eb6e9ee7 Odyssey
d110059f5534360e58ff5f420851eb527c556badb8e5db87ddf52a42c1f1fe76 Odyssey
816bf9ef902251e7de73d57c4bf19a4de00311414a3e317472074ef05ab3d565 Odyssey
72633ddb45bfff1abeba3fc215077ba010ae233f8d0ceff88f7ac29c1c594ada Odyssey
cd78a77d40682311fd30d74462fb3e614cbc4ea79c3c0894ba856a01557fd7c0 Odyssey
00c953a678c1aa115dbe344af18c2704e23b11e6c6968c46127dd3433ea73bf2 Odyssey
fe8b1b5b0ca9e7a95b33d3fcced833c1852c5a16662f71ddea41a97181532b14 Odyssey
966108cf5f3e503672d90bca3df609f603bb023f1c51c14d06cc99d2ce40790c Odyssey
029a5405bbb6e065c8422ecc0dea42bb2689781d03ef524d9374365ebb0542f9 DeerStealer
081921671d15071723cfe979633a759a36d1d15411f0a6172719b521458a987d DeerStealer
2b74674587a65cfc9c2c47865ca8128b4f7e47142bd4f53ed6f3cb5cf37f7a6b DeerStealer
6e4119fe4c8cf837dac27e2948ce74dc7af3b9d4e1e4b28d22c4cf039e18b993 DeerStealer
ba5305e944d84874bde603bf38008675503244dc09071d19c8c22ded9d4f6db4 DeerStealer
f2a068164ed7b173f17abe52ad95c53bccf3bb9966d75027d1e8960f7e0d43ac DeerStealer
3aee8ad1a30d09d7e40748fa36cd9f9429e698c28e2a1c3bcf88a062155eee8c DeerStealer
ead6b1f0add059261ac56e9453131184bc0ae2869f983b6a41a1abb167edf151 DeerStealer

Table 1. Malware samples associated with the ClickFix campaigns from this article.

Table 2 lists the IPv4 addresses for C2 servers used by Odyssey malware samples from this article.

IP Address First Seen Last Seen Malware
45.146.130[.]129 2025-07-22 2025-07-28 Odyssey
45.135.232[.]33 2025-06-15 2025-07-18 Odyssey
83.222.190[.]214 2025-05-23 2025-08-10 Odyssey
194.26.29[.]217 2025-06-22 2025-06-24 Odyssey
88.214.50[.]3 2025-04-14 2025-05-16 Odyssey
45.146.130[.]132 2025-07-01 2025-07-28 Odyssey
45.146.130[.]131 2025-07-03 2025-07-28 Odyssey
185.93.89[.]62 2025-07-29 2025-09-18 Odyssey

Table 2. IPv4 addresses for C2 servers.

Table 3 lists the fully qualified domain names (FQDNs) associated with the malware discussed in this article.

Domain Associated Malware
Odyssey1[.]to Odyssey
Odyssey-st[.]com Odyssey
sdojifsfiudgigfiv[.]to Odyssey
Charge0x[.]at Odyssey
speedtestcheck[.]org Odyssey
claudflurer[.]com Odyssey
teamsonsoft[.]com Odyssey
Macosapp-apple[.]com Odyssey
tradingview.connect-app.us[.]com Odyssey
treadingveew.last-desk[.]org Odyssey
tradingviewen[.]com Odyssey
financementure[.]com Odyssey
Cryptoinfnews[.]com Odyssey
Emailreddit[.]com Odyssey
Macosxappstore[.]com Odyssey
Cryptoinfo-news[.]com Odyssey
Cryptoinfo-allnews[.]com Odyssey
apposx[.]com Odyssey
ttxttx[.]com Odyssey
Greenpropertycert[.]com Odyssey
cloudlare-lndex[.]com Odyssey
Dactarhome[.]com Odyssey
ibs-express[.]com Odyssey
favorite-hotels[.]com DeerStealer
watchlist-verizon[.]com DeerStealer
Growsearch[.]in DeerStealer
Creatorssky[.]com DeerStealer
quirkyrealty[.]com DeerStealer
Sharanilodge[.]com DeerStealer
asmicareer[.]com DeerStealer
crm.jskymedia[.]com DeerStealer
coffeyelectric[.]com DeerStealer
Sifld.rajeshmhegde[.]com DeerStealer
Pixelline[.]in DeerStealer
techinnovhub[.]co[.]za DeerStealer
fudgeshop[.]com[.]au DeerStealer
evodigital[.]com[.]au DeerStealer
365-drive[.]com DeerStealer

Table 3. FQDNs associated with the malware discussed in this article.

