Threat Research

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns. The post Track

Paved With Intent: ROADtools and Nation-State Tactics in the Cloud

Open-source framework ROADtools is being misused by threat actors for cloud intrusions. Learn how to identify its malicious use. The post Paved With Intent: ROA

Tracking TamperedChef Clusters via Certificate and Code Reuse

Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets. The post Tracking

Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files

Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data. The post Gr

Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools

Unit 42 analyzes AD CS exploitation through template misconfigurations and shadow credential misuse while offering behavioral detection for defenders. The post

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details. The post Threat Brief: Exploit

Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years

Copy Fail (CVE-2026-31431) is a critical Linux kernel LPE that allows stealthy root access. This flaw impacts millions of systems. Read our analysis. The post C

Essential Data Sources for Detection Beyond the Endpoint

Unit 42 highlights the need for a comprehensive security strategy that spans every IT zone. Explore the full details here. The post Essential Data Sources for D

That AI Extension Helping You Write Emails? It’s Reading Them First

Unit 42 uncovers high-risk AI browser extensions. Disguised as productivity tools, they steal data, intercept prompts, and exfiltrate passwords. Protect your br

TGR-STA-1030: New Activity in Central and South America

Unit 42 research reports that TGR-STA-1030 remains an active threat, particularly in Central and South America. The post TGR-STA-1030: New Activity in Central a

On the Effectiveness of Mutational Grammar Fuzzing

Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. When a sample gets

Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529

In the first part of this series, I detailed my journey into macOS security research, which led to the discovery of a type confusion vulnerability (CVE-2024-545

Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms

Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.

iPhone Users Urged to Update to Patch 2 Zero-Days

Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack.

IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks

Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages

Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms

Written by: Chad Reams, Tufail Ahmed, Keith Knapp, Ashley Frazer, Tyler McLellan Introduction From January through May 2026, Mandiant identified a financially m

Attackers obtained encrypted password vaults from some Dashlane user accounts

Dashlane has disclosed new details about a brute-force attack that let a threat actor access some customer accounts and copy encrypted vaults. Dashlane said it

Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitr

PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network

The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMT

3 Principles to Safely Scale Agentic AI