The Threat Intelligence Research That Mattered to You This Year

Clock Icon 2 min read


Unit 42 did some incredible work in 2015 discovering, analyzing and disclosing malware – some new and others making a reappearance. Take a look below at some of their top threat intelligence research from this past year:


Unit 42 analyzed XcodeGhost, which modifies Xcode and infects Apple iOS Apps, and its behavior. The team found that many popular iOS apps were infected, including WeChat, one of the most popular messaging applications in the world, and that the XcodeGhost attacker can phish passwords and open URLs through these infected apps.


In cooperation with WeipTech, Unit 42 identified samples of a new iOS malware family in the wild which they named KeyRaider. This is believed to be the largest known Apple account theft caused by malware, stealing over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts. Unit 42 also detailed how to keep yourself safe from KeyRaider.


Unit 42 identified a new Apple iOS malware, dubbed YiSpecter. YiSpecter is different from previously seen iOS malware in that it attacks both jailbroken and non-jailbroken iOS devices through unique and harmful malicious behaviors. Specifically, it was the first malware seen in the wild that abuses private APIs in the iOS system to implement malicious functionalities.

Android Installer Hijacking

Unit 42 discovered a widespread vulnerability in Google’s Android OS they called “Android Installer Hijacking,” estimated to impact 49.5 percent of all current Android users, which allows an attacker to modify or replace a seemingly benign Android app with malware, without user knowledge, only affecting applications downloaded from third-party app stores.

Operation Lotus Blossom

Unit 42 published new research identifying a persistent cyber espionage campaign targeting government and military organizations in Southeast Asia by adversary group they named "Lotus Blossom." The campaign has been in operation for some time; Unit 42 identified over 50 different attacks taking place over the past three years. Recently, Unit 42 found that a targeted attack directed at an individual working for the French Ministry of Foreign Affairs was linked to Operation Lotus Blossom.


Unit 42 found the new “BackStab” attack, used to steal private information from mobile device backup files stored on a victim’s computer.

Read more Unit 42 research

Learn more about Unit 42



Enlarged Image