Note: In some cases, the ClickFix-style phishing page is not hosted on a domain the threat actor registered, but instead injected into a legitimate website that they’ve compromised. The actor adds a malicious JavaScript snippet that performs several DOM manipulations, including injecting the ClickFix phishing lure. They style this using Tailwind CSS, which overrides the site’s original layout and appearance to fully render the phishing content in place of the legitimate one.

Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 Global Incident Response Report

Posted on by Unit 42

Cloud incidents like ransomware attacks and account compromise can bring operations to a halt and create a situation in which costs, reputation and customer trust are at stake.

What happens when your cloud environment falls under attack? How do you mitigate organizational impact step by step?

Unit 42 helps cybersecurity pros understand how cloud investigations differ from traditional incidents, and what matters most when time is critical.

Scope and Mindset for Cloud Investigations

According to the Unit 42 2025 Global Incident Response Report, 29% of incident investigations conducted in 2024 involved cloud or SaaS environments. One in five incidents involved threat actors adversely impacting cloud environments and assets. With entire business models relying on cloud-native architecture, it is vital to protect cloud surfaces.

Traditional incident investigations focus heavily on endpoints and network activity, so cloud investigations require a mindset shift. When cloud environments are breached, investigations primarily focus on investigating identities, misconfigurations and service interactions.

Unit 42 Cloud Incident Response begins each investigation by asking several questions:

  • What is the overall impact?
  • What logs do we have or lack?
  • Are identity/service misuse, automated actions or API exploitation contributing factors?

We’ll now go through the process, step by step.

Step 1: Triage and Scoping

Cloud investigations begin with triage and scoping. Investigators will do two things:

  • Establish a timeline.
     When did the abnormal activity begin? How was it detected? Is it ongoing?
  • Determine what cloud assets are involved.
    Does the incident involve virtual machines? What about identity and access management (IAM), cloud storage, containers, etc.?

Log gaps can be a major challenge due to misconfigurations or retention issues. Incident responders often uncover these problems during an engagement, which can be too late and obfuscate threat actor activity.

Tip: Before any incidents occur, ensure you’ll have the data to investigate breaches properly:

  1. Enable logging within the CSP and retain the data for a minimum of 90 days.
  2. Enable additional logs specifically for tracking activity against your most sensitive resources.
  3. Ensure these logs are properly stored and encrypted to prevent any data loss if they are accessed by unauthorized parties.
  4. Centralize logs and apply machine learning and AI to correlate alerts.

Step 2: Evidence Collection

Once the incident has been triaged, evidence collection begins for investigators:

  • Collect audit logs, resource-specific logs and snapshots.
    • These can provide details on what resources the attacker can access.
  • Work with teams to capture volatile artifacts before they disappear.
    • Cloud environments are fast-moving and ephemeral, so anything that could assist the investigation needs to specifically be saved.
  • Image cloud virtual machines (VMs) or containers.
    • These images involve taking snapshots of virtual machines and their attached volumes.

This evidence enables understanding the attack and speedy remediation.

“In one investigation, the organization successfully mitigated an attack, only to be compromised again a short time later. Our investigators discovered that threat actors had automated exploitation of a vulnerability within a service used within the organization’s cloud-based products. By combining this with using anti-forensic techniques to hide activity, the threat actor was able to regain access to the organization and its clients even after internal teams appeared to have successfully removed them.”

2025 Unit 42 Global Incident Response Report, page 12

Step 3: Identity and Role Forensics

The majority of cloud breaches begin with compromised and overpermissioned identities. Bad actors gaining access to one admin-level account could wipe out business data or infrastructure. They could even provide themselves more SSH certificates or keys to enable attack persistence.

Attackers often use legitimate credentials. Behavioral baselining and anomaly detection via user and entity behavior analytics (UEBA) or Cortex XSIAM® is key.

During this step, the Unit 42 team will investigate:

  • IAM configurations
  • Assume-role patterns
  • Federated login logs
  • Privilege escalation attempts

One red flag investigators search for is excessive or unexpected identity hopping. Tracing how permissions are passed between identities, services or accounts is challenging but important.

