Unit 42

Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered

Chip Riley — Fri, 12 Jun 2026 22:00:14 +0000

Unit 42 has discovered a new macOS Tahoe 26 forensic artifact that tracks user menu selections across the operating system. Learn more here.

The post Tracing Digital Intent: New MacOS Tahoe 26 Artifact Discovered appeared first on Unit 42.

Trust No Skill: Integrity Verification for AI Agent Supply Chains

Yuhao Wu, Tony Li and Hongliang Liu — Thu, 11 Jun 2026 10:00:24 +0000

Protect enterprise AI agents from supply chain risks by auditing third-party skills for hidden vulnerabilities and multi-stage attack chains.

The post Trust No Skill: Integrity Verification for AI Agent Supply Chains appeared first on Unit 42.

Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility

Yahav Festinger — Tue, 09 Jun 2026 22:00:21 +0000

Unit 42 research examines attack scenarios targeting cloud logging services. Learn how to defend against log manipulation and defense evasion.

The post Blinding the Watchmen: Abusing Cloud Logging Services for Defense Evasion and Visibility appeared first on Unit 42.

Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257

Andy Piazza and Unit 42 — Tue, 09 Jun 2026 14:05:42 +0000

We include indicators of activity and mitigations for PAN-OS vulnerability CVE-2026-0257.

The post Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 appeared first on Unit 42.

When “Hi, This Is IT” Comes Through Microsoft Teams

Bill Batchelor — Mon, 08 Jun 2026 23:00:45 +0000

Attackers are increasingly targeting collaboration platforms like Microsoft Teams. Learn the risks and key steps to strengthen your organization's security.

The post When “Hi, This Is IT” Comes Through Microsoft Teams appeared first on Unit 42.

The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2)

Unit 42 — Tue, 02 Jun 2026 17:30:33 +0000

Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more.

The post The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) appeared first on Unit 42.

Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

Ido Asher, Noa Dekel and Tom Fakterman — Tue, 02 Jun 2026 10:00:31 +0000

Operation FlutterBridge is a malvertising campaign targeting macOS users. It distributed the new backdoor FlutterShell, built using the Flutter framework.

The post Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor appeared first on Unit 42.

2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface

Justin Moore — Thu, 28 May 2026 10:00:53 +0000

The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure. Learn more here.

The post 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface appeared first on Unit 42.

Out of the Crypt: The Evolving Cyber Extortion Economy

Matt Brady and Justin Moore — Wed, 27 May 2026 22:00:46 +0000

Unit 42 explores trends in data theft and extortion, outlining key strategies for organizations as frontier AI models advance.

The post Out of the Crypt: The Evolving Cyber Extortion Economy appeared first on Unit 42.

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 — Fri, 22 May 2026 13:00:42 +0000

Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns.

The post Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns appeared first on Unit 42.

Paved With Intent: ROADtools and Nation-State Tactics in the Cloud

Bill Batchelor and Eyal Rafian — Fri, 22 May 2026 10:00:24 +0000

Open-source framework ROADtools is being misused by threat actors for cloud intrusions. Learn how to identify its malicious use.

The post Paved With Intent: ROADtools and Nation-State Tactics in the Cloud appeared first on Unit 42.

Tracking TamperedChef Clusters via Certificate and Code Reuse

Joseph Ganter — Wed, 20 May 2026 10:00:46 +0000

Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets.

The post Tracking TamperedChef Clusters via Certificate and Code Reuse appeared first on Unit 42.

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

Pranay Kumar Chhaparwal and Mark Lim — Fri, 15 May 2026 10:00:52 +0000

Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data.

The post Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files appeared first on Unit 42.

Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools

Stav Setty, Tom Fakterman and Shachar Roitman — Mon, 11 May 2026 22:00:43 +0000

Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders.

The post Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools appeared first on Unit 42.

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

Justin Moore and Unit 42 — Thu, 07 May 2026 00:00:53 +0000

Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details.

The post Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution appeared first on Unit 42.