URL: https://unit42.paloaltonetworks.com/suspicious-domain-registration-campaigns/
NETWORK ABUSES LEVERAGING HIGH-PROFILE EVENTS: SUSPICIOUS DOMAIN REGISTRATIONS
AND OTHER SCAMS

Related Products
 * Advanced DNS Security
 * Advanced URL Filtering
 * Advanced WildFire
 * Cloud-Delivered Security Services
 * Next-Generation Firewall
 * Unit 42 Incident Response
 * By:
    * Shu Wang
    * Zhanhao Chen
    * Chi-Wei Liu
    * Shunyao Yang
    * Zhenyu Mao
    * Shireen Hsu
    * Fan Fei
    * Daiping Liu
    * Xing Wang
    * Jiaqi Wu

 * Published: December 6, 2024
 * Categories:
    * Malware
    * Threat Research

 * Tags:
    * Advanced Persistent Threat
    * ChatGPT
    * Cybersquatting
    * Malicious Domains
    * Network Scam


EXECUTIVE SUMMARY

Threat actors frequently exploit trending events like global sporting
championships to launch attacks, including phishing and scams. Because of this,
proactive monitoring of event-related domain abuse is crucial for cybersecurity
teams.

Our network abuse investigations regularly uncover suspicious domain
registration campaigns, particularly those using event-specific keywords or
phrases in newly registered domains. These campaigns often surge around notable
events.

Our analysis of event-related abuse focuses on the following trends:

 * Domain registrations
 * DNS traffic
 * URL traffic
 * Most active domains
 * Verdict change requests
 * Domain textual patterns

Our example case studies include observations related to the 2024 Summer
Olympics in Paris.

Palo Alto Networks customers are better protected against various network
threats leveraging terminology associated with the current trending events
through cloud-delivered security services such as Advanced DNS Security,
Advanced URL Filtering and Advanced WildFire. If you think you might have been
compromised or have an urgent matter, contact the Unit 42 Incident Response
Team.

Related Unit 42 Topics: Cybersquatting, ChatGPT


DOMAIN REGISTRATION FOR HIGH-PROFILE EVENTS

High-profile global events, including sporting championships and product
launches, attract cybercriminals seeking to exploit public interest. These
criminals register deceptive domains mimicking official websites to sell
counterfeit merchandise and offer fraudulent services. These sites can reach
millions of people searching for event-related information or resources.

For instance, during the COVID-19 pandemic, adversaries launched many campaigns
exploiting the crisis to spread malware. We reported that attackers launched
COVID-19-themed phishing campaigns targeting government and medical
organizations or distributed Coronavirus-themed malware by tricking users into
downloading malicious files.

Similarly, the rise of ChatGPT provided another opportunity for exploitation in
the form of scam attacks trading on interest in the tool. Attackers promoted fake
ChatGPT tools or services through fraudulent domains, often luring victims with
promises of early access or exclusive features, only to steal their credentials
or spread malware. These examples show how opportunistic threat actors are
during significant global events.

To mitigate the risks posed by these malicious campaigns, it is critical for
defenders to proactively monitor the network abuse trends related to specific
events.


METRICS TO WATCH IN CASES OF NETWORK ABUSE

Threat actors exploiting high-profile events often leave telltale signs in
specific metrics. Defenders should monitor the following for suspicious
activity:

 * Domain registrations
 * Textual patterns used in deceptive domains
 * Questionable DNS traffic trends
 * Abnormal URL patterns

Further analysis of the most active domains and trends in verdict change
requests can also provide valuable insights.


DOMAIN REGISTRATION TRENDS

When malicious actors pick trending topics to exploit, one of their first moves
is to register domains with relevant keywords. Therefore, to investigate
specific event-related cyberthreats, we analyze the historical newly registered
domains (NRDs) containing event-specific keywords.

We detect over 200,000 NRDs daily from sources like zone files, WHOIS databases
and passive DNS. Our analysis begins by establishing the average daily number of
domain registrations related to the target event.

We then highlight those registrations flagged as suspicious. We label a domain
as suspicious if it is linked to activities like command and control (C2),
ransomware, malware, phishing or grayware.


DOMAIN TEXTUAL PATTERNS

Understanding domain textual patterns is crucial in identifying deceptive
domains. By analyzing the keywords, structure and even top-level domain (TLD)
cues within these domains, we can uncover common features that indicate
malicious intent. For example, many phishing domains combine event-specific
keywords with suspicious terms like “rewards” to lure unsuspecting visitors.

We investigate the textual patterns of these newly registered domains so that
for each keyword analyzed, we can present the number of domains containing that
keyword along with the ratio of suspicious domains. We also compare the TLDs
used by both suspicious and overall NRDs to analyze which TLDs are appealing to
attackers.
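The registration-trend and textual-pattern analyses above reduce to a few operations on an NRD feed: tag each domain with the event keyword family it contains (including transliterations such as "aoyunhui"), note lure terms that appear next to the keyword, and compare the TLD mix of suspicious event domains with the TLD mix of all event domains. The Python below is an added example of that pipeline; it is not Unit 42 code and not the data behind Figures 2 and 3. The feed in SAMPLE_NRDS, its verdicts, the keyword and lure lists, and the dataclass and function names are constructed assumptions, and only single-label public suffixes are handled.

```python
"""Tag newly registered domains (NRDs) with event keywords and measure abuse.

Added example for illustration; not Unit 42 code. SAMPLE_NRDS, the verdicts
and the keyword/lure lists are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Keyword families: canonical name -> spellings and transliterations that map to
# it (assumed list; extend per event and language).
EVENT_KEYWORDS = {
    "olympic": ("olympic", "olympique", "olimpiada", "olympiade", "aoyunhui"),
    "paris2024": ("paris2024", "paris24"),
}
# Lure terms that, next to an event keyword, mark a likely scam or phishing name.
LURE_TERMS = ("reward", "ticket", "live", "free", "giveaway", "official", "shop", "store")
# Verdict categories the article counts as "suspicious".
SUSPICIOUS_VERDICTS = {"c2", "ransomware", "malware", "phishing", "grayware"}


@dataclass(frozen=True)
class NRD:
    domain: str      # registrable domain, defanged or not
    registered: str  # ISO date of first observation
    verdict: str     # "benign" or one of SUSPICIOUS_VERDICTS


def split_domain(domain: str) -> tuple[str, str]:
    """Return (second-level label, tld). Assumes single-label public suffixes
    (no .co.uk handling) and accepts defanged 'example[.]com'."""
    d = domain.lower().replace("[.]", ".").strip(".")
    sld, _, tld = d.rpartition(".")
    return sld, tld


def event_keywords(domain: str) -> set[str]:
    """Keyword families whose variants appear in the label once hyphens are dropped."""
    label = re.sub(r"[^a-z0-9]", "", split_domain(domain)[0])
    return {name for name, variants in EVENT_KEYWORDS.items()
            if any(v in label for v in variants)}


def lure_terms(domain: str) -> set[str]:
    return {t for t in LURE_TERMS if t in split_domain(domain)[0]}


def is_suspicious(nrd: NRD) -> bool:
    return nrd.verdict.lower() in SUSPICIOUS_VERDICTS


def lure_combos(nrds: list[NRD]) -> list[NRD]:
    """Event keyword plus lure term in one name: the 'olympic' + 'rewards' pattern."""
    return [n for n in nrds if event_keywords(n.domain) and lure_terms(n.domain)]


def keyword_stats(nrds: list[NRD]) -> dict[str, tuple[int, float]]:
    """Per keyword family: (number of NRDs containing it, suspicious ratio)."""
    total, bad = Counter(), Counter()
    for n in nrds:
        for k in event_keywords(n.domain):
            total[k] += 1
            bad[k] += int(is_suspicious(n))
    return {k: (total[k], bad[k] / total[k]) for k in total}


def tld_abuse_ratio(nrds: list[NRD]) -> dict[str, float]:
    """Share of a TLD among suspicious event NRDs divided by its share among all
    event NRDs; values above 1 mean attackers favour that TLD."""
    event = [n for n in nrds if event_keywords(n.domain)]
    all_tlds = Counter(split_domain(n.domain)[1] for n in event)
    bad_tlds = Counter(split_domain(n.domain)[1] for n in event if is_suspicious(n))
    n_all, n_bad = sum(all_tlds.values()), sum(bad_tlds.values())
    return {t: (bad_tlds[t] / n_bad) / (all_tlds[t] / n_all) for t in bad_tlds}


# Constructed one-day slice of an NRD feed; names and verdicts are illustrative.
SAMPLE_NRDS = [
    NRD("olympic-rewards-2024.com", "2024-07-26", "phishing"),
    NRD("paris24tickets-live.com", "2024-07-26", "phishing"),
    NRD("free-olympic-tickets.shop", "2024-07-26", "grayware"),
    NRD("aoyunhui-zhibo.top", "2024-07-26", "phishing"),
    NRD("olimpiadas-apuestas.online", "2024-07-26", "grayware"),
    NRD("aoyunhui-news.com", "2024-07-26", "benign"),
    NRD("olympicfanclub.org", "2024-07-26", "benign"),
    NRD("jeux-olympiques-paris.fr", "2024-07-26", "benign"),
    NRD("paris-bakery-2024.com", "2024-07-26", "benign"),  # control: no event keyword
]

if __name__ == "__main__":
    print(keyword_stats(SAMPLE_NRDS))
    print(sorted(tld_abuse_ratio(SAMPLE_NRDS).items(), key=lambda kv: -kv[1]))
    print([n.domain for n in lure_combos(SAMPLE_NRDS)])
```

The TLD ratio is deliberately relative: .com dominates both the suspicious set and the overall set, so a raw count would always put it first, whereas the share-of-share ratio surfaces TLDs such as .shop or .top that are small overall but over-represented among flagged names.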


DNS TRAFFIC TRENDS

DNS traffic trends can provide valuable insight into the behavior of internet
users and the strategies employed by attackers. Anomalies in DNS traffic, such
as spikes in requests for specific domains, could indicate unusual activities
like C2 communications.

We present both total and suspicious DNS traffic trends, including notable
increases, significant spikes and changes in the ratio of suspicious DNS
traffic. Our reports can reveal how attackers behave around key dates of the
event in question.


URL TRAFFIC TRENDS

We further analyze event-related NRDs through URL traffic. This analysis
illustrates the URL traffic trends for both overall and suspicious NRDs, along
with the suspicious traffic ratio and significant spikes during the event. The
trend can indicate the strategies attackers use to exploit event topics,
particularly regarding visits to phishing websites.
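The registration, DNS and URL trend sections all rest on the same check: compare a day's event-related volume with the preceding days' baseline, and watch the suspicious share alongside it so that a rising attacker fraction is caught even when total volume is flat. The Python below is an added example of that check, not Unit 42 code and not the series plotted in Figures 1, 4 and 5. The daily counts are constructed, and the seven-day median baseline, 3x spike factor and 5-point ratio shift are assumed thresholds chosen to mirror the "tripled" and "10% to 15%" observations in the case study that follows.

```python
"""Flag volume spikes and suspicious-ratio shifts in daily event-related traffic.

Added example; not Unit 42 code. Works the same for NRD registrations, DNS
queries or URL hits. build_sample_series() is constructed; window and
thresholds are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, median


@dataclass(frozen=True)
class DaySample:
    day: date
    total: int       # all observations for event-related NRDs that day
    suspicious: int  # the subset with a suspicious verdict


def suspicious_ratio(s: DaySample) -> float:
    return s.suspicious / s.total if s.total else 0.0


def find_spikes(series, window: int = 7, factor: float = 3.0, min_baseline: int = 1):
    """Days whose total is at least `factor` times the median of the preceding
    `window` days. Returns [(iso_day, total, baseline, suspicious_ratio)].
    A median baseline is used so one earlier spike does not mask the next."""
    series = sorted(series, key=lambda s: s.day)
    spikes = []
    for i in range(window, len(series)):
        baseline = median(s.total for s in series[i - window:i])
        cur = series[i]
        if baseline >= min_baseline and cur.total >= factor * baseline:
            spikes.append((cur.day.isoformat(), cur.total, baseline,
                           round(suspicious_ratio(cur), 4)))
    return spikes


def ratio_shifts(series, window: int = 7, min_delta: float = 0.05):
    """Days whose suspicious ratio exceeds the trailing-window mean ratio by at
    least `min_delta` (absolute). Catches the attacker share rising even when
    total volume is flat, which find_spikes alone would miss."""
    series = sorted(series, key=lambda s: s.day)
    out = []
    for i in range(window, len(series)):
        base = mean(suspicious_ratio(s) for s in series[i - window:i])
        cur = suspicious_ratio(series[i])
        if cur - base >= min_delta:
            out.append((series[i].day.isoformat(), round(cur, 4), round(base, 4)))
    return out


def build_sample_series() -> list[DaySample]:
    """Constructed series: two quiet weeks (~100 queries/day, 10% suspicious),
    then a surge on 2024-07-26 where both volume and suspicious share jump.
    Not real measurements."""
    start = date(2024, 7, 12)
    series = [DaySample(start + timedelta(days=i), 100 + (i % 3) * 5, 10)
              for i in range(14)]
    series.append(DaySample(date(2024, 7, 26), 400, 60))
    series.append(DaySample(date(2024, 7, 27), 180, 20))
    return series


if __name__ == "__main__":
    s = build_sample_series()
    for day, total, base, ratio in find_spikes(s):
        print(f"{day}: {total} vs baseline {base:g} (suspicious {ratio:.0%})")
    print(ratio_shifts(s))
```

Lowering `factor` makes the day after the surge light up as well, because the median baseline still reflects the quiet weeks; that is the trade-off between catching the tail of an event and drowning in alerts, and the two thresholds should be tuned per feed.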


MOST ACTIVE DOMAIN TRENDS

For DNS traffic and URL traffic, we analyze the trends of the top 10 domains
most frequently visited over a specific period, if we note any interesting
findings. This analysis can reveal shifts in visitor interest or point out
potential emerging threats as new domains gain popularity.


CHANGE REQUEST TRENDS

Change request trends refer to the frequency and volume of requests to
recategorize domains in our Palo Alto Networks URL testing system Test-A-Site.
These requests include false-positive changes and false-negative changes. Sudden
events, such as unexpected incidents, can trigger a surge in change requests
within a short time frame.


CONCLUSION

High-profile events are prime targets for threat actors, where they frequently
exploit public interest through deceptive domains, phishing and malicious
traffic. By monitoring key metrics like domain registrations, textual patterns,
DNS anomalies and change request trends, security teams can identify and
mitigate threats early. Proactive analysis of these trends provides valuable
intelligence, assisting organizations to block malicious domains and defend
against opportunistic scams.

Palo Alto Networks customers are better protected from the threats discussed in
this article through the following products:

 * Next-Generation Firewall with cloud-delivered security services including
   Advanced DNS Security and Advanced URL Filtering.
 * Advanced WildFire, a cloud-based threat detection engine that identifies the
   malware associated with these campaigns.

If you think you may have been compromised or have an urgent matter, get in
touch with the Unit 42 Incident Response team or call:

 * North America Toll-Free: 866.486.4842 (866.4.UNIT42)
 * EMEA: +31.20.299.3130
 * APAC: +65.6983.8730
 * Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat
Alliance (CTA) members. CTA members use this intelligence to rapidly deploy
protections to their customers and to systematically disrupt malicious cyber
actors. Learn more about the Cyber Threat Alliance.


CASE STUDIES: NETWORK ABUSES OBSERVED IN CONNECTION WITH HIGH-PROFILE EVENTS


ABUSES RELATED TO THE OLYMPIC GAMES IN PARIS 2024

DOMAIN REGISTRATION TRENDS FOR THE PARIS OLYMPICS

Figure 1. Olympic-related domain registration trends, October 2023 through
September 2024.


In the one-year period from October 2023 through September 2024, we saw an
average of seven Olympic-related domains registered daily. However, we noted a
significant rise in domain registrations during the event weeks marked in Figure
1.

Specifically, Olympic-related registrations tripled compared to normal periods.
Surprisingly, we deemed 16% of these domains suspicious, 13 times the general
rate for NRDs found in our previous research. This indicates how intensely
threat actors exploited interest in the Olympics, and it highlights the critical
need for ongoing threat monitoring.

Significantly, during the opening ceremony week, the number of suspicious
domains doubled. On the day of the opening ceremony, July 26, 2024, we flagged
20% of all newly registered domains containing Olympic keywords as suspicious.
This surge reflects attackers capitalizing on high-traffic events.

DOMAIN TEXTUAL PATTERNS LEVERAGING THE OLYMPIC GAMES

Figure 2. Top 10 most common Olympic-related keywords in NRDs.


Figure 2 showcases the top 10 most commonly used keywords and their associated
suspicious rate. Unsurprisingly, 98% of these domains leverage variations of the
word “Olympic,” including translations in multiple languages.

The most heavily abused keyword was “aoyunhui” – the Chinese pinyin-based
romanization term for “Olympic Games.” 27% of domains containing this term were
flagged as suspicious.

Figure 3. Top suspicious TLDs compared with total NRDs.


Figure 3 shows .com is the most commonly used TLD among suspicious NRDs,
accounting for 52% of the total. Threat actors use shopping-oriented TLDs such
as .shop and .store to create fake e-commerce websites to deceive victims. In
addition, other TLDs such as .online, .xyz, .top and .biz also show a higher
rate of abuse by suspicious NRDs compared to their general usage.

DNS TRAFFIC TRENDS LEADING UP TO THE 2024 OLYMPICS

Figure 4. Normalized DNS traffic for Olympic-related NRDs.


Figure 4 illustrates that DNS traffic for Olympic-related NRDs began to rise in
March 2024, coinciding with the release of Olympic posters and various event
preparations. Alongside this overall increase in Olympic-related DNS traffic, we
see a corresponding increase in suspicious DNS traffic.

During the 2024 Olympic Games, the malicious DNS traffic ratio fluctuated
between 10% and 15%. Spikes in malicious DNS traffic occurred around key dates,
such as the 100-day countdown on April 20 and the opening ceremony on July 26.

URL TRAFFIC TRENDS FOR THE PARIS OLYMPICS

Figure 5. Comparing suspicious to normalized URL traffic for Olympic-related
NRDs.


As Figure 5 shows, in the months leading up to the event, traffic to
Olympic-related URLs was negligible. However, the volume jumps to concerning
levels during the event, peaking on August 2, 2024. At that point, 16.2% of all
Olympic-related URLs were flagged as suspicious. Other significant suspicious
spikes occur on August 12 (the closing ceremony) and August 14, during the final
week of the games.

SPECIFIC CASE STUDIES

(1) PERSISTENT NETWORK THREAT ACTOR FOR TWO SEPARATE OLYMPICS

For this case study, we investigated 23 specific Olympic-related domains from
both the Tokyo Olympics held in 2021 and the 2024 Paris Olympics. Despite being
registered and active at different times, our analysis reveals a strong
correlation among these domains.

First, the domains exhibited similar naming conventions, using a consistent set
of keywords such as live, tickets and games, along with the specific years and
locations of the Olympic Games.

Second, we observed a significant overlap in the resolved IP addresses of these
domains, as illustrated in Figure 6 below.

Figure 6. The correlation of resolved IP addresses between domains related to
both the Tokyo Olympics and the Paris Olympics.


For instance, the IP address 3.64.163[.]50 was shared by domains from 2021
(e.g., 2021olympicupdateslive[.]com) and those from 2024 (e.g.,
parisolympicgames2024[.]com).

In addition, multiple domains from both Olympic events resolved to
76.223.67[.]189. This included domains targeting previous Olympics (e.g.,
tokyoolympicsport[.]com) and the 2024 Olympics (e.g., 2024olympicslive[.]com).

From the observed infrastructure patterns, we infer that a single malicious
actor is behind this persistent network abuse.

(2) SCAMS LEVERAGING PARIS OLYMPICS

We identified several scam campaigns exploiting the 2024 Paris Olympics, ranging
from fake ticket sales to fraudulent internet data giveaways and fake
cryptocurrency investment schemes. This section focuses on the latter two scam
campaigns.

Threat actors distributed the scam for fraudulent Paris Olympic internet data
giveaways through a large number of domains. Figure 7 shows screenshots from an
example that enticed victims by offering 48 GB of free internet data.

Figure 7. Screenshots from a fake internet data giveaway scam.


To claim the data, victims were prompted to enter their phone numbers and share
the scam with their WhatsApp friends/groups. The final confirmation page offers
additional scam surveys or malicious redirects.

In another scam, threat actors capitalized on the Olympics to promote a fake
cryptocurrency investment. Figure 8 shows two screenshots from the landing page
of 2024olympics-shop[.]com that tricked visitors into registering for a bogus
investment opportunity. The site also offers a download link for an Android app
named Olympics[.]apk that poses as a legitimate cash app, but it is actually
suspicious and likely intended to defraud people.

Figure 8. The landing page of the fake cryptocurrency scheme leveraging the
Olympics.


(3) MALICIOUS GAMBLING

We identified a campaign involving malicious gambling websites that exploited
Olympic-related keywords to lure unsuspecting victims. These websites share
several key characteristics:

 * Name servers: All gambling domains use the same DNS hosting service
   (share-dns), suggesting a potential connection between the operators.
 * WHOIS records: While most registration information for these Olympic-themed
   gambling NRDs is redacted, we observed that all registrant locations are
   listed as different provinces in China.
 * Website templates: The adversaries use various templates for gambling
   websites. Figures 9-11 showcase examples of gambling websites built with
   distinct templates within this campaign.

Figure 9. Gambling website hosted on climbolympic[.]com.

Figure 10. Gambling website hosted on allolympic[.]com.

Figure 11. Gambling website hosted on olympiarealestate-online[.]com.
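Both the persistent-actor case (shared resolved IP addresses across the 2021 and 2024 domain sets) and the gambling case (shared DNS hosting) are the same pivot: link domains that share an infrastructure attribute and read off the clusters. The Python below is an added example of that pivot, not Unit 42 code and not its passive DNS data. The only facts taken from the article are the two shared IP addresses and the four domains named alongside them; the control domain, its RFC 5737 address, the name-server hostnames and the year assigned to the gambling domains are constructed placeholders. Indicators are kept defanged so the output can be pasted into a report.

```python
"""Cluster event-themed domains by shared infrastructure (resolved IPs, name servers).

Added example; not Unit 42 code. See SAMPLE_RECORDS for which values come from
the article and which are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DomainRecord:
    domain: str                      # defanged, as pasted from a report
    year: int                        # Olympic edition the name refers to
    ips: set[str] = field(default_factory=set)           # pDNS A records
    name_servers: set[str] = field(default_factory=set)  # NS records


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".")


class UnionFind:
    """Minimal disjoint-set over hashable keys."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_shared(records, attr: str) -> list[list[str]]:
    """Group domains that share at least one value of `attr` ('ips' or
    'name_servers'), transitively. Returns sorted clusters, largest first,
    singletons included so nothing silently disappears."""
    uf = UnionFind()
    owners = defaultdict(list)
    for r in records:
        uf.find(r.domain)  # register attribute-less domains as singletons
        for value in getattr(r, attr):
            owners[refang(value).lower()].append(r.domain)
    for domains in owners.values():
        for d in domains[1:]:
            uf.union(domains[0], d)
    groups = defaultdict(list)
    for r in records:
        groups[uf.find(r.domain)].append(r.domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def cross_event_pivots(records) -> dict[str, dict[int, list[str]]]:
    """IPs that domains from more than one event year resolved to, as
    {ip: {year: [domains]}}. Reuse across editions is the strongest
    'same operator' signal in the persistent-actor case."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for r in records:
        for ip in r.ips:
            by_ip[refang(ip)][r.year].append(r.domain)
    return {ip: {y: sorted(ds) for y, ds in years.items()}
            for ip, years in by_ip.items() if len(years) > 1}


# Constructed dataset. The two shared IPs and the four domains on them are the
# article's observations; the control domain, its IP (RFC 5737 range), the
# name-server hostnames and the gambling domains' year are placeholders.
SAMPLE_RECORDS = [
    DomainRecord("2021olympicupdateslive[.]com", 2021, ips={"3.64.163[.]50"}),
    DomainRecord("tokyoolympicsport[.]com", 2021, ips={"76.223.67[.]189"}),
    DomainRecord("parisolympicgames2024[.]com", 2024, ips={"3.64.163[.]50"}),
    DomainRecord("2024olympicslive[.]com", 2024, ips={"76.223.67[.]189"}),
    DomainRecord("olympic-fanclub-control[.]org", 2024, ips={"192.0.2[.]10"}),
    DomainRecord("climbolympic[.]com", 2024, name_servers={"ns1.shared-dns[.]example"}),
    DomainRecord("allolympic[.]com", 2024, name_servers={"ns2.shared-dns[.]example"}),
    DomainRecord("olympiarealestate-online[.]com", 2024,
                 name_servers={"ns1.shared-dns[.]example", "ns2.shared-dns[.]example"}),
]

if __name__ == "__main__":
    print("IP clusters:", cluster_by_shared(SAMPLE_RECORDS, "ips"))
    print("NS clusters:", cluster_by_shared(SAMPLE_RECORDS, "name_servers"))
    print("Cross-event IPs:", cross_event_pivots(SAMPLE_RECORDS))
```

One caveat a practitioner would add: a shared IP or name server is weak evidence on its own when the address belongs to a large hosting or DNS provider, because unrelated tenants share it. The clusters are pivot candidates to confirm with registration timing, naming convention and content, which is how the article's case study combines them.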



INDICATORS OF COMPROMISE


SUSPICIOUS DOMAINS FROM PERSISTENT OLYMPIC TARGETING THREAT

 * 2024olympicslive[.]com
 * 2024parisolympicathletes[.]com
 * olympicparis2024[.]com
 * paris-olympics2024[.]com
 * paris24olympics[.]com
 * parisolympic24[.]com
 * parisolympicgames2024[.]com
 * parisolympicgames2024official[.]com
 * parisolympicgamesevents[.]com
 * parisolympicgamesofficial[.]com
 * parisolympicgamestickets[.]com
 * parisolympicsphotographe[.]com
 * parisolympictickets[.]com


SCAM DOMAINS LEVERAGING OLYMPICS

 * 2024olympics-shop[.]com


MALICIOUS GAMBLING DOMAINS

 * climbolympic[.]com
 * allolympic[.]com
 * olympiarealestate-online[.]com


ADDITIONAL RESOURCES

 * Newly Registered Domains: Malicious Abuse by Bad Actors – Unit 42, Palo Alto
   Networks
 * Malicious Attackers Target Government and Medical Organizations With COVID-19
   Themed Phishing Campaigns – Unit 42, Palo Alto Networks
 * Studying How Cybercriminals Prey on the COVID-19 Pandemic – Unit 42, Palo
   Alto Networks
 * ChatGPT-Themed Scam Attacks Are on the Rise – Unit 42, Palo Alto Networks
 * 2024olympics.shop Scam Store: The Olympic Shop Scam – Malwaretips
 * Paris 2024 : 338 sites internet frauduleux de revente de billets recensés à
   quelques semaines du début de la compétition – Franceinfo
 * Security Brief: Scammers Create Fraudulent Olympics Ticketing Websites –
   Proofpoint
 * Olympics-related domains used for phishing and scams for the Tokyo and
   Paris2024 Olympics – Unit 42 on X
 * Threat actors exploit public attention in the Olympics by creating domains
   that seem related to the event – Unit 42 on X
