https://unit42.paloaltonetworks.com/suspicious-domain-registration-campaigns/
Submission: On December 09 via api from TR — Scanned from CH
NETWORK ABUSES LEVERAGING HIGH-PROFILE EVENTS: SUSPICIOUS DOMAIN REGISTRATIONS AND OTHER SCAMS

By: Shu Wang, Zhanhao Chen, Chi-Wei Liu, Shunyao Yang, Zhenyu Mao, Shireen Hsu, Fan Fei, Daiping Liu, Xing Wang, Jiaqi Wu
Published: December 6, 2024
Categories: Malware, Threat Research
Tags: Advanced Persistent Threat, ChatGPT, Cybersquatting, Malicious Domains, Network Scam
Related Products: Advanced DNS Security, Advanced URL Filtering, Advanced WildFire, Cloud-Delivered Security Services, Next-Generation Firewall, Unit 42 Incident Response

EXECUTIVE SUMMARY

Threat actors frequently exploit trending events, such as global sporting championships, to launch attacks including phishing and scams. Proactive monitoring of event-related domain abuse is therefore crucial for cybersecurity teams.

Our network abuse investigations regularly uncover suspicious domain registration campaigns, particularly ones that use event-specific keywords or phrases in newly registered domains. These campaigns often surge around notable events. Our analysis of event-related abuse focuses on the following trends:

* Domain registrations
* DNS traffic
* URL traffic
* Most active domains
* Verdict change requests
* Domain textual patterns

Our example case studies include observations related to the 2024 Summer Olympics in Paris.

Palo Alto Networks customers are better protected against network threats that leverage terminology associated with current trending events through cloud-delivered security services such as Advanced DNS Security, Advanced URL Filtering and Advanced WildFire.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response Team.
DOMAIN REGISTRATION FOR HIGH-PROFILE EVENTS

High-profile global events, including sporting championships and product launches, attract cybercriminals seeking to exploit public interest. These criminals register deceptive domains that mimic official websites to sell counterfeit merchandise and offer fraudulent services. Such sites can reach millions of people searching for event-related information or resources.

For instance, during the COVID-19 pandemic, adversaries launched many campaigns exploiting the crisis to spread malware. We reported that attackers launched COVID-19-themed phishing campaigns targeting government and medical organizations, and distributed Coronavirus-themed malware by tricking users into downloading malicious files. Similarly, the rise of ChatGPT provided another opportunity for exploitation, such as the scam attacks exploiting interest in ChatGPT. Attackers promoted fake ChatGPT tools or services through fraudulent domains, often luring victims with promises of early access or exclusive features, only to steal their credentials or spread malware.

These examples show how opportunistic threat actors are during significant global events. To mitigate the risks posed by these malicious campaigns, defenders must proactively monitor the network abuse trends related to specific events.

METRICS TO WATCH IN CASES OF NETWORK ABUSE

Threat actors exploiting high-profile events often leave telltale signs in specific metrics. Defenders should monitor the following for suspicious activity:

* Domain registrations
* Textual patterns used in deceptive domains
* Questionable DNS traffic trends
* Abnormal URL patterns

Further analysis of the most active domains and of trends in verdict change requests can also provide valuable insights.

DOMAIN REGISTRATION TRENDS

When malicious actors pick trending topics to exploit, one of their first moves is to register domains with relevant keywords.
To examine the cyberthreats tied to a specific event, we therefore analyze historical newly registered domains (NRDs) containing event-specific keywords. We detect over 200,000 NRDs daily from sources such as zone files, WHOIS databases and passive DNS. Our analysis begins by establishing the average number of daily domain registrations related to the target event. We then highlight the registrations flagged as suspicious. We label a domain as suspicious if it is linked to activities such as command and control (C2), ransomware, malware, phishing or grayware.

DOMAIN TEXTUAL PATTERNS

Understanding domain textual patterns is crucial for identifying deceptive domains. By analyzing the keywords, structure and even top-level domain (TLD) cues within these domains, we can uncover common features that indicate malicious intent. For example, many phishing domains combine event-specific keywords with suspicious terms like "rewards" to lure unsuspecting visitors.

We investigate the textual patterns of these NRDs so that, for each keyword analyzed, we can present the number of domains containing that keyword along with the ratio of suspicious domains. We also compare the TLDs used by suspicious NRDs with those used by NRDs overall, to see which TLDs are appealing to attackers.

DNS TRAFFIC TRENDS

DNS traffic trends provide valuable insight into the behavior of internet users and the strategies employed by attackers. Anomalies in DNS traffic, such as spikes in requests for specific domains, can indicate unusual activity such as C2 communications. We present both total and suspicious DNS traffic trends, including notable increases, significant spikes and changes in the ratio of suspicious DNS traffic. These reports reveal how attackers behave around the key dates of current events.

URL TRAFFIC TRENDS

We further analyze event-related NRDs through URL traffic.
This analysis shows the URL traffic trends for both overall and suspicious NRDs, along with the suspicious traffic ratio and significant spikes during current events. The trend can indicate the strategies attackers use to exploit event topics, particularly regarding visits to phishing websites.

MOST ACTIVE DOMAIN TRENDS

For both DNS traffic and URL traffic, we analyze the trends of the 10 domains most frequently visited over a specific period, where we note any interesting findings. This analysis can reveal shifts in visitor interest or point out potential emerging threats as new domains gain popularity.

CHANGE REQUEST TRENDS

Change request trends refer to the frequency and volume of requests to recategorize domains in Test-A-Site, the Palo Alto Networks URL testing system. These requests include false-positive and false-negative changes. Sudden events, such as unexpected incidents, can trigger a surge in change requests within a short time frame.

CONCLUSION

High-profile events are prime targets for threat actors, who frequently exploit public interest through deceptive domains, phishing and malicious traffic. By monitoring key metrics like domain registrations, textual patterns, DNS anomalies and change request trends, security teams can identify and mitigate threats early. Proactive analysis of these trends provides valuable intelligence that helps organizations block malicious domains and defend against opportunistic scams.

Palo Alto Networks customers are better protected from the threats discussed in this article through the following products:

* Next-Generation Firewall with cloud-delivered security services, including Advanced DNS Security and Advanced URL Filtering.
* Advanced WildFire, a cloud-based threat detection engine that detects the malware.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

* North America Toll-Free: 866.486.4842 (866.4.UNIT42)
* EMEA: +31.20.299.3130
* APAC: +65.6983.8730
* Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

CASE STUDIES: NETWORK ABUSES OBSERVED IN CONNECTION WITH HIGH-PROFILE EVENTS

ABUSES RELATED TO THE OLYMPIC GAMES IN PARIS 2024

DOMAIN REGISTRATION TRENDS FOR THE PARIS OLYMPICS

Figure 1. Olympic-related domain registration trends, October 2023 through September 2024.

In the one-year period from October 2023 through September 2024, we saw an average of seven Olympic-related domains registered daily. However, we noted a significant rise in registrations during the event weeks marked in Figure 1: Olympic-related registrations tripled compared to normal periods. Surprisingly, we deemed 16% of these domains suspicious, 13 times higher than the general rate for NRDs based on our previous research. This shows how intensely threat actors exploited interest in the Olympics and highlights the critical need for ongoing threat monitoring.

Significantly, during the opening ceremony week, the number of suspicious domains doubled. On the day of the opening ceremony, July 26, 2024, we flagged 20% of all newly registered domains with Olympic keywords as suspicious. This surge reflects attackers capitalizing on high-traffic events.

DOMAIN TEXTUAL PATTERNS LEVERAGING THE OLYMPIC GAMES

Figure 2. Top 10 most common Olympic-related keywords in NRDs.

Figure 2 shows the 10 most commonly used keywords and their associated suspicious rate.
Unsurprisingly, 98% of these domains use variations of the word "Olympic," including translations in multiple languages. The most heavily abused keyword was "aoyunhui," the Chinese pinyin-based romanization of "Olympic Games": 27% of domains containing this term were flagged as suspicious.

Figure 3. Top suspicious TLDs compared with total NRDs.

Figure 3 shows that .com is the most commonly used TLD among suspicious NRDs, accounting for 52% of the total. Threat actors use shopping-oriented TLDs such as .shop and .store to create fake e-commerce websites that deceive victims. Other TLDs such as .online, .xyz, .top and .biz also show a higher rate of abuse by suspicious NRDs compared to their general usage.

DNS TRAFFIC TRENDS LEADING UP TO THE 2024 OLYMPICS

Figure 4. Normalized DNS traffic for Olympic-related NRDs.

Figure 4 shows that DNS traffic for Olympic-related NRDs began to rise in March 2024, coinciding with the release of Olympic posters and various event preparations. Alongside this overall increase in Olympic-related DNS traffic, we saw a corresponding increase in suspicious DNS traffic. During the 2024 Olympic Games, the malicious DNS traffic ratio fluctuated between 10% and 15%. Spikes in malicious DNS traffic occurred around key dates, such as the 100-day countdown on April 20 and the opening ceremony on July 26.

URL TRAFFIC TRENDS FOR THE PARIS OLYMPICS

Figure 5. Comparing suspicious to normalized URL traffic for Olympic-related NRDs.

As Figure 5 shows, URL traffic to Olympic-related NRDs was negligible in the months leading up to the event. During the event, however, the volume jumped to concerning levels, reaching its highest point on Aug. 2, 2024, when 16.2% of all Olympic-related URLs were flagged as suspicious. Other significant suspicious spikes occurred on August 12 (the closing ceremony) and August 14, during the final week of the games.
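The keyword and TLD statistics described in the Domain Textual Patterns section and charted in Figures 2 and 3, as an added Python example that is not Unit 42's own tooling. The NRD sample, its verdicts, the event keyword list and the lure-term list are all constructed; verdicts would normally come from a classifier that links a domain to C2, malware, phishing or grayware.

```python
"""Textual-pattern statistics for event-related newly registered domains (NRDs).

Added example, not Unit 42's tooling. It produces the two views the article
describes: per-keyword domain counts with their suspicious ratio (Figure 2)
and the share of each TLD among suspicious NRDs versus all NRDs (Figure 3),
plus a triage rule for event keywords paired with lure terms like "rewards".
The NRD sample, its verdicts and both keyword lists are constructed.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Event keywords including translations/romanizations ("aoyunhui" is the
# pinyin-based term for Olympic Games, as the article notes). Constructed list.
EVENT_KEYWORDS = ["olympics", "olympic", "olympique", "aoyunhui", "paris2024"]
# Terms that phishing and scam domains commonly pair with the event keyword.
LURE_TERMS = ["rewards", "tickets", "live", "free", "giveaway"]

# Constructed sample: (domain, verdict).
SAMPLE_NRDS: List[Tuple[str, str]] = [
    ("parisolympictickets.com", "suspicious"),
    ("olympics-live-stream2024.shop", "suspicious"),
    ("aoyunhui-rewards.top", "suspicious"),
    ("aoyunhui2024.xyz", "suspicious"),
    ("aoyunhui-news.com", "benign"),
    ("aoyunhui-fans.cn", "benign"),
    ("olympic-bakery.com", "benign"),
    ("jeuxolympiques-paris.fr", "benign"),
    ("olympicmerch-store.store", "suspicious"),
    ("paris2024volunteers.org", "benign"),
    ("olympic-rewards-claim.online", "suspicious"),
    ("myolympicfitness.com", "benign"),
]


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (label, tld): everything before the last dot, with hyphens
    removed so 'olympic-rewards' and 'olympicrewards' match the same way.
    Public-suffix handling (e.g. .co.uk) is out of scope for this example."""
    label, _, tld = domain.lower().strip(".").rpartition(".")
    return label.replace("-", ""), tld


def match_keyword(label: str, keywords: List[str] = EVENT_KEYWORDS) -> Optional[str]:
    """First event keyword contained in the label, longest keywords first so
    'olympics' is reported rather than its prefix 'olympic'."""
    for kw in sorted(keywords, key=len, reverse=True):
        if kw in label:
            return kw
    return None


def keyword_stats(nrds: List[Tuple[str, str]]) -> Dict[str, Tuple[int, float]]:
    """Per event keyword: (number of NRDs containing it, suspicious ratio),
    ordered by domain count, i.e. the data behind a Figure 2 style chart."""
    total: Counter = Counter()
    suspicious: Counter = Counter()
    for domain, verdict in nrds:
        kw = match_keyword(split_domain(domain)[0])
        if kw is None:
            continue  # not event-related, out of scope
        total[kw] += 1
        if verdict == "suspicious":
            suspicious[kw] += 1
    return {kw: (n, round(suspicious[kw] / n, 3)) for kw, n in total.most_common()}


def tld_stats(nrds: List[Tuple[str, str]]) -> Dict[str, Tuple[float, float, float]]:
    """Per TLD: (share of all NRDs, share of suspicious NRDs, over-representation
    ratio). A ratio above 1 means the TLD is abused more than its general usage
    would predict, which is how the article reads .shop, .store, .top and so on."""
    all_count: Counter = Counter()
    bad_count: Counter = Counter()
    for domain, verdict in nrds:
        tld = split_domain(domain)[1]
        all_count[tld] += 1
        if verdict == "suspicious":
            bad_count[tld] += 1
    n_all, n_bad = sum(all_count.values()), sum(bad_count.values())
    stats: Dict[str, Tuple[float, float, float]] = {}
    for tld, n in all_count.items():
        share_all = n / n_all
        share_bad = bad_count[tld] / n_bad if n_bad else 0.0
        stats[tld] = (round(share_all, 3), round(share_bad, 3), round(share_bad / share_all, 2))
    return dict(sorted(stats.items(), key=lambda kv: kv[1][1], reverse=True))


def lure_combinations(nrds: List[Tuple[str, str]], lure_terms: List[str] = LURE_TERMS) -> List[str]:
    """Domains whose label pairs an event keyword with a lure term: a cheap
    triage filter for the "event keyword + rewards" pattern the article notes."""
    hits = []
    for domain, _ in nrds:
        label, _ = split_domain(domain)
        if match_keyword(label) and any(term in label for term in lure_terms):
            hits.append(domain)
    return hits


if __name__ == "__main__":
    for kw, (count, ratio) in keyword_stats(SAMPLE_NRDS).items():
        print(f"{kw:<10} domains={count:<3} suspicious={ratio:.0%}")
    for tld, (share_all, share_bad, ratio) in tld_stats(SAMPLE_NRDS).items():
        print(f".{tld:<7} all={share_all:.1%} suspicious={share_bad:.1%} x{ratio}")
    print("keyword+lure:", lure_combinations(SAMPLE_NRDS))
```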
SPECIFIC CASE STUDIES

(1) PERSISTENT NETWORK THREAT ACTOR FOR TWO SEPARATE OLYMPICS

For this case study, we investigated 23 specific Olympic-related domains from both the Tokyo Olympics held in 2021 and the 2024 Paris Olympics. Although they were registered and active at different times, our analysis reveals a strong correlation among these domains. First, the domains exhibit similar naming conventions, using a consistent set of keywords such as live, tickets and games, along with the specific years and locations of the Olympic Games. Second, we observed a significant overlap in the resolved IP addresses of these domains, as illustrated in Figure 6.

Figure 6. The correlation of resolved IP addresses between domains related to both the Tokyo Olympics and the Paris Olympics.

For instance, the IP address 3.64.163[.]50 was shared by domains from 2021 (e.g., 2021olympicupdateslive[.]com) and from 2024 (e.g., parisolympicgames2024[.]com). In addition, multiple domains from both Olympic events resolved to 76.223.67[.]189, including domains targeting the previous Olympics (e.g., tokyoolympicsport[.]com) and the 2024 Olympics (e.g., 2024olympicslive[.]com). From the observed infrastructure patterns, we infer that a single malicious actor is behind this persistent network abuse.

(2) SCAMS LEVERAGING PARIS OLYMPICS

We identified several scam campaigns exploiting the 2024 Paris Olympics, ranging from fake ticket sales to fraudulent internet data giveaways and fake cryptocurrency investment schemes. This section focuses on the latter two.

Threat actors distributed the fraudulent Paris Olympic internet data giveaway scam through a large number of domains. Figure 7 shows screenshots from an example that enticed victims by offering 48 GB of free internet data.

Figure 7. Screenshots from a fake internet data giveaway scam.

To claim the data, victims were prompted to enter their phone numbers and share the scam with their WhatsApp friends and groups.
The final confirmation page offers additional scam surveys or malicious redirects.

In another scam, threat actors capitalized on the Olympics to promote a fake cryptocurrency investment. Figure 8 shows two screenshots from the landing page of 2024olympics-shop[.]com, which tricked visitors into registering for a bogus investment opportunity. The site also offers a download link for an Android app named Olympics[.]apk that poses as a legitimate cash app but is actually suspicious and likely intended to defraud people.

Figure 8. The landing page of the fake cryptocurrency scheme leveraging the Olympics.

(3) MALICIOUS GAMBLING

We identified a campaign of malicious gambling websites that exploited Olympic-related keywords to lure unsuspecting victims. These websites share several key characteristics:

* Name servers: All gambling domains are resolved by the same DNS hosting service (share-dns), suggesting a potential connection between the operators.
* WHOIS records: While most registration information for these Olympic-themed gambling NRDs is redacted, we observed that all registrant locations are listed as different provinces in China.
* Website templates: The adversaries use various templates for gambling websites. Figures 9-11 show examples of gambling websites built with distinct templates within this campaign.

Figure 9. Gambling website hosted on climbolympic[.]com.
Figure 10. Gambling website hosted on allolympic[.]com.
Figure 11. Gambling website hosted on olympiarealestate-online[.]com.
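The shared-IP pivot behind case study (1) and Figure 6, as an added example that is not Unit 42's code. Domains are linked when they resolved to the same address, and a cluster whose members reference both Olympic years is reported as persistent infrastructure; the resolution records are constructed with RFC 5737 documentation addresses, and the bulk-hosting cutoff (MAX_DOMAINS_PER_IP) is an assumption added to keep shared hosting or CDN addresses from linking unrelated sites.

```python
"""Infrastructure-overlap pivot across two event cycles.

Added example, not Unit 42's code. It models the Figure 6 analysis: domains
named for the 2021 and 2024 Olympics that resolved to the same IP addresses
are grouped into clusters, and a cluster spanning both years is evidence of one
persistent operator. The resolution records are constructed using RFC 5737
documentation addresses; the bulk-hosting threshold is an assumption.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (domain, resolved IP, event year referenced by the name). Constructed.
RESOLUTIONS: List[Tuple[str, str, int]] = [
    ("2021olympicupdates-live.example", "192.0.2.10", 2021),
    ("parisolympicgames2024.example", "192.0.2.10", 2024),
    ("2024olympicslive.example", "192.0.2.10", 2024),
    ("2024olympicslive.example", "198.51.100.7", 2024),
    ("tokyoolympicsport.example", "198.51.100.7", 2021),
    ("tokyo2021olympictickets.example", "198.51.100.7", 2021),
    ("paris2024-bakery.example", "198.51.100.99", 2024),  # alone on its IP
    # A shared-hosting/CDN address used by unrelated sites: pivoting on it
    # would falsely link everything, so such IPs are excluded below.
    ("olympicfan-blog.example", "203.0.113.5", 2024),
    ("city-news-2021.example", "203.0.113.5", 2021),
    ("weather-today.example", "203.0.113.5", 2024),
    ("recipes-daily.example", "203.0.113.5", 2021),
]

# IPs hosting more domains than this are treated as bulk hosting, not a pivot.
MAX_DOMAINS_PER_IP = 3


class DisjointSet:
    """Union-find over domain names."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def pivot_ips(resolutions: List[Tuple[str, str, int]],
              max_domains_per_ip: int = MAX_DOMAINS_PER_IP) -> Dict[str, Set[str]]:
    """IP -> domains, keeping only IPs shared by 2..max_domains_per_ip domains."""
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip, _ in resolutions:
        by_ip[ip].add(domain)
    return {ip: d for ip, d in by_ip.items() if 2 <= len(d) <= max_domains_per_ip}


def cluster_domains(resolutions: List[Tuple[str, str, int]],
                    max_domains_per_ip: int = MAX_DOMAINS_PER_IP) -> List[dict]:
    """Group domains connected through pivotable IPs. Each cluster records its
    domains, the IPs that link them and the event years it covers."""
    years: Dict[str, Set[int]] = defaultdict(set)
    for domain, _, year in resolutions:
        years[domain].add(year)
    pivots = pivot_ips(resolutions, max_domains_per_ip)
    ds = DisjointSet()
    for domains in pivots.values():
        anchor = next(iter(domains))
        for d in domains:
            ds.union(anchor, d)
    members: Dict[str, Set[str]] = defaultdict(set)
    for domains in pivots.values():
        for d in domains:
            members[ds.find(d)].add(d)
    clusters = []
    for domains in members.values():
        clusters.append({
            "domains": sorted(domains),
            "ips": sorted(ip for ip, linked in pivots.items() if linked & domains),
            "years": sorted(set().union(*(years[d] for d in domains))),
        })
    return sorted(clusters, key=lambda c: len(c["domains"]), reverse=True)


def persistent_clusters(resolutions: List[Tuple[str, str, int]],
                        max_domains_per_ip: int = MAX_DOMAINS_PER_IP) -> List[dict]:
    """Clusters whose domains span more than one event year: the signature of an
    operator reusing infrastructure from one Olympics to the next."""
    return [c for c in cluster_domains(resolutions, max_domains_per_ip) if len(c["years"]) > 1]


if __name__ == "__main__":
    for c in persistent_clusters(RESOLUTIONS):
        print("persistent cluster", c["years"], "via", c["ips"])
        for d in c["domains"]:
            print("   ", d)
```

Raising MAX_DOMAINS_PER_IP so the 203.0.113.5 address is accepted as a pivot produces a second "persistent" cluster made of unrelated sites, which is the false linkage the threshold exists to avoid.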
INDICATORS OF COMPROMISE

SUSPICIOUS DOMAINS FROM PERSISTENT OLYMPIC TARGETING THREAT

* 2024olympicslive[.]com
* 2024parisolympicathletes[.]com
* olympicparis2024[.]com
* paris-olympics2024[.]com
* paris24olympics[.]com
* parisolympic24[.]com
* parisolympicgames2024[.]com
* parisolympicgames2024official[.]com
* parisolympicgamesevents[.]com
* parisolympicgamesofficial[.]com
* parisolympicgamestickets[.]com
* parisolympicsphotographe[.]com
* parisolympictickets[.]com

SCAM DOMAINS LEVERAGING OLYMPICS

* 2024olympics-shop[.]com

MALICIOUS GAMBLING DOMAINS

* climbolympic[.]com
* allolympic[.]com
* olympiarealestate-online[.]com

ADDITIONAL RESOURCES

* Newly Registered Domains: Malicious Abuse by Bad Actors – Unit 42, Palo Alto Networks
* Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns – Unit 42, Palo Alto Networks
* Studying How Cybercriminals Prey on the COVID-19 Pandemic – Unit 42, Palo Alto Networks
* ChatGPT-Themed Scam Attacks Are on the Rise – Unit 42, Palo Alto Networks
* 2024olympics.shop Scam Store: The Olympic Shop Scam – Malwaretips
* Paris 2024 : 338 sites internet frauduleux de revente de billets recensés à quelques semaines du début de la compétition [Paris 2024: 338 fraudulent ticket resale websites identified a few weeks before the start of the competition] – Franceinfo
* Security Brief: Scammers Create Fraudulent Olympics Ticketing Websites – Proofpoint
* Olympics-related domains used for phishing and scams for the Tokyo and Paris2024 Olympics – Unit 42 on X
* Threat actors exploit public attention in the Olympics by creating domains that seem related to the event – Unit 42 on X