Step 4: Uncovering Lateral Movement and Persistence

Cloud environments are often interconnected with the same set of credentials, depending on the architecture. Once inside, cloud-native lateral movement might involve attackers moving across regions, services or identities. Resource sprawl, the third-party ecosystem, as well as other factors can make these advancements difficult to detect.

Living-off-the-land (LotL) and modify-the-land (MtL) techniques also help them evade detection, because they abuse existing resources rather than import new, malicious ones (like malware).

To detect these attacks, teams must detect anomalies, not just signatures. That requires establishing a baseline of behavior. Once a baseline is achieved, you can flag unusual API calls, new role assumptions or atypical access patterns that are beyond failed logins.

Step 5: Containment, Eradication and Recovery

This step of a cloud incident investigation can be broken down into three parts:

Containment of Compromised Assets

Containment needs to be fast and surgical to avoid alerting the attacker or impacting production/operations. Investigators will revoke credentials, restrict IAM permissions and quarantine virtual machines, preferably all at once.

Eradication of Attacker Persistence

All possible sources of attacker persistence identified above need to be blocked. Eradication includes identifying persistence mechanisms, validating configuration changes and revoking tokens or rotating credentials.

Recovery of Business Operations

Recovery involves validating the integrity of cloud services, along with patching and monitoring exploited attack vectors.

For faster incident containment and recovery, Unit 42 has several recommendations:

  • Enable and centralize logs.
  • Define various cloud IR playbooks.
  • Prepare cloud sandboxes for forensics.

Learn from Past Experiences to Secure Future Environments

Ensure the tools to gather images and logs are set up along with your cloud environment, so you always have the evidence needed to investigate the cause of a breach. Understand the roles and identities involved, look for signs of attacker persistence and then contain and eradicate the intrusion. Once the attack is stopped, your security experts should analyze the data to identify the attack vector and close it.

Institutionalize lessons learned from previous incidents. As cloud adoption increases so will cloud-native attacks. Unit 42 can help you take a proactive stance against cloud attacks. Our approach identifies root causes and uses lessons learned, so clients increase their resiliency.

  • Gain visibility: Get a complete picture of where your organization stands with our Unit 42 Cloud Security Assessment, which includes an analysis of cloud threat trends and adversaries related to your business and technology.
  • Adopt zero trust: Taking incremental steps toward zero trust is pivotal to shrinking your cloud’s attack surface. Our Unit 42 Zero Trust Advisory helps you see where you stand today and helps you adopt a modern cybersecurity approach that eliminates implicit trust.
  • Get elite backup: With a Unit 42 Retainer, our experts become an extension of your team. We’ll be on speed dial in case of an incident, and we’ll help you achieve a proactive stance against tomorrow’s threats.

Ready to fortify your cloud defenses? Read the 2025 Global Incident Response Report for key insights from 500+ Unit 42 IR cases last year to help you better navigate the changing threat landscape.

Key Takeaways:

  1. Cloud incidents are increasing and require a shift in investigation mindset: Cloud and SaaS environments are increasingly targeted in incident investigations (29% in 2024), necessitating a focus on identities, misconfigurations and service interactions rather than traditional endpoints and network activity.
  2. Proactive logging and evidence collection are crucial: To effectively respond to cloud incidents, organizations must enable and centralize logs, retain data for a minimum of 90 days, and collect volatile artifacts and virtual machine images promptly. Log gaps due to misconfigurations or retention issues can significantly hinder investigations.
  3. Identity and lateral movement are key areas of focus for attackers: The majority of cloud breaches begin with compromised identities. Attackers often use legitimate credentials and employ "living-off-the-land" and "modify-the-land" techniques to move laterally and maintain persistence. Detecting these attacks requires behavioral baselining and anomaly detection.

TOTOLINK X6000R: Three New Vulnerabilities Uncovered

Posted on by Zhibin Zhang

Executive Summary

We have uncovered three vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207, released on March 28, 2025:

CVE Rating Score Description
CVE-2025-52905 High CVSS-B 7.0 An argument injection flaw that attackers can use to trigger a denial of service (DoS), crashing the router or overwhelming remote servers.
CVE-2025-52906 Critical CVSS-B 9.3 An unauthenticated command injection vulnerability that allows attackers to remotely execute arbitrary commands on the device.
CVE-2025-52907 High CVSS-B 7.3 A security bypass that attackers can exploit to corrupt system files, cause a persistent denial-of-service, or achieve arbitrary file writes. Chaining attacks could lead to remote code execution (RCE).

TOTOLINK is a manufacturer of networking products, including routers and other Internet of Things (IoT) devices used by consumers worldwide. The widespread adoption of these products makes their security a critical area of focus.

We worked with TOTOLINK to address this issue, and they have released an updated firmware version to resolve it. Users are advised to install the latest firmware to secure their devices.

This article provides a detailed technical analysis of these vulnerabilities. We will analyze the root cause and demonstrate the impacts.

Palo Alto Networks customers are better protected from the threats described through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics IoT Vulnerability

Vulnerability Analysis

The TOTOLINK X6000R router's web interface relies heavily on the /cgi-bin/cstecgi.cgi endpoint for its core functionality. This endpoint acts as a central processing hub, receiving user requests and determining the appropriate action to take. When the web interface sends a request to cstecgi.cgi, it includes a topicurl parameter. The HTTP server within the router uses the value of topicurl to determine which internal function to call, effectively making it a routing mechanism for controlling the router's configuration and operations.

We discovered multiple vulnerabilities within the functions handled by this /cgi-bin/cstecgi.cgi endpoint, potentially allowing unauthenticated attackers to exploit the router's web interface. We will now proceed with a technical deep-dive into each vulnerability, starting with an argument injection vulnerability.

CVE-2025-52905: Argument Injection

Firmware version V9.4.0cu.1360_B20241207 includes an input sanitization function designed to prevent command injection, shown in Figure 1.

Screenshot of computer code in an IDE, featuring functions for string searching within given parameters.
Figure 1. Input validation function for user input.

This function's blocklist fails to filter the hyphen character (-), creating a High argument injection vulnerability across multiple components.

CVE-2025-52906: Unauthenticated Command Injection

The setEasyMeshAgentCfg function, responsible for configuring EasyMesh agent settings, is vulnerable to unauthenticated command injection. This vulnerability arises because the function fails to properly validate and sanitize the user-supplied input for the agentName parameter. As a result, an attacker can inject arbitrary commands that the router will execute with the privileges of the web server process.

This vulnerability does not require authentication, meaning any attacker who can reach the router's web interface can exploit it.

This type of vulnerability represents a failure of input validation. Gaining root access allows an attacker to:

  • Intercept traffic
  • Pivot to other devices on the network
  • Install persistent malware

CVE-2025-52907: Security Bypass

As established in the previous section, the firmware's sanitization function is implemented across multiple components but relies on an incomplete character blocklist. This allows an unauthenticated attacker to bypass the check and achieve arbitrary file manipulation.

This same vulnerability extends to other components, including the setWizardCfg function (Figure 2).

Screenshot of computer code featuring function calls and comments relating to user input, DHCP configuration, and a sanity check. Red boxes highlight theses three functions.
Figure 2. Vulnerable setWizardCfg processing analysis.

This vulnerability allows for an arbitrary file write by bypassing the same user-input confidence check, enabling an unauthenticated attacker to escalate their attack. This includes creating or modifying critical system files such as /etc/passwd to add new users, or altering boot scripts to achieve persistent RCE.

Conclusion and Recommendations

Home routers are the digital front door to the internet for millions of users. They serve as a key defense for personal data, smart home devices and corporate assets accessed via remote work.

Unauthenticated attackers could exploit these vulnerabilities to disrupt network services, gain unauthorized access to devices and potentially execute arbitrary code. Timely firmware updates are crucial for mitigating these risks. These vulnerabilities underscore the importance of robust security practices in IoT devices and the shared responsibility of vendors, security researchers and users in maintaining a secure digital ecosystem.

To protect against these threats, users should immediately upgrade their TOTOLINK X6000R router to the latest available firmware (V9.4.0cu.1498_B20250826).

For customers of Palo Alto Networks, our products deliver proactive protection against these vulnerabilities through the following services:

  • Next-Generation Firewall with a Threat Prevention or Advanced Threat Prevention security subscription can help block attacks with best practices via Threat Prevention signature 95097 and 96495.
  • The Palo Alto Networks Device Security security platform can leverage network traffic information to identify the vendor, model and firmware version of a device and identify specific devices that are affected by known vulnerabilities, and enforce risk-adaptive policies on these devices.
  • Cortex Xpanse and the ASM add-on for XSIAM allow for detection of internet exposed TOTOLINK router devices which may be inadvertently accessible.

Disclosure Timeline

  • June 13, 2025: The vulnerabilities were reported to TOTOLINK by Palo Alto Networks.
  • June 19, 2025: TOTOLINK provided a fixed firmware build (V9.4.0cu.1454_B20250619) for Palo Alto Networks to verify.
  • June 20, 2025: Palo Alto Networks initiated the process to assign CVEs to the vulnerabilities.
  • June 25, 2025: TOTOLINK made the updated firmware publicly available.
  • Sept. 23, 2025: The CVEs are published on the Palo Alto Networks GitHub.

Additional Resources

Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Posted on by Samantha Stallings

Executive Summary

Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia.

Our observations show that Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies, geopolitical events and military operations. The group’s primary objective is espionage. Its attacks demonstrate stealth, persistence and an ability to quickly adapt their tactics, techniques and procedures (TTPs).

What sets Phantom Taurus apart from other actors in the Chinese advanced persistent threat (APT) nexus is its distinctive set of TTPs. These enable the group to conduct highly covert operations and maintain long-term access to critical targets. This article sheds more light on the threat actor’s recently observed TTPs and reveals a previously undocumented custom tool in Phantom Taurus’ arsenal called NET-STAR.

We published our first article about this activity cluster (originally tracked as CL-STA-0043) in June 2023. In May 2024, we promoted the classification of this cluster to a temporary group, which we designated TGR-STA-0043 and nicknamed Operation Diplomatic Specter. Our ongoing investigations into this group deepened our understanding of the threat actor’s operations and enabled us to determine its connection to the Chinese nexus. This rare level of insight reflects the depth and duration of our investigation.

After sustained observation and intelligence collection over the past year, we have accumulated sufficient evidence to classify the temporary group as a new threat actor. Our attribution and cluster maturation process is based on Unit 42’s attribution framework. Figure 1 shows the process of promoting Phantom Taurus from a cluster of activity to a formally named threat actor.

Figure 1 shows the process of promoting Phantom Taurus from a cluster of activity to a formally named threat actor.

Timeline from 2022 to 2025 showing the evolution of a cybersecurity threat group. Starts with "CLA-STA-0043 Activity Cluster" in 2022, progresses to "TGR-STA-0043 Temporary Group Name" in 2024, and becomes "Phantom Taurus, New Formally-Named Threat Actor" by 2025. Includes logos of Palo Alto Networks and Unit 42.
Figure 1. The maturation process of Phantom Taurus.

Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics Threat Actor Groups, TGR-STA-0043, CL-STA-0043

Phantom Taurus: The Evolution of a Threat Actor

Phantom Taurus is a Chinese APT group that conducts long-term intelligence collection operations against high-value targets to obtain sensitive, non-public information.

The group primarily targets government entities and government service providers across the Middle East, Africa and Asia. The targeting patterns align consistently with the People's Republic of China (PRC) economic and geopolitical interests. We observed that the group takes an interest in diplomatic communications, defense-related intelligence and the operations of critical governmental ministries. The timing and scope of the group’s operations frequently coincide with major global events and regional security affairs.

Our technical analysis reveals that the group employs a unique set of custom-developed tools and implements techniques that are rarely observed in the threat landscape. The list of TTPs is provided in Appendix A.

This group's distinctive modus operandi, combined with its advanced operational practices, sets Phantom Taurus apart from other Chinese APT groups. The designation of this group as a distinct Chinese APT is supported by multiple attribution factors, as illustrated in the Diamond Model of attribution [PDF] shown in Figure 2.

Diamond model framework for Phantom Taurus. Sections include Capabilities including various malware and tools like Ghost RAT and Yama. Infrastructure similarities to other groups, and Victimology including entities in the Middle East, Africa, and Asia.
Figure 2. Diamond Model representation of Phantom Taurus.

Diamond Model Attribution Breakdown

We established the attribution of Phantom Taurus through a comprehensive analysis of the following Diamond Model elements:

  • Infrastructure: Phantom Taurus uses a shared Chinese APT operational infrastructure that has been exclusively used by Chinese threat actors, including Iron Taurus (aka APT27), Starchy Taurus (aka Winnti) and Stately Taurus (aka Mustang Panda). However, the specific infrastructure components used by Phantom Taurus have not been observed in operations by other threat actors, indicating operational compartmentalization within this shared ecosystem.
  • Victimology: The group consistently targets high-value organizations that have access to sensitive non-public information. Over the past several years, we have observed Phantom Taurus targeting government and telecommunications sector organizations, particularly those that provide services and infrastructure. This group focuses its operations on the Middle East, Africa and Asia, reflecting intelligence collection priorities that align with Chinese strategic interests.
  • Capabilities: Phantom Taurus employs a set of TTPs that differentiate it from other threat actors. Several of these techniques have not been observed in operations by other groups, while others are sufficiently rare that only a handful of actors have been observed using similar methods. In addition to common tools such as China Chopper, the Potato suite and Impacket, the group uses customized tools, including the Specter malware family, Ntospy and the NET-STAR malware suite described later in this article.

By using the Diamond Model of attribution with the three nodes shown in Figure 2, we mapped the group’s similarities and overlaps with other threat actors. As we tracked the activity for an extended period, it became clear that the activities that we observed were carried out by a new threat actor.

Charting the Course From Email to Databases: Phantom Taurus’ New Data Collection Methods

Our continuous monitoring of Phantom Taurus activities has revealed a tactical evolution that we first observed in early 2025. Since 2023, Phantom Taurus has focused on stealing sensitive and specific emails of interest from email servers, as we described in a previous article. However, our telemetry indicates a shift from this email-centric methodology to the direct targeting of databases.

We observed Phantom Taurus using a script named mssq.bat to connect to and collect data from a targeted database.

The mssq.bat script operates in the following manner:

  • Connects to an SQL Server database with a given server name, a user ID named sa (system administrator) and a password that the attackers previously obtained
  • Reads the SQL query provided in the command-line arguments by the group’s operators. This allows dynamic searching for tables and specific keywords
  • Executes the provided query and returns the results that match the user’s search
  • Exports results to a CSV file
  • Closes the database connection

The threat actor leveraged Windows Management Instrumentation (WMI) to execute the mssq.bat script on the remote SQL Server. Figure 3 shows that the command contains both the embedded script and the execution instructions.

Screenshot of diagram in Cortex XDR. There are three circular interface icons depicting network connections below the error messages. Some of the text is highlighting to show the BAT file execution.
Figure 3. Execution of mssq.bat as shown in Cortex XDR.

The threat actor used this method to search for documents of interest and information related to specific countries such as Afghanistan and Pakistan.

The New NET-STAR Malware Suite

In addition to Phantom Taurus’ shift to collecting data from databases, we observed the group using a new and undocumented malware suite in its recent operations. This new tool is a .NET malware suite designed to target Internet Information Services (IIS) web servers. We named the suite NET-STAR, based on the use of the string in the malware’s program database (PDB) paths:

  • C:\Users\Administrator\Desktop\tmp\NETstarshard\ServerCore\obj\Release\ServerCore.pdb
  • C:\Users\admin\Desktop\starshard\NETstarshard\ExecuteAssembly\obj\Debug\ExecuteAssembly.pdb

The STAR string also appears as a delimiter in Base64-encoded data. The NET-STAR malware suite demonstrates Phantom Taurus’ advanced evasion techniques and a deep understanding of .NET architecture, representing a significant threat to internet-facing servers. The suite consists of three distinct web-based backdoors, each serving a specific role in the attack chain while maintaining persistence within the target’s IIS environment:

  • IIServerCore: A fileless modular backdoor that supports in-memory execution of command-line arguments, arbitrary commands and payloads
  • AssemblyExecuter V1: Loads and executes additional .NET payloads in memory
  • AssemblyExecuter V2: An enhanced version of AssemblyExecuter V1 that is also equipped with Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) bypass capabilities

IIServerCore: A Modular Fileless IIS Backdoor

IIServerCore is the main web-based backdoor component in the NET-STAR malware suite. After being loaded by the web shell loader component, the backdoor operates entirely in memory within the w3wp.exe IIS worker process.

The IIServerCore backdoor has a unique modular, fileless execution flow that allows it to:

  • Receive additional payloads and arguments
  • Execute them in memory
  • Send the results in an encrypted command and control (C2) communication channel

Figure 4 shows the execution flow.

Illustration of a web-based process. 1. Web shell receives HTTP request. 2. Web shell loads ServerRun class into memory. 3. ServerRun establishes encrypted session. 4. ServerRun loads third-stage payload based on commands. 5. ServerRun executes operations and returns encrypted results. 6. All artifacts remain in memory only.
Figure 4. IIServerCore execution flow.

IIServerCore Under the Hood: From Web Shell Loader to Fileless Malware

The initial component of IIServerCore is an ASPX web shell named OutlookEN.aspx. This web shell contains an embedded Base64-compressed binary, the IIServerCore backdoor. When the web shell executes, it loads the backdoor into the memory of the w3wp.exe process and invokes the Run method, which is the main function of IIServerCore. Figure 5 shows the web shell.

Screenshot of a computer code in an IDE with certain lines highlighted in red, specifically focusing on system reflection methods and assembly loading. The text is set on a dark background. Syntax highlighting is applied.
Figure 5. Web shell content of OutlookEN.aspx.

In an attempt to evade detection efforts, the threat actor timestomped the ASPX file to match the timestamp of another old ASPX file found on the operating system. The threat actor timestomped not only the web shell, but also the backdoors in the NET-STAR malware suite. The actor changed the compilation time to a random future date to hide the malware’s real compilation timestamp.

IIServerCore also supports a command called changeLastModified. This suggests that the malware has active timestomping capabilities, designed to confuse security analysts and digital forensics tools.

Breaking Down IIServerCore Method by Method

The IIServerCore backdoor consists of a class called ServerRun and 11 methods. This includes a main method named Run as well as several others that provide additional capabilities. The methods and their descriptions are listed in Appendix B.

The main method, Run, receives the incoming communication and handles all malware operations. This method processes two types of requests:

  • Initial handshake requests to establish a session with the C2 server
  • Subsequent command execution requests to load and execute .NET assemblies dynamically

Figure 6 shows the Run method.

Image of a computer screen displaying software code, featuring functions for extracting session data and parsing STAR-delimited parameters along with a list of built-in commands in the editor. Annotated arrows and text highlight specific sections of the code.
Figure 6. Screenshot of IIServerCore main method Run.

The Run method manages the session state using cookies. This behavior allows the method to track and maintain information about a user’s session across multiple web requests. It decrypts incoming commands and payloads, loads .NET code from Base64-encoded assemblies and supports data encryption.

The backdoor supports various built-in commands that provide a wide range of functionalities, including:

  • File system operations
  • Database access, including running SQL commands
  • Arbitrary code execution
  • Web shell management to deploy and manage multiple web shells
  • Antivirus evasion: AMSI bypass functionality
  • Encrypted C2 communication, where all communications are AES encrypted
  • Memory-only execution: payloads are loaded directly into memory

The full list of commands is provided in Appendix C.

Two New Variants of .NET Malware Loaders

The second component in the NET-STAR suite is another .NET IIS malware that we named AssemblyExecuter. During our investigation, we observed two versions of AssemblyExecuter:

  • An older version (v1) that we believe the threat actors initially used around 2024
  • A newer version (v2) that we believe they used in 2025

AssemblyExecuter V1

The first AssemblyExecuter version is a .NET assembly designed for a single, specific purpose of executing other .NET assemblies directly in memory without writing them to disk.

This component enables threat actors to dynamically load and execute additional functionality after a compromise. The backdoor accepts assembly bytecode as input parameters, loads it using the .NET Assembly.Load() method and invokes the assembly’s entry point along with specified command-line arguments.

The component’s seemingly benign code structure results in minimal flagging by antivirus engines on VirusTotal, at the time of writing this article. This demonstrates a technique that threat actors can use to create tools that avoid overt code, which detection systems might interpret as malicious.

AssemblyExecuter V2

The second AssemblyExecuter version maintains the same core purpose as its predecessor, executing arbitrary .NET assemblies directly in memory. This version has enhanced evasion capabilities to operate in more heavily monitored environments.

While the fundamental assembly loading and execution logic remain unchanged, AssemblyExecuter v2 includes dedicated methods for bypassing two critical Windows security mechanisms, AMSI and ETW. The malware dynamically determines which bypass techniques to apply based on input parameters, allowing attackers to selectively disable security controls, depending on the target environment’s configuration.

Figure 7 displays the input parameters that the attackers used to achieve bypass.

Screenshot of a computer code snippet in that involves string manipulation and error handling. A portion is highlighted in a yellow box.
Figure 7. Security bypass code inside AssemblyExecuter V2.

Conclusion

This article details the maturation of activity cluster CL-STA-0043 to a formally designated threat actor, Phantom Taurus. We also provide a detailed technical analysis of NET-STAR, a previously undiscovered malware suite that represents a significant evolution in this actor's operational capabilities.

The extensive evidence that we gathered provides crucial insights into adversary persistence, adaptability, evolution process and strategic intent that short-term analysis cannot always capture.

The formal designation of Phantom Taurus demonstrates the value of sustained threat actor tracking. Our multi-year investigation exemplifies how long-term monitoring enables a comprehensive understanding of threat actor evolution and operational capabilities.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
  • Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.
  • Cortex XDR and XSIAM.
    • The XDR agent is designed to protect against the initial NET-STAR malware loader, preventing the execution of the attack chain outlined in this article.
    • Figure 8 shows that the execution of the loader component was detected and prevented by the web shell protection module.
Image displaying a security alert log in Cortex XDR with columns labeled: Severity, which shows 'High' with a red indicator; Alert Source, labeled as 'XDR Agent'; Action, indicating 'Prevented (Blocked)'; Alert Name; Description, described as 'Web shell execution'; and Initiated by, marked as an EXE file.
Figure 8. Prevention alert for execution of web shell loader component.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 000 800 050 45107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

SHA256 hash for IIServerCore

  • (ServerCore.dll)
  • eeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc

SHA256 hash for AssemblyExecuter V1

  • (ExecuteAssembly.dll)
  • 3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4

SHA256 hash for AssemblyExecuter V2

  • (ExecuteAssembly.dll)
  • afcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e
  • b76e243cf1886bd0e2357cbc7e1d2812c2c0ecc5068e61d681e0d5cff5b8e038

Additional Resources

Appendix A – Phantom Taurus Main TTPs

Tools Malware Techniques
  • Htran
  • Yasso
  • JuicyPotatoNG
  • Nbtscan
  • Scansql
  • Ladon
  • Samba SMBClient
  • Impacket
  • SharpEfsPotato
  • iislpe
  • Mimikatz
  • TunnelSpecter
  • SweetSpecter
  • Agent Racoon
  • IIServerCore
  • AssemblyExecuter
  • Ntospy
  • PlugX
  • Gh0st RAT
  • China Chopper
  • Running an in-memory Visual Basic script implant to act as a web shell
  • Stealing credentials by misusing the network providers
  • Stealing emails by misusing the Exchange Management Shell entity

Table 1. Phantom Taurus main TTPs.

Appendix B – IIServerCore Methods

Method Name Description
EncryptBase64 Receives a plain text string and performs basic Base64 encoding (not encryption, despite the name). This function is used throughout the malware to obfuscate data transmission.
DecryptBase64 Receives a Base64-encoded string and decodes it back to plain text.
Encrypt Receives raw byte data and an encryption key string. This function then performs AES encryption using ECB mode with PKCS7 padding. It creates an AES cipher with the provided key, encrypts the input data, and returns the encrypted bytes. The malware uses this method to secure communication with the C2.
Decrypt Receives encrypted byte data and the corresponding key. The function then decrypts the data using AES decryption with the same ECB mode and PKCS7 padding settings. It reverses the encryption process to recover the original data, enabling the malware to process encrypted commands from the attacker.
Compress Receives byte array data and compresses it using Gzip. Creates a compressed version of the input data to reduce the size of data it transmits between the malware and its C2 server, making network traffic less conspicuous.
Decompress Receives Gzip-compressed byte data and decompresses it back to its original form.
GetContext Receives a string containing the full request data. This function then extracts the payload portion and returns only the Base64-encoded payload data that contains the actual malicious payload.
ConvertToSpecialString Takes a list of dictionaries, each containing string key-value pairs, and converts them into a custom-formatted string. This string is used by the SetContext function to prepare command execution results.
SetContext Takes the structured output from ConvertToSpecialString and applies multi-layer encoding (compression, encryption and Base64) that is later used for secure transmission back to the C2 server.
GetMd5Hash Receives a string input and computes its MD5 hash.
Run The main execution function that receives the HTTP context and handles all malware operations.

Table 2. List of IIServerCore’s methods.

Appendix C – Built-In Commands

The following commands are embedded in the IIServerCore backdoor:

  • fileExist
  • listDir
  • createDir
  • renameDir
  • fileRead
  • deleteFile
  • Dictionary
  • createFile
  • changeLastModified
  • code_self
  • code_pid
  • run_code
  • addshell
  • bypassPrecompiledApp
  • listShell
  • removeShell
  • executeSQLQuery
  • ExecuteNonQuery
Get the latest news, invites to events, and threat alerts

Default Heading

Read the article Right Arrow